Trouble connecting java soap client to Ws-Security enabled .NET webservice

Question

I am getting a variety of wild and wonderful errors ranging from "400 bad request" to "incorrect username/password" and "no username" and "no password or callback handler available" when trying to connect a code generated java client to a .NET soap service that has WS-Security enabled.

The following is the WSDL for the .NET service:



















































































































































true

















true

And the following is where I'm calling the code generated java client and adding the headers:

private IFileSubmissionService createFileSubmissionServiceClient() {

    final String webserviceURL = applicationSessionBean.getExtProperties().getProperty("fileSubmissionServiceURL");
    final String username = applicationSessionBean.getExtProperties().getProperty("wsuser");
    final String password = applicationSessionBean.getExtProperties().getProperty("wspass");

    FileSubmissionService fsService = null;

    try {
        fsService = new FileSubmissionService();
    } catch (Exception e) {
        e.printStackTrace();
    }

    if(fsService == null) {
        //get service with default WSDL location
        fsService = new FileSubmissionService();
    }

    IFileSubmissionService client = fsService.getBasicHttpsBindingIFileSubmissionService(); 

    String        salt           = "XXXXXXXX";


    // Add security header
    Map ctx = ((BindingProvider)client).getRequestContext();
    ctx.put("ws-security.username", username);
    ctx.put("ws-security.password", getSecurePassword(password, salt.getBytes()));
    ctx.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, webserviceURL);

    // Add headers
    List handlerChain = new ArrayList();
    handlerChain.add(new HeaderHandler(username, getSecurePassword(password, salt.getBytes())));
    ((BindingProvider)client).getBinding().setHandlerChain(handlerChain);

    return client;
}

And the following is my "header handler" where I've attached the security headers:

   public boolean handleMessage(SOAPMessageContext context)
    {
        Boolean outboundProperty = (Boolean) context.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
        if (outboundProperty.booleanValue())
        {
            try
            {
                SOAPEnvelope envelope = context.getMessage().getSOAPPart().getEnvelope();
                SOAPFactory factory = SOAPFactory.newInstance();
                SOAPHeader header = envelope.getHeader();

                if (header == null)
                {
                    header = envelope.addHeader();
                }

                header.setPrefix("S");

                envelope.addAttribute(QName.valueOf("xmlns:wsu"), utility_uri);

                SOAPElement securityElem = header
                        .addChildElement(new QName(uri, "Security", prefix));
                securityElem.addAttribute(QName.valueOf("S:mustUnderstand"), "1");

                SOAPElement timestampElem = securityElem.addChildElement("Timestamp", "wsu");
                timestampElem.addAttribute(QName.valueOf("wsu:Id"), "_0");

                TimeZone tz = TimeZone.getTimeZone("UTC");
                DateFormat df = new SimpleDateFormat("yyy-MM-dd'T'HH:mm:ss.SSS'Z'");
                df.setTimeZone(tz);

                String created = df.format(new Date());

                SOAPElement createdTimestampElem = factory.createElement("Created", utility_prefix,
                        utility_uri);
                createdTimestampElem.addTextNode(created);

                Calendar expiresCal = Calendar.getInstance();
                expiresCal.add(Calendar.MINUTE, 1);
                Date expireDate = expiresCal.getTime();

                String expires = df.format(expireDate);
                SOAPElement expiresTimestampElem = factory.createElement("Expires", utility_prefix,
                        utility_uri);
                expiresTimestampElem.addTextNode(expires);

                timestampElem.addChildElement(createdTimestampElem);
                timestampElem.addChildElement(expiresTimestampElem);
                securityElem.addChildElement(timestampElem);

                SOAPElement tokenElem = securityElem.addChildElement("UsernameToken", prefix);
                tokenElem.addAttribute(QName.valueOf("wsu:Id"),
                        "uuid-" + UUID.randomUUID().toString());

                SOAPElement userElem = factory.createElement("Username", prefix, uri);
                userElem.addTextNode(username);

                SOAPElement pwdElem = factory.createElement("Password", prefix, uri);
                pwdElem.addTextNode(getSecurePassword(password, salt.getBytes()));
                pwdElem.addAttribute(QName.valueOf("Type"),
                        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText");

                tokenElem.addChildElement(userElem);
                tokenElem.addChildElement(pwdElem);
                securityElem.addChildElement(tokenElem);
                header.addChildElement(securityElem);


                SOAPMessage msg = context.getMessage();
                ByteArrayOutputStream out = new ByteArrayOutputStream();
                msg.writeTo(out);
                String strMsg = new String(out.toByteArray());
                System.out.println(strMsg);

            }
            catch (Exception e)
            {
                e.printStackTrace();
            }
        }
        else
        {
            try
            {
                // does nothing
            }
            catch (Exception e)
            {
                e.printStackTrace();
            }
        }

        return true;
    }

And finally here is a sample of the generated SOAP message:


    
        
            
                2016-08-12T20:37:42.282Z
                2016-08-12T20:38:42.282Z
            
            
                XXXXXXXX
                XXXXXXXX
            
        
    
    
        
            A
            NC3
            FSETStateAnnualFilingV5.2

The problem is I keep getting the following error message:

 org.apache.cxf.transport.http.HTTPException: HTTP response '400: Bad Request' when communicating with https://10.1.2.166/FileSubmissionService/FileSubmissionService.svc

I am also getting the above messages when I try playing around with removing the header injection and or not setting or setting the request context username / password variables.

What I do not understand is A) why am i getting any error related to apache CXF when I am not using apache CXF and B) why is it a bad request?

Can someone point me in the right direction? I simply want to use vanilla java to create the client. I am not certain that I need any 3rd party toolkits to do this.

Thank you!

Iofacture · Accepted Answer

Okay so here is the reason. Apparently intercepting the message and manually setting the headers and setting the username and password in the request context are two completely different approaches in JAX-WS that accomplish the same thing.

The following post explains the difference between the two: Difference between RequestContext and MessageContext in JAX WS

What I was doing was using both methods, which resulted in a request that was mal-formed and caused the webservice to puke and return a HTTP 400 code.

The reason this was not caught is that I was logging the SOAP message in the handler chain (the manual method) but was not printing the final outgoing message after the request context had been modified.

If someone can elaborate further on these two different approaches I would be forever thankful. I still do not totally understand the difference here and I could be wrong in my conclusions

Trouble connecting java soap client to Ws-Security enabled .NET webservice

Answers (1)

Related Questions