cristina vlaicu

Reputation: 51

web services - username token - Error on verifying message against security policy Error code:1000

I am trying to call a web service that has username token configured in the wsdl:

<sp:SupportingTokens>
  <wsp:Policy>
    <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
      <wsp:Policy>
        <sp:HashPassword/>
        <sp:WssUsernameToken10/>
      </wsp:Policy>
    </sp:UsernameToken>
  </wsp:Policy>
</sp:SupportingTokens>

The SOAP request contains the following information for authentication:

<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:Username>user</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
  </wsse:UsernameToken>
</wsse:Security>

and I receive the following error:

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Header/>
<env:Body>
  <env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
     <faultcode>wsse:InvalidSecurity</faultcode>
     <faultstring>Error on verifying message against security policy Error code:1000</faultstring>
  </env:Fault>
</env:Body>
</env:Envelope>

Can somebody tell me what I am doing wrong?

Thank you.

Upvotes: 5

Views: 17623

Answers (2)

Sorin Postelnicu

Reputation: 1301

We had the same problem when calling the webservice from a servlet deployed in Weblogic, by using weblogic.jws.jaxws.ClientPolicyFeature and weblogic.wsee.security.unt.ClientUNTCredentialProvider to set the policy, like this:

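import java.io.InputStream;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.xml.namespace.QName;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.WebServiceFeature;

import weblogic.jws.jaxws.ClientPolicyFeature;
import weblogic.jws.jaxws.policy.InputStreamPolicySource;
import weblogic.wsee.security.unt.ClientUNTCredentialProvider;
import weblogic.xml.crypto.wss.WSSecurityContext;
import weblogic.xml.crypto.wss.provider.CredentialProvider;

// Load the client-side WS-Policy from the classpath (WebLogic-specific feature).
ClientPolicyFeature cpf = new ClientPolicyFeature();
InputStream inputStream = ChangeLogBean.class.getClassLoader().getResourceAsStream("usernametoken.xml");
cpf.setEffectivePolicy(new InputStreamPolicySource(new InputStream[]{inputStream}));

// Create the JAX-WS port with the policy feature attached.
MyServiceWSPortImplService service = new MyServiceWSPortImplService(new URL(myEndpoint.getUrl()), new QName("http://myhost/myservice/V1", "MyServiceWSPortImplService"));
MyService port = service.getMyServicePort(new WebServiceFeature[]{cpf});

// Supply the UsernameToken credentials through WebLogic's credential provider list.
List<CredentialProvider> credentialProviders = new ArrayList<>();
ClientUNTCredentialProvider untCredentialProvider = new ClientUNTCredentialProvider(myEndpoint.getUser().getBytes(), myEndpoint.getPassword().getBytes());
credentialProviders.add(untCredentialProvider);
Map<String, Object> context = ((BindingProvider) port).getRequestContext();
context.put(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, credentialProviders);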

But the WebServices stack used by our application is actually Apache CXF, which has a different way of specifying the policy (by using org.apache.neethi.Policy) as mentioned here:

http://cxf.apache.org/docs/how-to-define-policies.html#HowtoDefinePolicies-Dynamicallyviamessageproperty

So the CXF stack was basically ignoring the WSSecurityContext.CREDENTIAL_PROVIDER_LIST, and we got the fault: Error on verifying message against security policy Error code:1000

The correct solution in that case is to use the steps described in the CXF documentation:

  1. Get policy from external location and build it for current message.
  2. Parse WS-Policy XML using Neethi library.
  3. Store result Policy object into PolicyConstants.POLICY_OVERRIDE message content property.

I am just mentioning this here in case someone else makes the mistake of mixing CXF with Weblogic. :)

Upvotes: 1
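The three CXF steps listed in the answer above, written as an outbound interceptor. This is an added example, not code from the answer or from the CXF project; the class name is hypothetical and the resource name usernametoken.xml is taken from the answer's WebLogic snippet.

```java
import java.io.InputStream;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.policy.PolicyBuilder;
import org.apache.cxf.ws.policy.PolicyConstants;
import org.apache.cxf.ws.policy.PolicyOutInterceptor;
import org.apache.neethi.Policy;

/** Added example (hypothetical class): overrides the effective policy of each outgoing CXF message. */
public class UsernameTokenPolicyOverride extends AbstractPhaseInterceptor<Message> {

    // Classpath resource holding the WS-Policy XML (name assumed from the answer's snippet).
    private static final String POLICY_RESOURCE = "usernametoken.xml";

    public UsernameTokenPolicyOverride() {
        super(Phase.SETUP);
        // Must run before CXF's own policy interceptor resolves the effective policy.
        addBefore(PolicyOutInterceptor.class.getName());
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        // Step 1: get the policy from its external location.
        try (InputStream in = getClass().getClassLoader().getResourceAsStream(POLICY_RESOURCE)) {
            if (in == null) {
                throw new IllegalStateException(POLICY_RESOURCE + " not found on the classpath");
            }
            // Step 2: parse the WS-Policy XML with Neethi through the bus's PolicyBuilder.
            PolicyBuilder builder =
                    message.getExchange().getBus().getExtension(PolicyBuilder.class);
            if (builder == null) {
                throw new IllegalStateException("CXF WS-Policy module is not loaded on this bus");
            }
            Policy policy = builder.getPolicy(in);
            // Step 3: store the result as the policy override for this message.
            message.put(PolicyConstants.POLICY_OVERRIDE, policy);
        } catch (Exception e) {
            // Fail the call rather than send a request without the intended policy.
            throw new Fault(e);
        }
    }
}
```

Register it with ClientProxy.getClient(port).getOutInterceptors().add(new UsernameTokenPolicyOverride()). Under CXF the credentials go into the request context as SecurityConstants.USERNAME and SecurityConstants.PASSWORD rather than WSSecurityContext.CREDENTIAL_PROVIDER_LIST.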

rbhawsar

Reputation: 813

Have you supplied the username and password while calling the web service? It looks like either it's not supplied or the username/password is incorrect.

Upvotes: 1
