OpenLiberty / open-liberty

Open Liberty is a highly composable, fast to start, dynamic application server runtime environment
https://openliberty.io
Eclipse Public License 2.0

No password callback supplied with 22.0.0.9 or higher liberty server and CXF SOAP service. #26101

Open bandewarbalaji opened 1 year ago

bandewarbalaji commented 1 year ago

Getting SOAP Fault response as No password callback supplied while running CXF based SOAP service on liberty server 22.0.0.9 or later. wsSecurityProvider is used to validate user.

Please let me know if any configuration needs to be changed with a higher version of Liberty.

neuwerk commented 1 year ago

@bandewarbalaji thanks for opening the issue! You shouldn't need to change configuration on 22.0.0.9 or later if you're just upgrading Liberty with the same feature set. Are there any exceptions or FFDCs being thrown on the Liberty server? That should show up in your server's log directory. I would expect an unexpected fault returned by the server would have one or both present in the logs.

bandewarbalaji commented 1 year ago

There is nothing in message.log or FFDCs logs.

neuwerk commented 1 year ago

Ok, so maybe not what I was expecting. Enabling trace should help, could you follow the instructions here: https://openliberty.io/docs/latest/log-trace-configuration.html and use the following trace string: org.apache.cxf.*=all:com.ibm.ws.jaxws*=all:com.ibm.ws.wssecurity.*=all. Hopefully that should provide some stack trace in the logs.

bandewarbalaji commented 1 year ago

    Content-Type: text/xml
    ResponseCode: 500
    ExchangeId: 74a15483-1f74-439e-9415-0704b13bcaf8
    ServiceName: PolicyDocumentManagementService
    PortName: IPolicyDocumentManagementPort
    PortTypeName: IPolicyDocumentManagement
    Headers: {}
    Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    soap:Server No password callback supplied

bandewarbalaji commented 1 year ago

Do you think we need to implement this, as we are running on a higher Liberty server version after 22.0.0.6?

https://www.ibm.com/docs/en/was-liberty/base?topic=level-developing-password-callback-handler-ws-security

bandewarbalaji commented 1 year ago

@neuwerk Hey, any suggestion from you?

neuwerk commented 1 year ago

Apologies for the delay getting back to you. Oh, so you do not have a callback handler implemented? I'm sorry, due to the description of the issue I thought the problem was that the callback handler was no longer working once upgrading to 22.0.0.9. If you do not have a callback handler implemented, then yes, depending on the security configuration you would need to implement a callback handler as documented in the link you provided. That being said, there is a known issue with the callback handler APIs that are documented in that link; those were fixed in 23.0.0.3. I would recommend that you update to at least that level prior to implementing the callback handler.
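
An added example, not part of the original thread and not Open Liberty or IBM code: a minimal server-side password callback handler of the kind the linked topic describes, written against the WSS4J 2.x `org.apache.wss4j.common.ext.WSPasswordCallback` API. The package, the class name, the `example.wssec.credentials` system property and the properties-file credential store are assumptions for illustration.

```java
package com.example.wssec; // hypothetical package name

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Properties;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.wss4j.common.ext.WSPasswordCallback;

public class UsernameTokenPasswordCallback implements CallbackHandler {

    // Assumption: a system property naming a file of user=password entries.
    // A real deployment would query its own credential store here instead.
    private static final String STORE_PROP = "example.wssec.credentials";

    private final Properties credentials = new Properties();

    public UsernameTokenPasswordCallback() {
        String path = System.getProperty(STORE_PROP);
        if (path == null) {
            throw new IllegalStateException(STORE_PROP + " is not set");
        }
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            credentials.load(in);
        } catch (IOException e) {
            throw new IllegalStateException("Cannot read " + path, e);
        }
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "Unexpected callback type");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            // Only answer UsernameToken validation; refuse key or signature password requests.
            if (pc.getUsage() != WSPasswordCallback.USERNAME_TOKEN) {
                throw new UnsupportedCallbackException(cb, "Only UsernameToken is handled");
            }
            String expected = credentials.getProperty(pc.getIdentifier());
            if (expected != null) {
                pc.setPassword(expected); // WSS4J compares this with the password in the token
            }
            // Unknown user: leave the password unset so the token does not validate.
        }
    }
}
```

The handler only supplies the expected password; the comparison with the password in the received token is done by WSS4J's `UsernameTokenValidator`. In Liberty the handler class is named through the `ws-security.callback-handler` attribute of `wsSecurityProvider`, and the linked IBM topic covers how to package it.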

bandewarbalaji commented 1 year ago

We have added the below configuration:

    <wsSecurityProvider ws-security.validate.token="false" set-jaxb-validation-event-handler="false" ws-security.is-bsp-compliant="false" inInterceptors="WSSInterceptor">
        <callerToken name="UsernameToken" mapToUserRegistry="User" />
    </wsSecurityProvider>

And still we need to implement a callback handler? I have tested the application with version 23.0.0.6 but still have the same issue. Is there any way/configuration to disable the callback handler call? The logs show the below error:

    org.apache.cxf.binding.soap.SoapFault: No password callback supplied
        at org.apache.cxf.binding.soap.SoapFault.createFault(SoapFault.java:258)
        at org.apache.cxf.binding.soap.interceptor.Soap11FaultOutInterceptor$Soap11FaultOutInterceptorInternal.handleMessage(Soap11FaultOutInterceptor.java:73)
        at org.apache.cxf.binding.soap.interceptor.Soap11FaultOutInterceptor$Soap11FaultOutInterceptorInternal.handleMessage(Soap11FaultOutInterceptor.java:63)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
        at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:112)
        at org.apache.cxf.phase.PhaseInterceptorChain.wrapExceptionAsFault(PhaseInterceptorChain.java:373)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:331)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:127)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:277)
        at com.ibm.ws.jaxws.endpoint.AbstractJaxWsWebEndpoint$1.run(AbstractJaxWsWebEndpoint.java:238)
        at com.ibm.ws.jaxws.endpoint.AbstractJaxWsWebEndpoint$1.run(AbstractJaxWsWebEndpoint.java:235)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.ibm.ws.jaxws.endpoint.AbstractJaxWsWebEndpoint.invoke(AbstractJaxWsWebEndpoint.java:235)
        at com.ibm.ws.jaxws.webcontainer.LibertyJaxWsServlet.handleRequest(LibertyJaxWsServlet.java:136)
        at com.ibm.ws.jaxws.webcontainer.LibertyJaxWsServlet.doPost(LibertyJaxWsServlet.java:95)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
        at com.ibm.ws.jaxws.webcontainer.LibertyJaxWsServlet.service(LibertyJaxWsServlet.java:87)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1260)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:748)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:445)
        at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1370)
        at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:5080)
        at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.handleRequest(DynamicVirtualHost.java:318)
        at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1038)
        at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:283)
        at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:1248)
        at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.wrapHandlerAndExecute(HttpDispatcherLink.java:470)
        at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.ready(HttpDispatcherLink.java:429)
        at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:569)
        at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleNewRequest(HttpInboundLink.java:503)
        at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.processRequest(HttpInboundLink.java:363)
        at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.ready(HttpInboundLink.java:330)
        at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:169)
        at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:77)
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:516)
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:586)
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:970)
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1059)
        at com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:247)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
    Caused by: org.apache.wss4j.common.ext.WSSecurityException: No password callback supplied
        at org.apache.wss4j.dom.validate.UsernameTokenValidator.verifyDigestPassword(UsernameTokenValidator.java:143)
        at org.apache.wss4j.dom.validate.UsernameTokenValidator.verifyPlaintextPassword(UsernameTokenValidator.java:130)
        at org.apache.wss4j.dom.validate.UsernameTokenValidator.validate(UsernameTokenValidator.java:90)
        at org.apache.wss4j.dom.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:174)
        at org.apache.wss4j.dom.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:63)
        at com.ibm.ws.wssecurity.cxf.interceptor.UsernameTokenInterceptor.validateToken(UsernameTokenInterceptor.java:113)
        at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.processToken(UsernameTokenInterceptor.java:113)
        at org.apache.cxf.ws.security.wss4j.AbstractTokenInterceptor.handleMessage(AbstractTokenInterceptor.java:108)
        at org.apache.cxf.ws.security.wss4j.AbstractTokenInterceptor.handleMessage(AbstractTokenInterceptor.java:64)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
        ... 35 more

bandewarbalaji commented 1 year ago

And currently we are using the CXF 2.5.11 jar and planning to migrate to CXF 3.5.5. Also, we have a SOAP service which is built on CXF.

neuwerk commented 1 year ago

Hm, that's interesting that this worked prior to updating. So we normally have a template that users can fill out when they open a bug report against Liberty. If you could, could you fill out as much of this information as possible? I think the only way we could get to the bottom of what's going on is by having the rest of the background information asked for in the usual template. I've copied that below:

Describe the bug
A clear and concise description of what the bug is.

If there is a stack trace, please include the FULL stack trace (without any [internal classes] lines in it). To find the full stack trace, you may need to check in $WLP_OUTPUT_DIR/messages.log

Steps to Reproduce
Steps to reproduce the bug

Expected behavior
A clear and concise description of what you expected to happen.

Diagnostic information:

  • OpenLiberty Version: [e.g. 21.0.0.8 - 21.0.0.10]
  • Affected feature(s) [e.g. mpHealth-3.0]
  • Java Version: [i.e. full output of java -version]
  • server.xml configuration (WITHOUT sensitive information like passwords)
  • If it would be useful, upload the messages.log file found in $WLP_OUTPUT_DIR/messages.log

Additional context
Add any other context about the problem here.

bandewarbalaji commented 1 year ago

Hey @neuwerk, please find details below:

Describe the bug
I am facing a No password callback supplied error for a SOAP service with IBM Liberty 22.0.0.9 or a higher version, but the same is working fine with version 22.0.0.6. We have added the below configuration:

    <wsSecurityProvider ws-security.validate.token="false" set-jaxb-validation-event-handler="false" ws-security.is-bsp-compliant="false" inInterceptors="WSSInterceptor">
        <callerToken name="UsernameToken" mapToUserRegistry="User" />
    </wsSecurityProvider>

The logs show the below error:

    org.apache.cxf.binding.soap.SoapFault: No password callback supplied
        at org.apache.cxf.binding.soap.SoapFault.createFault(SoapFault.java:258)
        at org.apache.cxf.binding.soap.interceptor.Soap11FaultOutInterceptor$Soap11FaultOutInterceptorInternal.handleMessage(Soap11FaultOutInterceptor.java:73)
        at org.apache.cxf.binding.soap.interceptor.Soap11FaultOutInterceptor$Soap11FaultOutInterceptorInternal.handleMessage(Soap11FaultOutInterceptor.java:63)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
        at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:112)
        at org.apache.cxf.phase.PhaseInterceptorChain.wrapExceptionAsFault(PhaseInterceptorChain.java:373)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:331)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:127)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:277)
        at com.ibm.ws.jaxws.endpoint.AbstractJaxWsWebEndpoint$1.run(AbstractJaxWsWebEndpoint.java:238)
        at com.ibm.ws.jaxws.endpoint.AbstractJaxWsWebEndpoint$1.run(AbstractJaxWsWebEndpoint.java:235)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.ibm.ws.jaxws.endpoint.AbstractJaxWsWebEndpoint.invoke(AbstractJaxWsWebEndpoint.java:235)
        at com.ibm.ws.jaxws.webcontainer.LibertyJaxWsServlet.handleRequest(LibertyJaxWsServlet.java:136)
        at com.ibm.ws.jaxws.webcontainer.LibertyJaxWsServlet.doPost(LibertyJaxWsServlet.java:95)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
        at com.ibm.ws.jaxws.webcontainer.LibertyJaxWsServlet.service(LibertyJaxWsServlet.java:87)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1260)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:748)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:445)
        at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1370)
        at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:5080)
        at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.handleRequest(DynamicVirtualHost.java:318)
        at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1038)
        at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:283)
        at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:1248)
        at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.wrapHandlerAndExecute(HttpDispatcherLink.java:470)
        at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.ready(HttpDispatcherLink.java:429)
        at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:569)
        at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleNewRequest(HttpInboundLink.java:503)
        at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.processRequest(HttpInboundLink.java:363)
        at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.ready(HttpInboundLink.java:330)
        at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:169)
        at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:77)
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:516)
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:586)
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:970)
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1059)
        at com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:247)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
    Caused by: org.apache.wss4j.common.ext.WSSecurityException: No password callback supplied
        at org.apache.wss4j.dom.validate.UsernameTokenValidator.verifyDigestPassword(UsernameTokenValidator.java:143)
        at org.apache.wss4j.dom.validate.UsernameTokenValidator.verifyPlaintextPassword(UsernameTokenValidator.java:130)
        at org.apache.wss4j.dom.validate.UsernameTokenValidator.validate(UsernameTokenValidator.java:90)
        at org.apache.wss4j.dom.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:174)
        at org.apache.wss4j.dom.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:63)
        at com.ibm.ws.wssecurity.cxf.interceptor.UsernameTokenInterceptor.validateToken(UsernameTokenInterceptor.java:113)
        at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.processToken(UsernameTokenInterceptor.java:113)
        at org.apache.cxf.ws.security.wss4j.AbstractTokenInterceptor.handleMessage(AbstractTokenInterceptor.java:108)
        at org.apache.cxf.ws.security.wss4j.AbstractTokenInterceptor.handleMessage(AbstractTokenInterceptor.java:64)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)

Steps to Reproduce
A SOAP service which is built on the CXF API jar and uses WSSecurity as mentioned below:

    <wsSecurityProvider ws-security.validate.token="false" set-jaxb-validation-event-handler="false" ws-security.is-bsp-compliant="false" inInterceptors="WSSInterceptor">
        <callerToken name="UsernameToken" mapToUserRegistry="User" />
    </wsSecurityProvider>

Expected behavior
It should call the SOAP service and respond, as it is working with the 22.0.0.6 version.

Diagnostic information:

  • OpenLiberty Version: 22.0.0.9 or higher (till 23.0.0.6)
  • Affected feature(s)
  • Java Version: java version "1.8.0_121" Java(TM) SE Runtime Environment (build 1.8.0_121-b13) Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)
  • server.xml configuration (WITHOUT sensitive information like passwords):

cdi-1.2 ejbLite-3.2 ejbRemote-3.2 el-3.0 jaxb-2.2 jaxws-2.2 jdbc-4.1 jndi-1.0 jsf-2.2 localConnector-1.0 mdb-3.2 requestTiming-1.0 servlet-3.1 wmqJmsClient-2.0 ldapRegistry-3.0 appSecurity-2.0 jpaContainer-2.1 wsSecurity-1.1 jaxrs-2.0 openidConnectClient-1.0 transportSecurity-1.0

nijinillath commented 9 months ago

Hi @neuwerk, was there any update or findings on this issue? Thank you!