Friday, January 23, 2009

Dump Glassfish HTTP conversations to debug security

In Glassfish it is possible to dump the whole HTTP conversation to debug web services by adding the following two JVM options to domain.xml. The first dumps the messages handled by the server-side JAX-WS endpoints, the second those sent by JAX-WS clients running inside the server:

<jvm-options>-Dcom.sun.xml.ws.transport.http.HttpAdapter.dump=true</jvm-options>
<jvm-options>-Dcom.sun.xml.ws.transport.http.client.HttpTransportPipe.dump=true</jvm-options>

Then, when the web service is called, server.log shows the complete SOAP envelopes for both request and response. Note that this includes the full wsse:Security header, so these options belong on a development domain only and should be removed once debugging is done:

[#|2009-01-21T03:13:33.783+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=25;_ThreadName=httpSSLWorkerThread-8080-0;|
---[HTTP request]---|#]

[#|2009-01-21T03:13:33.783+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=25;_ThreadName=httpSSLWorkerThread-8080-0;|
Host: localhost:8080|#]

[#|2009-01-21T03:13:33.783+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=25;_ThreadName=httpSSLWorkerThread-8080-0;|
Content-type: text/xml;charset=UTF-8|#]

[#|2009-01-21T03:13:33.783+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=25;_ThreadName=httpSSLWorkerThread-8080-0;|
Content-length: 866|#]

[#|2009-01-21T03:13:33.783+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=25;_ThreadName=httpSSLWorkerThread-8080-0;|
User-agent: Jakarta Commons-HttpClient/3.1|#]

[#|2009-01-21T03:13:33.783+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=25;_ThreadName=httpSSLWorkerThread-8080-0;|
Soapaction: ""|#]

[#|2009-01-21T03:13:33.783+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=25;_ThreadName=httpSSLWorkerThread-8080-0;|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:svc="http://xml.netbeans.org/schema/svcMessages">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:UsernameToken wsu:Id="UsernameToken-27540698" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:Username>wsitUser</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">xhM3irVV+4ROPhzEjwlEeL7IViI=</wsse:Password><wsse:Nonce>oE1wwvm+ZLeBuvgDJvaLvw==</wsse:Nonce><wsu:Created>2009-01-21T02:13:32.238Z</wsu:Created></wsse:UsernameToken></wsse:Security>
</soapenv:Header>
<soapenv:Body>
<svc:payload>Maurizio</svc:payload>
</soapenv:Body>
</soapenv:Envelope>
|#]

[#|2009-01-21T03:13:33.783+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=25;_ThreadName=httpSSLWorkerThread-8080-0;|--------------------|#]

[#|2009-01-21T03:13:34.828+0100|SEVERE|sun-appserver9.1|com.sun.xml.wss.logging.impl.filter|_ThreadID=25;_ThreadName=httpSSLWorkerThread-8080-0;_RequestID=9ffc6c88-9210-451f-ad64-08ec2bc5ca74;|WSS1408: UsernameToken Authentication Failed|#]

[#|2009-01-21T03:13:35.015+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=25;_ThreadName=httpSSLWorkerThread-8080-0;|
---[HTTP response 500]---|#]

[#|2009-01-21T03:13:35.015+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=25;_ThreadName=httpSSLWorkerThread-8080-0;|
<?xml version="1.0" ?><S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><S:Fault xmlns:ns3="http://www.w3.org/2003/05/soap-envelope"><faultcode xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">wsse:FailedAuthentication</faultcode><faultstring>Authentication of Username Password Token Failed</faultstring></S:Fault></S:Body></S:Envelope>|#]
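To make the dump useful for more than eyeballing, here is an added example (my own code, not part of GlassFish, Metro or the original post) that reads a server.log excerpt in the format above, strips the record framing, pulls out the SOAP envelopes and redoes the checks a WS-Security provider performs on a UsernameToken before it raises WSS1408: the PasswordDigest is Base64(SHA-1(nonce || Created || password)) per the UsernameToken Profile 1.0, computed over the decoded nonce bytes, plus a freshness window on wsu:Created and nonce replay detection. The sample log is built from the records shown above, "changeit" is a placeholder password guess, and the helper names (extract_envelopes, verify_token and so on) are mine, not GlassFish API.

```python
import base64
import hashlib
import hmac
import os
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
# Wall-clock time of the logged request (03:13:33+0100), used as "now" when re-checking it.
LOG_TIME = datetime(2009, 1, 21, 2, 13, 33, tzinfo=timezone.utc)

# Constructed sample in server.log dump format: request envelope and fault are the ones
# from the post, the other records are abbreviated. Not a fresh capture.
SAMPLE_LOG = """[#|2009-01-21T03:13:33.783+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=25;_ThreadName=httpSSLWorkerThread-8080-0;|
---[HTTP request]---|#]

[#|2009-01-21T03:13:33.783+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=25;_ThreadName=httpSSLWorkerThread-8080-0;|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:svc="http://xml.netbeans.org/schema/svcMessages">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:UsernameToken wsu:Id="UsernameToken-27540698" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:Username>wsitUser</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">xhM3irVV+4ROPhzEjwlEeL7IViI=</wsse:Password><wsse:Nonce>oE1wwvm+ZLeBuvgDJvaLvw==</wsse:Nonce><wsu:Created>2009-01-21T02:13:32.238Z</wsu:Created></wsse:UsernameToken></wsse:Security>
</soapenv:Header>
<soapenv:Body>
<svc:payload>Maurizio</svc:payload>
</soapenv:Body>
</soapenv:Envelope>
|#]

[#|2009-01-21T03:13:34.828+0100|SEVERE|sun-appserver9.1|com.sun.xml.wss.logging.impl.filter|_ThreadID=25;_ThreadName=httpSSLWorkerThread-8080-0;_RequestID=9ffc6c88-9210-451f-ad64-08ec2bc5ca74;|WSS1408: UsernameToken Authentication Failed|#]

[#|2009-01-21T03:13:35.015+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=25;_ThreadName=httpSSLWorkerThread-8080-0;|
<?xml version="1.0" ?><S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><S:Fault xmlns:ns3="http://www.w3.org/2003/05/soap-envelope"><faultcode xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">wsse:FailedAuthentication</faultcode><faultstring>Authentication of Username Password Token Failed</faultstring></S:Fault></S:Body></S:Envelope>|#]
"""


def extract_envelopes(log_text):
    """Return the XML messages of a server.log dump, in order, without the [#|...|#] framing."""
    envelopes = []
    for record in re.findall(r"\[#\|(.*?)\|#\]", log_text, re.S):
        message = record.split("|", 5)[-1].strip()  # drop the 5 pipe-separated header fields
        if message.startswith("<"):                 # keeps envelopes, skips HTTP headers/markers
            envelopes.append(message)
    return envelopes


def parse_username_token(envelope_xml):
    """Pull the UsernameToken fields out of a SOAP envelope; None if the header has none."""
    root = ET.fromstring(envelope_xml)
    tok = root.find(f".//{{{WSSE}}}UsernameToken")
    if tok is None:
        return None
    pwd = tok.find(f"{{{WSSE}}}Password")
    return {"username": tok.findtext(f"{{{WSSE}}}Username"),
            "type": pwd.get("Type"), "digest": pwd.text,
            "nonce": tok.findtext(f"{{{WSSE}}}Nonce"),
            "created": tok.findtext(f"{{{WSU}}}Created")}


def password_digest(nonce_b64, created, password):
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce || created || password)), raw nonce bytes."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def make_token(username, password, created=None):
    """Build the token a client would send, i.e. what ends up in the logged request."""
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    nonce = base64.b64encode(os.urandom(16)).decode("ascii")
    return {"username": username, "type": DIGEST_TYPE, "nonce": nonce, "created": created,
            "digest": password_digest(nonce, created, password)}


def verify_token(tok, password, now=None, max_skew=timedelta(minutes=5), seen_nonces=None):
    """Checks a WS-Security provider makes before accepting a digest token.
    Returns "ok" or the reason it would answer wsse:FailedAuthentication."""
    if tok["type"] != DIGEST_TYPE:
        return "unsupported password type"
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in tok["created"] else "%Y-%m-%dT%H:%M:%SZ"
    created = datetime.strptime(tok["created"], fmt).replace(tzinfo=timezone.utc)
    if abs((now or datetime.now(timezone.utc)) - created) > max_skew:
        return "stale Created timestamp"
    expected = password_digest(tok["nonce"], tok["created"], password)
    if not hmac.compare_digest(expected, tok["digest"]):
        return "digest mismatch"
    if seen_nonces is not None:        # only accepted tokens consume a nonce
        if tok["nonce"] in seen_nonces:
            return "nonce replayed"
        seen_nonces.add(tok["nonce"])
    return "ok"


if __name__ == "__main__":
    for env in extract_envelopes(SAMPLE_LOG):
        tok = parse_username_token(env)
        if tok:
            # "changeit" is a placeholder guess, not a password taken from the post
            print(tok["username"], "->", verify_token(tok, "changeit", now=LOG_TIME))
        else:
            fault = ET.fromstring(env).find(".//faultcode")
            print("fault:", fault.text if fault is not None else "none")
```

Running this against the logged token with a candidate password gives the same verdict the server gave, and that is exactly why the dump must be switched off after debugging: anyone who can read server.log gets the nonce, Created and digest needed for an offline guess at the password, and a token of type PasswordText would appear in clear. The fault the client receives is the generic wsse:FailedAuthentication, which by design does not say whether the user, the digest or the timestamp was the problem; the dump plus WSS1408 is what tells you.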