Version 7

    WS-Security Message Encrypt Example

     

    In this example we configure both the client and the server to encrypt the message body. Both also require encryption from the other side, so if you remove either the client or the server security deployment descriptor, the other party throws a fault explaining that the message did not meet its security requirements.

     

     

    Server configuration (jboss-wsse-server.xml)

         <?xml version="1.0" encoding="UTF-8"?>
         <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" 
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
           xsi:schemaLocation="http://www.jboss.com/ws-security/config
             http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
      1.   <key-store-file>WEB-INF/wsse.keystore</key-store-file>
      2.   <key-store-password>jbossws</key-store-password>
      3.   <trust-store-file>WEB-INF/wsse.truststore</trust-store-file>
      4.   <trust-store-password>jbossws</trust-store-password>
      5.   <config>
      6.     <encrypt type="x509v3" alias="wsse"></encrypt>
      7.     <requires>
      8.       <encryption></encryption>
             </requires>
           </config>
         </jboss-ws-security>
    

     

    Explanation

     

     

    1. This specifies that the key store we wish to use is WEB-INF/wsse.keystore, which is located in our war file.

    2. This specifies that the key store password is "jbossws".

    3. This specifies that the trust store we wish to use is WEB-INF/wsse.truststore, which is located in our war file.

    4. This specifies that the trust store password is also "jbossws".

    5. Here we start our root config block. The root config block is the default configuration for all services in this war file.

    6. This means that the server must encrypt the message body of all responses. Type means that we are to use an X.509v3 certificate (a standard certificate). The alias option says that the certificate of the party we are communicating with is in the key store under the "wsse" alias.

    7. Here we start our optional requires block. This block specifies all security requirements that must be met when the server receives a message.

    8. This means that all web services in this war file require the message body of incoming requests to be encrypted.

     

    Notes

     

    The key alias specified in the encrypt tag is usually different from the one you would specify in a sign tag. The reason is that, with encryption, you use the other party's public key, not your own key pair. This is normal two-way asymmetric encryption: each party encrypts with the other's public key, and only the matching private key, which is never given out, can decrypt the message. What this means to you is that when you want to set up encryption with another party, you need to get a certificate from them and import it into your keystore as a trustedCertEntry. You will then be able to send encrypted data to them. If this is mutual (they send data to you as well), then you will also need to give them your certificate.

    Note that encryption on its own provides confidentiality only. Anyone who holds the server's certificate can produce a request the server will accept, and nothing in this configuration detects a modified ciphertext, so the receiver learns neither who sent the message nor whether it was altered. The messages shown below also use RSA PKCS#1 v1.5 key transport and AES-CBC content encryption, both of which are malleable when the message is not signed. If sender authentication or integrity matters, combine the encrypt tag with a sign tag and require both signature and encryption.
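    The certificate exchange just described, as an added example using the JDK keytool (this is not a script from the JBossWS page or project). Each side generates its own key pair, exports only its certificate, and imports the other side's certificate as a trustedCertEntry under the alias the encrypt tag names. Store file names, the "client-key"/"server-key" aliases, subject names and the JKS store type are chosen for this example; the store password matches the descriptor above.

```shell
#!/bin/sh
# Added example, not from the JBossWS page or project: build the two keystores
# the exchange above describes. Each party generates its own key pair, exports
# only the certificate, and imports the other side's certificate under the
# alias the encrypt tag names ("wsse"). Store names, subject names, aliases and
# the JKS store type are chosen for this example; the password matches the
# descriptor above.
set -eu

WORK=${WORK:-$(mktemp -d)}
STOREPASS=jbossws

gen_keypair() {    # $1 keystore  $2 alias  $3 CN
    keytool -genkeypair -storetype JKS -keyalg RSA -keysize 2048 -validity 365 \
        -alias "$2" -dname "CN=$3, O=Example" \
        -keystore "$1" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

export_cert() {    # $1 keystore  $2 alias  $3 output .cer (certificate only, never the private key)
    keytool -exportcert -alias "$2" -keystore "$1" -storepass "$STOREPASS" -file "$3"
}

import_trusted() { # $1 keystore  $2 alias  $3 .cer to import as a trustedCertEntry
    keytool -importcert -noprompt -storetype JKS -alias "$2" -file "$3" \
        -keystore "$1" -storepass "$STOREPASS"
}

entry_type() {     # print PrivateKeyEntry or trustedCertEntry for alias $2 in keystore $1
    keytool -list -storetype JKS -keystore "$1" -storepass "$STOREPASS" -alias "$2" \
        | grep -o '[A-Za-z]*Entry' | head -n 1
}

build_stores() {
    gen_keypair "$WORK/client.keystore" client-key "wsse-client"
    gen_keypair "$WORK/server.keystore" server-key "wsse-server"
    export_cert "$WORK/client.keystore" client-key "$WORK/client.cer"
    export_cert "$WORK/server.keystore" server-key "$WORK/server.cer"
    # Each side trusts the *other* side's certificate; private keys never leave their store.
    import_trusted "$WORK/client.keystore" wsse "$WORK/server.cer"
    import_trusted "$WORK/server.keystore" wsse "$WORK/client.cer"
}

# Run as "sh keystores.sh run" to build the stores and show what each one holds.
if [ "${1:-}" = run ]; then
    build_stores
    for side in client server; do
        echo "$side.keystore: own key = $(entry_type "$WORK/$side.keystore" $side-key)," \
             "peer cert = $(entry_type "$WORK/$side.keystore" wsse)"
    done
fi
```

    After build_stores runs, each keystore holds exactly one PrivateKeyEntry (its own key pair) and one trustedCertEntry named "wsse" (the peer's certificate), which is the layout the encrypt tag above expects: "wsse" is what you encrypt to, and your own private key is what decrypts what the peer sends back.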

     

     

    Client configuration (jboss-wsse-client.xml)

         <?xml version="1.0" encoding="UTF-8"?>
         <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" 
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
           xsi:schemaLocation="http://www.jboss.com/ws-security/config   
             http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
      1.   <config>
      2.     <encrypt type="x509v3" alias="wsse"></encrypt>
      3.     <requires>
      4.       <encryption></encryption>
             </requires>
           </config>
         </jboss-ws-security>
    

     

    Explanation

     

     

    1. Here we start our root config block. The root config block is the default configuration for all web service clients (Call, Proxy objects).

    2. This means that the client must encrypt the message body of all requests it sends. Type means that we are to use an X.509v3 certificate (a standard certificate). The alias option says that the certificate/public key to use for encryption is in the key store under the "wsse" alias.

    3. Here we start our optional requires block. This block specifies all security requirements that must be met when the client receives a response.

    4. This means that all web service clients require the message body of the responses they receive to be encrypted.

     

    Notes

     

    • We did not specify a key store or trust store because standalone client apps take them from the wsse System properties instead. If this were a web or EJB client (a web service client packaged in a war or ejb jar file), we would have specified them in the client descriptor, as in the server example above.

     

     

    Client Request Before Encryption

     

    <?xml version="1.0" encoding="UTF-8"?>
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
      <env:Header></env:Header>
      <env:Body>
        <ns1:echoUserType xmlns:ns1="http://org.jboss.test.ws/wsse">
          <UserType_1 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <msg>Kermit</msg>
          </UserType_1>
        </ns1:echoUserType>
      </env:Body>
    </env:Envelope>
    

     

    Server Response Before Encryption

     

    <?xml version="1.0" encoding="UTF-8"?>
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
      <env:Header>
      </env:Header>
      <env:Body>
        <ns1:echoUserTypeResponse xmlns:ns1="http://org.jboss.test.ws/wsse">
          <result xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <msg>Kermit</msg>
          </result>
        </ns1:echoUserTypeResponse>
      </env:Body>
    </env:Envelope>
    

     

    Client Request After Encryption

     

    <?xml version="1.0" encoding="UTF-8"?>
    <env:Envelope
      xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'>
      <env:Header>
        <wsse:Security
          env:mustUnderstand='1'
          xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
          xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
          <wsse:BinarySecurityToken
            EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary'
            ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'
            wsu:Id='token-3-1129730718156-32112901'>
    MIIEQTCCA6qgAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgT
    Cldhc2hpbmd0b24xGDAWBgNVBAcTD1Nub3F1YWxtaWUgUGFzczETMBEGA1UEChMKSkJvc3MgSW5j
    LjELMAkGA1UECxMCUUExEjAQBgNVBAMTCWpib3NzLmNvbTEeMBwGCSqGSIb3DQEJARYPYWRtaW5A
    amJvc3MuY29tMB4XDTA1MDkxNTAwMDk0MVoXDTE1MDkxMzAwMDk0MVowgYsxCzAJBgNVBAYTAlVT
    MRMwEQYDVQQIEwpXYXNoaW5ndG9uMRMwEQYDVQQKEwpKQm9zcyBJbmMuMRQwEgYDVQQLEwtEZXZl
    bG9wbWVudDEVMBMGA1UEAxMMSmFzb24gR3JlZW5lMSUwIwYJKoZIhvcNAQkBFhZqYXNvbi5ncmVl
    bmVAamJvc3MuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzzj+VomXdEuHTg4g
    N9mN865eulLiAPITiZMLfz2ODuzF0pj39iTKhHM8IS6YQYbkPGRXMTmnCy0NFfMsVKTXs/9rZBMP
    1ko3kZopaN+XrUT8yxIiydL76QYcRpDGgxG9G4kc+mHdt0rZtARWVwoVPhO4Irx09AONpSYqdSq0
    8jMXscA+yXwvhDHGV+J4CCSmQgYVa95OdDaAMnWp5csAfg4eL/GTLI36Up4tjsFnMq5NFKsCnZ1q
    qxA1OO3CbhsK/IlEZw13alGJPJ1FgvaTZTZNh+h2YIKl//P5iQOtfURrzWsVwGcEa6S+lC72BJHj
    JBOw4byI/FTi1HCe6wd3iQIDAQABo4IBJjCCASIwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYd
    T3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFKzdWmBd7MDzEemEN6HMXIeq
    St86MIHHBgNVHSMEgb8wgbyAFEuV2BcIYuw61dmN9JIrAvNK+hZ+oYGYpIGVMIGSMQswCQYDVQQG
    EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEYMBYGA1UEBxMPU25vcXVhbG1pZSBQYXNzMRMwEQYD
    VQQKEwpKQm9zcyBJbmMuMQswCQYDVQQLEwJRQTESMBAGA1UEAxMJamJvc3MuY29tMR4wHAYJKoZI
    hvcNAQkBFg9hZG1pbkBqYm9zcy5jb22CCQCr9VL/ZBpN7zANBgkqhkiG9w0BAQUFAAOBgQDEU/Bs
    M2Pqcr8j8/NdYlgSYXX1R7u2wjYkRnW6jeHlxNm5XeuY0t4nr8fq5S05YOAlU4LTJuGNMB8kZUit
    hAU2QxkMLmKKsb+B1zIdzP756xC6x+5g0dXLIt0ItVjPv5GQIw1SRmQKBkfliwV5jOrkCzJ5/v04
    Hb1iUP9iqcdN2w==</wsse:BinarySecurityToken>
          <xenc:EncryptedKey
            xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'>
            <xenc:EncryptionMethod
              Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5'
              xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'></xenc:EncryptionMethod>
            <ds:KeyInfo
              xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
              <wsse:SecurityTokenReference
                wsu:Id='reference-4-1129730718171-7789321'>
                <wsse:Reference
                  URI='#token-3-1129730718156-32112901'
                  ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'></wsse:Reference>
              </wsse:SecurityTokenReference>
            </ds:KeyInfo>
            <xenc:CipherData
              xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'>
              <xenc:CipherValue
                xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'>
    TfO+w0eWCTnjjmJCdzhwv1/6LeWfWd7Ue6xSYq/ORkJz1P1OnXr1q3gX/HTS0Jxwg2aZ8yhL74Ay
    7eQBOgsh8cM7hJc9oWKucdTbuVbZR7zJIifO4dv/UzCcHtwMbxeFb+fQ84E0qf9VZvH18+hwISD7
    SQxp45LQ++SBN4Zu6rm9fhjD1lFIm1Dn1FSEKmPuHKm1c5P1rLXU0/aEsUXsyIUwhT85ZKUmNyiJ
    YyYh+6ZFaGasjtfyXSDg3MV7L1WBOeCrCP3/jUxTrCkCFDzdQC2zUTctLQa4AoI+gpfxBRzdmtbB
    EbGsI7NvR+gKLio+1NhpPhweyf9rv+LCj/W5dg==</xenc:CipherValue>
            </xenc:CipherData>
            <xenc:ReferenceList
              xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'>
              <xenc:DataReference
                URI='#encrypted-2-1129730718062-26684986'
                xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'></xenc:DataReference>
            </xenc:ReferenceList>
          </xenc:EncryptedKey>
        </wsse:Security>
      </env:Header>
      <env:Body
        wsu:Id='element-1-1129730718062-23360120'
        xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
        <xenc:EncryptedData
          Id='encrypted-2-1129730718062-26684986'
          Type='http://www.w3.org/2001/04/xmlenc#Content'
          xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'>
          <xenc:EncryptionMethod
            Algorithm='http://www.w3.org/2001/04/xmlenc#aes128-cbc'
            xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'></xenc:EncryptionMethod>
          <xenc:CipherData
            xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'>
            <xenc:CipherValue
              xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'>
    l/0Tfn0ahB4d37VwdmS1MrKnXJ0AMLBHGngC38KKQfgX1qWTha3N/Bxoo1NWs22xovts3xgohMTx
    fvl20qKntfiAfCKtooPTTASfgQ64uA04hQrblJ5V/XnyN6TuTakmBhyPeuYD34bISznnjYMniyqf
    Ppk41wBqu3vIV4mIeeknKGc9XFQ5fy9G1SBzBDHJ/05gBKBeEm3XZwivy4NNafn7U+vYxMzUMrTR
    Vpo66liahOWAYxTF6zuzivlyunlRfdEbkqVlDYWD9An5NhkH2iY2W5M/s033Uq34NPgRHQ3HbuZJ
    E4WUv+9JOfR3CfxWtupsJb/jqB4wJWp41uNUf1VvHvN5MVVtxxkwEuxjBPz3iq+46ZL6p/0E7WMP
    qJmMbqUvrf4nu1utH3NzhD3uqDHhkELtuIwE3xnjuG+XtLA8z9Upct9R/MXmojg3VDrYu4qEbztE
    tDj7G9MG49mdCQ==</xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedData>
      </env:Body>
    </env:Envelope>
    

     

    Server Response After Encryption

     

    <?xml version="1.0" encoding="UTF-8"?>
    <env:Envelope
      xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'>
      <env:Header>
        <wsse:Security
          env:mustUnderstand='1'
          xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
          xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
          <wsse:BinarySecurityToken
            EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary'
            ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'
            wsu:Id='token-6-1129730718812-26557006'>
    MIIEQTCCA6qgAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgT
    Cldhc2hpbmd0b24xGDAWBgNVBAcTD1Nub3F1YWxtaWUgUGFzczETMBEGA1UEChMKSkJvc3MgSW5j
    LjELMAkGA1UECxMCUUExEjAQBgNVBAMTCWpib3NzLmNvbTEeMBwGCSqGSIb3DQEJARYPYWRtaW5A
    amJvc3MuY29tMB4XDTA1MDkxNTAwMDk0MVoXDTE1MDkxMzAwMDk0MVowgYsxCzAJBgNVBAYTAlVT
    MRMwEQYDVQQIEwpXYXNoaW5ndG9uMRMwEQYDVQQKEwpKQm9zcyBJbmMuMRQwEgYDVQQLEwtEZXZl
    bG9wbWVudDEVMBMGA1UEAxMMSmFzb24gR3JlZW5lMSUwIwYJKoZIhvcNAQkBFhZqYXNvbi5ncmVl
    bmVAamJvc3MuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzzj+VomXdEuHTg4g
    N9mN865eulLiAPITiZMLfz2ODuzF0pj39iTKhHM8IS6YQYbkPGRXMTmnCy0NFfMsVKTXs/9rZBMP
    1ko3kZopaN+XrUT8yxIiydL76QYcRpDGgxG9G4kc+mHdt0rZtARWVwoVPhO4Irx09AONpSYqdSq0
    8jMXscA+yXwvhDHGV+J4CCSmQgYVa95OdDaAMnWp5csAfg4eL/GTLI36Up4tjsFnMq5NFKsCnZ1q
    qxA1OO3CbhsK/IlEZw13alGJPJ1FgvaTZTZNh+h2YIKl//P5iQOtfURrzWsVwGcEa6S+lC72BJHj
    JBOw4byI/FTi1HCe6wd3iQIDAQABo4IBJjCCASIwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYd
    T3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFKzdWmBd7MDzEemEN6HMXIeq
    St86MIHHBgNVHSMEgb8wgbyAFEuV2BcIYuw61dmN9JIrAvNK+hZ+oYGYpIGVMIGSMQswCQYDVQQG
    EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEYMBYGA1UEBxMPU25vcXVhbG1pZSBQYXNzMRMwEQYD
    VQQKEwpKQm9zcyBJbmMuMQswCQYDVQQLEwJRQTESMBAGA1UEAxMJamJvc3MuY29tMR4wHAYJKoZI
    hvcNAQkBFg9hZG1pbkBqYm9zcy5jb22CCQCr9VL/ZBpN7zANBgkqhkiG9w0BAQUFAAOBgQDEU/Bs
    M2Pqcr8j8/NdYlgSYXX1R7u2wjYkRnW6jeHlxNm5XeuY0t4nr8fq5S05YOAlU4LTJuGNMB8kZUit
    hAU2QxkMLmKKsb+B1zIdzP756xC6x+5g0dXLIt0ItVjPv5GQIw1SRmQKBkfliwV5jOrkCzJ5/v04
    Hb1iUP9iqcdN2w==</wsse:BinarySecurityToken>
          <xenc:EncryptedKey
            xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'>
            <xenc:EncryptionMethod
              Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5'
              xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'></xenc:EncryptionMethod>
            <ds:KeyInfo
              xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
              <wsse:SecurityTokenReference
                wsu:Id='reference-7-1129730718812-2553464'
                xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'>
                <wsse:Reference
                  URI='#token-6-1129730718812-26557006'
                  ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'
                  xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'></wsse:Reference>
              </wsse:SecurityTokenReference>
            </ds:KeyInfo>
            <xenc:CipherData
              xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'>
              <xenc:CipherValue
                xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'>
    qgdoVrFe2Tw1KOM6s7utOs40tWjg4c7I3rzF2dH+a0ZLqnkBnJ318T2gB7dNsYNdYCocLshD+/Cw
    S9uAeCJPEoOHDvgLO7fVddlkuIkDT9ldBs83tyRCI0R2jN6t++qfpYjYEcfvK7aDOFYRZRUOo0Gs
    jyMptlgu6RYNErjEx5KJnJkRER8Z8xInf/MUBmXBWL6agHLC3OW1edXFQewjnqapvhoGT3WT+55k
    TPy+r2B8+RjHoa1AlQEXL5mSHI8RQmdq+BSZJ41LDgvrzq2P5exkbMu1bLDmEPfQPvqLNpr9Y2dV
    wiM6HG5DeKjb2AaxIIjLwtwszf8LWlOeTNS7YA==</xenc:CipherValue>
            </xenc:CipherData>
            <xenc:ReferenceList
              xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'>
              <xenc:DataReference
                URI='#encrypted-5-1129730718812-11485193'
                xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'></xenc:DataReference>
            </xenc:ReferenceList>
          </xenc:EncryptedKey>
        </wsse:Security>
      </env:Header>
      <env:Body
        wsu:Id='element-4-1129730718812-7325679'
        xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
        <xenc:EncryptedData
          Id='encrypted-5-1129730718812-11485193'
          Type='http://www.w3.org/2001/04/xmlenc#Content'
          xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'>
          <xenc:EncryptionMethod
            Algorithm='http://www.w3.org/2001/04/xmlenc#aes128-cbc'
            xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'></xenc:EncryptionMethod>
          <xenc:CipherData
            xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'>
            <xenc:CipherValue
              xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'>
    HCJouXWqQ36e3xzk1KIndtPramVeFsq0Eo8TSDD7th/g8JDwd533p1KYQf8j+NbrtWhyvxOAuNH4
    fDqN2TBv/Nn7SU59L29VMy6ivrAA/mQahFapPuw6okuutQm+G6T5VDFR45Ygvb//ul6WdV76K98V
    1ay2ARE2KPlUTYVAuPt92CKXUmVR+Jyl5kK3JBx2sQA1NZZyCD0LZwJhapZHATMput/Gw3A9JRMe
    DOltmOhYVw9FcicNZSvW20UfYoycQE41rnLciHuw+vCgmMOFnkGsgFoU+ZUcYyJCDr92tR60VUlo
    03hLfWLbp3OIcCs7WbuetwYXibu0CdVGSxOt0rAocsLFOk/HjJhQcbcPXJ52COPuRnRrvM/scsAG
    4/DO1Z3yUS3rQh4Va92/s1xMHyIoebTvRPRaITVrW2rZhAfcK/l3Jh++56/9Yk7rlonUR2xRpMW/
    i9RqtH3Z/ytOwA==</xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedData>
      </env:Body>
    </env:Envelope>
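    A small audit of what the encrypted request and response above actually carry, as an added example (not code from the JBossWS page or project). It parses the wsse:Security header with the Python standard library, reports the key-transport and content algorithms, checks that the EncryptedKey's token reference and DataReference resolve to the BinarySecurityToken and the EncryptedData they claim, and notes the absence of a ds:Signature and a wsu:Timestamp. SAMPLE_REQUEST is constructed from the "Client Request After Encryption" above with the long base64 values shortened; the warning policy is this example's own.

```python
"""Audit the WS-Security protection on a SOAP envelope (xml.etree only).

Added example, not code from the JBossWS page or project. Given an envelope
like the encrypted request/response above, it reports the algorithms in use,
whether the EncryptedKey's token and data references resolve, and whether the
message is signed or timestamped. SAMPLE_REQUEST is constructed from the
page's "Client Request After Encryption" with the base64 values shortened.
"""
import xml.etree.ElementTree as ET

NS = {
    "env": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_15 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"  # PKCS#1 v1.5 key transport

SAMPLE_REQUEST = """<env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'>
  <env:Header>
    <wsse:Security env:mustUnderstand='1'
        xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
        xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
      <wsse:BinarySecurityToken wsu:Id='token-3-1129730718156-32112901'
          ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'
          >MIIEQTCCA6qgAwIBAgIBAz...</wsse:BinarySecurityToken>
      <xenc:EncryptedKey xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'>
        <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5'/>
        <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
          <wsse:SecurityTokenReference wsu:Id='reference-4-1129730718171-7789321'>
            <wsse:Reference URI='#token-3-1129730718156-32112901'/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData><xenc:CipherValue>TfO+w0eWCTnj...</xenc:CipherValue></xenc:CipherData>
        <xenc:ReferenceList><xenc:DataReference URI='#encrypted-2-1129730718062-26684986'/></xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </env:Header>
  <env:Body wsu:Id='element-1-1129730718062-23360120'
      xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
    <xenc:EncryptedData Id='encrypted-2-1129730718062-26684986' xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'
        Type='http://www.w3.org/2001/04/xmlenc#Content'>
      <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#aes128-cbc'/>
      <xenc:CipherData><xenc:CipherValue>l/0Tfn0ahB4d...</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </env:Body>
</env:Envelope>"""


def _resolve(ids, uri):
    """Map an intra-document reference such as '#token-3-...' to its element, or None."""
    return ids.get(uri[1:]) if uri.startswith("#") else None


def audit_envelope(xml_text):
    """Return a dict describing how the envelope is protected and what is missing."""
    root = ET.fromstring(xml_text)
    report = {"key_transport": None, "content_algorithms": [], "body_encrypted": False,
              "signed": False, "timestamped": False, "references_resolve": True, "warnings": []}
    security = root.find("env:Header/wsse:Security", NS)
    if security is None:
        report["warnings"].append("no wsse:Security header")
        return report
    report["signed"] = security.find("ds:Signature", NS) is not None
    report["timestamped"] = security.find("wsu:Timestamp", NS) is not None

    # Index every element carrying a wsu:Id or a plain Id so references can be checked.
    ids = {}
    for el in root.iter():
        for attr in ("{%s}Id" % NS["wsu"], "Id"):
            if attr in el.attrib:
                ids[el.attrib[attr]] = el

    enc_key = security.find("xenc:EncryptedKey", NS)
    if enc_key is not None:
        method = enc_key.find("xenc:EncryptionMethod", NS)
        report["key_transport"] = None if method is None else method.get("Algorithm")
        # The token the session key was wrapped for must be present in the header ...
        ref = enc_key.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
        if ref is None or _resolve(ids, ref.get("URI", "")) is None:
            report["references_resolve"] = False
        # ... and every DataReference must point at an xenc:EncryptedData element.
        for data_ref in enc_key.findall("xenc:ReferenceList/xenc:DataReference", NS):
            target = _resolve(ids, data_ref.get("URI", ""))
            if target is None or target.tag != "{%s}EncryptedData" % NS["xenc"]:
                report["references_resolve"] = False

    for enc_data in root.findall("env:Body/xenc:EncryptedData", NS):
        report["body_encrypted"] = True
        method = enc_data.find("xenc:EncryptionMethod", NS)
        report["content_algorithms"].append(None if method is None else method.get("Algorithm"))

    if report["key_transport"] == RSA_15:
        report["warnings"].append("rsa-1_5 key transport: PKCS#1 v1.5 padding is exposed to "
                                  "Bleichenbacher-style padding oracles")
    if report["body_encrypted"] and not report["signed"]:
        report["warnings"].append("encrypted but unsigned: no sender authentication or integrity, "
                                  "and CBC ciphertext can be modified undetected")
    if not report["timestamped"]:
        report["warnings"].append("no wsu:Timestamp: nothing limits replay of a captured message")
    if not report["references_resolve"]:
        report["warnings"].append("EncryptedKey references do not resolve to header token / body data")
    return report
```

    Run against the sample, the report shows rsa-1_5 key transport, aes128-cbc content encryption, an encrypted body whose references resolve, and no signature or timestamp, with three warnings. Feeding it the server response above gives the same picture, since both directions are built the same way. The reference check matters in practice: a receiver that decrypts whatever the DataReference points at, without confirming it is the element it expected, is what makes wrapping-style attacks on WS-Security possible.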