JBossWS allows you to require that requests to a given endpoint use SSL by specifying the transportGuarantee attribute in the @WebContext annotation.
Here is an example using an SLSB endpoint (transportGuarantee="CONFIDENTIAL" makes the container refuse or redirect any plain-HTTP request for the endpoint; secureWSDLAccess=false leaves the WSDL itself retrievable without authentication):

    @Stateless
    @SecurityDomain("JBossWS")
    @RolesAllowed("friend")
    @WebContext(
        contextRoot = "/my-cxt",
        urlPattern = "/*",
        authMethod = "BASIC",
        transportGuarantee = "CONFIDENTIAL",
        secureWSDLAccess = false
    )
    public class EndpointEJB implements EndpointInterface
    {
        ...
    }
Similarly, to enforce the same requirement on a POJO endpoint, edit web.xml and add a user-data-constraint element to the security-constraint that covers the endpoint's URL pattern. Note that the guarantee only applies to patterns listed in that constraint; an endpoint reachable through a pattern with no CONFIDENTIAL constraint is still served over plain HTTP:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>All resources</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>friend</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

    <security-role>
      <role-name>friend</role-name>
    </security-role>
If you are writing your service contract by hand, make sure the endpoint address published in the WSDL uses a secure protocol; otherwise clients that read the address from the WSDL will connect over plain HTTP and be rejected (or redirected) by the constraint above. The easiest way is to use "https://" and the SSL connector port in the soap:address entry:

    <service name="MyService">
      <port name="BasicSecuredPort" binding="tns:MyBinding">
        <soap:address location="https://localhost:8443/my-ctx/SecureEndpoint"/>
      </port>
    </service>
For this to work the Tomcat SSL connector must be enabled in the server configuration:

    <Connector port="8443" address="${jboss.bind.address}"
        maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
        scheme="https" secure="true" clientAuth="want"
        keystoreFile="${jboss.server.home.dir}/conf/keystores/wsse.keystore"
        keystorePass="jbossws"
        truststoreFile="${jboss.server.home.dir}/conf/keystores/wsse.keystore"
        truststorePass="jbossws"
        sslProtocol="TLS" />

A few things to keep in mind with this sample connector: the password "jbossws" and the wsse.keystore file are the ones shipped with the JBossWS samples and must be replaced with your own keystore and secret; clientAuth="want" only asks the client for a certificate and still accepts connections without one, so set clientAuth="true" if you actually require client certificates; and the same file is used here as both keystore and truststore, which is convenient for a self-signed test setup but in production the truststore should contain only the CA certificates you trust to issue client certificates. Please refer to the Tomcat 5.5 SSL Configuration HOWTO for further details.
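The two checks a practitioner wants before deploying are that every URL pattern in web.xml is actually covered by a CONFIDENTIAL guarantee and that no soap:address in the WSDL still points at "http://". The script below is an added example, not part of the JBossWS documentation or code base; it audits a constructed web.xml and WSDL (sample documents written for this example, one endpoint deliberately left unprotected in each) using only the Python standard library. It assumes the rule applied by Tomcat when several security-constraints match the same pattern, namely that the weakest transport guarantee among them governs the request.

```python
"""Audit a JBossWS deployment's web.xml and WSDL for endpoints reachable over plain HTTP."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample web.xml: /SecureEndpoint is CONFIDENTIAL, /LegacyEndpoint has
# an auth-constraint but no user-data-constraint, so it is still served over HTTP.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure endpoint</web-resource-name>
      <url-pattern>/SecureEndpoint</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>friend</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Legacy endpoint</web-resource-name>
      <url-pattern>/LegacyEndpoint</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>friend</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>friend</role-name></security-role>
</web-app>
"""

# Constructed sample WSDL: one port published over https, one left on http.
WSDL = """<definitions name="MyService" targetNamespace="urn:example"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="urn:example">
  <service name="MyService">
    <port name="BasicSecuredPort" binding="tns:MyBinding">
      <soap:address location="https://localhost:8443/my-ctx/SecureEndpoint"/>
    </port>
    <port name="LegacyPort" binding="tns:MyBinding">
      <soap:address location="http://localhost:8080/my-ctx/LegacyEndpoint"/>
    </port>
  </service>
</definitions>
"""

# Ordering of transport guarantees, weakest first.
RANK = {"NONE": 0, "INTEGRAL": 1, "CONFIDENTIAL": 2}


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def _find_all(elem, name):
    """All descendants (including elem) whose local tag name is `name`."""
    return [e for e in elem.iter() if _local(e.tag) == name]


def audit_web_xml(web_xml):
    """Map every url-pattern to the transport guarantee that governs it.

    A security-constraint without a user-data-constraint counts as NONE. When the
    same pattern appears in several constraints the weakest guarantee is recorded
    (assumed here to match how Tomcat combines overlapping constraints).
    """
    root = ET.fromstring(web_xml)
    coverage = {}
    for sc in _find_all(root, "security-constraint"):
        tg = _find_all(sc, "transport-guarantee")
        guarantee = (tg[0].text or "NONE").strip().upper() if tg else "NONE"
        for pat in _find_all(sc, "url-pattern"):
            p = (pat.text or "").strip()
            if p not in coverage or RANK.get(guarantee, 0) < RANK.get(coverage[p], 0):
                coverage[p] = guarantee
    return coverage


def insecure_patterns(web_xml):
    """URL patterns that a plain-HTTP client could reach (anything below CONFIDENTIAL)."""
    return sorted(p for p, g in audit_web_xml(web_xml).items()
                  if RANK.get(g, 0) < RANK["CONFIDENTIAL"])


def plaintext_wsdl_addresses(wsdl):
    """soap:address locations in the WSDL whose scheme is not https."""
    root = ET.fromstring(wsdl)
    return [addr.get("location", "") for addr in _find_all(root, "address")
            if urlparse(addr.get("location", "")).scheme.lower() != "https"]


if __name__ == "__main__":
    print("web.xml coverage:", audit_web_xml(WEB_XML))
    print("patterns served over plain HTTP:", insecure_patterns(WEB_XML))
    print("non-https WSDL addresses:", plaintext_wsdl_addresses(WSDL))
```

Run against your own deployment by reading the real web.xml and the WSDL the server publishes (for example the ?wsdl URL) into the two strings; an empty result from both `insecure_patterns` and `plaintext_wsdl_addresses` is what you want to see before the endpoint goes live.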
Client side
On the client side a truststore containing the server certificate (or the CA that issued it) must be installed; the keystore is only needed when the server's connector asks for a client certificate (clientAuth). With the JBossWS test suite this is done through Ant system properties:

    <sysproperty key="javax.net.ssl.keyStore" value="${test.resources.dir}/wsse/wsse.keystore"/>
    <sysproperty key="javax.net.ssl.trustStore" value="${test.resources.dir}/wsse/wsse.truststore"/>
    <sysproperty key="javax.net.ssl.keyStorePassword" value="jbossws"/>
    <sysproperty key="javax.net.ssl.trustStorePassword" value="jbossws"/>
    <sysproperty key="javax.net.ssl.keyStoreType" value="jks"/>
    <sysproperty key="javax.net.ssl.trustStoreType" value="jks"/>

As you can see, this requires you to set up the client environment with the location, password and type of your truststore (and keystore). The same javax.net.ssl.* properties can be passed to any JVM client with -D on the command line.
Finally, in case you see the following exception:

    java.io.IOException: HTTPS hostname wrong: should be <localhost>
        at sun.net.www.protocol.https.HttpsClient.checkURLSpoofing(HttpsClient.java:493)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:418)

the host name in the endpoint URL does not match the name in the server certificate (the certificate in the sample keystore was issued for "localhost"). The proper fix is to issue the server certificate for the host name clients actually use, or to point the client at that name. For test environments only, you can instead disable the URL host check on the client side:

    <sysproperty key="org.jboss.security.ignoreHttpsHost" value="true"/>

Be aware that this removes the check that ties the certificate to the host you meant to reach, so any server holding a certificate your truststore accepts could impersonate the endpoint. Do not ship this setting in a production client.
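Rather than disabling the host check, generate a keystore whose certificate actually names the host the client connects to. The script below is an added example (not part of JBossWS or its samples) that drives the JDK's keytool from Python to create a wsse.keystore and a matching wsse.truststore like the ones used on this page, with a CN and a subjectAltName for the chosen host, and then reads the certificate back to confirm that the name the client will use is present. It assumes keytool is on the PATH and, as in the page's samples, uses "jbossws" as the store password; the file and alias names are chosen here for illustration.

```python
"""Create server keystore + client truststore whose certificate names the right host.

Assumes the JDK's keytool is on the PATH. A certificate issued for the name the
client actually uses is the correct fix for "HTTPS hostname wrong: should be <...>";
disabling the check with org.jboss.security.ignoreHttpsHost is a test-only workaround.
"""
import os
import shutil
import subprocess
import tempfile

STORE_PASS = "jbossws"   # the page's sample password; use a real secret in production
ALIAS = "wsse"           # illustrative alias, chosen for this example


def keytool_available():
    """True if the JDK keytool can be found on the PATH."""
    return shutil.which("keytool") is not None


def _run(args):
    """Run keytool with English messages so that its output can be parsed."""
    cmd = ["keytool", "-J-Duser.language=en", *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def make_keystores(host, directory, ip="127.0.0.1"):
    """Generate wsse.keystore (private key + cert) and wsse.truststore (cert only).

    The certificate carries CN=<host> and a SAN listing <host> and <ip>, so a
    client calling https://<host>:8443/... passes the HTTPS hostname check.
    """
    keystore = os.path.join(directory, "wsse.keystore")
    truststore = os.path.join(directory, "wsse.truststore")
    cert = os.path.join(directory, "wsse.crt")
    _run(["-genkeypair", "-alias", ALIAS, "-keyalg", "RSA", "-keysize", "2048",
          "-sigalg", "SHA256withRSA", "-validity", "365",
          "-dname", f"CN={host}, OU=JBossWS, O=Example",
          "-ext", f"SAN=dns:{host},ip:{ip}",
          "-keystore", keystore, "-storetype", "JKS",
          "-storepass", STORE_PASS, "-keypass", STORE_PASS])
    # Export the public certificate and import it into a separate truststore:
    # the client needs the certificate, never the server's private key.
    _run(["-exportcert", "-alias", ALIAS, "-keystore", keystore,
          "-storepass", STORE_PASS, "-rfc", "-file", cert])
    _run(["-importcert", "-noprompt", "-alias", ALIAS, "-file", cert,
          "-keystore", truststore, "-storetype", "JKS", "-storepass", STORE_PASS])
    return {"keystore": keystore, "truststore": truststore}


def cert_names(truststore):
    """Subject (Owner) and SAN DNS names that keytool -list -v reports for the cert."""
    out = _run(["-list", "-v", "-keystore", truststore, "-storepass", STORE_PASS])
    lines = out.splitlines()
    dns = [ln.split("DNSName:", 1)[1].strip() for ln in lines if "DNSName:" in ln]
    owner = next((ln.split("Owner:", 1)[1].strip() for ln in lines
                  if ln.startswith("Owner:")), "")
    return {"owner": owner, "dns": dns}


def cert_matches_host(truststore, host):
    """Would the HTTPS hostname check accept this certificate for `host`?

    The check passes when the host appears in the SAN (preferred) or as the CN.
    """
    names = cert_names(truststore)
    return host in names["dns"] or names["owner"].startswith(f"CN={host},")


def demo(host="localhost"):
    """Build the stores in a temp dir and check the right and a wrong host name.

    Returns None when keytool is not installed, otherwise (match, mismatch).
    """
    if not keytool_available():
        return None
    with tempfile.TemporaryDirectory() as d:
        stores = make_keystores(host, d)
        return (cert_matches_host(stores["truststore"], host),
                cert_matches_host(stores["truststore"], "other.example"))


if __name__ == "__main__":
    print(demo("localhost"))
```

Copy the generated wsse.keystore to the server's conf/keystores directory and point the client's javax.net.ssl.trustStore property at wsse.truststore; with the host name in the endpoint URL matching the certificate, the "HTTPS hostname wrong" exception goes away without touching org.jboss.security.ignoreHttpsHost.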