14 Replies Latest reply on Aug 1, 2006 4:46 PM by acxjbertr

    WS-Security Signing for EJB

    acxjbertr

      I am trying to use WS-Security to sign the contents of my SOAP requests/responses. I have successfully compiled, deployed, and tested the wssecurity example from http://labs.jboss.com/file-access/default/members/jbossws/downloads/jbossws-samples-1.0.0.GA.zip. However, the example uses a servlet-based Web Service and I am attempting to deploy an EJB (JSR-109) based Web Service, and I can't seem to make the server enforce WS-Security message signing.

      I took the wsse.keystore and wsse.truststore from the example as well as the jboss-wsse-server.xml (but I changed "WEB-INF" to "META-INF") and put them all into the META-INF directory of my EJB. Here is the structure of my EJB jar:

      com
      com\mycompany
      com\mycompany\us
      com\mycompany\us\ejb
      com\mycompany\us\ejbConstants.class
      com\mycompany\us\ejbJBossTest2Bean.class
      com\mycompany\us\ejbJBossTest2Endpoint.class
      com\mycompany\us\ejbJBossTest2Endpoint_prescreen_RequestStruct.class
      com\mycompany\us\ejbJBossTest2Endpoint_prescreen_ResponseStruct.class
      com\mycompany\us\ejbJBossTest2SessionBean.class
      META-INF
      META-INF\wsdl
      META-INF\wsdl\JBossTest2.wsdl
      META-INF\ejb-jar.xml
      META-INF\jaxrpc-mapping.xml
      META-INF\jboss-wsse-server.xml
      META-INF\jboss.xml
      META-INF\MANIFEST.MF
      META-INF\webservices.xml
      META-INF\wsse.keystore
      META-INF\wsse.truststore

      This jar is in an ear with a few other jars (libraries). It deploys and runs fine - it just won't enforce WS-Security signing.

      Here is my jboss-wsse-server.xml:

      <?xml version="1.0" encoding="UTF-8"?>
      
      <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
       <key-store-file>META-INF/wsse.keystore</key-store-file>
       <key-store-password>jbossws</key-store-password>
       <trust-store-file>META-INF/wsse.truststore</trust-store-file>
       <trust-store-password>jbossws</trust-store-password>
       <config>
         <sign type="x509v3" alias="wsse"/>
         <requires>
           <signature/>
         </requires>
       </config>
      </jboss-ws-security>
      


        • 1. Re: WS-Security Signing for EJB
          cliffb53

          You have to add something like this to jboss.xml as well:

          <webservice-description>
            <webservice-description-name>YourServiceNameGoesHere</webservice-description-name>
            <config-name>Standard Secure Endpoint</config-name>
          </webservice-description>


          One webservice-description for each service. If you have a service named DemoService, this is the value you should put in the webservice-description-name tag.

          • 2. Re: WS-Security Signing for EJB
            cliffb53

            Sorry, I forgot to enclose the webservice-description in webservices tags (mind the spaces in the example below!).

            The end result should be something like this:
            < webservices >
              <webservice-description>
                <webservice-description-name>YourServiceNameHere</webservice-description-name>
                <config-name>Standard Secure Endpoint</config-name>
              </webservice-description>
            < /webservices >

            Oh, by the way, the config-name is configured under <_server_>/deploy/jboss14.sar/META-INF/standard-jbossws-endpoint-config.xml.

            • 3. Re: WS-Security Signing for EJB
              acxjbertr

              Awesome! Thanks cliffb53. It worked like a charm. Here is my jboss.xml now (for those who may need this later):

              <!DOCTYPE jboss PUBLIC "-//JBoss//DTD JBOSS 4.0//EN" "http://www.jboss.org/j2ee/dtd/jboss_4_0.dtd">
              <jboss>
               <!--<security-domain>java:/jaas/JBossWS</security-domain>--> <!-- This links to conf/login-config.xml in jboss point to a security domain -->
               <enterprise-beans>
                 <session>
                   <ejb-name>JBossTest2</ejb-name>
                   <jndi-name>JBossTest2</jndi-name>
                   <resource-ref>
                     <description>Database Reference to DataSource</description>
                     <res-ref-name>jdbc/jbossTest2DB</res-ref-name>
                     <jndi-name>java:/jbossTest2DB</jndi-name>
                   </resource-ref>
                   <port-component>
                     <port-component-name>JBossTest2Endpoint</port-component-name>
                     <!--<auth-method>BASIC</auth-method>-->
                     <port-component-uri>/jbosstest2/1.0</port-component-uri>
                   </port-component>
                 </session>
               </enterprise-beans>
               <webservices>
                 <webservice-description>
                   <webservice-description-name>JBossTest2</webservice-description-name>
                   <config-name>Standard Secure Endpoint</config-name>
                 </webservice-description>
               </webservices>
              </jboss>


              When I send requests to my service now I get:

              <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
               <env:Header/>
               <env:Body>
               <env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
               <faultcode>wsse:InvalidSecurity</faultcode>
               <faultstring>This service requires <wsse:Security>, which is missing.</faultstring>
               </env:Fault>
               </env:Body>
              </env:Envelope>


              Which is what I was wanting.

              One question I have now is, how do I generate requests that fulfill the security requirements (i.e. how do I sign requests)?
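
Added example, not part of the original thread and not JBossWS code: a pre-deployment check for the two pieces the posts above identify, a `jboss-wsse-server.xml` that requires a signature and a `jboss.xml` that binds each service to `Standard Secure Endpoint` inside `<webservices>`. The names `audit_ejb_jar` and `build_jar` are hypothetical, and the sample XML is constructed from the files shown in the thread.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = "{http://www.jboss.com/ws-security/config}"
SECURE = "Standard Secure Endpoint"  # config-name quoted in the thread

def audit_ejb_jar(jar_bytes):
    """Return findings; an empty list means both halves of the setup are present."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        # Half 1: the WS-Security policy must require a signature on requests.
        if "META-INF/jboss-wsse-server.xml" not in names:
            findings.append("missing META-INF/jboss-wsse-server.xml")
        else:
            wsse = ET.fromstring(jar.read("META-INF/jboss-wsse-server.xml"))
            if wsse.find(f"{NS}config/{NS}requires/{NS}signature") is None:
                findings.append("no <requires><signature/> in jboss-wsse-server.xml")
        # Half 2: jboss.xml must bind every service to the secure endpoint config.
        if "META-INF/jboss.xml" not in names:
            findings.append("missing META-INF/jboss.xml")
        else:
            jboss = ET.fromstring(jar.read("META-INF/jboss.xml"))
            services = jboss.findall("webservices/webservice-description")
            if not services:
                findings.append("no <webservices>/<webservice-description> in jboss.xml")
            for svc in services:
                if (svc.findtext("config-name") or "").strip() != SECURE:
                    name = svc.findtext("webservice-description-name")
                    findings.append(f"service '{name}' lacks config-name '{SECURE}'")
    return findings

def build_jar(files):
    """Build an in-memory jar from {path: text}; used only for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for path, text in files.items():
            jar.writestr(path, text)
    return buf.getvalue()

# Constructed samples, trimmed from the thread's files; BAD has no <webservices>.
WSSE = ('<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config">'
        '<config><sign type="x509v3" alias="wsse"/><requires><signature/></requires>'
        '</config></jboss-ws-security>')
JBOSS_OK = ('<jboss><webservices><webservice-description>'
            '<webservice-description-name>JBossTest2</webservice-description-name>'
            '<config-name>Standard Secure Endpoint</config-name>'
            '</webservice-description></webservices></jboss>')
GOOD = build_jar({"META-INF/jboss-wsse-server.xml": WSSE, "META-INF/jboss.xml": JBOSS_OK})
BAD = build_jar({"META-INF/jboss-wsse-server.xml": WSSE, "META-INF/jboss.xml": "<jboss/>"})

if __name__ == "__main__":
    print(audit_ejb_jar(GOOD), audit_ejb_jar(BAD))
```

The check only inspects the archive; whether the server actually rejects an unsigned request still has to be confirmed against the deployed endpoint, as the fault shown above does.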

              • 4. Re: WS-Security Signing for EJB
                cliffb53

                I think that the User Manual has an example of that. If you're using some other framework you should consult their documentation as well.

                I was only testing how to do that and I was using SOAPui which doesn't seem to support WS-Security so I haven't done a complete test (actually, I stopped as soon as I got that very same fault :-) ).

                • 5. Re: WS-Security Signing for EJB
                  acxjbertr

                  I haven't been able to find anything in the User Guide about writing client code to consume Web Services protected by WS-Security. The documentation didn't even have the jboss.xml information you provided. In fact, the documentation is pretty sparse overall. I understand this is just 1.0, but this seems like pretty basic stuff most people would want to do.

                  I also use SoapUI and am looking forward to more WS-Security integration in future releases.

                  Thanks again for your help.

                  • 6. Re: WS-Security Signing for EJB
                    cliffb53

                    You're absolutely right, I went to check the userguide and the only mention to a client setup is when an EJB consumes a webservice (I think).

                    My next suggestion then is to check Axis (http://ws.apache.org/axis/java/user-guide.html#ConsumingWebServicesWithAxis) or the Java Web Services Developer pack from SUN. Actually, my best bet is JWSDP which is available at http://java.sun.com/webservices/reference/techart/index.html.

                    If you do get around to playing with any of these, can you post back some results? Although I'm somewhat interested in those frameworks I have little to no time for playing with them at the moment.

                    • 7. Re: WS-Security Signing for EJB
                      arsathish

                      Hi,

                      I am working on the same thing, using JBOSS4.0.1Sp1. I have configured my jboss.xml in the same manner as specified. But still the server doesn't seem to sign the requests and responses. And moreover it accepts plain requests which are not signed. This is my jboss.xml:



                      <enterprise-beans>

                      <ejb-name>HelloBean</ejb-name>
                      <jndi-name>ejb/HelloBean</jndi-name>
                      <port-component>
                      <port-component-name>Hello</port-component-name>
                      <port-component-uri>/jboss-at-work/Hello</port-component-uri>
                      <transport-guarantee>NONE</transport-guarantee>
                      </port-component>

                      </enterprise-beans>

                      <webservice-description>
                      <webservice-description-name>HelloBean</webservice-description-name>
                      <config-name>Standard Secure Endpoint</config-name>
                      </webservice-description>



                      This is the client I am using to access the server:

                      import com.ws.Hello;
                      import javax.xml.rpc.Service;
                      import javax.xml.rpc.ServiceFactory;
                      import javax.xml.namespace.QName;
                      import java.net.URL;

                      public class HelloClient
                      {
                          public static void main(String[] args)
                              throws Exception
                          {
                              String urlstr = args[0];

                              System.out.println("Contacting webservice at " + urlstr);
                              URL url = new URL(urlstr);
                              QName qname = new QName("http://127.0.0.1:8080/jboss-at-work", "HelloService");
                              ServiceFactory factory = ServiceFactory.newInstance();
                              Service service = factory.createService(url, qname);
                              Hello hello = (Hello) service.getPort(Hello.class);
                              String argument = "Contract for gear boxes ";
                              System.out.println("hello.echoHello(" + argument + ")");
                              System.out.println("output:" + hello.echoHello(argument));
                          }
                      }

                      I am able to get a response from the server.

                      I want to know:
                      1) how to configure the server so that it accepts only signed messages.
                      2) how to configure clients so that their requests are signed.

                      This is my jboss-wsse-server.xml

                      <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                      xsi:schemaLocation="http://www.jboss.com/ws-security/config
                      http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
                      <key-store-file>META-INF/wsdomain.jks</key-store-file>
                      <key-store-password>wsstorepass</key-store-password>
                      <trust-store-file>META-INF/wsdomaintrust.jks</trust-store-file>
                      <trust-store-password>wsstorepass</trust-store-password>






                      </jboss-ws-security>

                      TIA,
                      Sathish

                      • 8. Re: WS-Security Signing for EJB
                        jason.greene

                         

                        "cliffb53" wrote:
                        You're absolutely right, I went to check the userguide and the only mention to a client setup is when an EJB consumes a webservice (I think).


                        The client configuration is the same for all types of client deployments. Take a look at the sample, specifically the two test cases.

                        Also ws-security is thoroughly documented in the wiki:

                        http://wiki.jboss.org/wiki/Wiki.jsp?page=WSSecurity

                        -Jason

                        • 9. Re: WS-Security Signing for EJB
                          arsathish

                          Hi Jason,

                          The problem is I am not able to make the server accept only signed requests. So my normal client program, which doesn't make use of certificates, is still able to communicate with the server and get the plain response.

                          FYI, I am using JBOSS-4.0.1SP1.

                          -Sathish

                          • 10. Re: WS-Security Signing for EJB
                            arsathish

                            Hi acxjbertr,

                            After struggling with JBOSS 4.0.1 without any gain, I have started using JBoss 4.0.4 with JBOSS WS-1.0.0 GA. And I am successful in configuring the server so that it accepts only signed messages.

                            Now I want to sign all the requests originating from a client. My client program is

                            import com.ws.Hello;
                            import javax.xml.rpc.Service;
                            import javax.xml.rpc.ServiceFactory;
                            import javax.xml.namespace.QName;
                            import java.net.URL;

                            public class HelloClient
                            {
                                public static void main(String[] args)
                                    throws Exception
                                {
                                    String urlstr = args[0];

                                    System.out.println("Contacting webservice at " + urlstr);
                                    URL url = new URL(urlstr);
                                    QName qname = new QName("http://127.0.0.1:8080/jboss-at-work", "HelloService");
                                    ServiceFactory factory = ServiceFactory.newInstance();
                                    Service service = factory.createService(url, qname);
                                    Hello hello = (Hello) service.getPort(Hello.class);
                                    String argument = "Say HELLO";
                                    System.out.println("hello.echoHello(" + argument + ")");
                                    System.out.println("output:" + hello.echoHello(argument));
                                }
                            }

                            And my jboss-wsse-client.xml is here:

                            <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                            xsi:schemaLocation="http://www.jboss.com/ws-security/config
                            http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">






                            </jboss-ws-security>

                            How should I make the client sign its requests? Are you successful in this? If so, guide me.

                            Thanks
                            Sathish

                            • 11. Re: WS-Security Signing for EJB
                              acxjbertr

                              arsathish,

                              You are now exactly where I was in my original post. Unfortunately I still haven't figured it out. If I ever do I will post it back to this thread. Good luck!

                              • 12. Re: WS-Security Signing for EJB
                                pma

                                I read the topic about "WS-Security Signing for EJB".
                                I set up the server signing successfully.
                                But I still don't know how to set up the client when an EJB consumes a webservice.


                                I put the wsse.keystore, wsse.truststore and jboss-wsse-client.xml in the META-INF folder.

                                Also I added the reference to the webservice as follows in the ejb-jar.xml.

                                <service-ref>
                                <service-ref-name>service/serverCTIM_ServiceProxy</service-ref-name>
                                <config-name>Standard Secure Client</config-name>
                                <config-file>META_INF/jboss-wsse-client.xml</config-file>
                                <service-interface>javax.xml.rpc.Service</service-interface>
                                <wsdl-file>META-INF/wsdl/serverCTIM_ServiceProxy.wsdl</wsdl-file>
                                <jaxrpc-mapping-file>META-INF/serverCTIM_ServiceProxy-jaxrpc-mapping.xml</jaxrpc-mapping-file>

                                <handler-name>WSSecurityHandlerOutbound</handler-name>
                                <handler-class>org.jboss.ws.wsse.WSSecurityHandlerOutbound</handler-class>

                                <port-component-ref>
                                <service-endpoint-interface>com.type.CTSEI</service-endpoint-interface>
                                </port-component-ref>
                                </service-ref>

                                In the console it said: Cannot obtain security configuration
                                So it still does not work.
                                Where did I go wrong?

                                • 13. Re: WS-Security Signing for EJB
                                  shadens

                                  Has anyone news about this problem?

                                  Bye!

                                  • 14. Re: WS-Security Signing for EJB
                                    acxjbertr