SLSB exposed as WS security issue
okism Jan 13, 2009 1:31 AMI have SLSB exposed as WS. I tried to add security. WS is deployed as jar. I've placed jboss-wsse-server and keystore files into META-INF (together with persistence.xml).
<?xml version="1.0" encoding="UTF-8"?> <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd"> <key-store-file>META-INF/wsse.keystore</key-store-file> <key-store-password>jbossws</key-store-password> <trust-store-file>META-INF/wsse.truststore</trust-store-file> <trust-store-password>jbossws</trust-store-password> <config> <sign type="x509v3" alias="wsse"></sign> <encrypt type="x509v3" alias="wsse"></encrypt> <requires> <signature /> <encryption /> </requires> </config> </jboss-ws-security>
This configuration is read during deployment (if I put wrong locations of keystores, jar deployment breaks). However, when I try to access this WS with an unsecured client (generated using wsconsume) it responds normally (as if there is no security).
Endpoint interface:
import javax.ejb.Remote; import javax.jws.WebMethod; import javax.jws.WebService; import javax.jws.soap.SOAPBinding; @WebService(name = "CityFacadeProxy", targetNamespace="http://gint_scm_ws") @SOAPBinding(style=SOAPBinding.Style.DOCUMENT, use=SOAPBinding.Use.LITERAL, parameterStyle=SOAPBinding.ParameterStyle.WRAPPED) @Remote public interface CityFacadeSEI { @WebMethod public City createCity(String cityName) throws RemoteException; }
Implemetation bean:
import gint.scm.ws.entity.City; import javax.ejb.Remote; import javax.ejb.Stateless; import javax.jws.WebService; import javax.persistence.EntityManager; import javax.persistence.PersistenceContext; import javax.xml.ws.BindingType; import org.jboss.ws.annotation.EndpointConfig; import org.jboss.wsf.spi.annotation.WebContext; @Stateless @WebService(endpointInterface = "gint.scm.ws.session.CityFacadeSEI", serviceName = "CityFacadeServis", targetNamespace="http://gint_scm_ws") @WebContext(contextRoot="/SCM", urlPattern="/*") @BindingType(value = "http://schemas.xmlsoap.org/wsdl/soap/http?mtom=true") @EndpointConfig(configName = "Standard WSSecurity Endpoint") @Remote(CityFacadeSEI.class) public class CityFacadeBean implements CityFacadeSEI { @PersistenceContext(name = "scm") EntityManager em; public City createCity(String cityName) { em.persist(new City(cityName.hashCode(), cityName)); return new City(cityName.hashCode(), cityName); } }
What's wrong here? There are no examples for security for SLSB WS (or I couldn't find them in last 4 weeks).