2 Replies Latest reply on Jan 13, 2009 7:57 AM by okism

    SLSB exposed as WS security issue

    okism

      I have an SLSB exposed as a WS. I tried to add security. The WS is deployed as a jar. I've placed the jboss-wsse-server and keystore files into META-INF (together with persistence.xml).

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
        <key-store-file>META-INF/wsse.keystore</key-store-file>
        <key-store-password>jbossws</key-store-password>
        <trust-store-file>META-INF/wsse.truststore</trust-store-file>
        <trust-store-password>jbossws</trust-store-password>
        <config>
          <sign type="x509v3" alias="wsse"></sign>
          <encrypt type="x509v3" alias="wsse"></encrypt>
          <requires>
            <signature />
            <encryption />
          </requires>
        </config>
      </jboss-ws-security>
      

      This configuration is read during deployment (if I put wrong locations of keystores, jar deployment breaks). However, when I try to access this WS with an unsecured client (generated using wsconsume) it responds normally (as if there is no security).
      Endpoint interface:
      import gint.scm.ws.entity.City;

      import java.rmi.RemoteException;

      import javax.ejb.Remote;
      import javax.jws.WebMethod;
      import javax.jws.WebService;
      import javax.jws.soap.SOAPBinding;

      // Service endpoint interface (SEI) referenced by the bean's @WebService annotation.
      @WebService(name = "CityFacadeProxy", targetNamespace="http://gint_scm_ws")
      @SOAPBinding(style=SOAPBinding.Style.DOCUMENT, use=SOAPBinding.Use.LITERAL, parameterStyle=SOAPBinding.ParameterStyle.WRAPPED)
      @Remote
      public interface CityFacadeSEI {
          @WebMethod
          public City createCity(String cityName) throws RemoteException;
      }
      

      Implementation bean:
      import gint.scm.ws.entity.City;

      import javax.ejb.Remote;
      import javax.ejb.Stateless;
      import javax.jws.WebService;
      import javax.persistence.EntityManager;
      import javax.persistence.PersistenceContext;
      import javax.xml.ws.BindingType;

      import org.jboss.ws.annotation.EndpointConfig;
      import org.jboss.wsf.spi.annotation.WebContext;

      @Stateless
      @WebService(endpointInterface = "gint.scm.ws.session.CityFacadeSEI",
              serviceName = "CityFacadeServis", targetNamespace="http://gint_scm_ws")
      @WebContext(contextRoot="/SCM", urlPattern="/*")
      @BindingType(value = "http://schemas.xmlsoap.org/wsdl/soap/http?mtom=true")
      // Selects the WS-Security endpoint configuration for this endpoint.
      @EndpointConfig(configName = "Standard WSSecurity Endpoint")
      @Remote(CityFacadeSEI.class)
      public class CityFacadeBean implements CityFacadeSEI {

          @PersistenceContext(name = "scm")
          EntityManager em;

          public City createCity(String cityName) {
              em.persist(new City(cityName.hashCode(), cityName));
              return new City(cityName.hashCode(), cityName);
          }

      }

      What's wrong here? There are no examples of security for an SLSB WS (or I couldn't find them in the last 4 weeks).

        • 1. Re: SLSB exposed as WS security issue
          okism

          When I set the threshold to ALL in jboss-log4j.xml, there are several ClassNotFoundExceptions:
          org.springframework.scripting.config.LangNamespaceHandler
          org.springframework.ejb.config.JeeNamespaceHandler
          org.springframework.transaction.config.TxNamespaceHandler
          org.springframework.aop.config.AopNamespaceHandler

          Does this matter?

          • 2. Re: SLSB exposed as WS security issue
            okism

            Why did no one say that it has to be deployed on the 'all' configuration (4.2.3)?
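
Added example, not part of the original thread and not JBossWS code: a check that compares what the `<requires>` section of the posted configuration demands with what a captured SOAP request actually carries, which is the symptom described in the first post (the configuration is parsed, yet an unsecured request is answered normally). The two envelopes, the `Oslo` argument and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "cfg": "http://www.jboss.com/ws-security/config",
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# The <requires> part of the jboss-wsse-server.xml shown in the post.
CONFIG = f"""<jboss-ws-security xmlns="{NS['cfg']}">
  <config><requires><signature/><encryption/></requires></config>
</jboss-ws-security>"""

# Constructed sample: request from a plain wsconsume-generated client.
PLAIN = f"""<soap:Envelope xmlns:soap="{NS['soap']}">
  <soap:Body><ns:createCity xmlns:ns="http://gint_scm_ws">
    <arg0>Oslo</arg0></ns:createCity></soap:Body>
</soap:Envelope>"""

# Constructed sample: skeleton of a signed and encrypted request
# (element names only, no real key material or ciphertext).
SECURED = f"""<soap:Envelope xmlns:soap="{NS['soap']}"
    xmlns:wsse="{NS['wsse']}" xmlns:ds="{NS['ds']}" xmlns:xenc="{NS['xenc']}">
  <soap:Header><wsse:Security><xenc:EncryptedKey/><ds:Signature/></wsse:Security></soap:Header>
  <soap:Body><xenc:EncryptedData/></soap:Body>
</soap:Envelope>"""

def required_protections(config_xml):
    """Child element names of <requires>, e.g. {'signature', 'encryption'}."""
    req = ET.fromstring(config_xml).find("cfg:config/cfg:requires", NS)
    return set() if req is None else {c.tag.split("}")[-1] for c in req}

def applied_protections(envelope_xml):
    """Protections actually present in a captured SOAP envelope."""
    env = ET.fromstring(envelope_xml)
    found = set()
    if env.find("soap:Header/wsse:Security//ds:Signature", NS) is not None:
        found.add("signature")
    if env.find("soap:Body//xenc:EncryptedData", NS) is not None:
        found.add("encryption")
    return found

def missing_protections(config_xml, envelope_xml):
    """Required protections the message lacks; a request with a non-empty
    result that still gets a normal response means enforcement is off."""
    return required_protections(config_xml) - applied_protections(envelope_xml)
```

The check looks only at the structure of the message; it does not validate the signature or decrypt anything.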