7 Replies Latest reply on Apr 4, 2011 5:48 AM by asoldano

    WS-Security on JBoss 6 (with CXF)

    franky_b

      Hi guys,

       

      I'm struggling with implementing WS-Security UsernameToken authentication in JBoss 6 (M4 and above). As I could read in the release notes, starting with Milestone4 JBossWS-CXF is used instead of JBossWS-Native. All the documentation I could find concentrates on JBossWS in JBoss AS 4 or JBoss 5 and uses the @EndpointConfig annotation. However, in JBoss 6 there is no such annotation?

      Well, I think I have to go with the @HandlerChain instead, right?

       

      Here is what I want to do:

       

      - Intercept each incoming SOAP Request

      - Check the WS-Security UsernameToken headers in the SOAP message header

      - Verify the provided username and password by looking them up in the database of my application

       

      --> in order to do this, the very very best solution would be to have a stateless session bean called within the handler chain. Is this possible?

       

      Cheers,

      Frank

        • 1. WS-Security on JBoss 6 (with CXF)
          nickarls
          • 2. WS-Security on JBoss 6 (with CXF)
            franky_b

            Well, yes, I've already found and studied this (especially http://docs.jboss.org/jbossas/6/WebServices_Guide/en-US/html/chap_JBossWS-StackCXFUserGuide.html) via Google.

             

            However, in the examples, they mess with heavy XML configuration which would break my approach using annotations for all the web services. Furthermore, Spring is required in order for this to work. This is not what I call a "lightweight" solution.

             

            So I don't want to rely on any container magic, I just want to inject my stateless session bean somewhere in the handler chain to parse the SOAP header and to check the username in the database...

            • 3. WS-Security on JBoss 6 (with CXF)
              franky_b

              No one has an idea?

               

              What's the default procedure to add WS-Security UsernameToken capabilities to JBoss AS 6?

               

              I think this should be a quite common task...

              • 4. WS-Security on JBoss 6 (with CXF)
                asoldano

                If you want to use the full WS-Security facilities coming with Apache CXF and hence JBossWS-CXF, you need to go through the Spring configuration, which covers the stack specific aspect of configuring the security engine, similarly to what you did with the jboss-wsse-endpoint.xml on JBossWS-Native stack.

                The documentation on WS-Security w/ JBossWS-CXF is at http://community.jboss.org/wiki/JBossWS-StackCXFUserGuide#WSSecurity . Please also consider taking a look at the mentioned Apache CXF doc there.

                 

                On the contrary, if you just want to implement a home-brew solution for checking some of the WS-Security headers, you can avoid setting up security at all and install your custom handlers / interceptors. Handlers configuration is covered by standard specs and hence can be done in a stack agnostic way (see the @HandlerChain annotation). Alternatively, you can use CXF interceptors, declared through @InInterceptor/@OutInterceptor/.. (see Apache CXF doc on that).

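Added example, not part of the original thread and not JBossWS or CXF code: a standard JAX-WS handler of the kind reply 4 describes, which reads the UsernameToken from the inbound SOAP header and fails closed. `CredentialChecker` is a hypothetical interface standing in for the poster's session bean, and its injection with `@EJB` is an assumption about the container.

```java
import java.util.Collections;
import java.util.Set;
import javax.ejb.EJB;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPHeader;
import javax.xml.ws.ProtocolException;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class UsernameTokenHandler implements SOAPHandler<SOAPMessageContext> {
    private static final String OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-";
    private static final String WSSE = OASIS + "wssecurity-secext-1.0.xsd";
    private static final String PASSWORD_TEXT = OASIS + "username-token-profile-1.0#PasswordText";
    /** Hypothetical business interface of the bean that checks the application database. */
    public interface CredentialChecker { boolean isValid(String user, String password); }

    @EJB // assumption: the container injects into handlers; otherwise do a JNDI lookup
    private CredentialChecker checker;

    public boolean handleMessage(SOAPMessageContext ctx) {
        if (Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) return true;
        boolean ok = false;
        try { ok = authenticate(ctx.getMessage().getSOAPHeader()); }
        catch (Exception e) { /* missing header, malformed token, no checker: stay rejected */ }
        if (!ok) throw new ProtocolException("Authentication failed"); // same fault for every cause
        return true;
    }

    private boolean authenticate(SOAPHeader header) {
        NodeList tokens = header.getElementsByTagNameNS(WSSE, "UsernameToken");
        if (tokens.getLength() != 1) return false;          // none, or ambiguous duplicates
        Element token = (Element) tokens.item(0);
        Element user = only(token, "Username"), pass = only(token, "Password");
        if (user == null || pass == null) return false;
        String type = pass.getAttribute("Type");            // absent means PasswordText
        if (!type.isEmpty() && !PASSWORD_TEXT.equals(type)) return false; // no PasswordDigest
        return checker.isValid(user.getTextContent(), pass.getTextContent());
    }
    private static Element only(Element parent, String name) {
        NodeList n = parent.getElementsByTagNameNS(WSSE, name);
        return n.getLength() == 1 ? (Element) n.item(0) : null;
    }
    // Declares wsse:Security as understood, so mustUnderstand="1" does not cause a fault.
    public Set<QName> getHeaders() { return Collections.singleton(new QName(WSSE, "Security")); }
    public boolean handleFault(SOAPMessageContext ctx) { return true; }
    public void close(MessageContext ctx) { }
}
```

The handler is attached through the handler-chain file that the endpoint's `@HandlerChain` annotation points to. PasswordText is sent in the clear, so the endpoint has to be reachable over TLS only.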
                • 5. WS-Security on JBoss 6 (with CXF)
                  franky_b

                  Okay, thanks a lot for this clear statement.

                   

                  Since I only need a few base functionalities, I absolutely prefer the "home brew" solution. I'll have a look at the suggested methods, maybe I'll come back later ;-)

                  • 6. WS-Security on JBoss 6 (with CXF)
                    vlad.bujoreanu

                    Hello,

                     

                    I am trying to migrate to the CXF stack an application that was previously using the jboss-wsse-endpoint.xml on JBossWS-Native stack to implement username token authentication.

                    I have installed the Spring deployer and used the jbossws-cxf.xml file to define username token authentication as in

                    http://community.jboss.org/wiki/JBossWS-StackCXFUserGuide#WSSecurity

                    What I want to ask is how to do this part that is indicated there:

                     

                    "Authentication and authorization will simply be delegated to the security domain configured for the endpoint. Of course you can specify the login module you prefer for that security domain (refer the application server / security documentation for that)."

                     

                    How do I do that? I mean, is it sufficient to annotate my endpoint with @SecurityDomain and specify the application policy in login-config.xml?

                    • 7. WS-Security on JBoss 6 (with CXF)
                      asoldano

                      Consider taking a look at the package org.jboss.test.ws.jaxws.samples.wsse* in the jbossws-cxf sources.