-
1. Re: JBoss AS 7 and WS-Security client
asoldano Jul 15, 2011 11:59 AM (in response to dstockdreher)
Hi,
do the messages going over the wire actually contain the wsse:Security element, together with all the wsse info?
Do you have the ws-security policy in the consumed wsdl contract?
-
2. Re: JBoss AS 7 and WS-Security client
dstockdreher Aug 3, 2011 5:35 PM (in response to asoldano)
1 of 1 people found this helpful
I was able to get a successful client set up after going through some pains to try to do things the "modern" way with a wsPolicy portion in the wsdl.
In the end, since my service is a product of JBossWS-Native running on a JBoss 4.2.3 server, I had to programmatically set up the out and in interceptors for WSS4J.
Something like the following is what I needed eventually. In my situation, the part that I lost the most time on was what is in bold below. The service pretty much only wanted to get things with direct-reference (by default). However, given that I was using JBossWS (CXF), the default seemed to be the X509Data/X509IssuerSerial version.
import java.util.HashMap;
import java.util.Map;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.handler.WSHandlerConstants;

// cxfEndpoint is the CXF Endpoint of the client proxy and KeystorePasswordCallback is the
// client's own CallbackHandler class; neither is shown in the post.

//configure the outInterceptor to use the keys and to use DirectReference since that
//is the key id format the server expects.
//populate the property map before handing it to the interceptor
Map<String, Object> outProps = new HashMap<String, Object>();
outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT);
outProps.put(WSHandlerConstants.USER, "ccdbkey");
outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS,
        KeystorePasswordCallback.class.getName());
outProps.put(WSHandlerConstants.ENCRYPTION_USER, "ccdserv");
outProps.put(WSHandlerConstants.SIG_PROP_FILE, "client.properties");
outProps.put(WSHandlerConstants.ENC_PROP_FILE, "server.properties");
outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
outProps.put(WSHandlerConstants.ENC_KEY_ID, "DirectReference");
WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);
cxfEndpoint.getOutInterceptors().add(wssOut);
//create the InInterceptor to apply the security on the returned messages
Map<String, Object> inProps = new HashMap<String, Object>();
inProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT);
inProps.put(WSHandlerConstants.SIG_PROP_FILE, "server.properties");
inProps.put(WSHandlerConstants.DEC_PROP_FILE, "client.properties");
WSS4JInInterceptor wssIn = new WSS4JInInterceptor(inProps);
cxfEndpoint.getInInterceptors().add(wssIn);
The following doc gives a pretty good start on getting things going. http://community.jboss.org/wiki/JBossWS-StackCXFUserGuide
As another side note, making sure you have enabled the WS module extension on the AS7 server and ensuring it is referenced in your MANIFEST.MF file are also critical steps to getting everything working correctly.
-
3. Re: JBoss AS 7 and WS-Security client
asoldano Aug 4, 2011 8:32 AM (in response to dstockdreher)
Thanks for having shared the result of your work with the community.
Yes, generally speaking your scenario tells us that when having to call a ws-security endpoint built on top of jbossws-native (hence having no ws-security policy in the published contract), it might be quicker to manually configure the Apache CXF WS-Security interceptors to map the "basic" security config on the server side.
The need for setting "outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");" comes from the native stack preferring direct references to security tokens in the messages. It should actually be able to deal with issuer serial references too on the receiver side; however, there might be a bug in that, we need to investigate.
As per the AS7 hints, for the logs also consider https://docs.jboss.org/author/display/JBWS/JBoss+Modules
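
A way to check what the thread asks about (whether a message on the wire carries a wsse:Security header, and which key reference style it uses), as an added example that is not code from the thread's participants or from JBossWS/CXF. The class name KeyRefStyle and the sample message are constructed for illustration; only JDK XML classes are used.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class KeyRefStyle {  // hypothetical helper name
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    // Returns one label per wsse:SecurityTokenReference found in the message.
    static List<String> classify(String soap) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Captured traffic is untrusted input: refuse DOCTYPEs to rule out XXE.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(soap.getBytes(StandardCharsets.UTF_8)));
        List<String> styles = new ArrayList<>();
        if (doc.getElementsByTagNameNS(WSSE, "Security").getLength() == 0) {
            styles.add("no wsse:Security header");
            return styles;
        }
        NodeList strs = doc.getElementsByTagNameNS(WSSE, "SecurityTokenReference");
        for (int i = 0; i < strs.getLength(); i++) {
            Element str = (Element) strs.item(i);
            if (str.getElementsByTagNameNS(WSSE, "Reference").getLength() > 0) {
                styles.add("DirectReference");   // points at a BinarySecurityToken in the header
            } else if (str.getElementsByTagNameNS(DS, "X509IssuerSerial").getLength() > 0) {
                styles.add("IssuerSerial");      // X509Data/X509IssuerSerial form
            } else {
                styles.add("other");
            }
        }
        return styles;
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample header, trimmed to the elements that matter here.
        String msg = "<soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'"
            + " xmlns:wsse='" + WSSE + "' xmlns:ds='" + DS + "'><soap:Header><wsse:Security>"
            + "<ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial>"
            + "<ds:X509IssuerName>CN=Example CA</ds:X509IssuerName><ds:X509SerialNumber>1</ds:X509SerialNumber>"
            + "</ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>"
            + "</wsse:Security></soap:Header><soap:Body/></soap:Envelope>";
        System.out.println(classify(msg));
    }
}
```

Running it against a request captured before and after setting SIG_KEY_ID and ENC_KEY_ID shows whether the client actually switched from the issuer serial form to direct references.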