34 Replies Latest reply on Jan 12, 2011 1:43 AM by Himaja Thovi

    WS-Security Newbie Question...

    Jesus Rodriguez Newbie

      Hi!

      Sorry for the question 'cause actually it's a really newbie one :) but I'm just getting crazy trying to find some kind of tutorial of implementing WS-Security in JBoss... something like "My first WS-Security web service" or "Step-by-step 'Hello World' or 'Echo' Web Service with WS-Security".

      I've seen several documents explaining things about WSSE, and I have created my keystore and truststore but then when I try to continue I just get lost...

      If you could give me some advice or some links to look at, I'll be very grateful...

      I've done my first 'Echo' web service: BottomUp, TopDown, my first client, etc... and now I'm trying to implement the same Echo WebService but requiring signature (I'm not so interested in any kind of encryption, just signature)

      Thanks ;)

        • 3. Re: WS-Security Newbie Question...
          Jesus Rodriguez Newbie

          Alessio.. yes... I've already read that link. Thanks anyway ;)

          Peter.. Also I've already read that post, but I'm still lost (sorry.. these are my first days working with web services and I'm getting a bit crazy hehe)

          I'm gonna write everything I'm doing (surely there will be a lot of mistakes, but well.. all the beginnings are tough... :P) and I would appreciate a lot if you could give me a hand in this...

          First... SERVER

          Hello.java

          package wssec;
          
          import javax.jws.WebMethod;
          import javax.jws.WebParam;
          import javax.jws.WebService;
          import javax.jws.soap.SOAPBinding;
          
          import org.jboss.ws.annotation.EndpointConfig;
          
          @WebService(name = "Hello", targetNamespace = "urn:ws.sec")
          @EndpointConfig(configName = "Standard WSSecurity Endpoint")
          @SOAPBinding(style = SOAPBinding.Style.DOCUMENT)
          public class Hello
          {
             @WebMethod
             public String echo(@WebParam(name = "param1") String param1)
             {
                return param1;
             }
          }
          


          I compiled it with
          javac -d . -classpath jboss-jaxws.jar;jboss-client.jar *.java
          


          I've made my keystore with the command:

          keytool -genkey -keystore wsse.keystore -storepass jbossws -keyalg RSA -alias wsse -validity 365
          


          Then I exported the certificate with:
          keytool -export -file wsse.cer -keystore wsse.keystore -storepass jbossws -alias wsse
          


          And created the truststore with
          keytool -import -alias wsse -file wsse.cer -keystore wsse.truststore -storepass jbossws
          


          web.xml
          <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
                   version="2.4">
             <display-name>Hello</display-name>
             <servlet>
                <servlet-name>Hello</servlet-name>
                <servlet-class>wssec.Hello</servlet-class>
                <load-on-startup>1</load-on-startup>
             </servlet>

             <servlet-mapping>
                <servlet-name>Hello</servlet-name>
                <url-pattern>/Hello</url-pattern>
             </servlet-mapping>
          </web-app>
          


          jboss-wsse-server.xml
          <?xml version="1.0" encoding="UTF-8"?>
          
          <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                             xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
             <key-store-file>WEB-INF/wsse.keystore</key-store-file>
             <key-store-password>jbossws</key-store-password>
             <trust-store-file>WEB-INF/wsse.truststore</trust-store-file>
             <trust-store-password>jbossws</trust-store-password>
             <config>
                <sign type="x509v3" alias="wsse"/>
                <requires>
                   <signature/>
                </requires>
             </config>
          </jboss-ws-security>
          


          I create my .war with
          jar cvf Hello.war WEB-INF
          


          and the structure of WEB-INF is
          WEB-INF
          | jboss-wsse-server.xml
          | wsse.keystore
          | wsse.truststore
          | web.xml
          | classes
          | | Hello.class

          Once this is done, I copy Hello.war into jboss4-2-2GA\server\default\deploy and everything seems to be OK

          Once I have the WS deployed on the server, what are the steps I have to follow to build my client? I only want to transmit signed messages, not interested in encryption...

          This might seem a stupid topic, but I'm getting lost, 'cause this is new for me and I'm not able to find any "very very very basic" documents...

          Thanks ;)

          • 4. Re: WS-Security Newbie Question...
            Peter Johnson Master

            On the client side, you will need the keystore and truststore. You can use the same ones used at the server, but if that is not possible (or not desirable) you will need to do more work with setting up the server keystore and truststore, and also create client keystore and truststore.

            When packaging the client, include in the META-INF directory the files:
            * client keystore
            * client truststore
            * jboss-wsse-client.xml (looks like the server one you listed above)
            * standard-jaxws-client-config.xml (get it from deploy/jbossws.sar/META-INF, remove all of the client-config entries except the one named "Standard WSSecurity Client")

            I can direct you to a location where the steps to do this are documented, but it is not free.

            • 5. Re: WS-Security Newbie Question...
              Alessio Soldano Master

               

              "PeterJ" wrote:

              * standard-jaxws-client-config.xml (get it from deploy/jbossws.sar/META-INF, remove all of the client-config entries except the one named "Standard WSSecurity Client")


              This shouldn't be required, you just need to specify the jbossws conf:
              ((StubExt)port).setConfigName("Standard WSSecurity Client");
              



              "PeterJ" wrote:

              I can direct you to a location where the steps to do this are documented, but it is not free.


              Otherwise you might take a look at the org.jboss.test.ws.jaxws.samples.wssecurity samples in the src distro.



              • 6. Re: WS-Security Newbie Question...
                Peter Johnson Master

                Just a note to let lafaserem know that the code

                ((StubExt)port).setConfigName("Standard WSSecurity Client");

                is JBossWS-specific. I prefer to keep my Java code generic and place container-specific things into configuration files, which makes the code easier to port.

                Now, if the config name could be set using an annotation, that would be ideal because other containers would ignore the annotation.

                I also remembered an excellent description of keystores and truststores, perhaps that will be helpful http://www.jboss.com/index.html?module=bb&op=viewtopic&t=94406

                • 7. Re: WS-Security Newbie Question...
                  Jesus Rodriguez Newbie

                  Hi!

                  Ok.. now actually I'm about getting crazy!! :)

                  PeterJ, which is that location? I don't mind if it's not free... I have tried to send you a "PM" but it seems it doesn't work...

                  My problem is implementing the client in Java.. I think I have all the files I have to package.

                  I'm gonna explain all the things I've done with the client

                  Hello.java

                  package wssec;
                  
                  import javax.jws.WebMethod;
                  import javax.jws.WebParam;
                  import javax.jws.WebService;
                  import javax.jws.soap.SOAPBinding;
                  
                  import org.jboss.ws.annotation.EndpointConfig;
                  
                  @WebService(name = "Hello", targetNamespace = "urn:ws.sec")
                  @EndpointConfig(configName = "Standard WSSecurity Endpoint")
                  @SOAPBinding(style = SOAPBinding.Style.DOCUMENT)
                  public class Hello
                  {
                     @WebMethod
                     public String echo(@WebParam(name = "nombre") String nombre)
                     {
                        return nombre;
                     }
                  }


                  HelloClient.java
                  package wssec;
                  
                  import java.io.File;
                  import java.net.URL;
                  import java.util.Map;
                  
                  import javax.xml.namespace.QName;
                  import javax.xml.ws.BindingProvider;
                  import javax.xml.ws.Service;
                  
                  import org.jboss.ws.core.StubExt;
                  
                  public class HelloClient
                  {
                     public static void main(String args[])
                     {
                        if (args.length != 1)
                        {
                           System.err.println("usage: HelloClient <message>");
                           System.exit(1);
                        }

                        System.setProperty("org.jboss.wsse.keyStore", "c:/keys/wsse.keystore");
                        System.setProperty("org.jboss.wsse.keyStorePassword", "jbossws");
                        System.setProperty("org.jboss.wsse.keyStoreType", "x509v3");
                        System.setProperty("org.jboss.wsse.trustStore", "c:/keys/wsse.truststore");
                        System.setProperty("org.jboss.wsse.trustStorePassword", "jbossws");
                        System.setProperty("org.jboss.wsse.trustStoreType", "x509v3");

                        try{
                           Hello hello = getPort();
                           System.out.println("Server said: " + hello.echo(args[0]));
                        } catch (Exception e){
                           e.printStackTrace();
                        }
                     }

                     private static Hello getPort() throws Exception
                     {
                        URL wsdlURL = new URL("http://127.0.0.1:8080/Hello/Hello?wsdl");
                        URL securityURL = new File("META-INF/jboss-wsse-client.xml").toURL();
                        QName serviceName = new QName("urn:ws.sec", "HelloService");

                        Service service = Service.create(wsdlURL, serviceName);

                        Hello port = (Hello)service.getPort(Hello.class);
                        ((StubExt)port).setSecurityConfig(securityURL.toExternalForm());
                        ((StubExt)port).setConfigName("Standard WSSecurity Client");

                        Map<String, Object> reqContext = ((BindingProvider)port).getRequestContext();
                        reqContext.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, "http://127.0.0.1:8080/Hello");

                        return port;
                     }

                  }
                  


                  jboss-wsse-client.xml
                  <?xml version="1.0" encoding="ISO-8859-1"?>
                  <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
                     <config>
                        <sign type="x509v3" alias="wsse"/>
                        <requires>
                           <signature/>
                        </requires>
                     </config>
                  </jboss-ws-security>
                  


                  The keystore and the truststore are the same as the server's ones.

                  The structure is
                  wssec
                  | Hello.class
                  | HelloClient.class
                  META-INF
                  | wsse.keystore
                  | wsse.truststore
                  | jboss-wsse-client.xml

                  When I run the client, I do it like this:

                  wsrunclient prueba.HelloClient "Hello"
                  


                  What am I missing? Shall I do anything more? Or maybe less? :)

                  Thanks a lot.. ;)

                  • 8. Re: WS-Security Newbie Question...
                    Jesus Rodriguez Newbie

                    Oops... I forgot to say that of course wsse.keystore and wsse.truststore are placed at c:\keys

                    Thanks ;)

                    • 9. Re: WS-Security Newbie Question...
                      Alessio Soldano Master

                       

                      "lafaserem" wrote:

                       System.setProperty("org.jboss.wsse.keyStoreType", "x509v3");
                       System.setProperty("org.jboss.wsse.trustStoreType", "x509v3");
                      

                      Why "x509v3"? Try with "jks" that should be the type of key stores you generated.

                      This said, what's the problem you have? Your conf seems OK, are you getting any exception? How do you understand something is wrong? Please post some log/error here so that we can better understand.


                      • 10. Re: WS-Security Newbie Question...
                        Jesus Rodriguez Newbie

                        This is the error that it gives me when I run

                        wsrunclient wssec.HelloClient "Hello"
                        


                        [Fatal Error] :1:1: Content is not allowed in prolog.
                        org.jboss.ws.WSException: java.io.IOException: org.xml.sax.SAXParseException: Content is not allowed in prolog.
                            at org.jboss.ws.metadata.config.JBossWSConfigFactory.getNamespaceURI(JBossWSConfigFactory.java:116)
                            at org.jboss.ws.metadata.config.JBossWSConfigFactory.parse(JBossWSConfigFactory.java:80)
                            at org.jboss.ws.metadata.config.JBossWSConfigFactory.getConfig(JBossWSConfigFactory.java:134)
                            at org.jboss.ws.metadata.umdm.EndpointMetaData.initEndpointConfig(EndpointMetaData.java:704)
                            at org.jboss.ws.metadata.umdm.EndpointMetaData.setConfigNameInternal(EndpointMetaData.java:695)
                            at org.jboss.ws.metadata.umdm.EndpointMetaData.setConfigName(EndpointMetaData.java:679)
                            at org.jboss.ws.metadata.builder.jaxws.JAXWSClientMetaDataBuilder.processEndpointConfig(JAXWSClientMetaDataBuilder.java:323)
                            at org.jboss.ws.metadata.builder.jaxws.JAXWSClientMetaDataBuilder.rebuildEndpointMetaData(JAXWSClientMetaDataBuilder.java:287)
                            at org.jboss.ws.core.jaxws.spi.ServiceDelegateImpl.getPortInternal(ServiceDelegateImpl.java:262)
                            at org.jboss.ws.core.jaxws.spi.ServiceDelegateImpl.getPort(ServiceDelegateImpl.java:233)
                            at javax.xml.ws.Service.getPort(Service.java:185)
                            at wssec.HelloClient.getPort(HelloClient.java:46)
                            at wssec.HelloClient.main(HelloClient.java:31)
                        Caused by: java.io.IOException: org.xml.sax.SAXParseException: Content is not allowed in prolog.
                            at org.jboss.wsf.common.DOMUtils.parse(DOMUtils.java:156)
                            at org.jboss.ws.metadata.config.JBossWSConfigFactory.getNamespaceURI(JBossWSConfigFactory.java:111)
                            ... 12 more
                        


                        The WSDL file is taken directly from the server. It seems to be an error with some XML file structure, but I don't know which one can be the one that is giving me the mistake...

                        Thanks ;)

                        P.S.: I've changed the keyStore and trustStore Type to "jks"

                        • 11. Re: WS-Security Newbie Question...
                          Alessio Soldano Master

                          Last time I didn't notice this: on the client side you should have the interface of your web service, not the implementation. This applies to every webservice client.
                          And of course the interface you use on the client side (which can be generated by wsconsume, otherwise you can code it manually, it is easy for your service) should not have the @EndpointConfig with the server endpoint configuration ;-)

                          • 12. Re: WS-Security Newbie Question...
                            Jesus Rodriguez Newbie

                            Oops... OK... That was a consequence of so many "copy-paste"s that I have done during all these days :)

                            My Hello.java file is now like this:

                            package wssec;
                            
                            import javax.jws.WebMethod;
                            import javax.jws.WebParam;
                            import javax.jws.WebResult;
                            import javax.jws.WebService;
                            import javax.xml.ws.RequestWrapper;
                            import javax.xml.ws.ResponseWrapper;
                            
                            
                            /**
                             * This class was generated by the JAX-WS RI.
                             * JAX-WS RI 2.1.1-b03-
                             * Generated source version: 2.0
                             *
                             */
                            @WebService(name = "Hello", targetNamespace = "urn:ws.sec")
                            public interface Hello {
                            
                            
                                /**
                                 *
                                 * @param nombre
                                 * @return
                                 *     returns java.lang.String
                                 */
                                @WebMethod
                                @WebResult(targetNamespace = "")
                                @RequestWrapper(localName = "echo", targetNamespace = "urn:ws.sec", className = "sec.ws.Echo")
                                @ResponseWrapper(localName = "echoResponse", targetNamespace = "urn:ws.sec", className = "sec.ws.EchoResponse")
                                public String echo(
                                    @WebParam(name = "nombre", targetNamespace = "")
                                    String nombre);
                            
                            }
                            


                            but now I have this error:
                            Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/xml/security/Init
                                at org.jboss.ws.extensions.security.SecurityEncoder.<init>(SecurityEncoder.java:47)
                                at org.jboss.ws.extensions.security.WSSecurityDispatcher.handleOutbound(WSSecurityDispatcher.java:302)
                                at org.jboss.ws.extensions.security.jaxws.WSSecurityHandler.handleOutboundSecurity(WSSecurityHandler.java:95)
                                at org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerClient.handleOutbound(WSSecurityHandlerClient.java:45)
                                at org.jboss.ws.core.jaxws.handler.GenericHandler.handleMessage(GenericHandler.java:55)
                                at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:295)
                                at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:140)
                                at org.jboss.ws.core.jaxws.client.ClientImpl.callRequestHandlerChain(ClientImpl.java:160)
                                at org.jboss.ws.core.CommonClient.invoke(CommonClient.java:297)
                                at org.jboss.ws.core.jaxws.client.ClientImpl.invoke(ClientImpl.java:243)
                                at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:164)
                                at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:150)
                                at $Proxy15.echo(Unknown Source)
                                at wssec.HelloClient.main(HelloClient.java:32)
                            


                            I don't know what's happening now.. I'm with it, but if you see something, I'll be grateful for your advice ;)

                            At least now I see errors referring to WSSecurity and that makes me happy hehe :)

                            Thanks ;)

                            • 13. Re: WS-Security Newbie Question...
                              Alessio Soldano Master

                              You need xmlsec.jar in your classpath.
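
A pre-flight check for the points raised in replies 9 and 13, as an added example that is not part of the original thread or of JBossWS: it loads both stores with a given keystore type, confirms that alias `wsse` holds a private key whose certificate is in the truststore, and looks for the xmlsec class named in the stack trace. The class name `WsseSigningPreflight` is hypothetical; paths, alias and password are the ones posted above, and the key password is assumed to equal the store password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.X509Certificate;

public class WsseSigningPreflight
{
   // Values taken from the posts in this thread; adjust for your own setup.
   static final String KEYSTORE = "c:/keys/wsse.keystore";
   static final String TRUSTSTORE = "c:/keys/wsse.truststore";
   static final String ALIAS = "wsse";
   static final char[] PASSWORD = "jbossws".toCharArray();

   static KeyStore load(String path, String type) throws Exception
   {
      // "x509v3" is the token type used in <sign type="x509v3" .../>, not a
      // keystore type, so getInstance() rejects it with a KeyStoreException.
      KeyStore ks = KeyStore.getInstance(type);
      try (InputStream in = new FileInputStream(path))
      {
         ks.load(in, PASSWORD); // IOException here: wrong password or wrong format
      }
      return ks;
   }

   /** Returns "OK" or a one-line description of the first problem found. */
   static String check(String type)
   {
      try
      {
         KeyStore keys = load(KEYSTORE, type);
         KeyStore trust = load(TRUSTSTORE, type);

         // Signing needs a private-key entry, not just a certificate entry.
         if (!keys.isKeyEntry(ALIAS))
            return "alias '" + ALIAS + "' is not a private-key entry in " + KEYSTORE;

         // Assumption: key password equals store password (keytool's default).
         keys.getKey(ALIAS, PASSWORD);

         // The keystore was created with -validity 365, so expiry is worth checking.
         X509Certificate cert = (X509Certificate) keys.getCertificate(ALIAS);
         cert.checkValidity();

         // The receiver can only verify the signature if it trusts this certificate.
         if (trust.getCertificateAlias(cert) == null)
            return "signing certificate is not present in " + TRUSTSTORE;

         // Class from the NoClassDefFoundError in the thread; it ships in xmlsec.jar.
         Class.forName("org.apache.xml.security.Init", false,
               WsseSigningPreflight.class.getClassLoader());
         return "OK";
      }
      catch (KeyStoreException e)
      {
         return "keystore problem with type '" + type + "': " + e.getMessage();
      }
      catch (ClassNotFoundException e)
      {
         return "xmlsec.jar is not on the classpath (" + e.getMessage() + ")";
      }
      catch (Exception e)
      {
         return e.getClass().getSimpleName() + ": " + e.getMessage();
      }
   }

   public static void main(String[] args)
   {
      System.out.println("x509v3 -> " + check("x509v3"));
      System.out.println("jks    -> " + check("jks"));
   }
}
```

Run it with the same classpath as the client, so that the xmlsec lookup reflects what the client JVM will actually see.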

                              • 14. Re: WS-Security Newbie Question...
                                Jesus Rodriguez Newbie

                                Ok... I have now added xmlsec.jar into "JBOSS_HOME/lib/endorsed", recompiled (just in case...) and ran wsrunclient again... and I got this error:

                                javax.xml.ws.WebServiceException: org.jboss.ws.core.CommonSOAPFaultException: An internal WS-Security error occurred. See log for details
                                    at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.processHandlerFailure(HandlerChainExecutor.java:276)
                                    at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:155)
                                    at org.jboss.ws.core.jaxws.client.ClientImpl.callRequestHandlerChain(ClientImpl.java:160)
                                    at org.jboss.ws.core.CommonClient.invoke(CommonClient.java:297)
                                    at org.jboss.ws.core.jaxws.client.ClientImpl.invoke(ClientImpl.java:243)
                                    at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:164)
                                    at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:150)
                                    at $Proxy15.echo(Unknown Source)
                                    at prueba.HelloClient.main(HelloClient.java:32)
                                Caused by: org.jboss.ws.core.CommonSOAPFaultException: An internal WS-Security error occurred. See log for details
                                    at org.jboss.ws.extensions.security.WSSecurityDispatcher.convertToFault(WSSecurityDispatcher.java:105)
                                    at org.jboss.ws.extensions.security.WSSecurityDispatcher.handleOutbound(WSSecurityDispatcher.java:311)
                                    at org.jboss.ws.extensions.security.jaxws.WSSecurityHandler.handleOutboundSecurity(WSSecurityHandler.java:95)
                                    at org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerClient.handleOutbound(WSSecurityHandlerClient.java:45)
                                    at org.jboss.ws.core.jaxws.handler.GenericHandler.handleMessage(GenericHandler.java:55)
                                    at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:295)
                                    at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:140)
                                


                                Thanks again for your interest :)
