5 Replies Latest reply on Feb 12, 2008 2:27 AM by Peter Johnson

    how to secure web services in jboss?

    thomas chan Newbie

      Does anyone know how to secure a web service in JBoss?

        • 1. Re: how to secure web services in jboss?
          Peter Johnson Master

          Using basic authorization, or by using WSSecurity?

          For basic authorization, see the discussion at http://www.jboss.com/index.html?module=bb&op=viewtopic&t=123643.

          Also, the documentation covers this at http://jbws.dyndns.org/mediawiki/index.php?title=Authentication

          For WSSecurity, see the discussion at http://www.jboss.com/index.html?module=bb&op=viewtopic&t=127824. That discussion contains links to the documentation.

          • 2. Re: how to secure web services in jboss?
            Shashank Jain Newbie

            Hi,
            I have configured all files for JBoss WS Security, using the JBoss WS 2.0.3 stack.
            The Web service is defined as
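            import javax.jws.WebMethod;
            import javax.jws.WebParam;
            import javax.jws.WebResult;
            import javax.jws.WebService;
            import javax.jws.soap.SOAPBinding;
            import javax.jws.soap.SOAPBinding.Style;

            @WebService(name = "SecureService", targetNamespace = "http://org.jboss.ws/samples/wssecurity")
            @SOAPBinding(style = Style.RPC)
            public interface SecureService {

                /**
                 * @param name
                 * @return returns java.lang.String
                 */
                @WebMethod
                @WebResult(partName = "return")
                public String getName(
                    @WebParam(name = "name", partName = "name")
                    String name);

            }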

            The standalone java client is


            import java.io.File;
            import java.net.URL;
            import java.util.Map;
            import javax.xml.namespace.QName;
            import javax.xml.ws.BindingProvider;
            import javax.xml.ws.Service;
            import com.hp.security.client.SecureService;

            public class NewClient {

                /** Creates a new instance of NewClient */
                public NewClient() {
                    try { // Call Web Service Operation
                        // Keystore and truststore settings for the WS-Security handlers
                        System.setProperty("org.jboss.wsse.keyStore","c://wsse.keystore");
                        System.setProperty("org.jboss.wsse.keyStorePassword","jbossws");
                        System.setProperty("org.jboss.wsse.keyStoreType","x509v3");
                        System.setProperty("org.jboss.wsse.trustStore","c://wsse.truststore");
                        System.setProperty("org.jboss.wsse.trustStorePassword","jbossws");
                        System.setProperty("org.jboss.wsse.trustStoreType","x509v3");

                        //List handlerChain = new ArrayList();
                        //HandlerInfo handler=new HandlerInfo();

                        //handler.setHandlerClassName("WSSecurityHandlerOutbound");

                        //handlerChain.add(handler);
                        com.hp.security.client.SecureService_Service ser=new com.hp.security.client.SecureService_Service();

                        com.hp.security.client.SecureService port = getPort();//ser.getSecureServicePort();//getPort();
                        //BindingProvider bindingProvider = (BindingProvider) port;
                        // bindingProvider.getBinding().setHandlerChain(handlerChain);
                        //((StubExt)port).setConfigName("Standard WSSecurity Client");
                        // TODO initialize WS operation arguments here
                        java.lang.String name = "";
                        // TODO process result here
                        java.lang.String result = port.getName("Shashank");
                        System.out.println("Result = "+result);
                    } catch (Exception ex) {
                        ex.printStackTrace();
                        System.out.println(ex.getMessage());
                        // TODO handle custom exceptions here
                    }
                }

                // Builds the port from the WSDL and points it at the endpoint address
                private static com.hp.security.client.SecureService getPort() throws Exception
                {
                    URL wsdlURL = new URL("http://127.0.0.1:8080/TestSecure/SecureService?wsdl");
                    URL securityURL = new File("web//META-INF//jboss-wsse-client.xml").toURL();
                    System.out.println(securityURL.getPath());
                    QName serviceName = new QName("http://org.jboss.ws/samples/wssecurity", "SecureService");
                    System.out.println(serviceName.toString());
                    Service service = Service.create(wsdlURL, serviceName);

                    SecureService port = (SecureService)service.getPort(SecureService.class);
                    //((ServiceExt)service)setSecurityConfig(securityURL.toExternalForm());

                    //((StubExt)port).setSecurityConfig(securityURL.toExternalForm());
                    //((StubExt)port).setConfigName("Standard WSSecurity Client");

                    Map<String, Object> reqContext =
                        ((BindingProvider)port).getRequestContext();
                    reqContext.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY,
                        "http://127.0.0.1:8080/TestSecure/SecureService");

                    return port;
                }

                // main() was not included in the post
            }

            I have all the configuration files on server as well as client....
            On client I have
            META-INF/standard-jaxws-client-config.xml
            META-INF/jboss-wsse-client.xml
            META-INF/wsse.keystore
            META-INF/wsse.truststore

            On server I have
            under
            web-inf/jboss-wsse-server.xml
            web-inf/wsse.keystore
            web-inf/wsse.truststore

            I don't see any changes as configured in samples... Still, I tried everything and I am unable to get it working. Pls help





            I created a standalone client. I get the following errors
            Exception in thread "main" java.lang.NoClassDefFoundError: org/jboss/util/NotImplementedException
            at java.lang.Class.getDeclaredConstructors0(Native Method)
            at java.lang.Class.privateGetDeclaredConstructors(Class.java:2357)
            at java.lang.Class.getConstructor0(Class.java:2671)
            at java.lang.Class.newInstance0(Class.java:321)
            at java.lang.Class.newInstance(Class.java:303)
            at javax.xml.ws.spi.FactoryFinder.newInstance(FactoryFinder.java:36)
            at javax.xml.ws.spi.FactoryFinder.find(FactoryFinder.java:95)
            at javax.xml.ws.spi.Provider.provider(Provider.java:83)
            at javax.xml.ws.Service.<init>(Service.java:56)
            at com.hp.security.client.SecureService_Service.<init>(SecureService_Service.java:40)
            at com.hp.standalone.NewClient.<init>(NewClient.java:44)
            at com.hp.standalone.NewClient.main(NewClient.java:94)

            Pls help.
            Shashank

            • 3. Re: how to secure web services in jboss?
              Shashank Jain Newbie

              After adding a few more jars to the classpath, I start getting this error:
              org.jboss.xb.binding.JBossXBRuntimeException: Failed to create a new SAX parser

              • 4. Re: how to secure web services in jboss?
                Shashank Jain Newbie

                When I run the same with WSrunclient

                I get the following error

                javax.xml.ws.soap.SOAPFaultException: org.jboss.ws.core.CommonSOAPFaultException: This service requires <wsse:Security>, which is missing.
                at org.jboss.ws.core.jaxws.SOAPFaultHelperJAXWS.getSOAPFaultException(SOAPFaultHelperJAXWS.java:72)
                at org.jboss.ws.core.jaxws.binding.SOAP11BindingJAXWS.throwFaultException(SOAP11BindingJAXWS.java:109)
                at org.jboss.ws.core.CommonSOAPBinding.unbindResponseMessage(CommonSOAPBinding.java:579)
                at org.jboss.ws.core.CommonClient.invoke(CommonClient.java:381)
                at org.jboss.ws.core.jaxws.client.ClientImpl.invoke(ClientImpl.java:300)
                at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:166)
                at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:152)
                at $Proxy8.getName(Unknown Source)
                at com.hp.standalone.NewClient.<init>(NewClient.java:54)
                at com.hp.standalone.NewClient.main(NewClient.java:94)
                org.jboss.ws.core.CommonSOAPFaultException: This service requires <wsse:Security>, which is missing.

                regards
                Shashank

                • 5. Re: how to secure web services in jboss?
                  Peter Johnson Master

                  It is amazing how using the wsrunclient script gets rid of most of the class-not-found errors, isn't it?

                  Anyway, the error "This service requires <wsse:Security>, which is missing." means that the client still doesn't know you are using WSSecurity. What you are missing is the META-INF/standard-jaxws-client-config.xml file in your client. An example file can be found at ./server/default/deploy/jbossws.sar/META-INF. Take that file, remove all of the client-config entries, except the one named "Standard WSSecurity Client", and package it with your client.
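
The trimming step described in the last reply, as an added example that is not part of the thread or of JBossWS: a Python script that keeps only the client-config named "Standard WSSecurity Client" and fails if that entry is absent. The sample XML is constructed; its namespace URI and the other two config names are assumptions, so run it on the file copied from your own jbossws.sar/META-INF.

```python
import xml.etree.ElementTree as ET

KEEP = "Standard WSSecurity Client"  # config name quoted in the reply above

# Constructed stand-in for the file shipped in jbossws.sar/META-INF. The
# namespace URI and the other two config names are assumptions.
SAMPLE = """<jaxws-config xmlns="urn:example:jaxws-config">
  <client-config><config-name>Standard Client</config-name></client-config>
  <client-config><config-name>Standard WSAddressing Client</config-name></client-config>
  <client-config>
    <config-name>Standard WSSecurity Client</config-name>
    <post-handler-chains/>
  </client-config>
</jaxws-config>"""


def local(tag):  # strip the '{namespace}' prefix ElementTree puts on tags
    return tag.rsplit("}", 1)[-1]


def names_of(cfg):  # config-name values directly under one client-config
    return [(c.text or "").strip() for c in cfg if local(c.tag) == "config-name"]


def config_names(xml_text):
    """List the name of every client-config in the document, in order."""
    root = ET.fromstring(xml_text)
    return [n for cfg in root if local(cfg.tag) == "client-config" for n in names_of(cfg)]


def trim_client_config(xml_text, keep=KEEP):
    """Remove every client-config except `keep` and return the trimmed XML."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):  # keep the file's default namespace unprefixed
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    kept = 0
    for cfg in list(root):
        if local(cfg.tag) != "client-config":
            continue
        if names_of(cfg) == [keep]:
            kept += 1
        else:
            root.remove(cfg)
    if kept != 1:  # a client packaged without this entry sends no wsse:Security
        raise ValueError(f"expected one client-config named {keep!r}, found {kept}")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(trim_client_config(SAMPLE))
```

ElementTree drops XML comments and may rename non-default namespace prefixes, so compare the output with the original before packaging it as META-INF/standard-jaxws-client-config.xml.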