1 Reply Latest reply on Jul 25, 2008 9:45 AM by Peter Cankar

    WS-Security - extract information from signature in SOAP mes

    Peter Cankar Newbie

      Hi,

      I'm using WS-Security to sign SOAP messages. Currently on endpoint side I know only that I trust the client that called some web service but I don't know which of the clients has called it. Now I would also like to know which client has called the web service.
      Can you please help me how to extract client information from signature in SOAP message or maybe how to know which alias was used for authentication.

      Sorry for my English.


      I'm using (for server and client):
      - JbossAS : 4.2.1.GA
      - JbossWS : 1.2.1.GA (build=200704151756)
      - Eclipse : 3.3.1.1
      - JDK : 1.5.0_14



      Server side configuration:

      WsServer.java

      package app.ws.server;
      
      import javax.ejb.Remote;
      
      @Remote
      public interface WsServer {
       public String hello(String parameter);
      }


      WsServerBean.java
      package app.ws.server;
      
      import org.jboss.ws.annotation.WebContext;
      import javax.ejb.Stateless;
      import javax.jws.WebService;
      import javax.jws.soap.SOAPBinding;
      import javax.jws.WebMethod;
      import javax.jws.WebParam;
      import org.jboss.ws.annotation.EndpointConfig;
      import org.apache.log4j.Logger;
      import org.jboss.annotation.security.SecurityDomain;
      
      @Stateless
      @WebContext(contextRoot="/TestWebServices")
      @WebService(serviceName="testws", targetNamespace="http://testuri.org/")
      @SOAPBinding(style = SOAPBinding.Style.DOCUMENT, use = SOAPBinding.Use.LITERAL, parameterStyle = SOAPBinding.ParameterStyle.WRAPPED)
      @EndpointConfig(configName = "Standard WSSecurity Endpoint")
      @SecurityDomain("JBossWS")
      public class WsServerBean implements WsServer {
       private static final Logger logger = Logger.getLogger(WsServerBean.class.getName());
      
       @WebMethod(operationName = "hello", action = "urn:hello")
       public String hello(@WebParam(name = "parameter") String parameter) {
       logger.info("You have called method hello with parameter : " + parameter);
       return "Hello world. You have called method hello with parameter : " + parameter;
       }
      }


      META-INF/standard-jaxws-endpoint-config.xml
      <jaxws-config xmlns="urn:jboss:jaxws-config:2.0"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:javaee="http://java.sun.com/xml/ns/javaee"
       xsi:schemaLocation="urn:jboss:jaxws-config:2.0 jaxws-config_2_0.xsd">
      
       <endpoint-config>
       <config-name>Standard WSSecurity Endpoint</config-name>
       <post-handler-chains>
       <javaee:handler-chain>
       <javaee:protocol-bindings>##SOAP11_HTTP</javaee:protocol-bindings>
       <javaee:handler>
       <javaee:handler-name>WSSecurity Handler</javaee:handler-name>
       <javaee:handler-class>org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer</javaee:handler-class>
       </javaee:handler>
       </javaee:handler-chain>
       </post-handler-chains>
       </endpoint-config>
      
      </jaxws-config>
      


      META-INF/jboss-wsse-server.xml
      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
       <key-store-file>META-INF/wsse.keystore</key-store-file>
       <key-store-password>jbossws</key-store-password>
       <trust-store-file>META-INF/wsse.truststore</trust-store-file>
       <trust-store-password>jbossws</trust-store-password>
       <config>
       <sign type="x509v3" alias="wsse"/>
       <requires>
       <signature/>
       </requires>
       </config>
      </jboss-ws-security>


      META-INF/wsse.keystore
      keytool -genkey -keystore wsse.keystore -storepass jbossws -keyalg RSA -alias wsse -validity 365


      META-INF/wsse.cer
      keytool -export -file wsse.cer -keystore wsse.keystore -storepass jbossws -alias wsse


      META-INF/wsse.truststore
      keytool -import -alias wsse -file wsse.cer -keystore wsse.truststore -storepass jbossws
      keytool -import -alias wssc -file wssc.cer -keystore wsse.truststore -storepass jbossws


      output
      09:31:27,777 INFO [Reference] Verification successful for URI "#element-1-1216711887170-23623672"
      09:31:27,777 INFO [Reference] Verification successful for URI "#timestamp"
      09:31:27,796 INFO [WsServerBean] You have called method hello with parameter : aaaaa




      Client side configuration:

      Generating stubs from WSDL
      wsconsume.sh -k -p "app.ws.client" "http://10.10.11.173:8080/TestWebServices/WsServerBean?wsdl"


      I have to change the service implementation class. In my case Testws.java.
      FROM : public class Testws extends Service
      TO : public class Testws extends ServiceExt


      META-INF/wssc.keystore
      keytool -genkey -keystore wssc.keystore -storepass jbossws -keyalg RSA -alias wssc -validity 365


      META-INF/wssc.cer
      keytool -export -file wssc.cer -keystore wssc.keystore -storepass jbossws -alias wssc


      META-INF/wssc.truststore
      keytool -import -alias wssc -file wssc.cer -keystore wssc.truststore -storepass jbossws
      keytool -import -alias wsse -file wsse.cer -keystore wssc.truststore -storepass jbossws


      TestClient.java
      package app.ws.client;
      
      import java.io.File;
      import java.net.URL;
      import javax.xml.namespace.QName;
      import org.jboss.ws.core.StubExt;
      import org.jboss.ws.core.jaxws.client.ServiceExt;
      
      public class TestClient {
       public static void main(String[] args) {
       try{
       System.setProperty("org.jboss.wsse.keyStore", "/workspace/test/src/app/ws/client/META-INF/wssc.keystore");
       System.setProperty("org.jboss.wsse.keyStorePassword", "jbossws");
       System.setProperty("org.jboss.wsse.keyStoreType", "jks");
       System.setProperty("org.jboss.wsse.trustStore", "/workspace/test/src/app/ws/client/META-INF/wssc.truststore");
       System.setProperty("org.jboss.wsse.trustStorePassword", "jbossws");
       System.setProperty("org.jboss.wsse.trustStoreType", "jks");
      
       String wsdlLocation = "http://10.10.11.173:8080/TestWebServices/WsServerBean?wsdl";
       URL securityURL = new File("/workspace/test/src/app/ws/client/META-INF/jboss-wsse-client.xml").toURL();
       String targetNamespace = "http://testuri.org/";
       String serviceName = "testws";
      
       Testws service = new Testws(new URL(wsdlLocation), new QName(targetNamespace, serviceName));
       ((ServiceExt)service).setSecurityConfig(securityURL.toExternalForm());
      
       WsServerBean wsServerBean = service.getWsServerBeanPort();
       ((StubExt)wsServerBean).setConfigName("Standard WSSecurity Client");
      
       System.out.println("\n===[ hello ]===================================================================v");
       System.out.println(wsServerBean.hello("aaaaa"));
       System.out.println("===============================================================================^");
      
       }
       catch (Exception e) {
       System.out.println("\n===[ Exception handler ]=======================================================v");
       e.printStackTrace();
       System.out.println("===============================================================================^");
       }
       }
      }


      META-INF/jboss-wsse-client.xml
      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
       <key-store-file>/workspace/test/src/app/ws/client/META-INF/wssc.keystore</key-store-file>
       <key-store-password>jbossws</key-store-password>
       <trust-store-file>/workspace/test/src/app/ws/client/META-INF/wssc.truststore</trust-store-file>
       <trust-store-password>jbossws</trust-store-password>
       <config>
       <sign type="x509v3" alias="wssc"/>
       <requires>
       <signature/>
       </requires>
       </config>
      </jboss-ws-security>


      META-INF/standard-jaxws-client-config.xml
      <jaxws-config xmlns="urn:jboss:jaxws-config:2.0"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:javaee="http://java.sun.com/xml/ns/javaee"
       xsi:schemaLocation="urn:jboss:jaxws-config:2.0 jaxws-config_2_0.xsd">
      
       <client-config>
       <config-name>Standard WSSecurity Client</config-name>
       <post-handler-chains>
       <javaee:handler-chain>
       <javaee:protocol-bindings>##SOAP11_HTTP</javaee:protocol-bindings>
       <javaee:handler>
       <javaee:handler-name>WSSecurityHandlerOutbound</javaee:handler-name>
       <javaee:handler-class>org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerClient</javaee:handler-class>
       </javaee:handler>
       </javaee:handler-chain>
       </post-handler-chains>
       </client-config>
      
      </jaxws-config>


      I have to add following lines to "wsrunclient.sh".
      WSRUNCLIENT_CLASSPATH="$WSRUNCLIENT_CLASSPATH:$JBOSS_HOME/client/wsdl4j.jar"
      WSRUNCLIENT_CLASSPATH="$WSRUNCLIENT_CLASSPATH:$JBOSS_HOME/lib/jboss-common.jar"
      WSRUNCLIENT_CLASSPATH="$WSRUNCLIENT_CLASSPATH:$JBOSS_HOME/client/xmlsec.jar"
      WSRUNCLIENT_CLASSPATH="$WSRUNCLIENT_CLASSPATH:$JBOSS_HOME/client/commons-logging.jar"


      Running the client:
      wsrunclient.sh -classpath /workspace/test/src/app/ws/client "app.ws.client.TestClient" -/usr/local/jboss/bin


      output:
      ===[ hello ]===================================================================v
      08:31:27,890 INFO [Reference] Verification successful for URI "#element-16-1216711887803-747136"
      08:31:27,892 INFO [Reference] Verification successful for URI "#timestamp"
      Hello world. You have called method hello with parameter : aaaaa
      ===============================================================================^



      Thanks and Regards,
      Peter


        • 1. Re: WS-Security - extract information from signature in SOAP
          Peter Cankar Newbie

          Hi all,

          I have search further and found these two topics:
          - http://www.jboss.com/index.html?module=bb&op=viewtopic&t=110386
          - http://www.jboss.com/index.html?module=bb&op=viewtopic&t=88871
          that encourage me to upgrade to latest version (jbossws-native-3.0.2.GA).

          I have tried to read http://jbws.dyndns.org/mediawiki/index.php?title=WS-Security_options#X.509_certificate_token document but I don't understand much.
          If I insert following

          <authenticate>
           <signatureCertAuth certificatePrincipal="org.jboss.security.auth.certs.SubjectCNMapping"/>
           </authenticate>

          lines to jboss-wsse-server.xml file I get error:
          15:00:46,874 ERROR [SOAPFaultHelperJAXWS] SOAP request exception
          javax.ejb.EJBAccessException: Authentication failure
           at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.handleGeneralSecurityException(Ejb3AuthenticationInterceptor.java:68)
           at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:70)
           at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:106)
           at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
           at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
           at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
           at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
           at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
           at org.jboss.wsf.container.jboss42.InvocationHandlerEJB3.invoke(InvocationHandlerEJB3.java:103)
           at org.jboss.ws.core.server.ServiceEndpointInvoker.invoke(ServiceEndpointInvoker.java:221)
           at org.jboss.wsf.stack.jbws.RequestHandlerImpl.processRequest(RequestHandlerImpl.java:466)
           at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleRequest(RequestHandlerImpl.java:284)
           at org.jboss.wsf.stack.jbws.RequestHandlerImpl.doPost(RequestHandlerImpl.java:201)
           at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:134)
           at org.jboss.wsf.stack.jbws.EndpointServlet.service(EndpointServlet.java:84)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
           at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
           at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
           at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
           at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
           at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
           at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
           at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
           at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
           at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
           at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
           at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
           at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
           at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
           at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
           at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
           at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580)
           at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
           at java.lang.Thread.run(Thread.java:595)


          I'm sorry if my question is too newbie one.
          Can anyone look at this topic and try to help me with some examples or direct me to simple document please?


          Thanks and Best Regards,
          Peter