2 Replies Latest reply on Jan 13, 2009 7:57 AM by Okanovi? Du?an

    SLSB exposed as WS security issue

    Okanovi? Du?an Newbie

      I have SLSB exposed as WS. I tried to add security. WS is deployed as jar. I've placed jboss-wsse-server and keystore files into META-INF (together with persistence.xml).

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
       <key-store-file>META-INF/wsse.keystore</key-store-file>
       <key-store-password>jbossws</key-store-password>
       <trust-store-file>META-INF/wsse.truststore</trust-store-file>
       <trust-store-password>jbossws</trust-store-password>
       <config>
       <sign type="x509v3" alias="wsse"></sign>
       <encrypt type="x509v3" alias="wsse"></encrypt>
       <requires>
       <signature />
       <encryption />
       </requires>
       </config>
      </jboss-ws-security>
      

      This configuration is read during deployment (if I put wrong locations of keystores, jar deployment breaks). However, when I try to access this WS with an unsecured client (generated using wsconsume) it responds normally (as if there is no security).
      Endpoint interface:
      import javax.ejb.Remote;
      import javax.jws.WebMethod;
      import javax.jws.WebService;
      import javax.jws.soap.SOAPBinding;
      
      @WebService(name = "CityFacadeProxy", targetNamespace="http://gint_scm_ws")
      @SOAPBinding(style=SOAPBinding.Style.DOCUMENT, use=SOAPBinding.Use.LITERAL, parameterStyle=SOAPBinding.ParameterStyle.WRAPPED)
      @Remote
      public interface CityFacadeSEI {
       @WebMethod
       public City createCity(String cityName) throws RemoteException;
      }
      

      Implemetation bean:
      import gint.scm.ws.entity.City;
      
      import javax.ejb.Remote;
      import javax.ejb.Stateless;
      import javax.jws.WebService;
      import javax.persistence.EntityManager;
      import javax.persistence.PersistenceContext;
      import javax.xml.ws.BindingType;
      
      import org.jboss.ws.annotation.EndpointConfig;
      import org.jboss.wsf.spi.annotation.WebContext;
      
      @Stateless
      @WebService(endpointInterface = "gint.scm.ws.session.CityFacadeSEI",
       serviceName = "CityFacadeServis", targetNamespace="http://gint_scm_ws")
      @WebContext(contextRoot="/SCM", urlPattern="/*")
      @BindingType(value = "http://schemas.xmlsoap.org/wsdl/soap/http?mtom=true")
      @EndpointConfig(configName = "Standard WSSecurity Endpoint")
      @Remote(CityFacadeSEI.class)
      public class CityFacadeBean implements CityFacadeSEI {
      
       @PersistenceContext(name = "scm")
       EntityManager em;
      
       public City createCity(String cityName) {
       em.persist(new City(cityName.hashCode(), cityName));
       return new City(cityName.hashCode(), cityName);
       }
      
      }

      What's wrong here? There are no examples for security for SLSB WS (or I couldn't find them in last 4 weeks).