1 Reply Latest reply on Oct 29, 2011 12:23 PM by mblanco

    ws-security on Jboss AS 6.1.0

    mblanco Newbie

      Hi, I'm trying to secure a web service through ws-security on Jboss AS 6.1.0. I made a secured web service and a client which does not provide credentials, so it should be rejected, the problem is that the client is not rejected and it completes the call to the web service.

      These are the full steps of what I have done:

      1) Created a dynamic web project "hello" with this class in it:

       

      package org.jboss.samples.webservices;

       

      import javax.jws.WebMethod;

      import javax.jws.WebService;

      import javax.jws.soap.SOAPBinding;

      import org.jboss.ws.annotation.EndpointConfig;

      @SOAPBinding(style=SOAPBinding.Style.RPC)

      @WebService()

      @EndpointConfig(configName="Standard WSSecurity Endpoint")

      public class HelloWorld {

      @WebMethod()

      public String sayHello(String name) {

           System.out.println("Hello: " + name);

           return "Hello " + name + "!";

      }

      }

      2) Configured web.xml with

       

        <servlet>

       

          <display-name>HelloWorld</display-name>

          <servlet-name>HelloWorld</servlet-name>

          <servlet-class>org.jboss.samples.webservices.HelloWorld</servlet-class>

        </servlet>

        <servlet-mapping>

          <servlet-name>HelloWorld</servlet-name>

          <url-pattern>/HelloWorld</url-pattern>

        </servlet-mapping>

      3) Created jboss-wsse-server.xml in WEB-INF (as it is a POJO web service) with this content:

       

      <?xml version="1.0" encoding="UTF-8"?>

       

      <jboss-ws-security

        xmnls="http://www.jboss.com/ws-security/config"

        xmnls:xsi="http://ww.w3.org/2001/XMLSchema-instance"

        xsi:schemaLocation="http://www.jboss.com/ws-security/config

                            http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">

        <key-store-file>WEB-INF/server.keystore</key-store-file>

        <key-store-type>jks</key-store-type>

        <key-store-password>password</key-store-password>

       

        <trust-store-file>WEB-INF/server.truststore</trust-store-file>

        <trust-store-type>jks</trust-store-type>

        <trust-store-password>password</trust-store-password>

        <key-passwords>

          <key-password alias="server" password="password" />

        </key-passwords>

        <config>

          <encrypt type="x509v3" alias="client" />

          <requires>

            <encryption />

          </requires>

        </config>

      </jboss-ws-security>

      4) Put server.keystore and server.truststore in WEB-INF

      5) Deployed the web service (it deploys with no errors)

      6) Created a test client project "hello-client"

      7) Used wsconsume on the test client project to generate the necessary classes to consume the web service

      8) Created the next class on the test client to test the web service

       

      package org.jboss.samples.webservices;

       

      public class Client {

      /**

        * @param args

        */

      public static void main(String[] args) {

      HelloWorldService helloWorldService = new HelloWorldService();

      HelloWorld helloWorldPort = helloWorldService.getHelloWorldPort();

      String sayHello = helloWorldPort.sayHello("Jhon");

      System.out.println(sayHello);

      }

      }

       

      I haven't created jboss-wsse-client.xml in the test client nor it's keystore and trustore, the problem is that if I execute the client it consumes the web service with no problem at all. Any clue why can I consume a secured web service without providing credentials? I guess the web service is not secured, but why?

       

      I appreciate any tip you can give

        • 1. Re: ws-security on Jboss AS 6.1.0
          mblanco Newbie

          Hi, I'm still stuck.

           

          As I understand jboss 6 uses JBossWS-CXF instead of JBossWS-Native, and apparently JBossWS-Native used the simple configuration I used above. I'm in a situation in which I have jboss 6.1 installed but I can't (or must not) add new modules to the server, so if jboss 6 comes with JBossWS-CXF instead of JBossWS-Native I must use JBossWS-CXF.

           

          So, I'm trying to configure wssecurity using JBossWS-CXF, according to http://docs.jboss.org/jbossas/6/WebServices_Guide/en-US/html/chap_JBossWS-StackCXFUserGuide.html#JBossWS-StackCXFUserGuide_WSSecurity I need to add interceptors through Spring or programmatically. I can't install Spring, so I need to define them programmatically  the problem is that I am not able to find a complete example of wssecurity on JBossWS-CXF configured programmatically (the guide uses jboss-cxf.xml wich is for Spring). Even JBossWS-CXF sources has all wsse examples using spring.

           

          Does anyone know of a wsse example of JBossWS-CXF on jboss 6.* without using spring?? Or any other option to configure wssecurity on Jboss 6 without adding new modules to the server (and an example)?

           

          Maybe (and most probably) I'm missing something, is it really necessary to programmatically configure wsse on a default installation of jboss 6? It surprises me because in jboss 5 it was much simpler by default.