1 Reply Latest reply on Oct 5, 2012 8:22 AM by michajil_tigrow

    @EndpointConfig ws security poblem in jboss7

    michajil_tigrow Newbie

      Hi

      I'm trying to secure my exisiting web services using WS-Security.

      I tried to follow the tutorial https://docs.jboss.org/author/display/JBWS/WS-Security but I just cant make it work - i'm stuck on the first part with X509 certificates.

      I've added this to my wsdl

       

      {code:xml}

      <wsp:Policy wsu:Id="SecurityServiceSignThenEncryptPolicy" xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">

          <wsp:ExactlyOne>

            <wsp:All>

              <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">

                <wsp:Policy>

                  <sp:InitiatorToken>

                    <wsp:Policy>

                      <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">

                        <wsp:Policy>

                          <sp:WssX509V1Token11/>

                        </wsp:Policy>

                        </sp:X509Token>

                    </wsp:Policy>

                  </sp:InitiatorToken>

                  <sp:RecipientToken>

                    <wsp:Policy>

                      <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">

                        <wsp:Policy>

                          <sp:WssX509V1Token11/>

                        </wsp:Policy>

                      </sp:X509Token>

                    </wsp:Policy>

                  </sp:RecipientToken>

                  <sp:AlgorithmSuite>

                    <wsp:Policy>

                      <sp:TripleDesRsa15/>

                    </wsp:Policy>

                  </sp:AlgorithmSuite>

                  <sp:Layout>

                    <wsp:Policy>

                      <sp:Lax/>

                    </wsp:Policy>

                  </sp:Layout>

                  <sp:IncludeTimestamp/>

                  <sp:EncryptSignature/>

                  <sp:OnlySignEntireHeadersAndBody/>

                  <sp:SignBeforeEncrypting/>

                </wsp:Policy>

              </sp:AsymmetricBinding>

              <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">

                <sp:Body/>

              </sp:SignedParts>

              <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">

                <sp:Body/>

              </sp:EncryptedParts>

              <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">

                <wsp:Policy>

                  <sp:MustSupportRefIssuerSerial/>

                </wsp:Policy>

              </sp:Wss10>

            </wsp:All>

          </wsp:ExactlyOne>

        </wsp:Policy>

      {code}

      I've annotated my webservice with @EndpointConfig like this

       

      {code:java}

      @Stateless(name = "AuthenticationInterfaceV1.1.0")

      @WebService(name = "AuthenticationInterfaceWS", targetNamespace = "AuthenticationInterfaceServiceV1.1.0", serviceName = "AuthenticationInterfaceV1.1.0", wsdlLocation = "META-INF/wsdl/AuthenticationInterfaceWS.wsdl")

      @SOAPBinding(style = SOAPBinding.Style.DOCUMENT, use = SOAPBinding.Use.LITERAL, parameterStyle = SOAPBinding.ParameterStyle.WRAPPED)

      @WebContext(transportGuarantee = "CONFIDENTIAL", secureWSDLAccess = false)

      @EndpointConfig(configFile = "META-INF/jaxws-endpoint-config.xml", configName = "Custom WS-Security Endpoint")

      public class AuthenticationInterfaceBean implements IAuthenticationInterface {

      ...

      }

      {code}

       

      No matter what I put in the jaxws-endpoint-config.xml, I can call my webservice without any problems with soapui, just like before I've put in the @EndpointConfig and modify wsdl.

      If I corrupt the jaxws-endpoint-config.xml file (ie remove some closing tag) I get a deploytime error, so the file is being read.

      But my callback class for providing passwords to keystores is not called at all.

       

      What I'm missing?