2 Replies Latest reply on Oct 15, 2013 6:38 AM by Alessio Soldano

    Does WS-Security require wsdl mods?

    Mirko Caserta Newbie

      Hi there,

      I have a web service that needs to be WS-Security enabled. Since I need to implement the wsdl as given to us, I'd prefer to leave it alone. The wsdl which was given to me doesn't have any WS-Security tags.


      From what I understand, in CXF, WS-Security can be configured with interceptors, so I'm assuming I'm not supposed to modify the wsdl file to enable and configure any security features. Please correct me if I'm wrong.


      I'm also trying to use the CXF implementation in jboss-eap-6.1.0 since I'd very much prefer not having to bring my own libs when the container already has them.


      I have annotated my @WebService implementation with:


      @EndpointConfig(configFile = "WEB-INF/jaxws-endpoint-config.xml", configName = "Custom WS-Security Endpoint")


      and my jaxws-endpoint-config.xml is being picked up, since jboss fails to deploy my war if I add spurious chars in the xml.


      The thing is, nothing special happens when I deploy the WS. It just gets exposed normally as if no WS-Security had been configured.


      I'm also looking at the examples in the binary distribution and it seems to me that the only thing I'm missing is the security stuff in the wsdl, so I'm a bit confused.


      I can provide further details, such as the jaxws-endpoint.config.xml contents if necessary.


      Any word of advice would be a big help. Thanks a lot in advance.

        • 1. Re: Does WS-Security require wsdl mods?
          Mirko Caserta Newbie

          Ok, to answer to myself for future reference, I think I found what I was looking for:


          First of all you need to create the web service endpoint using JAX-WS. While this can generally be achieved in different ways, it's required to use a contract-first approach when using WS-Security, as the policies declared in the wsdl are parsed by the Apache CXF engine on both server and client sides. So, here is an example of WSDL contract enforcing signature and encryption using X 509 certificates...

          Sounds like I need to either get a wsdl with WS-Security tags or I'll have to modify it myself.

          • 2. Re: Does WS-Security require wsdl mods?
            Alessio Soldano Master

            Sorry for the late feedback.

            Yes, the suggested (and supported on EAP) way of configuring ws-security is through proper ws-policy assertions in the wsdl, so contract-first approach.


            If manually modifying the wsdl is a problem (as you need to figure out which assertions to add), you might get some help from the following approach (requires latest version of jbossws):

            1) use the tools to generate the endpoint from the wsdl that's been provided to you

            2) use @PolicySets (WS-Policy - JBoss Web Services - Project Documentation Editor) for attaching one of the existing sample policies to the published endpoint

            3) (optional) save the published wsdl and get back to full contract first approach, removing the @PolicySets from your endpoint and referencing the saved wsdl; you can of course fine tune the policies / assertions in the wsdl (and should, to be sure of getting the exact level of security you need).