10 Replies Latest reply on Nov 13, 2013 1:08 PM by David Ward

    Securing a switchyard rest-bind application

    Dishant Anand Newbie

      Hi fellas,

       

      Recently while i was going through various quickstarts,i built the rest-bind quickstart and working great now what i was thinking was how would i secure the exposed rest endpoint in switchyard?

      same question applies in case i am working on with some soap based architecture.

       

      i have been through the docs and found that sy provides policies which simply ensure tht whoever is coming to use the service is secured,but to configure we need to put some security configurations

       

      Can somebody put some light on this..

       

      Thanks and Regards

      d.synchronized

        • 1. Re: Securing a switchyard rest-bind application
          Keith Babo Master

          Take a look at the policy-security* examples in the demos section of the quickstarts:

          https://github.com/jboss-switchyard/quickstarts/tree/master/demos

           

          Quite a few examples of using security policy with SOAP there.  Securing a REST endpoint is a matter of configuring the underlying listener in standalone.xml to use SSL.  Information on that can be found in the AS 7 documentation.  For example:

          SSL setup guide - JBoss AS 7.2 - Project Documentation Editor

          • 2. Re: Securing a switchyard rest-bind application
            Dishant Anand Newbie

            Hi Keith ,

             

            Thanks for your reply,I tried with a quickstart security-policy-xaml project configured it according to the instructions,

            Steps followed to configure it,

             

            1.created a tomcat.jks file,

            2.configured https,

            3.configured security-domains ,

            4.place sts.war in deployments,

            5.copied property file into the configurations

            6.Deployed project and ran WorkServiceMain class with required arguments,

             

            but whenever i run the above mentioned  class,i get the following error,

             

            11:04:05,920 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (http-localhost-127.0.0.1-8443-1) Application {urn:switchyard-quickstart-demo:policy-security-saml:0.1.0}WorkService#{urn:switchyard-quickstart-demo:policy-security-saml:0.1.0}doWork has thrown exception, unwinding now: org.apache.cxf.interceptor.Fault: Required policies have not been provided: clientAuthentication

              at org.jboss.wsf.stack.cxf.JBossWSInvoker.createFault(JBossWSInvoker.java:246)

              at org.jboss.wsf.stack.cxf.JBossWSInvoker._invokeInternal(JBossWSInvoker.java:201)

              at org.jboss.wsf.stack.cxf.JBossWSInvoker.invoke(JBossWSInvoker.java:127)

              at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)

              at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:439) [rt.jar:1.6.0_43]

              at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303) [rt.jar:1.6.0_43]

              at java.util.concurrent.FutureTask.run(FutureTask.java:138) [rt.jar:1.6.0_43]

              at org.apache.cxf.workqueue.SynchronousExecutor.execute(SynchronousExecutor.java:37)

              at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:106)

              at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)

              at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)

              at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:207)

              at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:91)

              at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:169)

              at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:87)

              at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:185)

              at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:108)

              at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]

              at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:135)

              at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140) [jbossws-spi-2.0.3.GA.jar:2.0.3.GA]

              at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]

              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329)

              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248)

              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275)

              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161)

              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)

              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)

              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)

              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)

              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)

              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)

              at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_43]

            Caused by: org.switchyard.exception.SwitchYardException: Required policies have not been provided: clientAuthentication

              at org.switchyard.component.soap.InboundHandler.invoke(InboundHandler.java:223) [switchyard-component-soap-0.6.0.Final.jar:0.6.0.Final]

              at org.switchyard.component.soap.endpoint.BaseWebService.invoke(BaseWebService.java:113) [switchyard-component-soap-0.6.0.Final.jar:0.6.0.Final]

              at org.switchyard.component.soap.endpoint.BaseWebService.invoke(BaseWebService.java:43) [switchyard-component-soap-0.6.0.Final.jar:0.6.0.Final]

              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_43]

              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_43]

              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_43]

              at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_43]

              at org.jboss.ws.common.invocation.AbstractInvocationHandlerJSE.invoke(AbstractInvocationHandlerJSE.java:111)

              at org.jboss.wsf.stack.cxf.JBossWSInvoker._invokeInternal(JBossWSInvoker.java:181)

              ... 31 more

             

            When i was debugging the WorkServiceMain class ,i found that assertions were coming as assertion:saml null ,well i dont know what that signifies but in the end i was not able to invoke the soap endpoint,Since assertion are the main thing handling the client authentication,Am i missing something in configurations?

             

            Regards ,

            d.synchronized

            • 3. Re: Securing a switchyard rest-bind application
              David Ward Master

              Did you add the required security section to your switchyard.xml file, including the STSTokenCallbackHandler?  Aside, what version of SwitchYard are you using?

              • 4. Re: Securing a switchyard rest-bind application
                Dishant Anand Newbie

                Hi David ,

                 

                I am using switchyard version 1.0.0.Final and yes it has STSTokenCallbackhandler already configured,

                This is what it looks like

                   <securities>

                            <security callbackHandler="org.switchyard.security.jboss.callback.handler.STSTokenCallbackHandler" securityDomain="saml-validate-token"/>

                        </securities>

                 

                This has been added to the domain tags,I have configured this project from the quickstarts,Still not able to solve the error.

                 

                Thanks for your help in advance

                d.synchronized

                • 5. Re: Securing a switchyard rest-bind application
                  Dishant Anand Newbie

                  If i run the test class WokService Main Class,then in the method getAssertion() where it is asking the picketLink-sts for the assertions ,

                   

                  WSTrustClient client = new WSTrustClient("PicketLinkSTS", "PicketLinkSTSPort",

                                  "http://localhost:8080/picketlink-sts/PicketLinkSTS", new SecurityInfo("admin", "admin"));

                          //Element assertion = client.issueTokenForEndpoint("urn:switchyard-quickstart-demo:policy-security-saml:0.1.0");

                          Element assertion = client.issueToken(SAMLUtil.SAML2_TOKEN_TYPE);

                   

                  while the assertions are coming like [saml:Assertion: null] that means no authentication data i suppose?

                   

                  Do i need to give you some other informations apart from this? as i am using one of the project from the quickstarts ,and i have not done any changes to it

                   

                  Regards,

                  d.synchronized@gmail.com

                  • 6. Re: Securing a switchyard rest-bind application
                    David Ward Master

                    [saml:Assertion: null] is how the default toString() method outputs xml element nodes. It doesn't mean it is null.  The fact that you see that means that there is, in fact, an Assertion element.


                    Please let me see your entire target/classes/META-INF/switchyard.xml file.

                    • 7. Re: Securing a switchyard rest-bind application
                      Dishant Anand Newbie

                      Hi David ,

                       

                      Here i am attaching my switchyard.xml file

                      and i am using a switchyard server which was configured for the switchyard version 0.6.0.FInal ,I dont think that can cause any problem?,except from the version my security subsystem is properly configured.

                       

                      Thanks for you help in advance,
                      d.synchronized@gmail.com

                      • 8. Re: Securing a switchyard rest-bind application
                        David Ward Master

                        Yes, that would be a problem.  I think this is quite possibly the cause for your problems in the other threads you've posted.  You said above you're using SwitchYard 1.0.0.Final, but now you just told me you're targeting a server configured with 0.6.0.Final.  That's not gonna work.  You should align your versions properly.

                        • 9. Re: Securing a switchyard rest-bind application
                          Dishant Anand Newbie

                          Hi David,

                           

                          Thanks for your help man,i configured all the version in a proper order and the error is gone and in the mean while i got to learn about a few configuration topics as well ,how this sts- thing is working

                           

                          Cheers

                          d.synchronized