3 Replies Latest reply on Jun 6, 2016 6:03 AM by Alessio Soldano

    [Wildfly 8.2.0] Securing webservices

    Romain BROCHOT Newbie

      Hi,

      I'm trying to secure webservices with a custom policy.

       

      I have no errors when starting Wildfly but the policy is not included in the WSDL.

      We have an EAR structure project. The interface is in another JAR (client) and the implementation is in WAR.

       

      I am using this documentation here WS-Security - WildFly 8 - Project Documentation Editor  @ "Authentication and authorization"

       

      Interface :

      @WebService
      @SOAPBinding(style = Style.RPC)
      @Policy(
              placement = Policy.Placement.BINDING,
              uri = "WEB-INF/UsernameTokenPolicy.xml",
              includeInWSDL = true
      )
      public interface MyClassService {
      
      
      

       

      UsernameTokenPolicy.xml :

      <?xml version="1.0" encoding="UTF-8" ?>
      <wsp:Policy wsu:Id="WebServicePolicy" xmlns:wsp="http://www.w3.org/ns/ws-policy"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <wsp:ExactlyOne>
              <wsp:All>
                  <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                      <wsp:Policy>
                          <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                              <wsp:Policy>
                                  <sp:HashPassword/>
                              </wsp:Policy>
                          </sp:UsernameToken>
                      </wsp:Policy>
                  </sp:SupportingTokens>
              </wsp:All>
          </wsp:ExactlyOne>
      </wsp:Policy>
      
      
      

       

      Implementation :

      @Stateless
      @WebService(
              endpointInterface = "[package_name].MyClassService"
      )
      @EndpointConfig(
              configFile = "WEB-INF/jaxws-endpoint-config.xml", configName = "Custom WS-Security Endpoint"
      )
      @InInterceptors(interceptors = {
              "org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingPolicyInterceptor",
              "org.jboss.test.ws.jaxws.samples.wsse.policy.jaas.POJOEndpointAuthorizationInterceptor"}
      )
      public class MyClassServiceImpl implements MyClassService {
      [.............]
      }
      
      
      

       

      jaxws-endpoint-config.xml :

      <?xml version="1.0" encoding="UTF-8"?>
      <jaxws-config xmlns="urn:jboss:jbossws-jaxws-config:4.0"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:javaee="http://java.sun.com/xml/ns/javaee"
        xsi:schemaLocation="urn:jboss:jbossws-jaxws-config:4.0 schema/jbossws-jaxws-config_4_0.xsd">
        <endpoint-config>
        <config-name>Custom WS-Security Endpoint</config-name>
        <property>
        <property-name>ws-security.validate.token</property-name>
        <property-value>false</property-value>
        </property>
        </endpoint-config>
      </jaxws-config>
      
      
      

       

      Thanks in advance

        • 1. Re: [Wildfly 8.2.0] Securing webservices
          Alessio Soldano Master

          Hi,

          my guess by reading the message above is that, assuming you've done everything correctly as explained in the doc, the fact that you have the service interface in a different jar from the implementation could be related to the problem with the additional policy. Could you please try if moving the interface together with the implementation changes anything? Otherwise I'll create a testcase with you scenario and see if I can reproduce the issue.

          Cheers

          Alessio

          • 2. Re: [Wildfly 8.2.0] Securing webservices
            Romain BROCHOT Newbie

            Hello,

            I just created a basic WS with one method "sayHello".

            Interface and implementations are in the same package, annotations are the same than the original post.

             

            PrtScr.jpg

             

            <?xml version="1.0" ?><wsdl:definitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:tns="http://test.webservice.com/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:ns1="http://schemas.xmlsoap.org/soap/http" name="TestWebServiceImplService" targetNamespace="http://test.webservice.com/">
              <wsdl:message name="sayHello">
              </wsdl:message>
              <wsdl:message name="sayHelloResponse">
                <wsdl:part name="return" type="xsd:string">
                </wsdl:part>
              </wsdl:message>
              <wsdl:portType name="TestWebService">
                <wsdl:operation name="sayHello">
                  <wsdl:input message="tns:sayHello" name="sayHello">
                </wsdl:input>
                  <wsdl:output message="tns:sayHelloResponse" name="sayHelloResponse">
                </wsdl:output>
                </wsdl:operation>
              </wsdl:portType>
              <wsdl:binding name="TestWebServiceImplServiceSoapBinding" type="tns:TestWebService">
                <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"></soap:binding>
                <wsdl:operation name="sayHello">
                  <soap:operation soapAction="" style="rpc"></soap:operation>
                  <wsdl:input name="sayHello">
                    <soap:body namespace="http://test.webservice.com/" use="literal"></soap:body>
                  </wsdl:input>
                  <wsdl:output name="sayHelloResponse">
                    <soap:body namespace="http://test.webservice.com/" use="literal"></soap:body>
                  </wsdl:output>
                </wsdl:operation>
              </wsdl:binding>
              <wsdl:service name="TestWebServiceImplService">
                <wsdl:port binding="tns:TestWebServiceImplServiceSoapBinding" name="TestWebServiceImplPort">
                  <soap:address location="http://localhost:8080/test/TestWebServiceImpl"></soap:address>
                </wsdl:port>
              </wsdl:service>
            </wsdl:definitions>
            
            

             

            and the policy is still not there.

            • 3. Re: [Wildfly 8.2.0] Securing webservices
              Alessio Soldano Master

              Sorry for the late reply, I missed the reply notification.

              I was thinking... can you share the contents of your MANIFEST.MF? In particular, I'm interested in checking if you have the org.apache.cxf module dependency set in there. Without that dependency, the @Policy and @InInterceptors annotations simply go unnoticed.