3 Replies Latest reply on Jun 6, 2016 6:03 AM by asoldano

    [Wildfly 8.2.0] Securing webservices

    romain.brochot

      Hi,

      I'm trying to secure webservices with a custom policy.

       

      I have no errors when starting Wildfly but the policy is not included in the WSDL.

      We have an EAR structure project. The interface is in another JAR (client) and the implementation is in WAR.

       

      I am using the documentation here: WS-Security - WildFly 8 - Project Documentation Editor, section "Authentication and authorization"

       

      Interface :

      @WebService
      @SOAPBinding(style = Style.RPC)
      @Policy(
              placement = Policy.Placement.BINDING,
              uri = "WEB-INF/UsernameTokenPolicy.xml",
              includeInWSDL = true
      )
      public interface MyClassService {
      
      
      

       

      UsernameTokenPolicy.xml :

      <?xml version="1.0" encoding="UTF-8" ?>
      <wsp:Policy wsu:Id="WebServicePolicy" xmlns:wsp="http://www.w3.org/ns/ws-policy"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <wsp:ExactlyOne>
              <wsp:All>
                  <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                      <wsp:Policy>
                          <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                              <wsp:Policy>
                                  <sp:HashPassword/>
                              </wsp:Policy>
                          </sp:UsernameToken>
                      </wsp:Policy>
                  </sp:SupportingTokens>
              </wsp:All>
          </wsp:ExactlyOne>
      </wsp:Policy>
      
      
      

       

      Implementation :

      @Stateless
      @WebService(
              endpointInterface = "[package_name].MyClassService"
      )
      @EndpointConfig(
              configFile = "WEB-INF/jaxws-endpoint-config.xml", configName = "Custom WS-Security Endpoint"
      )
      @InInterceptors(interceptors = {
              "org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingPolicyInterceptor",
              "org.jboss.test.ws.jaxws.samples.wsse.policy.jaas.POJOEndpointAuthorizationInterceptor"}
      )
      public class MyClassServiceImpl implements MyClassService {
      [.............]
      }
      
      
      

       

      jaxws-endpoint-config.xml :

      <?xml version="1.0" encoding="UTF-8"?>
      <jaxws-config xmlns="urn:jboss:jbossws-jaxws-config:4.0"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:javaee="http://java.sun.com/xml/ns/javaee"
        xsi:schemaLocation="urn:jboss:jbossws-jaxws-config:4.0 schema/jbossws-jaxws-config_4_0.xsd">
        <endpoint-config>
        <config-name>Custom WS-Security Endpoint</config-name>
        <property>
        <property-name>ws-security.validate.token</property-name>
        <property-value>false</property-value>
        </property>
        </endpoint-config>
      </jaxws-config>
      
      
      

       

      Thanks in advance

        • 1. Re: [Wildfly 8.2.0] Securing webservices
          asoldano

          Hi,

          My guess by reading the message above is that, assuming you've done everything correctly as explained in the doc, the fact that you have the service interface in a different jar from the implementation could be related to the problem with the additional policy. Could you please check whether moving the interface together with the implementation changes anything? Otherwise I'll create a testcase with your scenario and see if I can reproduce the issue.

          Cheers

          Alessio

          • 2. Re: [Wildfly 8.2.0] Securing webservices
            romain.brochot

            Hello,

            I just created a basic WS with one method "sayHello".

            Interface and implementation are in the same package, annotations are the same as in the original post.

             


             

            <?xml version="1.0" ?><wsdl:definitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:tns="http://test.webservice.com/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:ns1="http://schemas.xmlsoap.org/soap/http" name="TestWebServiceImplService" targetNamespace="http://test.webservice.com/">
              <wsdl:message name="sayHello">
              </wsdl:message>
              <wsdl:message name="sayHelloResponse">
                <wsdl:part name="return" type="xsd:string">
                </wsdl:part>
              </wsdl:message>
              <wsdl:portType name="TestWebService">
                <wsdl:operation name="sayHello">
                  <wsdl:input message="tns:sayHello" name="sayHello">
                </wsdl:input>
                  <wsdl:output message="tns:sayHelloResponse" name="sayHelloResponse">
                </wsdl:output>
                </wsdl:operation>
              </wsdl:portType>
              <wsdl:binding name="TestWebServiceImplServiceSoapBinding" type="tns:TestWebService">
                <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"></soap:binding>
                <wsdl:operation name="sayHello">
                  <soap:operation soapAction="" style="rpc"></soap:operation>
                  <wsdl:input name="sayHello">
                    <soap:body namespace="http://test.webservice.com/" use="literal"></soap:body>
                  </wsdl:input>
                  <wsdl:output name="sayHelloResponse">
                    <soap:body namespace="http://test.webservice.com/" use="literal"></soap:body>
                  </wsdl:output>
                </wsdl:operation>
              </wsdl:binding>
              <wsdl:service name="TestWebServiceImplService">
                <wsdl:port binding="tns:TestWebServiceImplServiceSoapBinding" name="TestWebServiceImplPort">
                  <soap:address location="http://localhost:8080/test/TestWebServiceImpl"></soap:address>
                </wsdl:port>
              </wsdl:service>
            </wsdl:definitions>
            
            

             

            and the policy is still not there.

            • 3. Re: [Wildfly 8.2.0] Securing webservices
              asoldano

              Sorry for the late reply, I missed the reply notification.

              I was thinking... can you share the contents of your MANIFEST.MF? In particular, I'm interested in checking if you have the org.apache.cxf module dependency set in there. Without that dependency, the @Policy and @InInterceptors annotations simply go unnoticed.
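
Added example, not part of the thread and not WildFly or JBossWS code: a Python check for the two things discussed above, whether a MANIFEST.MF declares the org.apache.cxf module dependency and whether a published WSDL attaches a policy to its binding. The sample manifest, the module com.example.shared, the binding name and the function names are constructed for illustration; it assumes the policy shows up in the WSDL either inline in the binding or as a local PolicyReference.

```python
import xml.etree.ElementTree as ET
WSDL = "http://schemas.xmlsoap.org/wsdl/"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
# Both WS-Policy namespace versions are accepted.
WSP = ("http://www.w3.org/ns/ws-policy", "http://schemas.xmlsoap.org/ws/2004/09/policy")

def manifest_dependencies(text):
    """Module names from the comma-separated Dependencies header of a MANIFEST.MF."""
    # Long manifest lines are folded; a continuation line starts with one space.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for line in unfolded.split("\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "dependencies":
            return [e.split()[0] for e in value.split(",") if e.strip()]
    return []

def binding_policy_assertions(wsdl_text):
    """Map each wsdl:binding name to the assertion names of its attached policies."""
    root = ET.fromstring(wsdl_text)
    id_attr = "{%s}Id" % WSU
    by_id = {"#" + p.get(id_attr): p for ns in WSP
             for p in root.iter("{%s}Policy" % ns) if p.get(id_attr)}
    result = {}
    for binding in root.findall("{%s}binding" % WSDL):
        found = set()
        for ns in WSP:
            policies = binding.findall("{%s}Policy" % ns)  # inline policy
            for ref in binding.findall("{%s}PolicyReference" % ns):
                if ref.get("URI") in by_id:  # local "#Id" reference
                    policies.append(by_id[ref.get("URI")])
            for pol in policies:
                # Keep security assertions, skip the WS-Policy operators themselves.
                found.update(el.tag.split("}")[-1] for el in pol.iter()
                             if el.tag.split("}")[0].lstrip("{") not in WSP)
        result[binding.get("name")] = found
    return result

# Constructed samples, not taken from a real deployment.
SAMPLE_MANIFEST = ("Manifest-Version: 1.0\n"
                   "Dependencies: com.example.shared export,org.apa\n che.cxf\n")
_T = ('<wsdl:definitions xmlns:wsdl="%s" xmlns:wsp="%s" xmlns:wsu="%s" '
      'xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">%%s'
      '<wsdl:binding name="TestSoapBinding">%%s</wsdl:binding></wsdl:definitions>'
      ) % (WSDL, WSP[0], WSU)
WSDL_NO_POLICY = _T % ("", "")
WSDL_WITH_POLICY = _T % (
    '<wsp:Policy wsu:Id="WebServicePolicy"><sp:SupportingTokens><wsp:Policy>'
    '<sp:UsernameToken/></wsp:Policy></sp:SupportingTokens></wsp:Policy>',
    '<wsp:PolicyReference URI="#WebServicePolicy"/>')
```

An empty set for a binding corresponds to the WSDL posted in reply 2, where no policy is advertised to clients.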