0 Replies Latest reply on Mar 23, 2004 12:10 PM by essington

    WS-Security and Email Transport


      Hi All

      I have finished committing what I have so far for Web Service Security, and the JBoss.Net email transport.

      I just performed a fresh checkout and the build completes successfully.

      Axis has been updated to a cvs build of 1.2 since wss4j requires it.

      I have updated the JBoss.Net classes that needed to be changed to work with Axis 1.2, and all tests pass that passed prior to changing the axis version.

      The server side email transport is implemented as an mBean that is triggered by a timer to check an email box and feed any messages it finds to the axis engine.

      The Client side transport actually has 2 implementations one that is synchronous, and one that is asynchronous. The synchronous transport isn't really usefull for much as it blocks while waiting for the response message, but the async transport is more useful.

      The async client is actually 2 parts, the first is an Mbean that is sort of a broker for the asynchronous call. It also checks a mail box for responses similar to the server transport. The other part is the actual transport class that sends the email (request) then sleeps.

      A client class that wants to send an asynchronous message would first invoke the AsynchMailClientService's getService() method to obtain an org.apache.axis.client.Service object. This service is used to create the Call, then rather than issuing a call.invoke(), the client would invoke the sendAsynchronously(Call, IAsyncCallback, Object[]) method of AsyncMailClientService. IAsyncCallback is used to process the response object. sendAsynchronously returns immediately.

      The Web Service Security (server side) is handled mostly through a pair of Axis Handlers, WSSRequestHandler, and WSSResponseHandler. There are xDoclet tag in the jboss-net xDoclet module to add/configure the handlers. These are subclasses of the wss4j handlers. They have been enhanced to get all their configuration information from the deployment descriptor, and they get their key/trust store from a SecurityDomain.

      I have also added a couple of login modules to use with the WSS handlers. They really only map an authenticated user (his certificate alias actually) to his configured roles. There has to be a better way to do the jaas login than I have come up with, so please feel free to give me some pointers.

      I have begun a little how to document for the Web Service Security stuff, but its not done yet. In the mean time, maybe have a look at the wss4j site for information on how some of this works.


      I also need to write a how to on the Asynchronous messaging.

      Oh, by the way, there are 3 new directories in thirdparty that will have to be picked up before any of this will build (apache-wss4j, apache-xmlsec, and bouncycastle). A fresh checkout will do the trick, as will "cvs get _jboss_thirdparty" from the jboss-head directory.