JBossWS - Secure transport

Version 3

    JBossWS allows you to require that requests to a given endpoint use SSL by specifying the transportGuarantee attribute in the @WebContext annotation.

    Here is an example using a SLSB endpoint:

    @Stateless
    @SecurityDomain("JBossWS")
    @RolesAllowed("friend")
    @WebContext
    (
      contextRoot="/my-cxt",
      urlPattern="/*",
      authMethod="BASIC",
      transportGuarantee="CONFIDENTIAL",
      secureWSDLAccess=false
    )
    public class EndpointEJB implements EndpointInterface
    {
      ...
    }
    

    Similarly, to enforce the same requirement on POJO endpoints, edit web.xml and add a user-data-constraint element to your security-constraint element:

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>All resources</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>friend</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
    
      <security-role>
        <role-name>friend</role-name>
      </security-role>
    
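    As an added configuration check (not part of the JBossWS documentation), the following Python script walks a web.xml and reports every security-constraint whose transport-guarantee is not CONFIDENTIAL, which is the condition under which BASIC credentials and SOAP bodies travel in clear text. The web.xml text is a constructed sample: its first constraint is the one shown above, its second omits the user-data-constraint.

```python
"""Audit web.xml security-constraints for a missing CONFIDENTIAL transport guarantee."""
import xml.etree.ElementTree as ET

# Constructed sample (not from any real deployment): the /admin/* constraint
# requires BASIC auth for role "admin" but forgets the user-data-constraint.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All resources</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>friend</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

def _children(elem, name):
    """Child elements by local name, so the check works with or without xmlns."""
    return [c for c in elem if c.tag.rsplit('}', 1)[-1] == name]

def find_unprotected_constraints(web_xml_text):
    """Return (resource-name, url-patterns, guarantee) for every constraint whose
    transport-guarantee is not CONFIDENTIAL. INTEGRAL is reported too: it only
    protects against tampering. No user-data-constraint means the servlet
    default, NONE."""
    findings = []
    for sc in _children(ET.fromstring(web_xml_text), 'security-constraint'):
        guarantee = 'NONE'
        for udc in _children(sc, 'user-data-constraint'):
            for tg in _children(udc, 'transport-guarantee'):
                guarantee = (tg.text or '').strip().upper() or 'NONE'
        if guarantee == 'CONFIDENTIAL':
            continue
        for wrc in _children(sc, 'web-resource-collection'):
            name = next(((n.text or '').strip() for n in _children(wrc, 'web-resource-name')), '?')
            patterns = [(p.text or '').strip() for p in _children(wrc, 'url-pattern')]
            findings.append((name, patterns, guarantee))
    return findings

if __name__ == '__main__':
    for name, patterns, guarantee in find_unprotected_constraints(SAMPLE_WEB_XML):
        print(f"{name}: {patterns} transport-guarantee={guarantee}")
```

    Run it against a deployed WAR's WEB-INF/web.xml; an empty result means every constrained resource also requires SSL.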

    If you're manually creating your service contract, make sure that the endpoint address in your WSDL file uses a secure protocol. The easiest way is to use an "https://" URL in the soap:address location:

       <service name="MyService">
        <port name="BasicSecuredPort" binding="tns:MyBinding">
         <soap:address location="https://localhost:8443/my-ctx/SecureEndpoint"/>
        </port>
       </service>
    

    For this to work the Tomcat+SSL connector must be enabled:

       <Connector port="8443" address="${jboss.bind.address}"
            maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
            scheme="https" secure="true" clientAuth="want"
            keystoreFile="${jboss.server.home.dir}/conf/keystores/wsse.keystore"
            keystorePass="jbossws"
            truststoreFile="${jboss.server.home.dir}/conf/keystores/wsse.keystore"
            truststorePass="jbossws"
            sslProtocol="TLS" />
    

    Please refer to the Tomcat 5.5 SSL Configuration HOWTO for further details.


    Client side

    On the client side the truststore must be installed:

          <sysproperty key="javax.net.ssl.keyStore" value="${test.resources.dir}/wsse/wsse.keystore"/>
          <sysproperty key="javax.net.ssl.trustStore" value="${test.resources.dir}/wsse/wsse.truststore"/>
          <sysproperty key="javax.net.ssl.keyStorePassword" value="jbossws"/>
          <sysproperty key="javax.net.ssl.trustStorePassword" value="jbossws"/>
          <sysproperty key="javax.net.ssl.keyStoreType" value="jks"/>
          <sysproperty key="javax.net.ssl.trustStoreType" value="jks"/>
    

    As you can see, this requires you to set up the environment, specifying the location, type and password of your keystore and truststore.

    Finally, in case you see the following exception:

      java.io.IOException: HTTPS hostname wrong:  should be <localhost>
        at sun.net.www.protocol.https.HttpsClient.checkURLSpoofing(HttpsClient.java:493)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:418)
    

    it means the host name in the endpoint address does not match the subject of the certificate the server presented. You should disable URL checking on the client side, which turns off this host name verification in the JBossWS client:

       <sysproperty key="org.jboss.security.ignoreHttpsHost" value="true"/>