Hi,
 
Axis 1.4 offers WS-Security capability by using the Apache WSS4J,
XML-Security and WS-Addressing projects.
 
WS-Security and WS-Addressing are enabled by configuring the Axis client
configuration file for each service that needs these features.
 
The global configuration parameter 'enableNamespacePrefixOptimization' must
be false so that the XML is not altered after the signing process; any change
to the signed content would invalidate the signature.
 
Client Configuration Example 
 
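<?xml version="1.0" encoding="utf-8"?>

<deployment name="defaultClientConfig"
            xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">

  <globalConfiguration>
    <parameter name="disablePrettyXML" value="true"/>
    <parameter name="addressing.sendReplyTo" value="true"/>
    <!-- Must stay false: rewriting namespace prefixes after signing would
         change the signed octets and invalidate the signature. -->
    <parameter name="enableNamespacePrefixOptimization" value="false"/>
  </globalConfiguration>

  <service name="MyServicePort">
    <requestFlow>
      <handler type="java:com.acme.MyHandler">
        <parameter name="acme.keyword" value="value"/>
      </handler>
    </requestFlow>
  </service>

  <service name="XYZPort">
    <requestFlow>

      <!-- Adds the WS-Addressing headers to the outgoing request. -->
      <handler type="java:org.apache.axis.message.addressing.handler.AddressingHandler">
        <!-- Reference elements are added in the same order -->
        <parameter name="referencePropertyNames"
                   value="{Element}{http://schemas.xmlsoap.org/ws/2004/03/addressing}Action;
                          {Element}{http://schemas.xmlsoap.org/ws/2004/03/addressing}MessageID;
                          {Element}{http://schemas.xmlsoap.org/ws/2004/03/addressing}ReplyTo;
                          {Element}{http://schemas.xmlsoap.org/ws/2004/03/addressing}To;
                          {Element}{http://schemas.xmlsoap.org/ws/2004/03/addressing}From"/>
      </handler>

      <!-- WS-Security sender. Listed after the AddressingHandler so that the
           addressing headers it adds are present to be signed. -->
      <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
        <!-- action order is important, do Timestamp then Signature if signing Timestamp -->
        <parameter name="action" value="Timestamp Signature"/>
        <!-- Keystore alias of the signing key; also handed to the password
             callback class as the identifier. -->
        <parameter name="user" value="XYZLabel"/>
        <!-- Supplies the private-key password at runtime instead of storing it here. -->
        <parameter name="passwordCallbackClass" value="com.acme.security.PasswordCallback"/>
        <!-- DirectReference: the signing certificate is carried as a
             BinarySecurityToken in the Security header and referenced directly. -->
        <parameter name="signatureKeyIdentifier" value="DirectReference"/>
        <!-- Properties file that names the keystore and holds its password
             in clear text; restrict access to it. -->
        <parameter name="signaturePropFile" value="pki/security.properties"/>
        <!-- Timestamp validity in seconds; keep it short to bound the replay window. -->
        <parameter name="timeToLive" value="300"/>
        <parameter name="precisionInMilliseconds" value="false" />
        <!-- Reference elements are added in the same order.
             Signing the addressing headers and the Timestamp together with the
             Body binds the message to its destination, action and validity
             window, so none of them can be swapped without breaking the signature. -->
        <parameter name="signatureParts"
                   value="{Element}{http://schemas.xmlsoap.org/ws/2004/03/addressing}Action;
                          {Element}{http://schemas.xmlsoap.org/ws/2004/03/addressing}MessageID;
                          {Element}{http://schemas.xmlsoap.org/ws/2004/03/addressing}ReplyTo;
                          {Element}{http://schemas.xmlsoap.org/ws/2004/03/addressing}To;
                          {Element}{http://schemas.xmlsoap.org/ws/2004/03/addressing}From;
                          {Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;
                          {Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
      </handler>
    </requestFlow>
  </service>

  <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender"/>
  <transport name="java" pivot="java:org.apache.axis.transport.java.JavaSender"/>
  <transport name="local" pivot="java:org.apache.axis.transport.local.LocalSender"/>

</deployment>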
  
The latest WS-Addressing namespace is currently
'http://schemas.xmlsoap.org/ws/2004/08/addressing' but some web service
servers such as .Net expect the namespace to be
'http://schemas.xmlsoap.org/ws/2004/03/addressing'. 
 
To switch from the 2004/08 to the 2004/03 namespace, use the following code:
 
// Make the stub emit the 2004/03 WS-Addressing namespace (the one WSE 3.0 /
// .NET services expect) instead of the newer 2004/08 default.
stub._setProperty (
org.apache.axis.message.addressing.Constants.ENV_ADDRESSING_NAMESPACE_URI,

org.apache.axis.message.addressing.Constants.NS_URI_ADDRESSING_2004_03 ) ;
  
 
The 'user' parameter has different meanings depending on the action.
If one of the actions is Signature, the user value is the keystore
alias/label in the specified keystore file. The password for the private key
is supplied by a custom callback class named in the passwordCallbackClass
parameter; the user value is passed to an instance of the callback class as
the identifier.
 
The signaturePropFile parameter names the properties file used during
the signing process. This file specifies which keystore file to use and the
password to that keystore.
 
 
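#
# Webservice Security
#
# Crypto provider WSS4J uses to load the signing key and certificate.
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=pkcs12
org.apache.ws.security.crypto.merlin.file=pki/keystore.pfx
# Keystore password in clear text: restrict file permissions and keep this
# file out of version control.
org.apache.ws.security.crypto.merlin.keystore.password=keypassword
#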
 
The following example is a template for a password callback class. 
 
 
package com.acme.security ;
 
import  java.io.* ;
 
import javax.security.auth.callback.Callback ;
import javax.security.auth.callback.CallbackHandler ;
import javax.security.auth.callback.UnsupportedCallbackException ;
 
import org.apache.ws.security.WSPasswordCallback ;
 
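public class PasswordCallback implements CallbackHandler
{
    /*
        Identifiers this handler answers for, and the matching secrets.

        These are template placeholders. In a deployment, replace the literal
        secrets with values read from protected storage (a keystore, an
        environment variable or a secret store) so that credentials are not
        compiled into the class or checked into source control.
    */
    private static final String SIGNATURE_ALIAS = "XYZLabel" ;
    private static final String SIGNATURE_KEY_PASSWORD = "keypassword" ;
    private static final String USERNAME_TOKEN_USER = "myuser" ;
    private static final String USERNAME_TOKEN_PASSWORD = "mypassword" ;

    public PasswordCallback ()
    {
    }

    /**
     * Supplies the password WSS4J asks for through a WSPasswordCallback.
     *
     * Only the SIGNATURE usage (private-key password for the keystore alias)
     * and the USERNAME_TOKEN usage (password for the user name) are answered;
     * the other usages are logged and skipped.
     *
     * @param callbackArray callbacks handed over by WSS4J; entries that are not
     *                      WSPasswordCallback are ignored
     * @throws UnsupportedCallbackException when a SIGNATURE or USERNAME_TOKEN
     *                      callback carries an identifier this handler has no
     *                      password for (instead of silently leaving it unset)
     * @throws IOException when no SIGNATURE or USERNAME_TOKEN callback was present
     */
    public void handle ( Callback[] callbackArray ) throws IOException,
                                                          UnsupportedCallbackException
    {
        System.out.println ( "PasswordCallback handle" ) ;

        for ( int i = 0; i < callbackArray.length; i++ )
        {
            if ( ! ( callbackArray[i] instanceof WSPasswordCallback ) )
            {
                continue ;
            }

            WSPasswordCallback callback = (WSPasswordCallback) callbackArray[i] ;

            int usage = callback.getUsage () ;

            String identifier = callback.getIdentifer () ;

            String label = usageName ( usage ) ;

            if ( label == null )
            {
                // Usage value this template does not know about; leave it to WSS4J.
                continue ;
            }

            // The identifier is the keystore alias or user name, not a secret.
            System.out.println ( label + " " + identifier ) ;

            if ( usage == WSPasswordCallback.SIGNATURE )
            {
                /*
                    keystore private key password
                */
                callback.setPassword ( passwordFor ( callback, identifier,
                                                     SIGNATURE_ALIAS,
                                                     SIGNATURE_KEY_PASSWORD ) ) ;

                return ;
            }

            if ( usage == WSPasswordCallback.USERNAME_TOKEN )
            {
                callback.setPassword ( passwordFor ( callback, identifier,
                                                     USERNAME_TOKEN_USER,
                                                     USERNAME_TOKEN_PASSWORD ) ) ;

                return ;
            }

            // UNKNOWN, DECRYPT, KEY_NAME, USERNAME_TOKEN_UNKNOWN and
            // SECURITY_CONTEXT_TOKEN: nothing to supply, keep scanning.
        }

        throw new IOException ( "PasswordCallback: unrecognized password callback instance or callback usage" ) ;
    }

    /**
     * Returns the password for the expected identifier, or fails loudly.
     *
     * A null identifier is handled (it does not match), so a callback without
     * an identifier cannot cause a NullPointerException here.
     *
     * @throws UnsupportedCallbackException when identifier differs from expected
     */
    private static String passwordFor ( WSPasswordCallback callback,
                                        String identifier,
                                        String expected,
                                        String password ) throws UnsupportedCallbackException
    {
        if ( expected.equals ( identifier ) )
        {
            return password ;
        }

        throw new UnsupportedCallbackException ( callback,
            "PasswordCallback: no password configured for identifier " + identifier ) ;
    }

    /** Log label for a WSPasswordCallback usage code; null if the code is not one we know. */
    private static String usageName ( int usage )
    {
        switch ( usage )
        {
            case WSPasswordCallback.UNKNOWN :                return "UNKNOWN" ;
            case WSPasswordCallback.DECRYPT :                return "DECRYPT" ;
            case WSPasswordCallback.SIGNATURE :              return "SIGNATURE" ;
            case WSPasswordCallback.KEY_NAME :               return "KEY_NAME" ;
            case WSPasswordCallback.USERNAME_TOKEN :         return "USERNAME_TOKEN" ;
            case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN : return "USERNAME_TOKEN_UNKNOWN" ;
            case WSPasswordCallback.SECURITY_CONTEXT_TOKEN : return "SECURITY_CONTEXT_TOKEN" ;
            default :                                        return null ;
        }
    }
}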
 
============================================================================
=================
 

-----Original Message-----
From: Wishing Carebear [mailto:[email protected]]
Sent: Saturday, 29 August 2009 7:35 AM
To: [email protected]
Subject: Re: Help with axis1.4.1 (not axis2) and wss4j


Hello:
Can someone provide some pointers.
 
Thanks,
cabear


On Fri, Aug 28, 2009 at 10:13 AM, Wishing Carebear <
[email protected] <mailto:[email protected]> > wrote:


Hello:
I'm trying to write a client to a WSE 3.0 published webservice. The policy
file looks like below:
 
Do wss4j and axis support addressing?
 
Thanks,
cabear

------------------------

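<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">

  <extensions>
    <extension name="usernameForCertificateSecurity"
               type="Microsoft.Web.Services3.Design.UsernameForCertificateAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="x509"
               type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader"
               type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>

  <policy name="ServerPolicy">
    <!-- NOTE(review): establishSecurityContext="true" and requireDerivedKeys="true"
         ask for a WS-SecureConversation context with derived keys, and
         encryptBody="true" expects request and response bodies to be encrypted.
         The Axis example earlier in this thread only does Timestamp + Signature,
         so confirm what the server actually accepts before relying on it. -->
    <usernameForCertificateSecurity establishSecurityContext="true"
                                    renewExpiredSecurityContext="true"
                                    requireSignatureConfirmation="false"
                                    messageProtectionOrder="SignBeforeEncrypt"
                                    requireDerivedKeys="true"
                                    ttlInSeconds="300">
      <serviceToken>
        <!-- Service certificate looked up in the local machine store by subject DN. -->
        <x509 storeLocation="LocalMachine" storeName="My"
              findValue="CN=TMPDMDevelopment"
              findType="FindBySubjectDistinguishedName" />
      </serviceToken>
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
                 encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
                  encryptBody="true" />
        <!-- Faults are signed but not encrypted. -->
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
               encryptBody="false" />
      </protection>
    </usernameForCertificateSecurity>
    <requireActionHeader />
  </policy>

  <policy name="AuthenticationServicePolicy">
    <!-- Same protection as ServerPolicy; only the certificate store differs. -->
    <usernameForCertificateSecurity establishSecurityContext="true"
                                    renewExpiredSecurityContext="true"
                                    requireSignatureConfirmation="false"
                                    messageProtectionOrder="SignBeforeEncrypt"
                                    requireDerivedKeys="true"
                                    ttlInSeconds="300">
      <serviceToken>
        <x509 storeLocation="LocalMachine" storeName="AddressBook"
              findValue="CN=TMPDMDevelopment"
              findType="FindBySubjectDistinguishedName" />
      </serviceToken>
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
                 encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
                  encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
               encryptBody="false" />
      </protection>
    </usernameForCertificateSecurity>
    <requireActionHeader />
  </policy>

  <!-- ClientPolicy is commented out in the original; kept here unchanged.
  <policy name="ClientPolicy">
    <usernameForCertificateSecurity establishSecurityContext="true"
                                    renewExpiredSecurityContext="true"
                                    requireSignatureConfirmation="false"
                                    messageProtectionOrder="SignBeforeEncrypt"
                                    requireDerivedKeys="true"
                                    ttlInSeconds="300">
      <serviceToken>
        <x509 storeLocation="LocalMachine" storeName="AddressBook"
              findValue="CN=TMPDMDevelopment"
              findType="FindBySubjectDistinguishedName" />
      </serviceToken>
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
                 encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
                  encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
               encryptBody="false" />
      </protection>
    </usernameForCertificateSecurity>
    <requireActionHeader />
  </policy>
  -->

</policies>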

------------------------
           


