Alick:
Is there any good tutorial with Addressing and wss4j security and Axis1?

Thanks,
cabear

On Mon, Aug 31, 2009 at 10:45 PM, Wishing Carebear <
[email protected]> wrote:

> Thanks Alick.
>
> I will try it out.
>
> Regards,
> cabear
>
>
> On Mon, Aug 31, 2009 at 2:54 PM, Alick Buckley <[email protected]> wrote:
>
>>  Hi,
>>
>> Axis 1.4 offers WS-Security capability by using the Apache WSS4J,
>> XML-Security and WS-Addressing projects.
>>
>> WS-Security and WS-Addressing capability is available by configuring the
>> Axis client configuration file for the particular service that needs to have
>> these features enabled.
>>
>> The global configuration parameter 'enableNamespacePrefixOptimization'
>> needs to be false, so the XML is not altered after the signing process.
>>
>> Client Configuration Example
>>
>> <?xml version="1.0" encoding="utf-8"?>
>>
>> <deployment name="defaultClientConfig"
>>             xmlns="http://xml.apache.org/axis/wsdd/"
>>             xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
>>
>> <globalConfiguration>
>>   <parameter name="disablePrettyXML" value="true"/>
>>   <parameter name="addressing.sendReplyTo" value="true"/>
>>   <parameter name="enableNamespacePrefixOptimization" value="false"/>
>> </globalConfiguration>
>>
>> <service name="MyServicePort">
>>   <requestFlow>
>>     <handler type="java:com.acme.MyHandler">
>>       <parameter name="acme.keyword" value="value"/>
>>     </handler>
>>   </requestFlow>
>> </service>
>>
>> <service name="XYZPort">
>>   <requestFlow>
>>
>>     <handler type="java:org.apache.axis.message.addressing.handler.AddressingHandler">
>>       <!-- Reference elements are added in the same order -->
>>       <parameter name="referencePropertyNames"
>>                  value="{Element}{http://schemas.xmlsoap.org/ws/2004/03/addressing}Action;
>>                         {Element}{http://schemas.xmlsoap.org/ws/2004/03/addressing}MessageID;
>>                         {Element}{http://schemas.xmlsoap.org/ws/2004/03/addressing}ReplyTo;
>>                         {Element}{http://schemas.xmlsoap.org/ws/2004/03/addressing}To;
>>                         {Element}{http://schemas.xmlsoap.org/ws/2004/03/addressing}From"/>
>>     </handler>
>>
>>     <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
>>       <!-- action order is important, do Timestamp then Signature if signing Timestamp -->
>>       <parameter name="action" value="Timestamp Signature"/>
>>       <parameter name="user" value="XYZLabel"/>
>>       <parameter name="passwordCallbackClass" value="com.acme.security.PasswordCallback"/>
>>       <parameter name="signatureKeyIdentifier" value="DirectReference"/>
>>       <parameter name="signaturePropFile" value="pki/security.properties"/>
>>       <parameter name="timeToLive" value="300"/>
>>       <parameter name="precisionInMilliseconds" value="false" />
>>       <!-- Reference elements are added in the same order -->
>>       <parameter name="signatureParts"
>>                  value="{Element}{http://schemas.xmlsoap.org/ws/2004/03/addressing}Action;
>>                         {Element}{http://schemas.xmlsoap.org/ws/2004/03/addressing}MessageID;
>>                         {Element}{http://schemas.xmlsoap.org/ws/2004/03/addressing}ReplyTo;
>>                         {Element}{http://schemas.xmlsoap.org/ws/2004/03/addressing}To;
>>                         {Element}{http://schemas.xmlsoap.org/ws/2004/03/addressing}From;
>>                         {Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;
>>                         {Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
>>     </handler>
>>   </requestFlow>
>> </service>
>>
>> <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender"/>
>> <transport name="java" pivot="java:org.apache.axis.transport.java.JavaSender"/>
>> <transport name="local" pivot="java:org.apache.axis.transport.local.LocalSender"/>
>>
>> </deployment>
>>
>> The latest WS-Addressing namespace is currently
>> 'http://schemas.xmlsoap.org/ws/2004/08/addressing' but some web service
>> servers such as .Net expect the namespace to be
>> 'http://schemas.xmlsoap.org/ws/2004/03/addressing'.
>>
>> To change the 2004/08 to the 2004/03 namespace requires the following
>> code:
>>
>> stub._setProperty (
>>     org.apache.axis.message.addressing.Constants.ENV_ADDRESSING_NAMESPACE_URI,
>>     org.apache.axis.message.addressing.Constants.NS_URI_ADDRESSING_2004_03 ) ;
>>
>>
>> The parameter user can have several roles depending on the type of action.
>> If one of the actions is Signature then the user value is the keystore
>> alias/label in the specified keystore file. The password to the private key
>> is supplied by a custom call back class specified in the passwordCallback
>> parameter. The user value is passed to an instance of the callback class as
>> the identifier.
>>
>> The parameter signaturePropFile specifies the properties file used during
>> the signing process. This file specifies what keystore file to use and the
>> password to the keystore.
>>
>>
>> #
>> # Webservice Security
>> #
>>
>> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
>> org.apache.ws.security.crypto.merlin.keystore.type=pkcs12
>> org.apache.ws.security.crypto.merlin.file=pki/keystore.pfx
>> org.apache.ws.security.crypto.merlin.keystore.password=keypassword
>> #
>>
>> The following example is a template for a password callback class.
>>
>>
>> package com.acme.security ;
>>
>> import  java.io.* ;
>>
>> import javax.security.auth.callback.Callback ;
>> import javax.security.auth.callback.CallbackHandler ;
>> import javax.security.auth.callback.UnsupportedCallbackException ;
>>
>> import org.apache.ws.security.WSPasswordCallback ;
>>
>> public class PasswordCallback implements CallbackHandler
>> {
>>     public PasswordCallback ()
>>     {
>>     }
>>
>>     public void handle ( Callback[] callbackArray ) throws IOException, UnsupportedCallbackException
>>     {
>>         System.out.println ( "PasswordCallback handle" ) ;
>>
>>         for ( int i = 0; i < callbackArray.length; i++ )
>>         {
>>             if ( callbackArray[i] instanceof WSPasswordCallback )
>>             {
>>                 WSPasswordCallback callback = (WSPasswordCallback)callbackArray[i] ;
>>
>>                 int usage = callback.getUsage () ;
>>
>>                 String identifier = callback.getIdentifer () ;
>>
>>                 if ( usage == WSPasswordCallback.UNKNOWN )
>>                 {
>>                     System.out.println ( "UNKNOWN " + identifier ) ;
>>
>>                     continue ;
>>                 }
>>
>>                 if ( usage == WSPasswordCallback.DECRYPT )
>>                 {
>>                     System.out.println ( "DECRYPT " + identifier ) ;
>>
>>                     continue ;
>>                 }
>>
>>                 if ( usage == WSPasswordCallback.SIGNATURE )
>>                 {
>>                     System.out.println ( "SIGNATURE " + identifier ) ;
>>
>>                     if ( identifier.equals ( "XYZLabel" ) )
>>                     {
>>                          /*
>>                              keystore private key password
>>                          */
>>
>>                          callback.setPassword ( "keypassword" ) ;
>>
>>                          return ;
>>                     }
>>
>>                     return ;
>>                 }
>>
>>                 if ( usage == WSPasswordCallback.KEY_NAME )
>>                 {
>>                     System.out.println ( "KEY_NAME " + identifier ) ;
>>
>>                     continue ;
>>                 }
>>
>>                 if ( usage == WSPasswordCallback.USERNAME_TOKEN )
>>                 {
>>                     System.out.println ( "USERNAME_TOKEN "  + identifier ) ;
>>
>>                     if ( identifier.equals ( "myuser" ) )
>>                     {
>>                          callback.setPassword ( "mypassword" ) ;
>>
>>                          return ;
>>                     }
>>
>>                     return ;
>>                 }
>>
>>                 if ( usage == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN )
>>                 {
>>                     System.out.println ( "USERNAME_TOKEN_UNKNOWN " + identifier ) ;
>>
>>                     continue ;
>>                 }
>>
>>                 if ( usage == WSPasswordCallback.SECURITY_CONTEXT_TOKEN )
>>                 {
>>                     System.out.println ( "SECURITY_CONTEXT_TOKEN " + identifier ) ;
>>
>>                     continue ;
>>                 }
>>             }
>>         }
>>
>>         throw new java.io.IOException ( "PasswordCallback: unrecognized password callback instance or callback usage" ) ;
>>     }
>> }
>>
>>
>> =============================================================================================
>>
>>
>> -----Original Message-----
>> *From:* Wishing Carebear [mailto:[email protected]]
>> *Sent:* Saturday, 29 August 2009 7:35 AM
>> *To:* [email protected]
>> *Subject:* Re: Help with axis1.4.1 (not axis2) and wss4j
>>
>> Hello:
>> Can someone provide some pointers?
>>
>> Thanks,
>> cabear
>>
>> On Fri, Aug 28, 2009 at 10:13 AM, Wishing Carebear <
>> [email protected]> wrote:
>>
>>> Hello:
>>> I'm trying to write a client to a WSE 3.0 published webservice. The
>>> policy file looks like below:
>>>
>>> Do wss4j and axis support addressing?
>>>
>>> Thanks,
>>> cabear
>>>
>>> ------------------------
>>>
>>> <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
>>>     <extensions>
>>>             <extension name="usernameForCertificateSecurity" 
>>> type="Microsoft.Web.Services3.Design.UsernameForCertificateAssertion, 
>>> Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, 
>>> PublicKeyToken=31bf3856ad364e35" />
>>>             <extension name="x509" 
>>> type="Microsoft.Web.Services3.Design.X509TokenProvider, 
>>> Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, 
>>> PublicKeyToken=31bf3856ad364e35" />
>>>             <extension name="requireActionHeader" 
>>> type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, 
>>> Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, 
>>> PublicKeyToken=31bf3856ad364e35" />
>>>     </extensions>
>>>     <policy name="ServerPolicy">
>>>             <usernameForCertificateSecurity establishSecurityContext="true" 
>>> renewExpiredSecurityContext="true" requireSignatureConfirmation="false" 
>>> messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" 
>>> ttlInSeconds="300">
>>>                     <serviceToken>
>>>                             <x509 storeLocation="LocalMachine" 
>>> storeName="My" findValue="CN=TMPDMDevelopment" 
>>> findType="FindBySubjectDistinguishedName" />
>>>                     </serviceToken>
>>>                     <protection>
>>>                             <request signatureOptions="IncludeAddressing, 
>>> IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
>>>                             <response signatureOptions="IncludeAddressing, 
>>> IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
>>>                             <fault signatureOptions="IncludeAddressing, 
>>> IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
>>>                     </protection>
>>>             </usernameForCertificateSecurity>
>>>             <requireActionHeader />
>>>     </policy>
>>>     <policy name="AuthenticationServicePolicy">
>>>             <usernameForCertificateSecurity establishSecurityContext="true" 
>>> renewExpiredSecurityContext="true" requireSignatureConfirmation="false" 
>>> messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" 
>>> ttlInSeconds="300">
>>>                     <serviceToken>
>>>                             <x509 storeLocation="LocalMachine" 
>>> storeName="AddressBook" findValue="CN=TMPDMDevelopment" 
>>> findType="FindBySubjectDistinguishedName" />
>>>                     </serviceToken>
>>>                     <protection>
>>>                             <request signatureOptions="IncludeAddressing, 
>>> IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
>>>                             <response signatureOptions="IncludeAddressing, 
>>> IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
>>>                             <fault signatureOptions="IncludeAddressing, 
>>> IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
>>>                     </protection>
>>>             </usernameForCertificateSecurity>
>>>             <requireActionHeader />
>>>     </policy>
>>>     <!--<policy name="ClientPolicy">
>>>             <usernameForCertificateSecurity establishSecurityContext="true" 
>>> renewExpiredSecurityContext="true" requireSignatureConfirmation="false" 
>>> messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" 
>>> ttlInSeconds="300">
>>>                     <serviceToken>
>>>                             <x509 storeLocation="LocalMachine" 
>>> storeName="AddressBook" findValue="CN=TMPDMDevelopment" 
>>> findType="FindBySubjectDistinguishedName" />
>>>                     </serviceToken>
>>>                     <protection>
>>>                             <request signatureOptions="IncludeAddressing, 
>>> IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
>>>                             <response signatureOptions="IncludeAddressing, 
>>> IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
>>>                             <fault signatureOptions="IncludeAddressing, 
>>> IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
>>>                     </protection>
>>>             </usernameForCertificateSecurity>
>>>             <requireActionHeader />
>>>     </policy>-->
>>> </policies>
>>>
>>>
>>> ------------------------
>>>
>>>
>>
>>
>
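
Added example (not part of any message in this thread, and not Axis or WSS4J code): a structural check that a captured outgoing envelope has exactly one of each element named in the `signatureParts` value quoted above and that each is covered by a `ds:Reference`. The sample envelope, its `id-N` values and the `urn:example` URIs are constructed; `Timestamp` and `Signature` are placed directly under the SOAP header for brevity; digests and the signature value are not verified here.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSA = "http://schemas.xmlsoap.org/ws/2004/03/addressing"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

# Same syntax and order as the signatureParts value in the quoted WSDD.
SIGNATURE_PARTS = "; ".join("{Element}{%s}%s" % (ns, name) for ns, name in [
    (WSA, "Action"), (WSA, "MessageID"), (WSA, "ReplyTo"), (WSA, "To"),
    (WSA, "From"), (WSU, "Timestamp"), (SOAP, "Body")])

def parse_parts(value):
    """Turn '{Element}{ns}Local; ...' into ElementTree tags '{ns}Local'."""
    tags = []
    for part in value.split(";"):
        part = part.strip()
        if part:
            tags.append(part.partition("}")[2].strip())  # drop the '{Element}' mode
    return tags

def unsigned_parts(envelope_xml, parts_value=SIGNATURE_PARTS):
    """List required tags that are missing, duplicated, or not covered by a ds:Reference."""
    root = ET.fromstring(envelope_xml)
    referenced = {r.get("URI", "")[1:] for r in root.iter("{%s}Reference" % DS)
                  if r.get("URI", "").startswith("#")}
    problems = []
    for tag in parse_parts(parts_value):
        elems = list(root.iter(tag))
        # Exactly one element with this name, and its wsu:Id must be referenced.
        if len(elems) != 1 or elems[0].get("{%s}Id" % WSU) not in referenced:
            problems.append(tag)
    return problems

def sample_envelope(signed_ids):
    """Constructed sample message; digest and signature values are left out."""
    refs = "".join('<ds:Reference URI="#%s"/>' % i for i in signed_ids)
    return (
        '<s:Envelope xmlns:s="%s" xmlns:wsa="%s" xmlns:wsu="%s" xmlns:ds="%s"><s:Header>'
        '<wsa:Action wsu:Id="id-1">urn:example:op</wsa:Action>'
        '<wsa:MessageID wsu:Id="id-2">uuid:constructed</wsa:MessageID>'
        '<wsa:ReplyTo wsu:Id="id-3"><wsa:Address>urn:example:anon</wsa:Address></wsa:ReplyTo>'
        '<wsa:To wsu:Id="id-4">http://service.example/xyz</wsa:To>'
        '<wsa:From wsu:Id="id-5"><wsa:Address>urn:example:client</wsa:Address></wsa:From>'
        '<wsu:Timestamp wsu:Id="id-6"><wsu:Created>2009-08-31T00:00:00Z</wsu:Created></wsu:Timestamp>'
        '<ds:Signature><ds:SignedInfo>%s</ds:SignedInfo></ds:Signature>'
        '</s:Header><s:Body wsu:Id="id-7"/></s:Envelope>' % (SOAP, WSA, WSU, DS, refs))

ALL_IDS = ["id-%d" % n for n in range(1, 8)]
print(unsigned_parts(sample_envelope(ALL_IDS)))      # every listed part is referenced
print(unsigned_parts(sample_envelope(ALL_IDS[:3])))  # To, From, Timestamp, Body unreferenced
```

A non-empty result on a message from the client means the `signatureParts` list and the emitted references disagree, which is the condition a receiver enforcing IncludeAddressing, IncludeTimestamp and IncludeSoapBody would reject.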
