[ https://issues.apache.org/jira/browse/GERONIMO-4642?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rahul Mehta updated GERONIMO-4642:
----------------------------------
Attachment: usernameToken.patch
Hello Devs,

This patch provides UsernameToken security to the web service client (for
CXF).
Now the user just needs to specify the username token properties in
geronimo-web.xml to access the secure web service, as follows:

    <usertoken>
        <username>username</username>
        <password>password</password>
    </usertoken>

Below is an example of the SOAP header (traced with tcpmonitor), with the
UsernameToken property set:

REQUEST:
----------------
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        soap:mustUnderstand="1">
      <wsse:UsernameToken
          xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          wsu:Id="UsernameToken-739746">
        <wsse:Username
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">username</wsse:Username>
        <wsse:Password
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <ns2:sayHi xmlns:ns2="http://service.web/">
      <arg0>Rahul</arg0>
    </ns2:sayHi>
  </soap:Body>
</soap:Envelope>

RESPONSE:
-----------------
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ns2:sayHiResponse xmlns:ns2="http://service.web/">
      <return>Hello Rahul</return>
    </ns2:sayHiResponse>
  </soap:Body>
</soap:Envelope>

Now, I am working on setting the username token security for the server side
and X.509 certificate.
Many thanks to Jarek for his constant help and all devs for the prompt reply.
Rahul
> "WS-Security support for JAX-WS Web Services"
> ---------------------------------------------
>
> Key: GERONIMO-4642
> URL: https://issues.apache.org/jira/browse/GERONIMO-4642
> Project: Geronimo
> Issue Type: New Feature
> Security Level: public(Regular issues)
> Components: webservices
> Environment: Apache Geronimo, Apache CXF, Apache Axis2, Ws-Security,
> Web Services, Java, Linux
> Reporter: Rahul Mehta
> Priority: Minor
> Attachments: site.patch, usernameToken.patch
>
> Original Estimate: 2016h
> Remaining Estimate: 2016h
>
> To integrate and enable the WS-Security features of Apache Axis2 and Apache
> CXF in Apache Geronimo:
> ----------------------------------------------------------------------------------------------------------------------------------------------
> Apache Geronimo supports two JAX-WS providers: Axis2 and CXF and both of
> these libraries have some WS-Security features. But these features are not
> integrated/enabled in Geronimo. So the goal is to enable these features from
> within Geronimo. That involves basically two things:
> 1) that the modules (i.e. WSS4J) that provide the WS-Security features for
> Axis2 and CXF are installed with Geronimo, and
> 2) that the WS-Security features such as [XML Security ('XML Signature' -
> allows one to send along with the message a digital signature of it, which
> assures that no one modified the message content between the sender and
> receiver, 'XML Encryption' - allows one to encrypt the message body or only
> its part using the given cryptography algorithm) and Tokens ('Username
> Tokens' - WS-Security scenario adds username and password values to the
> message header, 'Timestamps' - Timestamps specify how long the security data
> remains valid, 'SAML Tokens')] can be enabled and configured on web services
> via Geronimo deployment descriptors and/or annotations. For example, given
> some web service that is annotated with @WebService; so to ensure that the
> service only accepts WS-Security-secured messages, it should be something
> like "to add @WS-Security annotation".
> Further in detail, we can consider WS-Security policies which can be applied
> to the SOAP messages that pass between web services and web service controls.
> A WS-Security is controlled in WS-Security policy files. The WS-Security
> policy file (WSSE file) defines the security policy applied to the SOAP
> messages that pass between web services and their clients.[1]
> So we can use something like the following annotation: @WS-Security
> file="MyWebServicePolicy.wsse"
> Example:
>   @WebService
>   @WS-Security file="MyWebServicePolicy.wsse"
>   public class xyz
> The @WS-Security annotation determines the WS-Security policy file (WSSE) to
> be applied to (1) incoming SOAP invocations of the web service's methods and
> (2) the outgoing SOAP messages containing the value returned by the web
> service's methods.[1]. The attribute file in the above mentioned annotation
> specifies the path to the WS-Security policy file (WSSE file -
> MyWebServicePolicy.wsse) used by the web service.
> Besides configuring WS-Security properties for web services we also need to
> configure the same sort of properties for Web Service references
> (@WebServiceRef) so that clients can also make WS-Security secured calls.
> In addition, I think we can also define some security feature something like
> SecurityFeature similar to other WebService Feature(s) such as
> AddressingFeature, MTOMFeature and RespectBindingFeature. This new feature
> can also have the "enabled property" like other features that is used to
> store whether a particular feature should be enabled or disabled. This type
> should provide either a constructor argument and/or a method that will allow
> the web service developer to set the enabled property. The meaning of enabled
> or disabled is determined by each individual WebServiceFeature. It is
> important that web services developers be able to enable/disable specific
> features when writing their web applications. [2]
> References:
> [1] [WWW] http://e-docs.bea.com/workshop/docs81/doc/en/core/index.html
> [2] [WWW] http://jcp.org/aboutJava/communityprocess/mrel/jsr224/index2.html
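
An added example, not part of the original message or of the Geronimo/CXF code: a Python check over a captured envelope that reports what the UsernameToken in the request trace above exposes (a `#PasswordText` password with no `wsse:Nonce` or `wsu:Created`), next to the `#PasswordDigest` form defined by the same UsernameToken Profile 1.0. The helper names, the nonce, the timestamp and both sample envelopes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespace and type URIs as they appear in the trace on this page.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PLAINTEXT = UTP + "#PasswordText"
NS = {"wsse": WSSE, "wsu": WSU}

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0 digest: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def audit_username_token(envelope_xml: str) -> list:
    """Return findings for the first wsse:UsernameToken in a captured envelope."""
    token = ET.fromstring(envelope_xml).find(".//wsse:UsernameToken", NS)
    if token is None:
        return ["no UsernameToken in message"]
    findings = []
    pw = token.find("wsse:Password", NS)
    # The profile treats a missing Type attribute as #PasswordText.
    if pw is not None and pw.get("Type", PLAINTEXT) == PLAINTEXT:
        findings.append("PasswordText: password is readable on the wire")
    if token.find("wsse:Nonce", NS) is None:
        findings.append("no Nonce: receiver cannot detect a replayed token")
    if token.find("wsu:Created", NS) is None:
        findings.append("no Created: receiver cannot bound token age")
    return findings

def username_token(user: str, pw_value: str, pw_type: str, extra: str = "") -> str:
    """Build a constructed sample envelope holding only the security header."""
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
        f'xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><soap:Header><wsse:Security>'
        f'<wsse:UsernameToken><wsse:Username>{user}</wsse:Username>'
        f'<wsse:Password Type="{UTP}#{pw_type}">{pw_value}</wsse:Password>{extra}'
        '</wsse:UsernameToken></wsse:Security></soap:Header><soap:Body/></soap:Envelope>'
    )

# Constructed samples: one shaped like the trace above, one using a digest.
CREATED, NONCE = "2009-05-01T12:00:00Z", b"constructed-nonce"
PLAIN = username_token("username", "password", "PasswordText")
DIGEST = username_token(
    "username", password_digest(NONCE, CREATED, "password"), "PasswordDigest",
    f"<wsse:Nonce>{base64.b64encode(NONCE).decode()}</wsse:Nonce>"
    f"<wsu:Created>{CREATED}</wsu:Created>")
```

The digest form only helps if the receiver rejects nonces it has already seen and enforces a freshness window on `wsu:Created`; without that, a captured digest token can be replayed as-is.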