Yep. Here's the SOAP request captured by tcpmon:

POST /CalculatorImpl HTTP/1.1
Content-Type: text/xml; charset=UTF-8
SOAPAction: ""
Accept: *
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.6.0_11
Host: 127.0.0.1:42040
Connection: keep-alive
Transfer-Encoding: chunked

2ce
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soap:mustUnderstand="1"><wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="UsernameToken-47889642"><wsse:Username>jane</wsse:Username><wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">waterfall</wsse:Password></wsse:UsernameToken></wsse:Security></soap:Header><soap:Body><ns1:sum
xmlns:ns1="http://superbiz.org/wsdl"><arg0>4</arg0><arg1>6</arg1></ns1:sum></soap:Body></soap:Envelope>

Jon

On Sat, Feb 28, 2009 at 6:42 PM, Daniel S. Haischt <
[email protected]> wrote:

> Are you using the username token profile ?
>
> On Sat, Feb 28, 2009 at 7:31 PM, Jonathan Gallimore
> <[email protected]> wrote:
> > I spent a bit more time looking at this - and added a bit more code. I
> > noticed that the JAXB tree for openejb-jar.xml has some webservice security
> > attributes that we aren't using, but I think Geronimo is. I've added support
> > that does simple username/password authentication using basic HTTP
> > mechanism, and an interceptor to do username/password auth using WS-Security
> > headers.
> >
> > I've uploaded a patch to
> > http://people.apache.org/~jgallimore/webservices.diff. I'd be grateful for
> > anyone's thoughts. It's pretty basic at the moment, but I think it would be
> > nice if this could go into OpenEJB - if others agree, I'd like to open a
> > JIRA and do some more work on it.
> >
> > I've copied this to the dev@ list too in case anyone who might be interested
> > missed it, hope that's ok.
> >
> > Cheers
> >
> > Jon
> >
> > On Fri, Feb 20, 2009 at 1:06 PM, Jonathan Gallimore <
> > [email protected]> wrote:
> >
> >> Hi Jean-Louis,
> >>
> >> Many thanks for your detailed reply and the link to the article. I'll be
> >> having a good look at this over the weekend. I had initially thought just
> >> applying basic auth was all there was to it, which is probably a bit naive
> >> of me!
> >>
> >> I think it would be worthwhile working out whether there are some samples
> >> (and maybe some enhancements) we could add to OpenEJB in this regard - I'm
> >> sure others would find it useful too.
> >>
> >> Cheers,
> >> Jon
> >>
> >>
> >> On Fri, Feb 20, 2009 at 8:49 AM, Jean-Louis MONTEIRO <
> >> [email protected]> wrote:
> >>
> >>>
> >>> Jonathan,
> >>>
> >>> Here are some inputs.
> >>>
> >>>
> >>> Jonathan Gallimore-2 wrote:
> >>> >
> >>> > Obviously I think it would be great if the standalone and embedded servers
> >>> > which use their own HTTP listener could accept credentials via basic
> >>> > authentication, meanwhile Tomcat could do the authentication for us based
> >>> > on however it's been configured (currently it looks like a new StandardContext
> >>> > is created for each webservice, and there is code to set up authentication,
> >>> > but WsService.authMethod was always null when I debugged it, causing no
> >>> > authentication to be applied, and I couldn't see how it could be set
> >>> > otherwise), and the user and role principals could be passed through from
> >>> > Tomcat to the relevant EJB container.
> >>> >
> >>> Definitely! (nice to have ;-)).
> >>> Doing basic authentication (without ws-security) seems to be possible using
> >>> JAX-WS handlers.
> >>>
> >>>
> >>> Jonathan Gallimore-2 wrote:
> >>> >
> >>> > To give a bit more background on how this has come about - my colleague at
> >>> > work has been working on some functionality as an EJB, and felt it would be
> >>> > nice to have it available as a webservice - and adding the @WebService
> >>> > annotation to the EJB seemed to be a nice idea, rather than creating a
> >>> > webservice as a separate class that just delegates through to the EJB as you
> >>> > describe -
> >>> >
> >>> I was probably not so clear.
> >>> It seems to me, from an architecture point of view, it's better to use web
> >>> services as facades. They are personal concerns you know ;-)
> >>> Never mind, I had in mind an EJB Web Service (@stateless + @webservice)
> >>> which delegates to other business EJB and it works fine with OpenEJB for
> >>> simple cases.
> >>>
> >>>
> >>> Jonathan Gallimore-2 wrote:
> >>> >
> >>> > and we hoped the container would handle the authentication for
> >>> > us. When configured correctly, JBoss (4.2.2.GA) does seem to do this for us,
> >>> > however OpenEJB doesn't at the moment - I don't actually know if this is
> >>> > even supposed to work (or even whether it's part of any of the JEE spec -
> >>> > I'll have to read up!).
> >>> >
> >>> I can't help you on this topic (not read this part of the spec).
> >>> If you have 10 minutes, here is an interesting article
> >>> http://www.javaworld.com/javaworld/jw-02-2007/jw-02-handler.html?page=1
> >>>
> >>>
> >>> Jonathan Gallimore-2 wrote:
> >>> >
> >>> > I think I should probably have a look at WS-Security - I'd be very
> >>> > interested in seeing a sample using OpenEJB/JAX-WS/WS-Security if you're
> >>> > putting one together.
> >>> >
> >>>
> >>> OK, I've done some tests since yesterday morning. But, the way OpenEJB
> >>> publishes EJB as web services does not allow configuring ws-security.
> >>>
> >>> When using CXF + WS-Security, it's quite simple: add a WSS4J InInterceptor
> >>> and a WSS4J OutInterceptor giving them a set of properties. Interceptors can
> >>> be configured using both a Spring application context or CXF annotations
> >>> (@InInterceptors @OutInterceptor).
> >>>
> >>> From a JAX-WS point of view we only have handlers (soap handlers and logical
> >>> handlers) so I have to spend some more time to look if we can manage
> >>> WS-Security using handlers.
> >>>
> >>> More coming soon ;-)
> >>>
> >>> Kind regards,
> >>> Jean-Louis
> >>>
> >>>
> >>>
> >>>
> >>> --
> >>> View this message in context:
> >>> http://www.nabble.com/Securing-a-webservice-tp22089576p22116953.html
> >>> Sent from the OpenEJB User mailing list archive at Nabble.com.
> >>>
> >>>
> >>
> >
>
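
Added example (not part of the original thread, and not OpenEJB or CXF code): a check over the envelope captured at the top of this message, reporting how the UsernameToken carries its password and whether it has the Nonce/Created elements a receiver needs for replay detection. The function name `audit_username_token` and its `over_tls` flag are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted input use a hardened parser such as defusedxml

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE = OASIS + "wssecurity-secext-1.0.xsd"
WSU = OASIS + "wssecurity-utility-1.0.xsd"
PROFILE = OASIS + "username-token-profile-1.0"

# Envelope from the capture in this thread (HTTP headers and chunk size dropped).
CAPTURED = (
    f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>'
    f'<wsse:Security xmlns:wsse="{WSSE}" soap:mustUnderstand="1">'
    f'<wsse:UsernameToken xmlns:wsu="{WSU}" wsu:Id="UsernameToken-47889642">'
    '<wsse:Username>jane</wsse:Username>'
    f'<wsse:Password Type="{PROFILE}#PasswordText">waterfall</wsse:Password>'
    '</wsse:UsernameToken></wsse:Security></soap:Header>'
    '<soap:Body><ns1:sum xmlns:ns1="http://superbiz.org/wsdl">'
    '<arg0>4</arg0><arg1>6</arg1></ns1:sum></soap:Body></soap:Envelope>'
)

def audit_username_token(envelope_xml, over_tls):
    """Return (username, findings) for the wsse:UsernameToken in a SOAP envelope."""
    root = ET.fromstring(envelope_xml)
    token = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        return None, ["no wsse:UsernameToken in soap:Header"]
    username = token.findtext(f"{{{WSSE}}}Username")
    findings = []
    password = token.find(f"{{{WSSE}}}Password")
    if password is None:
        findings.append("token has no wsse:Password")
    else:
        # The profile treats a missing Type attribute as PasswordText.
        ptype = password.get("Type", PROFILE + "#PasswordText")
        if ptype == PROFILE + "#PasswordText" and not over_tls:
            findings.append("PasswordText over plain HTTP: password readable on the wire")
        elif ptype not in (PROFILE + "#PasswordText", PROFILE + "#PasswordDigest"):
            findings.append("unrecognised password Type: " + ptype)
    # Without both elements the receiver has nothing to base replay detection on.
    if token.find(f"{{{WSSE}}}Nonce") is None or token.find(f"{{{WSU}}}Created") is None:
        findings.append("no wsse:Nonce/wsu:Created: token can be replayed unchanged")
    return username, findings
```

Called as `audit_username_token(CAPTURED, over_tls=False)`, it returns the username `jane` with two findings: the cleartext password on plain HTTP and the missing Nonce/Created pair.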
