Just out of curiosity - Did you try to use a password digest/hash
instead? Using a nonce might be interesting as well (nonce is an
effective countermeasure against replay attacks). If you use SoapUI as
a WS client you could easily generate most of these WSS header
elements for testing purposes.

Cheers
Daniel

On Sat, Feb 28, 2009 at 9:51 PM, Jonathan Gallimore
<[email protected]> wrote:
> Yep. Here's the soap request captured by tcpmon:
>
> POST /CalculatorImpl HTTP/1.1
> Content-Type: text/xml; charset=UTF-8
> SOAPAction: ""
> Accept: *
> Cache-Control: no-cache
> Pragma: no-cache
> User-Agent: Java/1.6.0_11
> Host: 127.0.0.1:42040
> Connection: keep-alive
> Transfer-Encoding: chunked
>
> 2ce
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> <soap:Header>
> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
> <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-47889642">
> <wsse:Username>jane</wsse:Username>
> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">waterfall</wsse:Password>
> </wsse:UsernameToken>
> </wsse:Security>
> </soap:Header>
> <soap:Body>
> <ns1:sum xmlns:ns1="http://superbiz.org/wsdl"><arg0>4</arg0><arg1>6</arg1></ns1:sum>
> </soap:Body>
> </soap:Envelope>
>
> Jon
>
> On Sat, Feb 28, 2009 at 6:42 PM, Daniel S. Haischt <
> [email protected]> wrote:
>
>> Are you using the username token profile ?
>>
>> On Sat, Feb 28, 2009 at 7:31 PM, Jonathan Gallimore
>> <[email protected]> wrote:
>> > I spent a bit more time looking at this - and added a bit more code. I
>> > noticed that the Jaxb tree for openejb-jar.xml has some webservice security
>> > attributes that we aren't using, but I think Geronimo is. I've added support
>> > that does simple username/password authentication using basic http
>> > mechanism, and an interceptor to do username/password auth using WS-Security
>> > headers.
>> >
>> > I've uploaded a patch to
>> > http://people.apache.org/~jgallimore/webservices.diff. I'd be grateful for
>> > anyone's thoughts. It's pretty basic at the moment, but I think it would be
>> > nice if this could go into OpenEJB - if others agree, I'd like to open a
>> > JIRA and do some more work on it.
>> >
>> > I've copied this to the dev@ list too in case anyone who might be interested
>> > missed it, hope that's ok.
>> >
>> > Cheers
>> >
>> > Jon
>> >
>> > On Fri, Feb 20, 2009 at 1:06 PM, Jonathan Gallimore <
>> > [email protected]> wrote:
>> >
>> >> Hi Jean-Louis,
>> >>
>> >> Many thanks for your detailed reply and the link to the article. I'll be
>> >> having a good look at this over the weekend. I had initially thought just
>> >> applying basic auth was all there was to it, which is probably a bit naive
>> >> of me!
>> >>
>> >> I think it would be worthwhile working out whether there's some samples
>> >> (and maybe some enhancements) we could add to OpenEJB in this regard - I'm
>> >> sure others would find it useful too.
>> >>
>> >> Cheers,
>> >> Jon
>> >>
>> >>
>> >> On Fri, Feb 20, 2009 at 8:49 AM, Jean-Louis MONTEIRO <
>> >> [email protected]> wrote:
>> >>
>> >>>
>> >>> Jonathan,
>> >>>
>> >>> Here are some inputs.
>> >>>
>> >>>
>> >>> Jonathan Gallimore-2 wrote:
>> >>> >
>> >>> > Obviously I think it would be great if the standalone and embedded servers
>> >>> > which use their own HTTP listener could accept credentials via basic
>> >>> > authentication, meanwhile Tomcat could do the authentication for us based on
>> >>> > however it's been configured (currently it looks like a new StandardContext
>> >>> > is created for each webservice, and there is code to setup authentication,
>> >>> > but WsService.authMethod was always null when I debugged it, causing no
>> >>> > authentication to be applied, and I couldn't see how it could be set
>> >>> > otherwise), and the user and role principals could be passed through from
>> >>> > Tomcat to the relevant EJB container.
>> >>> >
>> >>> Definitively! (nice to have ;-)).
>> >>> Doing basic authentication (without ws-security) seems to be possible using
>> >>> JAX-WS handlers.
>> >>>
>> >>>
>> >>> Jonathan Gallimore-2 wrote:
>> >>> >
>> >>> > To give a bit more background on how this has come about - my colleague at
>> >>> > work has been working on some functionality as an EJB, and felt it would be
>> >>> > nice to have it available as a webservice - and adding the @WebService
>> >>> > annotation to the EJB seemed to be a nice idea, rather than creating a
>> >>> > webservice as a separate class that just delegates through to the EJB as you
>> >>> > describe -
>> >>> >
>> >>> I was probably not so clear.
>> >>> It seems to me, from an architecture point of view, it's better to use web
>> >>> services as facades. They are personal concerns you know ;-)
>> >>> Never mind, I had in mind an EJB Web Service (@stateless + @webservice)
>> >>> which delegates to other business EJB and it works fine with OpenEJB for
>> >>> simple cases.
>> >>>
>> >>>
>> >>> Jonathan Gallimore-2 wrote:
>> >>> >
>> >>> > and we hoped the container would handle the authentication for
>> >>> > us. When configured correctly, JBoss (4.2.2.GA) does seem to do this for us,
>> >>> > however OpenEJB doesn't at the moment - I don't actually know if this is
>> >>> > even supposed to work (or even whether it's part of any of the JEE spec -
>> >>> > I'll have to read up!).
>> >>> >
>> >>> I can't help you on this topic (not read this part of the spec).
>> >>> If you have 10 minutes, here is an interesting article
>> >>>
>> >>> http://www.javaworld.com/javaworld/jw-02-2007/jw-02-handler.html?page=1
>> >>>
>> >>>
>> >>> Jonathan Gallimore-2 wrote:
>> >>> >
>> >>> > I think I should probably have a look at WS-Security - I'd be very
>> >>> > interested in seeing a sample using OpenEJB/JAX-WS/WS-Security if you're
>> >>> > putting one together.
>> >>> >
>> >>>
>> >>> OK, I've done some tests since yesterday morning. But, the way OpenEJB
>> >>> publishes EJB as web services does not allow configuring ws-security.
>> >>>
>> >>> When using CXF + WS-Security, it's quite simple: add a WSS4J InInterceptor
>> >>> and a WSS4J OutInterceptor giving them a set of properties. Interceptors can
>> >>> be configured using both a Spring application context or CXF annotations
>> >>> (@InInterceptors @OutInterceptor).
>> >>>
>> >>> From a JAX-WS point of view we only have handlers (soap handlers and logical
>> >>> handlers) so I have to spend some more time to look if we can manage
>> >>> WS-Security using handlers.
>> >>>
>> >>> More coming soon ;-)
>> >>>
>> >>> Kind regards,
>> >>> Jean-Louis
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> --
>> >>> View this message in context:
>> >>> http://www.nabble.com/Securing-a-webservice-tp22089576p22116953.html
>> >>> Sent from the OpenEJB User mailing list archive at Nabble.com.
>> >>>
>> >>>
>> >>
>> >
>>
>
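Added example, not code from this thread, from OpenEJB or from its interceptor: the PasswordDigest form Daniel suggests in place of the PasswordText token captured above (Base64(SHA-1(nonce + created + password)) per the UsernameToken Profile 1.0), with a server-side check that rejects stale Created timestamps and reused nonces. The in-memory user store, the 5-minute skew window and the jane/waterfall scenario are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

WSU_FMT = "%Y-%m-%dT%H:%M:%SZ"  # xsd:dateTime form carried in wsu:Created

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()

def make_token(username: str, password: str, now: datetime) -> dict:
    """Client side: fresh 16-byte nonce and a PasswordDigest instead of PasswordText."""
    nonce, created = os.urandom(16), now.strftime(WSU_FMT)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode(),
            "Created": created, "Password": password_digest(nonce, created, password)}

class UsernameTokenVerifier:
    """Server side: digest check, freshness window and a nonce cache against replay."""
    def __init__(self, users: dict, max_skew_s: int = 300):
        self.users = users                 # username -> password (constructed store)
        self.max_skew = timedelta(seconds=max_skew_s)
        self.seen = {}                     # nonce -> time after which it may be forgotten

    def verify(self, token: dict, now: datetime) -> bool:
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}  # prune cache
        password = self.users.get(token["Username"])
        if password is None:
            return False
        created = datetime.strptime(token["Created"], WSU_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created) > self.max_skew:
            return False                   # stale (or far-future) Created: reject
        if token["Nonce"] in self.seen:
            return False                   # nonce already used inside the window: replay
        expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], password)
        if not hmac.compare_digest(expected, token["Password"]):
            return False
        self.seen[token["Nonce"]] = created + self.max_skew  # remember until it expires anyway
        return True

def demo() -> tuple:
    """Constructed scenario: a valid token, its replay, a wrong password, a stale token."""
    verifier = UsernameTokenVerifier({"jane": "waterfall"})
    t0 = datetime(2009, 2, 28, 21, 51, tzinfo=timezone.utc)
    tok = make_token("jane", "waterfall", t0)
    return (verifier.verify(tok, t0), verifier.verify(tok, t0),
            verifier.verify(make_token("jane", "wrong", t0), t0),
            verifier.verify(make_token("jane", "waterfall", t0), t0 + timedelta(minutes=10)))
```

The digest still relies on the server holding a recoverable password, so it is a replay and sniffing countermeasure, not a substitute for TLS on the transport.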