I think it's useful :) I was mainly interested in this mail thread because I worked with the various WSS standards recently at work, including their implementation as represented by the IBM WebSphere JAX-WS runtime. AFAIK early JAX-RPC implementations of WebSphere were not able to consume a password digest - only plain text was supported.

WS policy sets is another interesting topic...

Regards
Daniel

On Sat, Feb 28, 2009 at 10:06 PM, Jonathan Gallimore <[email protected]> wrote:
> Not yet, although I'd be interested in working on this some more. I just
> wanted to get a feel of whether this is something we could include in
> OpenEJB, as I'd find it pretty useful for testing some webservice work I've
> done. If people feel it would be useful I'm happy to do some more work on
> adding more authentication schemes.
>
> Cheers
>
> Jon
>
> On Sat, Feb 28, 2009 at 8:59 PM, Daniel S. Haischt <[email protected]> wrote:
>
>> Just out of curiosity - Did you try to use a password digest/hash
>> instead? Using a nonce might be interesting as well (nonce is an
>> effective countermeasure against replay attacks). If you use SoapUI as
>> a WS client you could easily generate most of these WSS header
>> elements for testing purposes.
>>
>> Cheers
>> Daniel
>>
>> On Sat, Feb 28, 2009 at 9:51 PM, Jonathan Gallimore <[email protected]> wrote:
>> > Yep. Here's the soap request captured by tcpmon:
>> >
>> > POST /CalculatorImpl HTTP/1.1
>> > Content-Type: text/xml; charset=UTF-8
>> > SOAPAction: ""
>> > Accept: *
>> > Cache-Control: no-cache
>> > Pragma: no-cache
>> > User-Agent: Java/1.6.0_11
>> > Host: 127.0.0.1:42040
>> > Connection: keep-alive
>> > Transfer-Encoding: chunked
>> >
>> > 2ce
>> > <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>> > <soap:Header>
>> > <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
>> > <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-47889642">
>> > <wsse:Username>jane</wsse:Username>
>> > <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">waterfall</wsse:Password>
>> > </wsse:UsernameToken></wsse:Security></soap:Header>
>> > <soap:Body><ns1:sum xmlns:ns1="http://superbiz.org/wsdl"><arg0>4</arg0><arg1>6</arg1></ns1:sum></soap:Body></soap:Envelope>
>> >
>> > Jon
>> >
>> > On Sat, Feb 28, 2009 at 6:42 PM, Daniel S. Haischt <[email protected]> wrote:
>> >
>> >> Are you using the username token profile?
>> >>
>> >> On Sat, Feb 28, 2009 at 7:31 PM, Jonathan Gallimore <[email protected]> wrote:
>> >> > I spent a bit more time looking at this - and added a bit more code. I
>> >> > noticed that the Jaxb tree for openejb-jar.xml has some webservice security
>> >> > attributes that we aren't using, but I think Geronimo is. I've added support
>> >> > that does simple username/password authentication using basic http
>> >> > mechanism, and an interceptor to do username/password auth using WS-Security
>> >> > headers.
>> >> >
>> >> > I've uploaded a patch to
>> >> > http://people.apache.org/~jgallimore/webservices.diff. I'd be grateful for
>> >> > anyone's thoughts. It's pretty basic at the moment, but I think it would
>> >> > be nice if this could go into OpenEJB - if others agree, I'd like to open a
>> >> > JIRA and do some more work on it.
>> >> >
>> >> > I've copied this to the dev@ list too in case anyone who might be interested
>> >> > missed it, hope that's ok.
>> >> >
>> >> > Cheers
>> >> >
>> >> > Jon
>> >> >
>> >> > On Fri, Feb 20, 2009 at 1:06 PM, Jonathan Gallimore <[email protected]> wrote:
>> >> >
>> >> >> Hi Jean-Louis,
>> >> >>
>> >> >> Many thanks for your detailed reply and the link to the article. I'll be
>> >> >> having a good look at this over the weekend. I had initially thought just
>> >> >> applying basic auth was all there was to it, which is probably a bit naive
>> >> >> of me!
>> >> >>
>> >> >> I think it would be worthwhile working out whether there's some samples
>> >> >> (and maybe some enhancements) we could add to OpenEJB in this regard - I'm
>> >> >> sure others would find it useful too.
>> >> >>
>> >> >> Cheers,
>> >> >> Jon
>> >> >>
>> >> >> On Fri, Feb 20, 2009 at 8:49 AM, Jean-Louis MONTEIRO <[email protected]> wrote:
>> >> >>
>> >> >>> Jonathan,
>> >> >>>
>> >> >>> Here are some inputs.
>> >> >>>
>> >> >>> Jonathan Gallimore-2 wrote:
>> >> >>> >
>> >> >>> > Obviously I think it would be great if the standalone and embedded servers
>> >> >>> > which use their own HTTP listener could accept credentials via basic
>> >> >>> > authentication, meanwhile Tomcat could do the authentication for us based
>> >> >>> > on however it's been configured (currently it looks like a new StandardContext
>> >> >>> > is created for each webservice, and there is code to setup authentication,
>> >> >>> > but WsService.authMethod was always null when I debugged it, causing no
>> >> >>> > authentication to be applied, and I couldn't see how it could be set
>> >> >>> > otherwise), and the user and role principals could be passed through from
>> >> >>> > Tomcat to the relevant EJB container.
>> >> >>> >
>> >> >>> Definitively! (nice to have ;-)).
>> >> >>> Doing basic authentication (without ws-security) seems to be possible using
>> >> >>> JAX-WS handlers.
>> >> >>>
>> >> >>> Jonathan Gallimore-2 wrote:
>> >> >>> >
>> >> >>> > To give a bit more background on how this has come about - my colleague at
>> >> >>> > work has been working on some functionality as an EJB, and felt it would be
>> >> >>> > nice to have it available as a webservice - and adding the @WebService
>> >> >>> > annotation to the EJB seemed to be a nice idea, rather than creating a
>> >> >>> > webservice as a separate class that just delegates through to the EJB as you
>> >> >>> > describe -
>> >> >>> >
>> >> >>> I was probably not so clear.
>> >> >>> It seems to me, from an architecture point of view, it's better to use web
>> >> >>> services as facades. They are personal concerns you know ;-)
>> >> >>> Never mind, I had in mind an EJB Web Service (@stateless + @webservice)
>> >> >>> which delegates to other business EJB and it works fine with OpenEJB for
>> >> >>> simple cases.
>> >> >>>
>> >> >>> Jonathan Gallimore-2 wrote:
>> >> >>> >
>> >> >>> > and we hoped the container would handle the authentication for
>> >> >>> > us. When configured correctly, JBoss (4.2.2.GA) does seem to do this for
>> >> >>> > us, however OpenEJB doesn't at the moment - I don't actually know if this is
>> >> >>> > even supposed to work (or even whether it's part of any of the JEE spec -
>> >> >>> > I'll have to read up!).
>> >> >>> >
>> >> >>> I can't help you on this topic (not read this part of the spec).
>> >> >>> If you have 10 minutes, here is an interesting article:
>> >> >>> http://www.javaworld.com/javaworld/jw-02-2007/jw-02-handler.html?page=1
>> >> >>>
>> >> >>> Jonathan Gallimore-2 wrote:
>> >> >>> >
>> >> >>> > I think I should probably have a look at WS-Security - I'd be very
>> >> >>> > interested in seeing a sample using OpenEJB/JAX-WS/WS-Security if you're
>> >> >>> > putting one together.
>> >> >>> >
>> >> >>> OK, I've done some tests since yesterday morning. But, the way OpenEJB
>> >> >>> publishes EJB as web services does not allow configuring ws-security.
>> >> >>>
>> >> >>> When using CXF + WS-Security, it's quite simple: add a WSS4J InInterceptor
>> >> >>> and a WSS4J OutInterceptor giving them a set of properties. Interceptors can
>> >> >>> be configured using both a Spring application context or CXF annotations
>> >> >>> (@InInterceptors @OutInterceptor).
>> >> >>>
>> >> >>> At a JAX-WS point of view we only have handlers (soap handlers and logical
>> >> >>> handlers) so I have to spend some more time to look if we can manage
>> >> >>> WS-Security using handlers.
>> >> >>>
>> >> >>> More coming soon ;-)
>> >> >>>
>> >> >>> Kind regards,
>> >> >>> Jean-Louis
>> >> >>>
>> >> >>> --
>> >> >>> View this message in context:
>> >> >>> http://www.nabble.com/Securing-a-webservice-tp22089576p22116953.html
>> >> >>> Sent from the OpenEJB User mailing list archive at Nabble.com.
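The captured request above sends the password as PasswordText, and the thread suggests the profile's PasswordDigest with a nonce instead. As an added example (not code from this thread, from OpenEJB or from WSS4J), here is a Python sketch of both sides of that variant: the client builds a digest token, and the server recomputes the digest, bounds the Created timestamp and rejects a reused nonce. The namespace URIs are the ones from the captured request; `build_token`, `DigestVerifier`, the sample user "jane" and the 5-minute freshness window are assumptions.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Namespace URIs as seen in the captured request; PROFILE + "#PasswordDigest" selects
# the digest variant of the UsernameToken (OASIS UsernameToken Profile 1.0).
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT, PASSWORD_DIGEST = PROFILE + "#PasswordText", PROFILE + "#PasswordDigest"
NS, TIME_FMT = {"wsse": WSSE, "wsu": WSU}, "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Profile 1.0 rule: Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()

def build_token(user: str, password: str, nonce: bytes = None, created: str = None) -> str:
    """Client side (hypothetical helper): a UsernameToken that never carries the plain password."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<wsse:Username>{user}</wsse:Username>'
            f'<wsse:Password Type="{PASSWORD_DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
            f'<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>'
            f'<wsu:Created>{created}</wsu:Created></wsse:UsernameToken>')

class DigestVerifier:
    """Server side (hypothetical): recompute the digest, bound Created, reject reused nonces."""
    def __init__(self, users: dict, max_age: timedelta = timedelta(minutes=5)):
        self.users, self.max_age, self.seen_nonces = users, max_age, set()
    def verify(self, token_xml: str, now: str = None) -> tuple:
        el = ET.fromstring(token_xml)
        pw = el.find("wsse:Password", NS)
        if pw is None or pw.get("Type") != PASSWORD_DIGEST:
            return False, "only PasswordDigest is accepted"   # refuse PasswordText outright
        user = el.findtext("wsse:Username", namespaces=NS)
        nonce_b64 = el.findtext("wsse:Nonce", namespaces=NS)
        created = el.findtext("wsu:Created", namespaces=NS)
        if user not in self.users or not nonce_b64 or not created:
            return False, "unknown user or missing nonce/created"
        now_dt = datetime.strptime(now, TIME_FMT) if now else datetime.now(timezone.utc).replace(tzinfo=None)
        if abs(now_dt - datetime.strptime(created, TIME_FMT)) > self.max_age:
            return False, "Created outside freshness window"
        if nonce_b64 in self.seen_nonces:          # same nonce again means a replayed token
            return False, "nonce already seen (replay)"
        expected = password_digest(base64.b64decode(nonce_b64), created, self.users[user])
        if not hmac.compare_digest(expected, pw.text or ""):
            return False, "digest mismatch"
        self.seen_nonces.add(nonce_b64)            # production: expire entries after max_age
        return True, "ok"
```

The digest only keeps the password off the wire; it is still guessable offline from a captured token, so the transport still needs TLS, and the nonce cache needs the same freshness window as Created so that it cannot grow without bound.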
