On Feb 28, 2009, at 1:17 PM, Daniel S. Haischt wrote:
I think it's useful :)
I agree. Very cool.
-David
I was mainly interested in this mail thread because I worked with the various WSS standards recently at work, including their implementation as it is represented by the IBM WebSphere JAX-WS runtime. AFAIK early JAX-RPC implementations of WebSphere were not able to consume a password digest - only plain text was supported.
WS policy sets are another interesting topic...
Regards
Daniel
On Sat, Feb 28, 2009 at 10:06 PM, Jonathan Gallimore <[email protected]> wrote:
Not yet, although I'd be interested in working on this some more. I just wanted to get a feel of whether this is something we could include in OpenEJB, as I'd find it pretty useful for testing some webservice work I've done. If people feel it would be useful I'm happy to do some more work on adding more authentication schemes.
Cheers
Jon
On Sat, Feb 28, 2009 at 8:59 PM, Daniel S. Haischt <[email protected]> wrote:
Just out of curiosity - did you try to use a password digest/hash instead? Using a nonce might be interesting as well (nonce is an effective countermeasure against replay attacks). If you use SoapUI as a WS client you could easily generate most of these WSS header elements for testing purposes.
Cheers
Daniel
On Sat, Feb 28, 2009 at 9:51 PM, Jonathan Gallimore <[email protected]> wrote:
Yep. Here's the soap request captured by tcpmon:
POST /CalculatorImpl HTTP/1.1
Content-Type: text/xml; charset=UTF-8
SOAPAction: ""
Accept: *
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.6.0_11
Host: 127.0.0.1:42040
Connection: keep-alive
Transfer-Encoding: chunked

2ce
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
      <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-47889642">
        <wsse:Username>jane</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">waterfall</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <ns1:sum xmlns:ns1="http://superbiz.org/wsdl">
      <arg0>4</arg0>
      <arg1>6</arg1>
    </ns1:sum>
  </soap:Body>
</soap:Envelope>
Jon
On Sat, Feb 28, 2009 at 6:42 PM, Daniel S. Haischt <[email protected]> wrote:
Are you using the username token profile ?
On Sat, Feb 28, 2009 at 7:31 PM, Jonathan Gallimore <[email protected]> wrote:
I spent a bit more time looking at this - and added a bit more code. I noticed that the Jaxb tree for openejb-jar.xml has some webservice security attributes that we aren't using, but I think Geronimo is. I've added support that does simple username/password authentication using basic http mechanism, and an interceptor to do username/password auth using WS-Security headers.
I've uploaded a patch to http://people.apache.org/~jgallimore/webservices.diff. I'd be grateful for anyone's thoughts. It's pretty basic at the moment, but I think it would be nice if this could go into OpenEJB - if others agree, I'd like to open a JIRA and do some more work on it.
I've copied this to the dev@ list too in case anyone who might be interested missed it, hope that's ok.
Cheers
Jon
On Fri, Feb 20, 2009 at 1:06 PM, Jonathan Gallimore <[email protected]> wrote:
Hi Jean-Louis,
Many thanks for your detailed reply and the link to the article. I'll be having a good look at this over the weekend. I had initially thought just applying basic auth was all there was to it, which is probably a bit naive of me!
I think it would be worthwhile working out whether there's some samples (and maybe some enhancements) we could add to OpenEJB in this regard - I'm sure others would find it useful too.
Cheers,
Jon
On Fri, Feb 20, 2009 at 8:49 AM, Jean-Louis MONTEIRO <[email protected]> wrote:
Jonathan,
Here are some inputs.
Jonathan Gallimore-2 wrote:
Obviously I think it would be great if the standalone and embedded servers which use their own HTTP listener could accept credentials via basic authentication, meanwhile Tomcat could do the authentication for us based on however it's been configured (currently it looks like a new StandardContext is created for each webservice, and there is code to setup authentication, but WsService.authMethod was always null when I debugged it, causing no authentication to be applied, and I couldn't see how it could be set otherwise), and the user and role principals could be passed through from Tomcat to the relevant EJB container.
Definitively! (nice to have ;-)).
Doing basic authentication (without ws-security) seems to be possible using JAX-WS handlers.
Jonathan Gallimore-2 wrote:
To give a bit more background on how this has come about - my colleague at work has been working on some functionality as an EJB, and felt it would be nice to have it available as a webservice - and adding the @WebService annotation to the EJB seemed to be a nice idea, rather than creating a webservice as a separate class that just delegates through to the EJB as you describe -
I was probably not so clear.
It seems to me, from an architecture point of view, it's better to use web services as facades. They are personal concerns you know ;-)
Never mind, I had in mind an EJB Web Service (@stateless + @webservice) which delegates to other business EJB and it works fine with OpenEJB for simple cases.
Jonathan Gallimore-2 wrote:
and we hoped the container would handle the authentication for us. When configured correctly, JBoss (4.2.2.GA) does seem to do this for us, however OpenEJB doesn't at the moment - I don't actually know if this is even supposed to work (or even whether it's part of any of the JEE spec - I'll have to read up!).
I can't help you on this topic (not read this part of the spec).
If you have 10 minutes, here is an interesting article:
http://www.javaworld.com/javaworld/jw-02-2007/jw-02-handler.html?page=1
Jonathan Gallimore-2 wrote:
I think I should probably have a look at WS-Security - I'd be very interested in seeing a sample using OpenEJB/JAX-WS/WS-Security if you're putting one together.
OK, I've done some tests since yesterday morning. But, the way OpenEJB publishes EJB as web services does not allow configuring ws-security.
When using CXF + WS-Security, it's quite simple: add a WSS4J InInterceptor and a WSS4J OutInterceptor giving them a set of properties. Interceptors can be configured using both a Spring application context or CXF annotations (@InInterceptors @OutInterceptor).
From a JAX-WS point of view we only have handlers (soap handlers and logical handlers) so I have to spend some more time to look if we can manage WS-Security using handlers.
More coming soon ;-)
Kind regards,
Jean-Louis
--
View this message in context:
http://www.nabble.com/Securing-a-webservice-tp22089576p22116953.html
Sent from the OpenEJB User mailing list archive at Nabble.com.
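The captured request above sends the UsernameToken with PasswordText, so the password "waterfall" travels in the clear and the message can be replayed as-is. Daniel's suggestion in the thread is the profile's PasswordDigest variant with a Nonce and Created timestamp. The following is an added example, not code from the thread or from OpenEJB/CXF/WSS4J, showing both halves of that scheme: the client-side digest computation, which per the WS-Security UsernameToken Profile 1.0 is Base64(SHA-1(nonce + created + password)), and a server-side verifier that rejects stale timestamps and reused nonces, which is what makes the nonce an actual replay countermeasure. The user "jane"/"waterfall" is taken from the captured request; the user store, the five-minute freshness window, the clock-skew allowance and all function and class names are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Password Type URIs defined by the WS-Security UsernameToken Profile 1.0.
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"

# Constructed sample user store (the credential is the one seen in the captured request).
# A real deployment would consult the container's security realm instead.
USERS = {"jane": "waterfall"}

TIMESTAMP_FMT = "%Y-%m-%dT%H:%M:%SZ"


def utc_timestamp(when=None):
    """Return a wsu:Created style timestamp: UTC, ISO 8601, second precision, trailing Z."""
    when = when or datetime.now(timezone.utc)
    return when.strftime(TIMESTAMP_FMT)


def password_digest(nonce_bytes, created, password):
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), as the profile specifies."""
    h = hashlib.sha1(nonce_bytes + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def build_username_token(username, password, created=None):
    """Client side: the element values a wsse:UsernameToken with PasswordDigest carries."""
    nonce_bytes = os.urandom(16)  # fresh random nonce per message
    created = created or utc_timestamp()
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce_bytes).decode("ascii"),
        "Created": created,
        "Password": password_digest(nonce_bytes, created, password),
        "Type": PASSWORD_DIGEST,
    }


class UsernameTokenVerifier:
    """Server side: verify a digest token and refuse replays inside the freshness window."""

    def __init__(self, users, max_age_seconds=300, skew_seconds=60):
        self.users = users
        self.max_age = timedelta(seconds=max_age_seconds)   # constructed window: 5 minutes
        self.skew = timedelta(seconds=skew_seconds)         # tolerated client clock drift
        self.seen_nonces = {}  # base64 nonce -> time after which it can be forgotten

    def verify(self, token, now=None):
        now = now or datetime.now(timezone.utc)
        # Expire old nonces so the replay cache cannot grow without bound.
        self.seen_nonces = {n: exp for n, exp in self.seen_nonces.items() if exp > now}
        if token.get("Type") != PASSWORD_DIGEST:
            return False  # PasswordText (as in the capture) is not accepted by this verifier
        password = self.users.get(token.get("Username"))
        if password is None:
            return False
        try:
            created = datetime.strptime(token["Created"], TIMESTAMP_FMT).replace(tzinfo=timezone.utc)
            nonce_bytes = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError):
            return False
        # Freshness: Created must lie within the window (allowing slight future skew).
        if created > now + self.skew or now - created > self.max_age:
            return False
        # Replay: each nonce is honoured at most once while it is still fresh.
        if token["Nonce"] in self.seen_nonces:
            return False
        expected = password_digest(nonce_bytes, token["Created"], password)
        if not hmac.compare_digest(expected, token.get("Password", "")):
            return False
        self.seen_nonces[token["Nonce"]] = now + self.max_age
        return True


def demo():
    """Run the scenarios from the thread; returns (first accept, replay, wrong password, stale)."""
    verifier = UsernameTokenVerifier(USERS)
    good = build_username_token("jane", "waterfall")
    first = verifier.verify(good)
    replayed = verifier.verify(good)                      # same nonce again -> rejected
    bad_pw = verifier.verify(build_username_token("jane", "nottheright1"))
    stale = verifier.verify(build_username_token("jane", "waterfall",
                                                 created="2009-02-28T20:51:00Z"))
    return first, replayed, bad_pw, stale


if __name__ == "__main__":
    print("accepted, replayed, wrong password, stale:", demo())
```

The verifier deliberately keeps the nonce cache bounded by the same window it uses for freshness: a nonce older than the window can be dropped because the timestamp check alone will reject it from then on. Note that PasswordDigest still requires the server to hold the clear-text password (or something equivalent) to recompute the hash, so it improves on PasswordText for eavesdropping and replay but is not a substitute for TLS.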