Hi Jonathan,

First of all, thanks a lot for this very good work.
I spent a small amount of time looking at your WS-Security integration. It looks
fine at first glance.
But looking deeper makes me feel it can probably be enhanced.
Actually, your proposal only deals with UsernameToken authentication (through
WS-Security headers).
It would be nice to add a complete integration (signature, encryption,
Timestamp).
Everything is well supported by CXF and more specifically WSS4J.
Today, we cannot fully use WSS4J because the configuration is hard-coded.
EjbEndpoint.java
...
        // Install WSS4J interceptor
        if (port.isSecure()) {
            Map<String, Object> inProps = new HashMap<String, Object>();
            // Only the UsernameToken action is ever enforced: no Timestamp,
            // Signature or Encrypt can be requested from the deployment descriptor.
            inProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
            // Only the plain-text password type is accepted (no PasswordDigest).
            inProps.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
            // Password callback class is fixed at compile time.
            inProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, ServerPasswordHandler.class.getName());
            WSS4JInInterceptor wssIn = new WSS4JInInterceptor(inProps);
            endpoint.getInInterceptors().add(wssIn);
        }
...
I have the feeling we can enhance the openejb-jar.xml file a little with
something like this:
<openejb-jar xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2">
  <enterprise-beans>
    <session>
      <ejb-name>CalculatorImpl</ejb-name>
      <web-service-security>
        <security-realm-name/>
        <transport-guarantee>NONE</transport-guarantee>
        <auth-method>WS-SECURITY</auth-method>
        <configuration>
          wss4j.in.action = Encrypt Signature
          wss4j.in.signaturePropFile = path to file/CalculatorSecurity.properties
          wss4j.in.encryptionPropFile = path to file/CalculatorSecurity.properties
          wss4j.out.action = Encrypt Signature
          wss4j.out.signaturePropFile = path to file/CalculatorSecurity.properties
          wss4j.out.encryptionPropFile = path to file/CalculatorSecurity.properties
          wss4j.out.user = something
          wss4j.out.encryptionUser = bod
          wss4j.out.signatureKeyIdentifier = DirectReference
          wss4j.out.encryptionSymAlgorithm = http://www.w3.org/2001/04/xmlenc#tripledes-cbc
          ...
        </configuration>
      </web-service-security>
    </session>
  </enterprise-beans>
</openejb-jar>
We can get more or less the same functional level as if we used the Spring
configuration.
http://cwiki.apache.org/CXF20DOC/ws-security.html
Then, in EjbEndpoint.java, we can read the configuration, fill a map and
instantiate an In/Out interceptor (or both).
Is it something stupid?
Can you give me your feeling?

Kind regards,
Jean-Louis
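As an added example (not OpenEJB code and not part of Jonathan's patch), this is one way EjbEndpoint.java could read the proposed <configuration> text, split it into the two property maps WSS4J expects and install the in/out interceptors. It assumes the "wss4j.in." / "wss4j.out." prefixes and the properties syntax of the proposal above, that the rest of each key is the WSHandlerConstants key name (action, signaturePropFile, ...), and that the endpoint implements CXF's InterceptorProvider; the class name, the validate() checks and the sample configuration are mine, and the sample deliberately adds Timestamp to the action list.

```java
// Added example, not OpenEJB or CXF code: read the proposed <configuration> text
// and install WSS4J interceptors from it. Assumed: "wss4j.in."/"wss4j.out." key
// prefixes, java.util.Properties syntax inside <configuration> (one key per line,
// long values continued with a trailing backslash), rest of key = WSS4J key name.
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;

import org.apache.cxf.interceptor.InterceptorProvider;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.handler.WSHandlerConstants;

public final class Wss4jEndpointConfig {

    static final String IN_PREFIX = "wss4j.in.";
    static final String OUT_PREFIX = "wss4j.out.";

    /** Constructed sample: the proposal's settings plus a Timestamp on both sides. */
    static final String SAMPLE =
        "wss4j.in.action = Timestamp Encrypt Signature\n"
        + "wss4j.in.signaturePropFile = CalculatorSecurity.properties\n"
        + "wss4j.in.encryptionPropFile = CalculatorSecurity.properties\n"
        + "wss4j.in.passwordCallbackClass = org.superbiz.ServerPasswordHandler\n"
        + "wss4j.out.action = Timestamp Encrypt Signature\n"
        + "wss4j.out.signaturePropFile = CalculatorSecurity.properties\n"
        + "wss4j.out.encryptionPropFile = CalculatorSecurity.properties\n"
        + "wss4j.out.user = calculator\n"
        + "wss4j.out.encryptionUser = bob\n"
        + "wss4j.out.passwordCallbackClass = org.superbiz.ServerPasswordHandler\n";

    /** Text content of <configuration> parsed as java.util.Properties. */
    static Properties parse(String configurationText) throws IOException {
        Properties props = new Properties();
        props.load(new StringReader(configurationText));
        return props;
    }

    /** Keys carrying the prefix, prefix stripped, as the Map WSS4J takes. */
    static Map<String, Object> select(Properties props, String prefix) {
        Map<String, Object> map = new HashMap<String, Object>();
        for (String name : props.stringPropertyNames()) {
            if (name.startsWith(prefix)) {
                map.put(name.substring(prefix.length()), props.getProperty(name).trim());
            }
        }
        return map;
    }

    /** The space-separated "action" list of one map ("Timestamp Encrypt Signature"). */
    static List<String> actions(Map<String, Object> props) {
        Object action = props.get(WSHandlerConstants.ACTION);
        if (action == null || action.toString().trim().isEmpty()) {
            return new ArrayList<String>();
        }
        return Arrays.asList(action.toString().trim().split("\\s+"));
    }

    /** Problems a deployer would want deployment to fail on, empty if none. */
    static List<String> validate(Map<String, Object> in, Map<String, Object> out) {
        List<String> problems = new ArrayList<String>();
        List<String> inActions = actions(in);
        if (!in.isEmpty() && inActions.isEmpty()) {
            problems.add("wss4j.in.action missing: inbound interceptor would enforce nothing");
        }
        if (inActions.contains(WSHandlerConstants.SIGNATURE)
                && !inActions.contains(WSHandlerConstants.TIMESTAMP)) {
            problems.add("inbound Signature without Timestamp: a captured signed request can be replayed");
        }
        if (inActions.contains(WSHandlerConstants.SIGNATURE)
                && !in.containsKey(WSHandlerConstants.SIG_PROP_FILE)) {
            problems.add("wss4j.in.signaturePropFile is needed to verify signatures");
        }
        boolean callback = in.containsKey(WSHandlerConstants.PW_CALLBACK_CLASS)
                || in.containsKey(WSHandlerConstants.PW_CALLBACK_REF);
        if (inActions.contains(WSHandlerConstants.ENCRYPT) && !callback) {
            problems.add("wss4j.in.passwordCallbackClass is needed to unlock the decryption key");
        }
        if (!out.isEmpty() && actions(out).isEmpty()) {
            problems.add("wss4j.out.action missing");
        }
        return problems;
    }

    /** Read the configuration, refuse a broken one, then add the interceptors. */
    static void install(InterceptorProvider endpoint, String configurationText) throws IOException {
        Properties props = parse(configurationText);
        Map<String, Object> inProps = select(props, IN_PREFIX);
        Map<String, Object> outProps = select(props, OUT_PREFIX);
        List<String> problems = validate(inProps, outProps);
        if (!problems.isEmpty()) {
            throw new IllegalArgumentException("WS-Security configuration rejected: " + problems);
        }
        if (!inProps.isEmpty()) {
            endpoint.getInInterceptors().add(new WSS4JInInterceptor(inProps));
        }
        if (!outProps.isEmpty()) {
            endpoint.getOutInterceptors().add(new WSS4JOutInterceptor(outProps));
        }
    }

    public static void main(String[] args) throws IOException {
        Properties props = parse(SAMPLE);
        System.out.println("problems: " + validate(select(props, IN_PREFIX), select(props, OUT_PREFIX)));
    }
}
```

Two points a deployer should keep in mind: WSS4J compares the actions it actually finds in the inbound Security header against the configured list and rejects a message that does not match, so the list is an allow-list of what a client must send, not a menu; and "Encrypt Signature" alone, as in the proposal, leaves the endpoint open to replay of a captured signed message, which is why the sample adds Timestamp and validate() complains when it is missing.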
Jonathan Gallimore-2 wrote:
>
> I've just committed this. It's worked in all my tests for embedded,
> standalone and Tomcat. Please shout if there are any problems.
>
> Jon
>
> On Tue, Mar 3, 2009 at 1:34 AM, David Blevins <[email protected]> wrote:
>
>> On Feb 28, 2009, at 1:17 PM, Daniel S. Haischt wrote:
>>
>>> I think it's useful :)
>>
>> I agree. Very cool.
>>
>> -David
>>
>>> I was mainly interested in this mail thread because I worked with the
>>> various WSS standards recently at work, including their implementation
>>> as it is represented by the IBM WebSphere JAX-WS runtime. AFAIK early
>>> JAX-RPC implementations of WebSphere were not able to consume a
>>> password digest - only plain text was supported.
>>>
>>> WS policy sets are another interesting topic...
>>>
>>> Regards
>>> Daniel
>>>
>>> On Sat, Feb 28, 2009 at 10:06 PM, Jonathan Gallimore <[email protected]> wrote:
>>>
>>>> Not yet, although I'd be interested in working on this some more. I
>>>> just wanted to get a feel of whether this is something we could include in
>>>> OpenEJB, as I'd find it pretty useful for testing some webservice work
>>>> I've done. If people feel it would be useful I'm happy to do some more work
>>>> on adding more authentication schemes.
>>>>
>>>> Cheers
>>>>
>>>> Jon
>>>>
>>>> On Sat, Feb 28, 2009 at 8:59 PM, Daniel S. Haischt <[email protected]> wrote:
>>>>
>>>>> Just out of curiosity - did you try to use a password digest/hash
>>>>> instead? Using a nonce might be interesting as well (a nonce is an
>>>>> effective countermeasure against replay attacks). If you use SoapUI as
>>>>> a WS client you could easily generate most of these WSS header
>>>>> elements for testing purposes.
>>>>>
>>>>> Cheers
>>>>> Daniel
>>>>>
>>>>> On Sat, Feb 28, 2009 at 9:51 PM, Jonathan Gallimore <[email protected]> wrote:
>>>>>
>>>>>> Yep. Here's the soap request captured by tcpmon:
>>>>>>
>>>>>> POST /CalculatorImpl HTTP/1.1
>>>>>> Content-Type: text/xml; charset=UTF-8
>>>>>> SOAPAction: ""
>>>>>> Accept: *
>>>>>> Cache-Control: no-cache
>>>>>> Pragma: no-cache
>>>>>> User-Agent: Java/1.6.0_11
>>>>>> Host: 127.0.0.1:42040
>>>>>> Connection: keep-alive
>>>>>> Transfer-Encoding: chunked
>>>>>>
>>>>>> 2ce
>>>>>> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>>>>>>   <soap:Header>
>>>>>>     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
>>>>>>       <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-47889642">
>>>>>>         <wsse:Username>jane</wsse:Username>
>>>>>>         <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">waterfall</wsse:Password>
>>>>>>       </wsse:UsernameToken>
>>>>>>     </wsse:Security>
>>>>>>   </soap:Header>
>>>>>>   <soap:Body>
>>>>>>     <ns1:sum xmlns:ns1="http://superbiz.org/wsdl">
>>>>>>       <arg0>4</arg0>
>>>>>>       <arg1>6</arg1>
>>>>>>     </ns1:sum>
>>>>>>   </soap:Body>
>>>>>> </soap:Envelope>
>>>>>>
>>>>>> Jon
>>>>>>
>>>>>> On Sat, Feb 28, 2009 at 6:42 PM, Daniel S. Haischt <[email protected]> wrote:
>>>>>>
>>>>>>> Are you using the username token profile?
>>>>>>>
>>>>>>> On Sat, Feb 28, 2009 at 7:31 PM, Jonathan Gallimore <[email protected]> wrote:
>>>>>>>
>>>>>>>> I spent a bit more time looking at this - and added a bit more
>>>>>>>> code. I noticed that the Jaxb tree for openejb-jar.xml has some webservice
>>>>>>>> security attributes that we aren't using, but I think Geronimo is. I've
>>>>>>>> added support that does simple username/password authentication using basic http
>>>>>>>> mechanism, and an interceptor to do username/password auth using
>>>>>>>> WS-Security headers.
>>>>>>>>
>>>>>>>> I've uploaded a patch to
>>>>>>>> http://people.apache.org/~jgallimore/webservices.diff.
>>>>>>>> I'd be grateful for anyone's thoughts. It's pretty basic at the moment, but I think it
>>>>>>>> would be nice if this could go into OpenEJB - if others agree, I'd like to
>>>>>>>> open a JIRA and do some more work on it.
>>>>>>>>
>>>>>>>> I've copied this to the dev@ list too in case anyone who might be
>>>>>>>> interested missed it, hope that's ok.
>>>>>>>>
>>>>>>>> Cheers
>>>>>>>>
>>>>>>>> Jon
>>>>>>>>
>>>>>>>> On Fri, Feb 20, 2009 at 1:06 PM, Jonathan Gallimore <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi Jean-Louis,
>>>>>>>>>
>>>>>>>>> Many thanks for your detailed reply and the link to the article.
>>>>>>>>> I'll be having a good look at this over the weekend. I had initially thought
>>>>>>>>> just applying basic auth was all there was to it, which is probably a
>>>>>>>>> bit naive of me!
>>>>>>>>>
>>>>>>>>> I think it would be worthwhile working out whether there's some
>>>>>>>>> samples (and maybe some enhancements) we could add to OpenEJB in this regard
>>>>>>>>> - I'm sure others would find it useful too.
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>> Jon
>>>>>>>>>
>>>>>>>>> On Fri, Feb 20, 2009 at 8:49 AM, Jean-Louis MONTEIRO <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Jonathan,
>>>>>>>>>>
>>>>>>>>>> Here are some inputs.
>>>>>>>>>>
>>>>>>>>>> Jonathan Gallimore-2 wrote:
>>>>>>>>>>
>>>>>>>>>>> Obviously I think it would be great if the standalone and
>>>>>>>>>>> embedded servers which use their own HTTP listener could accept credentials via
>>>>>>>>>>> basic authentication, meanwhile Tomcat could do the authentication for
>>>>>>>>>>> us based on however it's been configured (currently it looks like a new
>>>>>>>>>>> StandardContext is created for each webservice, and there is code to setup
>>>>>>>>>>> authentication, but WsService.authMethod was always null when I debugged it,
>>>>>>>>>>> causing no authentication to be applied, and I couldn't see how it could be
>>>>>>>>>>> set otherwise), and the user and role principals could be passed
>>>>>>>>>>> through from Tomcat to the relevant EJB container.
>>>>>>>>>>
>>>>>>>>>> Definitively! (nice to have ;-)).
>>>>>>>>>> Doing basic authentication (without ws-security) seems to be
>>>>>>>>>> possible using JAX-WS handlers.
>>>>>>>>>>
>>>>>>>>>> Jonathan Gallimore-2 wrote:
>>>>>>>>>>
>>>>>>>>>>> To give a bit more background on how this has come about - my
>>>>>>>>>>> colleague at work has been working on some functionality as an EJB, and felt
>>>>>>>>>>> it would be nice to have it available as a webservice - and adding the
>>>>>>>>>>> @WebService annotation to the EJB seemed to be a nice idea, rather than
>>>>>>>>>>> creating a webservice as a separate class that just delegates through to the
>>>>>>>>>>> EJB as you describe -
>>>>>>>>>>
>>>>>>>>>> I was probably not so clear.
>>>>>>>>>> It seems to me, from an architecture point of view, it's better
>>>>>>>>>> to use web services as facades. They are personal concerns you know ;-)
>>>>>>>>>> Never mind, I had in mind an EJB Web Service (@stateless +
>>>>>>>>>> @webservice) which delegates to other business EJBs and it works fine with OpenEJB
>>>>>>>>>> for simple cases.
>>>>>>>>>>
>>>>>>>>>> Jonathan Gallimore-2 wrote:
>>>>>>>>>>
>>>>>>>>>>> and we hoped the container would handle the authentication for
>>>>>>>>>>> us. When configured correctly, JBoss (4.2.2.GA) does seem to do
>>>>>>>>>>> this for us, however OpenEJB doesn't at the moment - I don't actually know if
>>>>>>>>>>> this is even supposed to work (or even whether it's part of any of the JEE
>>>>>>>>>>> spec - I'll have to read up!).
>>>>>>>>>>
>>>>>>>>>> I can't help you on this topic (not read this part of the
>>>>>>>>>> spec).
>>>>>>>>>> If you have 10 minutes, here is an interesting article
>>>>>>>>>> http://www.javaworld.com/javaworld/jw-02-2007/jw-02-handler.html?page=1
>>>>>>>>>>
>>>>>>>>>> Jonathan Gallimore-2 wrote:
>>>>>>>>>>
>>>>>>>>>>> I think I should probably have a look at WS-Security - I'd be
>>>>>>>>>>> very interested in seeing a sample using OpenEJB/JAX-WS/WS-Security
>>>>>>>>>>> if you're putting one together.
>>>>>>>>>>
>>>>>>>>>> OK, I've done some tests since yesterday morning. But, the way
>>>>>>>>>> OpenEJB publishes EJBs as web services does not allow configuring
>>>>>>>>>> ws-security.
>>>>>>>>>>
>>>>>>>>>> When using CXF + WS-Security, it's quite simple: add a WSS4J
>>>>>>>>>> InInterceptor and a WSS4J OutInterceptor, giving them a set of properties.
>>>>>>>>>> Interceptors can be configured using either a Spring application context or CXF
>>>>>>>>>> annotations (@InInterceptors @OutInterceptors).
>>>>>>>>>>
>>>>>>>>>> From a JAX-WS point of view we only have handlers (soap handlers
>>>>>>>>>> and logical handlers) so I have to spend some more time to look at whether we can
>>>>>>>>>> manage WS-Security using handlers.
>>>>>>>>>>
>>>>>>>>>> More coming soon ;-)
>>>>>>>>>>
>>>>>>>>>> Kind regards,
>>>>>>>>>> Jean-Louis
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> View this message in context:
>>>>>>>>>> http://www.nabble.com/Securing-a-webservice-tp22089576p22116953.html
>>>>>>>>>> Sent from the OpenEJB User mailing list archive at Nabble.com.
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
--
View this message in context:
http://www.nabble.com/Re%3A-Securing-a-webservice-tp22265166p22621761.html
Sent from the OpenEJB Dev mailing list archive at Nabble.com.
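Daniel's quoted question earlier in the thread, about using a PasswordDigest with a nonce instead of the PasswordText seen in the captured request, is worth a concrete illustration. The following is an added example, not code from the thread, from OpenEJB or from WSS4J: a server-side check for a UsernameToken carrying PasswordDigest, Nonce and Created, implementing the Username Token Profile 1.0 formula Base64(SHA-1(nonce || created || password)) together with a nonce cache so a captured token cannot be replayed inside the freshness window. It assumes a five-minute window, Created values in ISO-8601 UTC with a trailing "Z", and a constructed in-memory user store holding the jane/waterfall credentials from the capture; the class and method names are mine.

```java
// Added example, not from the thread or OpenEJB: verify a UsernameToken whose
// Password is of type PasswordDigest (Username Token Profile 1.0) and refuse
// replays via a nonce cache. Assumed: 5 minute freshness window, Created as
// ISO-8601 UTC ("...Z"), constructed user store with jane/waterfall.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Instant;
import java.time.format.DateTimeParseException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

public final class UsernameTokenDigestVerifier {

    private final Map<String, String> passwords;                               // user -> password
    private final Map<String, Long> seenNonces = new HashMap<String, Long>();  // nonce -> expiry ms
    private final long freshnessMs;

    UsernameTokenDigestVerifier(Map<String, String> passwords, long freshnessMs) {
        this.passwords = passwords;
        this.freshnessMs = freshnessMs;
    }

    /** Profile formula: Base64(SHA-1(nonce bytes || created || password)). SHA-1 is fixed by the profile. */
    static String digest(byte[] nonce, String created, String password) {
        try {
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            sha1.update(nonce);
            sha1.update(created.getBytes(StandardCharsets.UTF_8));
            sha1.update(password.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(sha1.digest());
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Rejects unknown users, stale or future-dated tokens, reused nonces and bad digests. */
    synchronized boolean verify(String username, String nonceB64, String created,
                                String digestB64, long nowMs) {
        String password = passwords.get(username);
        if (password == null) {
            return false;
        }
        long createdMs;
        try {
            createdMs = Instant.parse(created).toEpochMilli();
        } catch (DateTimeParseException e) {
            return false;
        }
        if (Math.abs(nowMs - createdMs) > freshnessMs) {
            return false;   // outside the window, so the cache never needs to remember it
        }
        purgeExpired(nowMs);
        if (seenNonces.containsKey(nonceB64)) {
            return false;   // replay: nonce already accepted inside the window
        }
        byte[] nonce;
        try {
            nonce = Base64.getDecoder().decode(nonceB64);
        } catch (IllegalArgumentException e) {
            return false;
        }
        byte[] expected = digest(nonce, created, password).getBytes(StandardCharsets.UTF_8);
        boolean ok = MessageDigest.isEqual(expected, digestB64.getBytes(StandardCharsets.UTF_8));
        if (ok) {
            seenNonces.put(nonceB64, nowMs + freshnessMs);
        }
        return ok;
    }

    private void purgeExpired(long nowMs) {
        for (Iterator<Long> it = seenNonces.values().iterator(); it.hasNext();) {
            if (it.next() < nowMs) {
                it.remove();
            }
        }
    }

    /** Client side: nonce, Created and digest as a SoapUI-style client would emit them. */
    static String[] makeToken(String password, long nowMs) {
        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce);
        String created = Instant.ofEpochMilli(nowMs).toString();
        return new String[] {Base64.getEncoder().encodeToString(nonce), created,
                             digest(nonce, created, password)};
    }

    public static void main(String[] args) {
        Map<String, String> users = new HashMap<String, String>();   // constructed store
        users.put("jane", "waterfall");
        UsernameTokenDigestVerifier v = new UsernameTokenDigestVerifier(users, 5 * 60 * 1000L);
        long now = System.currentTimeMillis();
        String[] t = makeToken("waterfall", now);
        System.out.println("fresh token accepted: " + v.verify("jane", t[0], t[1], t[2], now));
        System.out.println("same token replayed:  " + v.verify("jane", t[0], t[1], t[2], now + 1000));
        String[] old = makeToken("waterfall", now - 10 * 60 * 1000L);
        System.out.println("10 minute old token:  " + v.verify("jane", old[0], old[1], old[2], now));
    }
}
```

The main() exercises the three cases that matter: a freshly minted token, the same token presented a second time, and a token whose Created is older than the window. Two caveats follow from the formula itself: the server must be able to recompute SHA-1(nonce || created || password), so it needs the cleartext password (or an equivalent) rather than a salted hash of it, which is the same limitation Daniel alludes to for runtimes that can only consume plain text; and the digest protects the password on the wire but not the message body, so it is a complement to the Timestamp/Signature/Encrypt actions discussed above, not a replacement for them.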