Hi Jonathan,

I spent some time this weekend to get WS-Security integrated.
Sorry in advance because I changed some of your code (but it allowed me to go faster).

I enhanced the sample application to illustrate how to use WS-Security.
Here is a patch file with all changes.

Please, can you apply it on your local working copy and have a look at the tests?
I think you can launch the CalculatorTest test case from the
webservice-ws-security project.

It would be very nice to have some feedback.
@David: for the moment, no special properties management has been done.

Jean-Louis



Jonathan Gallimore-2 wrote:
> 
> I really like the idea of this configuration.
> 
> I think David's point is a good one - I don't know how bean specific these
> properties are, but if you want to use a set of properties for more than one
> webservice I guess we could have a node with the global webservice security
> config for the app, with any bean specific properties defined overriding
> this.
> 
> I guess I'm thinking of something along the lines of:
> 
> <openejb-jar xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2">
>   <global-ws-security>
>     <configuration>
> wss4j.in.action = Encrypt Signature
> wss4j.in.signaturePropFile = path to file/CalculatorSecurity.properties
> wss4j.in.encryptionPropFile = path to file/CalculatorSecurity.properties
> 
> wss4j.out.action = Encrypt Signature
> wss4j.out.signaturePropFile = path to file/CalculatorSecurity.properties
> wss4j.out.encryptionPropFile = path to file/CalculatorSecurity.properties
> wss4j.out.user = something
> wss4j.out.encryptionUser = bod
> wss4j.out.signatureKeyIdentifier = DirectReference
> wss4j.out.encryptionSymAlgorithm = http://www.w3.org/2001/04/xmlenc#tripledes-cbc
> ...
>     </configuration>
>   </global-ws-security>
> 
>   <enterprise-beans>
>       <session>
>           <ejb-name>CalculatorImpl</ejb-name>
>           <web-service-security>
>               <security-realm-name/>
>               <transport-guarantee>NONE</transport-guarantee>
>               <auth-method>WS-SECURITY</auth-method>
> 
>               <configuration>
> wss4j.some_bean_specific_property = foo
> ...
>               </configuration>
> 
>           </web-service-security>
>       </session>
>   </enterprise-beans>
> </openejb-jar>
> 
> I'm very happy to help with some of the code and/or testing.
> 
> Cheers,
> 
> Jon
> 
> On Fri, Mar 20, 2009 at 4:57 PM, David Blevins <[email protected]> wrote:
> 
>> On Mar 20, 2009, at 8:13 AM, Jean-Louis MONTEIRO wrote:
>>
>>> <openejb-jar xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2">
>>>   <enterprise-beans>
>>>       <session>
>>>           <ejb-name>CalculatorImpl</ejb-name>
>>>           <web-service-security>
>>>               <security-realm-name/>
>>>               <transport-guarantee>NONE</transport-guarantee>
>>>               <auth-method>WS-SECURITY</auth-method>
>>>
>>>               <configuration>
>>> wss4j.in.action = Encrypt Signature
>>> wss4j.in.signaturePropFile = path to file/CalculatorSecurity.properties
>>> wss4j.in.encryptionPropFile = path to file/CalculatorSecurity.properties
>>>
>>> wss4j.out.action = Encrypt Signature
>>> wss4j.out.signaturePropFile = path to file/CalculatorSecurity.properties
>>> wss4j.out.encryptionPropFile = path to file/CalculatorSecurity.properties
>>> wss4j.out.user = something
>>> wss4j.out.encryptionUser = bod
>>> wss4j.out.signatureKeyIdentifier = DirectReference
>>> wss4j.out.encryptionSymAlgorithm = http://www.w3.org/2001/04/xmlenc#tripledes-cbc
>>> ...
>>>               </configuration>
>>>
>>>           </web-service-security>
>>>       </session>
>>>   </enterprise-beans>
>>> </openejb-jar>
>>>
>>
>> I'm curious on how bean specific that above configuration is.  If I have
>> say 10 web services that need to be secured, which properties will likely be
>> the same and which would I typically want to be different?  Just wondering
>> if we'll want some more general way to setup the security in addition to
>> 100% bean defined.
>>
>> -David
>>
>>
>>
>>
> 
> 
http://www.nabble.com/file/p22782120/patch-ws-security.txt
patch-ws-security.txt 
-- 
View this message in context: 
http://www.nabble.com/Re%3A-Securing-a-webservice-tp22265166p22782120.html
Sent from the OpenEJB Dev mailing list archive at Nabble.com.
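
Added example, not part of the thread or of OpenEJB's code: a Java 17 program that applies the override rule proposed above, layering a bean's `<configuration>` over `<global-ws-security>`, and flags a bean override that drops an action the global setting requires. The `global-ws-security` element is only the thread's proposal; the class name, helper names and sample descriptor are assumptions constructed for illustration.

```java
import java.io.*;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class WsSecurityConfigMerge {
    // Constructed sample in the layout proposed in the thread (hypothetical schema, not OpenEJB's).
    static final String DESCRIPTOR = """
        <openejb-jar xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2">
          <global-ws-security><configuration>
            wss4j.in.action = Encrypt Signature
            wss4j.out.action = Encrypt Signature
          </configuration></global-ws-security>
          <enterprise-beans><session><ejb-name>CalculatorImpl</ejb-name>
            <web-service-security><configuration>
              wss4j.in.action = Signature
            </configuration></web-service-security>
          </session></enterprise-beans></openejb-jar>""";

    // Load a direct <configuration> child on top of defaults; Properties resolves the override.
    static Properties load(Element parent, Properties defaults) throws IOException {
        Properties p = new Properties(defaults);
        for (Node n = parent == null ? null : parent.getFirstChild(); n != null; n = n.getNextSibling())
            if (n instanceof Element e && "configuration".equals(e.getLocalName()))
                p.load(new StringReader(e.getTextContent()));
        return p;
    }
    static Set<String> actions(String v) { // whitespace-separated action list as a set
        return v == null || v.isBlank() ? new TreeSet<>() : new TreeSet<>(Arrays.asList(v.trim().split("\\s+")));
    }
    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // reject DTDs (XXE)
        Element root = f.newDocumentBuilder().parse(new org.xml.sax.InputSource(new StringReader(DESCRIPTOR))).getDocumentElement();
        Properties global = load((Element) root.getElementsByTagNameNS("*", "global-ws-security").item(0), null);
        NodeList beans = root.getElementsByTagNameNS("*", "session");
        for (int i = 0; i < beans.getLength(); i++) {
            Element bean = (Element) beans.item(i);
            String name = bean.getElementsByTagNameNS("*", "ejb-name").item(0).getTextContent().trim();
            Properties eff = load((Element) bean.getElementsByTagNameNS("*", "web-service-security").item(0), global);
            for (String k : new TreeSet<>(eff.stringPropertyNames())) System.out.println(name + ": " + k + " = " + eff.getProperty(k));
            for (String key : List.of("wss4j.in.action", "wss4j.out.action")) {
                Set<String> dropped = actions(global.getProperty(key));
                dropped.removeAll(actions(eff.getProperty(key)));
                if (!dropped.isEmpty()) System.out.println("WARN " + name + ": " + key + " override drops " + dropped);
            }
        }
    }
}
```

With the constructed descriptor, the bean inherits `wss4j.out.action` from the global block, and its `wss4j.in.action` override is reported because it no longer includes `Encrypt`.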
