Hi Jon, thanks for the feedback.
If it sounds good for you, I will provide a patch file. No problem to add your generated keys in the project to eases maven usage. But we have to take care with keys expiration. Again, thanks for the feedback. Jean-Louis Jonathan Gallimore-2 wrote: > > I've fired this up and run the tests. It looks really good to me - many > thanks for this! If you're happy to add this patch to jira OPENEJB-1004 > I'm > happy to get it committed. > > Do you think it would be ok to include the keys I generated from your > batch > file, so that people can just do the usual 'mvn test' without any extra > work > for the test in the example project to work (I'd keep the batch file as > well > as I think its useful)? > > Jon > > On Mon, Mar 30, 2009 at 1:24 PM, Jean-Louis MONTEIRO < > [email protected]> wrote: > >> >> Hi Jonathan, >> >> I spent some time this week end to get WS-Security integrated. >> Sorry in advance because I changed some of your co >> http://www.nabble.com/file/p22782120/patch-ws-security.txt >> patch-ws-security.txt de (but it allowed me to go faster). >> >> I enhanced the sample application to illustrate how to use WS-Security. >> Here is a patch file with all changes. >> >> Please, can you apply it on your local working copy and have a look on >> tests >> ? >> I think you can launch the CalculatorTest test case from the >> webservice-ws-security project. >> >> It would be very nice to have some feedback. >> @David: for the moment, no special properties management has been done. >> >> Jean-Louis >> >> >> >> Jonathan Gallimore-2 wrote: >> > >> > I really like the idea of this configuration. >> > >> > I think David's point is a good one - I don't know how bean specific >> these >> > properties are, but if you want to use a set of properties for more >> than >> > one >> > webservice I guess we could have a node with the global webservice >> > security >> > config for the app, with any bean specific properties defined >> overriding >> > this. >> > >> > I guess I'm thinking of something along the lines of: >> > >> > <openejb-jar xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2";> >> > <global-ws-security> >> > <configuration> >> > wss4j.in.action = Encrypt Signature >> > wss4j.in.signaturePropFile = path to file/CalculatorSecurity.properties >> > wss4j.in.encryptionPropFile = path to >> file/CalculatorSecurity.properties >> > >> > wss4j.out.action = Encrypt Signature >> > wss4j.out.signaturePropFile = path to >> file/CalculatorSecurity.properties >> > wss4j.out.encryptionPropFile = path to >> file/CalculatorSecurity.properties >> > wss4j.out.user = something >> > wss4j.out.encryptionUser = bod >> > wss4j.out.signatureKeyIdentifier = DirectReference >> > wss4j.out.encryptionSymAlgorithm = >> > http://www.w3.org/2001/04/xmlenc#tripledes-cbc >> > ... >> > </configuration> >> > </global-ws-security> >> > >> > <enterprise-beans> >> > <session> >> > <ejb-name>CalculatorImpl</ejb-name> >> > <web-service-security> >> > <security-realm-name/> >> > <transport-guarantee>NONE</transport-guarantee> >> > <auth-method>WS-SECURITY</auth-method> >> > >> > <configuration> >> > wss4j.some_bean_specific_property = foo >> > ... >> > </configuration> >> > >> > </web-service-security> >> > </session> >> > </enterprise-beans> >> > </openejb-jar> >> > >> > I'm very happy to help with some of the code and/or testing. >> > >> > Cheers, >> > >> > Jon >> > >> > On Fri, Mar 20, 2009 at 4:57 PM, David Blevins >> > <[email protected]>wrote: >> > >> >> On Mar 20, 2009, at 8:13 AM, Jean-Louis MONTEIRO wrote: >> >> >> >> <openejb-jar >> xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2";> >> >>> <enterprise-beans> >> >>> <session> >> >>> <ejb-name>CalculatorImpl</ejb-name> >> >>> <web-service-security> >> >>> <security-realm-name/> >> >>> <transport-guarantee>NONE</transport-guarantee> >> >>> <auth-method>WS-SECURITY</auth-method> >> >>> >> >>> <configuration> >> >>> wss4j.in.action = Encrypt Signature >> >>> wss4j.in.signaturePropFile = path to >> file/CalculatorSecurity.properties >> >>> wss4j.in.encryptionPropFile = path to >> file/CalculatorSecurity.properties >> >>> >> >>> wss4j.out.action = Encrypt Signature >> >>> wss4j.out.signaturePropFile = path to >> file/CalculatorSecurity.properties >> >>> wss4j.out.encryptionPropFile = path to >> >>> file/CalculatorSecurity.properties >> >>> wss4j.out.user = something >> >>> wss4j.out.encryptionUser = bod >> >>> wss4j.out.signatureKeyIdentifier = DirectReference >> >>> wss4j.out.encryptionSymAlgorithm = >> >>> http://www.w3.org/2001/04/xmlenc#tripledes-cbc >> >>> ... >> >>> </configuration> >> >>> >> >>> </web-service-security> >> >>> </session> >> >>> </enterprise-beans> >> >>> </openejb-jar> >> >>> >> >> >> >> I'm curious on how bean specific that above configuration is. If I >> have >> >> say 10 web services that need to be secured, which properties will >> likely >> >> be >> >> the same and which would I typically want to be different? Just >> >> wondering >> >> if we'll want some more general way to setup the security in addition >> to >> >> 100% bean defined. >> >> >> >> -David >> >> >> >> >> >> >> >> >> > >> > >> http://www.nabble.com/file/p22782120/patch-ws-security.txt >> patch-ws-security.txt >> -- >> View this message in context: >> http://www.nabble.com/Re%3A-Securing-a-webservice-tp22265166p22782120.html >> Sent from the OpenEJB Dev mailing list archive at Nabble.com. >> >> > > -- View this message in context: http://www.nabble.com/Re%3A-Securing-a-webservice-tp22265166p22844980.html Sent from the OpenEJB Dev mailing list archive at Nabble.com.
