Replies: 4 - Last Post: Dec 23, 2008 6:52 AM by: malm
How to get started developing WSIT enabled web service client
Posted: Dec 21, 2008 11:38 PM
Here is my problem:
I need to develop a web service client that talks to a web service provided by a government authority. The authority has provided me the WSDL (not containing any WS policy stuff) and a statement saying the service I have to talk to requires WS-Security username/passwords and RSA signatures but no encryption. After pressing for further details I was given a sample XML (at the end).
Now I am stuck on how to proceed. I can easily create the JAX-WS artefacts from the WSDL but have no idea how to get going with the WSIT stuff. I read the tutorials and some web blogs but they don't seem to match what I need doing. To start with, my NetBeans 6.5 environment doesn't offer security options under the Quality of Service for the web service. Obviously I don't have any WS policy anywhere as I was hoping NetBeans would create those for me. Also, as this is only the client, the project is a standard Java SE project, as it is from a Java SE client I need to talk to the service. Obviously I have put the Metro jars into the project's classpath.
Any suggestions or pointers would be really much appreciated.
Thank you very much
Manuel
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   soapenv:mustUnderstand="1">
      <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                          wsu:Id="UsernameToken-18395542">
        <wsse:Username>XXXXX</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">XXXXX</wsse:Password>
        <wsse:Nonce>XXXXXXXXXXX</wsse:Nonce>
        <wsu:Created>2007-05-25T03:18:31Z</wsu:Created>
      </wsse:UsernameToken>
      <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                                EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                                wsu:Id="CertId-550709">XXXXXXXXXXXX</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-6058603">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-32859623">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>XXXXXXXXXXXXXXXXXX</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>XXXXXXXXXX</ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-22804747">
          <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                                       wsu:Id="STRId-20667268">
            <wsse:Reference URI="#CertId-550709"
                            ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                wsu:Id="id-32859623">
    <GetDealingSearch xmlns="http://wsgate.nrw.qld.gov.au/ATS/dEnquiries">
      <ns1:dealing_number xmlns:ns1="java:au.gov.qld.nrm.ats.searches">123456789</ns1:dealing_number>
    </GetDealingSearch>
  </soapenv:Body>
</soapenv:Envelope>
Re: How to get started developing WSIT enabled web service client
Posted: Dec 22, 2008 5:26 AM
in response to: malm
The four scenarios I've done are at the bottom of [1], point #5, for both CXF and Metro.
I haven't seen username tokens used with signatures--that might be a nonstandard use case outside what NetBeans provides by default. Two suggestions:
1.) Look at the client-side configuration files I have for UsernameToken and X.509 at the link above for Metro. You technically don't need NetBeans to create these--if you place the proper client-side config data (username passwords, signature stuff) in the *client* side config, that should be sufficient to get the client to send that security info--the fact that the web service provider does not have policy statements AFAIK will not matter. However, the policy statements that would otherwise be in the WSDL will need to be placed into the client-side config files.
2.) Apache CXF has not yet implemented WS-Security policy (it ignores those policy statements)--their security config is manually configured via Apache WSS4J, again shown at the links by [1]. If you want to avoid trying to create the correct policy statements in order to get a Metro client to send security info, you might want to try to configure CXF to send what you want, and, if you need help, ask either the CXF mailing list or WSS4J mailing list for assistance.
3.) I recommend working with Wireshark as you're trying to properly configure the SOAP requests--it is good for seeing how your SOAP requests are looking.
HTH, Glen
[1] http://www.jroller.com/gmazza/entry/creating_a_wsdl_first_web1#WFwhatsnext
Re: How to get started developing WSIT enabled web service client
Posted: Dec 22, 2008 4:38 PM
in response to: malm
Glen,
your blogs on using NetBeans + Metro + WSIT were a life saver. I managed to get a "working" Java SE project together with those instructions. This stuff is really anything but intuitive or straightforward. I had to put "working" in quotes because my project does produce web services messages with the WS-Security headers as specified in the WS-Policy configuration but these are not quite the headers required by the service I need to talk to. So the next challenge is to configure WS-Policy to match the service's requirements which seem to be:
Username/Password tokens with "nonce"
Message signed with my private key
Any suggestion how to configure this?
Thanks again for your invaluable help.
Manuel
Re: How to get started developing WSIT enabled web service client
Posted: Dec 22, 2008 6:07 PM
in response to: malm
I haven't done that before. The WS-SecurityPolicy spec may help you here: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html
What you're doing is a hybrid of the username token policy and the X.509 policy. I would try to strip down my X.509 example so that it is only doing signatures, not encryption, and then try to merge the resulting policy with the policy from the username token blog entry. Perhaps the spec above will give you clues here on this merging.
I'm not sure why the SOAP service is requiring *both* your signature and a username/password token. Unless I'm missing something here, the former normally makes the latter redundant.
Glen
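One way to check a generated request against the sample in the first post, for instance a message captured with Wireshark as suggested above, is to summarise its WS-Security features and resolve which elements the signature actually references. This is an added example, not code from the thread, from Metro or from WSS4J; the class and method names (`WsseProfile`, `profile`, `frag`) are hypothetical and the embedded message is constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class WsseProfile { // hypothetical helper, not part of Metro or WSS4J
    static final String WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-";
    static final String WSSE = WSS + "wssecurity-secext-1.0.xsd", WSU = WSS + "wssecurity-utility-1.0.xsd";
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    static String frag(Document d, String ns, String name, String attr) { // part after '#', or "absent"
        Element e = (Element) d.getElementsByTagNameNS(ns, name).item(0);
        return e == null ? "absent" : e.getAttribute(attr).replaceFirst(".*#", "");
    }

    static Map<String, String> profile(String soap) throws Exception { // features + signed parts
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // reject DTDs
        Document d = f.newDocumentBuilder().parse(new ByteArrayInputStream(soap.getBytes(StandardCharsets.UTF_8)));
        Map<String, String> p = new TreeMap<>(), ids = new HashMap<>();
        p.put("passwordType", frag(d, WSSE, "Password", "Type"));
        p.put("nonce", d.getElementsByTagNameNS(WSSE, "Nonce").getLength() > 0 ? "present" : "absent");
        p.put("tokenValueType", frag(d, WSSE, "BinarySecurityToken", "ValueType"));
        p.put("signatureMethod", frag(d, DS, "SignatureMethod", "Algorithm"));
        NodeList all = d.getElementsByTagNameNS("*", "*"); // index every wsu:Id by element name
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (e.hasAttributeNS(WSU, "Id")) ids.put("#" + e.getAttributeNS(WSU, "Id"), e.getLocalName());
        }
        List<String> signed = new ArrayList<>();
        NodeList refs = d.getElementsByTagNameNS(DS, "Reference"); // ds:Reference only, not wsse:Reference
        for (int i = 0; i < refs.getLength(); i++) {
            String uri = ((Element) refs.item(i)).getAttribute("URI");
            signed.add(ids.getOrDefault(uri, "unresolved " + uri));
        }
        p.put("signedParts", String.join(",", signed));
        return p;
    }

    public static void main(String[] args) throws Exception {
        // Constructed message shaped like the sample in the thread; all values are placeholders.
        String msg = String.format("<e:Envelope xmlns:e='http://schemas.xmlsoap.org/soap/envelope/' xmlns:wsse='%1$s'"
            + " xmlns:wsu='%2$s' xmlns:ds='%3$s'><e:Header><wsse:Security><wsse:UsernameToken wsu:Id='ut-1'>"
            + "<wsse:Username>u</wsse:Username><wsse:Nonce>n</wsse:Nonce>"
            + "<wsse:Password Type='%4$susername-token-profile-1.0#PasswordText'>p</wsse:Password>"
            + "</wsse:UsernameToken><ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm='%3$srsa-sha1'/>"
            + "<ds:Reference URI='#body-1'/></ds:SignedInfo></ds:Signature></wsse:Security></e:Header>"
            + "<e:Body wsu:Id='body-1'/></e:Envelope>", WSSE, WSU, DS, WSS);
        profile(msg).forEach((k, v) -> System.out.println(k + " = " + v));
    }
}
```

Run it on both the captured request and the authority's sample and compare the two maps. In the sample from the first post the only ds:Reference points at the Body's wsu:Id, so the UsernameToken lies outside the signature.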
Re: How to get started developing WSIT enabled web service client
Posted: Dec 23, 2008 6:52 AM
in response to: malm
Thanks Glen, I am marking this thread as answered as I certainly got started with your help.