Replies: 9 - Last Post: Jun 18, 2009 3:42 PM by: ipsi
Options for Securing Client when Server has no wsp:Policy information?
Posted: Jun 16, 2009 11:13 PM
I have a web application running under Glassfish V2 UR2 (Java 1.5), and as part of that Application I need to call a remote web service. As far as I'm aware, that web service doesn't have any wsp:Policy information in the WSDL, and so I need an alternate way to secure it. The less code I have to write, the better.
I've seen information regarding wsit-security and {serviceName}Service.xml files, so I'm wondering if it would be as simple as taking the WSDL, adding all the required policy information (including the signed/encrypted parts and such), essentially including all the policy information that would normally be on the server side, and just allowing Metro/WSIT to pick that up. If that's possible, that'd be fantastic.
For what it's worth, I did try that, but it didn't seem to find the wsit-client.xml file...
The Application is basically an EAR, which contains two WAR files. The client that I need to secure is in a JAR in the lib/ folder of the EAR, but the code calling said client can be located in either of the WARs (though it will likely end up being called by a single WAR at the end of the day, if it matters). I'm not sure if I've got the wsit-client file in the right place - should it be in the META-INF directory of the EAR, or of each WAR? Or what? Kinda confused...
If it's not, then what are my other options? I saw a (somewhat old) example referencing XWSS, but that doesn't seem like quite what I want, as it requires a fair amount of code. I'm already using WSS4J to secure the service via a handler, but I would like to be able to get rid of that code and just replace it with a couple of configuration files or something. Thanks,
- Andrew
Re: Options for Securing Client when Server has no wsp:Policy information?
Posted: Jun 17, 2009 12:03 PM, in response to: ipsi
Amazon EC2 requires WS-Security but does not include what it requires in its WSDL. To make it easier to use Metro to control EC2, Kohsuke developed:
https://jax-ws-commons.dev.java.net/ec2/
that sets up the required security on the client side.
Hopefully the techniques he uses can be of help to your case.
--------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@metro.dev.java.net For additional commands, e-mail: users-help@metro.dev.java.net
Re: Options for Securing Client when Server has no wsp:Policy information?
Posted: Jun 17, 2009 11:49 PM, in response to: Kumar Jayanti
Kumar Jayanti wrote:
> Harold Carr wrote:
>> Amazon EC2 requires WS-Security but does not include what it requires
>> in its WSDL. To make it easier to use Metro to control EC2, Kohsuke
>> developed:
>>
>> https://jax-ws-commons.dev.java.net/ec2/
>>
>> that sets up the required security on the client side.
>>
>> Hopefully the techniques he uses can be of help to your case.
> You can also see the following sample(s):
>
> https://xwss.dev.java.net/files/documents/4864/103171/SecureJDK6WSWithHandlers.zip
>
> https://xwss.dev.java.net/files/documents/4864/64205/SecureXWSS20JDK6.zip
> (The sample documentation is not so clean.)
>
> and this article:
> https://xwss.dev.java.net/Securing_JAVASE6_WebServices.html
>
> though they are written for JDK6 style endpoints the same
> configuration and concepts would work for normal endpoints.

Here is more documentation. The XWSS 2.0 tutorial here explains this way of doing things and these features are available out-of-the-box in Metro/GlassFish.
http://java.sun.com/webservices/docs/1.6/tutorial/doc/XWS-SecurityIntro.html#wp540763
Re: Options for Securing Client when Server has no wsp:Policy information?
Posted: Jun 18, 2009 2:22 AM, in response to: ipsi
Thanks for the information folks - very helpful!
I've managed to get it signing the request, using the method Harold pointed me to in the Amazon example.
However, I've got two problems that need solving:
1) How do I generate a UsernameToken? I would have thought something like the following would work, but apparently it doesn't:
<wsp:Policy wsu:Id="CMDMBindingPolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always" />
              <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssUsernameToken10/>
                </wsp:Policy>
              </sp:UsernameToken>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict />
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp />
          <sp:OnlySignEntireHeadersAndBody />
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic128 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
        </wsp:Policy>
      </sp:AsymmetricBinding>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
Unfortunately, it doesn't. There's no error messages in the log or anything, so I suspect this is not how it should work.
When I do the following, however (which is how most examples I've seen do it), I get an error:
<wsp:Policy wsu:Id="CMDMBindingPolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always" />
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict />
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp />
          <sp:OnlySignEntireHeadersAndBody />
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic128 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:SignedSupportingTokens>
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:WssUsernameToken10/>
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SignedSupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
Error Stack Trace:
java.lang.NullPointerException
    at com.sun.xml.ws.security.impl.policyconv.SupportingTokensProcessor.encryptToken(SupportingTokensProcessor.java:220)
    at com.sun.xml.ws.security.impl.policyconv.SupportingTokensProcessor.process(SupportingTokensProcessor.java:145)
    at com.sun.xml.ws.security.impl.policyconv.BindingProcessor.processSupportingTokens(BindingProcessor.java:284)
    at com.sun.xml.ws.security.impl.policyconv.XWSSPolicyGenerator.processNonBindingAssertions(XWSSPolicyGenerator.java:269)
    at com.sun.xml.ws.security.impl.policyconv.XWSSPolicyGenerator.process(XWSSPolicyGenerator.java:216)
    at com.sun.xml.ws.security.impl.policyconv.XWSSPolicyGenerator.process(XWSSPolicyGenerator.java:157)
    at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.constructPolicyHolder(SecurityTubeBase.java:1251)
    at com.sun.xml.wss.jaxws.impl.SecurityClientTube.addOutgoingProtocolPolicy(SecurityClientTube.java:605)
    at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.buildProtocolPolicy(SecurityTubeBase.java:1225)
    at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.collectPolicies(SecurityTubeBase.java:756)
    at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.<init>(SecurityTubeBase.java:284)
    at com.sun.xml.wss.jaxws.impl.SecurityClientTube.<init>(SecurityClientTube.java:132)
    at com.sun.xml.wss.provider.wsit.SecurityTubeFactory.createTube(SecurityTubeFactory.java:222)
    at com.sun.xml.ws.assembler.TubeCreator.createTube(TubeCreator.java:85)
    at com.sun.xml.ws.assembler.TubelineAssemblerFactoryImpl$MetroTubelineAssembler.createClient(TubelineAssemblerFactoryImpl.java:97)
    at com.sun.xml.ws.client.WSServiceDelegate.createPipeline(WSServiceDelegate.java:446)
    at com.sun.xml.ws.client.WSServiceDelegate.createEndpointIFBaseProxy(WSServiceDelegate.java:639)
    at com.sun.xml.ws.client.WSServiceDelegate.getPort(WSServiceDelegate.java:342)
    at com.sun.xml.ws.client.WSServiceDelegate.getPort(WSServiceDelegate.java:324)
    at javax.xml.ws.Service.getPort(Service.java:139)
    . . .
Anyone got any ideas why this is happening? As far as I'm aware, I'm using Metro 2.0.
Re: Options for Securing Client when Server has no wsp:Policy information?
Posted: Jun 18, 2009 2:41 AM, in response to: ipsi
Sorry, hit 'post' instead of 'preview' there. Basically, I want to be able to do two things to the message:
1) Add a UsernameToken, with a username (but no password, at least for now).
2) Sign the Body and the UsernameToken.
I've managed to get a signed body, which is good. That's half the way there. Just not sure why I can't seem to add a UsernameToken.
The way I'm currently trying to set the username is with the call
bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "User");
Where 'bp' is the port object cast as BindingProvider - is this correct? Or should I be looking for another way to do it? I know that I could do it via the wsit-client.xml file, but that would involve a lot of duplication and such, and I'm not sure I like how it loads the wsit-client.xml file, so alternate ways would be good. But even if I place information about that in the wsit-client.xml file, and get it to load, it doesn't seem to affect anything.
Finally, why is the encryptToken method being called in the stack trace I posted for the NullPointerException? I would have expected it to be calling a signing method instead, as I haven't specified *anywhere* that I want anything encrypted. Or is that method supposed to handle both signing and encrypting?
Also, I would like a way to remove the "mustUnderstand" attribute, either via code or via the policy information. While it doesn't affect me at the moment, it may very well become a problem down the road... I notice that it was mentioned in another thread (http://forums.java.net/jive/thread.jspa?messageID=350315) that this can't be easily done at the moment, but I would appreciate this option at some point.
Once I've solved that problem (UsernameToken), it's pretty much just a matter of choice as to exactly how I go about implementing this solution.
Once again, thanks for your help folks,
- Andrew Thorburn
Re: Options for Securing Client when Server has no wsp:Policy information?
Posted: Jun 18, 2009 3:55 AM, in response to: ipsi
Here is how your policy should look:
<wsp:Policy wsu:Id="CMDMBindingPolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always" />
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict />
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp />
          <sp:OnlySignEntireHeadersAndBody />
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic128 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:SignedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:WssUsernameToken10 />
              <sp:NoPassword/>
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SignedSupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
And you have to specify in the client code the following property:
((BindingProvider)port).getRequestContext().put(XWSSConstants.USERNAME_PROPERTY,"test");
See this : http://weblogs.java.net/blog/kumarjayanti/archive/2008/11/plain_text_user.html
The reason it was going into Encryption even though you did not specify anything is because whenever there is a password in the username token, Metro would try to encrypt the username token by default (this is a recommendation in the spec).
As for must-understand we don't support a way to do this when you are using WS-Policy. I just added support for it in XWSS 2.0 style legacy security for one user who asked for it.
Re: Options for Securing Client when Server has no wsp:Policy information?
Posted: Jun 18, 2009 4:11 AM, in response to: kumarjayanti
Ahhh, thanks for that - I hadn't realised that. I assume it's throwing an NPE because I didn't specify a password, and yet failed to specify ? I would have thought it more sensible to log an error, then throw a more helpful exception.
Anyway, I'll give that a shot tomorrow - sounds promising.
Thanks very much for your help!
- Andrew Thorburn
Re: Options for Securing Client when Server has no wsp:Policy information?
Posted: Jun 18, 2009 3:37 PM, in response to: ipsi
Yeah, that fixed it, thanks!
One thing to note: Since I'm using the com.sun.xml.ws.api.security.CallbackHandlerFeature class to provide the Signature certificate, it is apparently also used to provide the Username, therefore I don't need to make use of the BindingProvider stuff to set it - just do it during the callback.
Couple of things: Is it possible to have a username token that isn't signed? While it's not something I need at the moment, I figure it'd be nice to know if it can be done or not.
Also, is there a good reference out there for all this policy stuff? That would be extremely handy...
Thanks,
- Andrew Thorburn
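Putting Kumar's policy (SignedSupportingTokens with sp:NoPassword) together with the note above that the handler passed via CallbackHandlerFeature also supplies the username, here is an added example of the client side. It is not code from this thread, from Metro, or from the Amazon sample; it is written to show the pattern the posts describe. `CallbackHandlerFeature`, `BindingProvider.getRequestContext()` and `XWSSConstants.USERNAME_PROPERTY` are named in the thread; the XWSS callback classes `SignatureKeyCallback` and `UsernameCallback` are assumed to be the ones Metro issues, and the keystore path, alias, passwords, service QName and the `CMDMPortType` interface (a stand-in for the generated SEI) are placeholders.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import javax.jws.WebService;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.namespace.QName;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.Service;

import com.sun.xml.ws.api.security.CallbackHandlerFeature;   // named in the thread
import com.sun.xml.wss.XWSSConstants;                          // named in the thread
import com.sun.xml.wss.impl.callback.SignatureKeyCallback;     // XWSS callback types: assumed API
import com.sun.xml.wss.impl.callback.UsernameCallback;

/** Stand-in for the SEI that wsimport would generate from the WSDL (assumed name). */
@WebService(name = "CMDMPortType", targetNamespace = "urn:example:cmdm")
interface CMDMPortType { }

public class SecuredClientExample {

    /** One handler answers both callbacks Metro raises while building the outbound header. */
    static class ClientSecurityHandler implements CallbackHandler {
        private final PrivateKey signingKey;
        private final X509Certificate signingCert;
        private final String username;

        ClientSecurityHandler(PrivateKey signingKey, X509Certificate signingCert, String username) {
            this.signingKey = signingKey;
            this.signingCert = signingCert;
            this.username = username;
        }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof SignatureKeyCallback) {
                    // sp:X509Token in the AsymmetricBinding: hand over the key pair used to sign
                    SignatureKeyCallback.Request req = ((SignatureKeyCallback) cb).getRequest();
                    if (!(req instanceof SignatureKeyCallback.PrivKeyCertRequest)) {
                        throw new UnsupportedCallbackException(cb, "unsupported signature key request");
                    }
                    SignatureKeyCallback.PrivKeyCertRequest r = (SignatureKeyCallback.PrivKeyCertRequest) req;
                    r.setPrivateKey(signingKey);
                    r.setX509Certificate(signingCert);
                } else if (cb instanceof UsernameCallback) {
                    // sp:UsernameToken with sp:NoPassword: only the username is requested
                    ((UsernameCallback) cb).setUsername(username);
                } else {
                    // fail closed: an unanswered callback must not silently yield a partial header
                    throw new UnsupportedCallbackException(cb, "unexpected callback " + cb.getClass().getName());
                }
            }
        }
    }

    /** Loads the client's signing key pair from a JKS keystore (path and alias are placeholders). */
    static ClientSecurityHandler handlerFromKeystore(String path, char[] storePass, String alias,
                                                     char[] keyPass, String username) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, storePass);
        } finally {
            in.close();
        }
        PrivateKey key = (PrivateKey) ks.getKey(alias, keyPass);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (key == null || cert == null) {
            throw new IllegalStateException("no key pair under alias " + alias);
        }
        return new ClientSecurityHandler(key, cert, username);
    }

    /** Builds the port from the client-side WSDL copy that carries CMDMBindingPolicy. */
    static <T> T securedPort(URL wsdlWithPolicy, QName serviceName, Class<T> sei, CallbackHandler handler) {
        Service service = Service.create(wsdlWithPolicy, serviceName);
        return service.getPort(sei, new CallbackHandlerFeature(handler));
    }

    /** The alternative Kumar gave: set the username on the request context instead of in a callback. */
    static void setUsernameViaRequestContext(Object port, String username) {
        ((BindingProvider) port).getRequestContext().put(XWSSConstants.USERNAME_PROPERTY, username);
    }

    public static void main(String[] args) throws Exception {
        // every value below is a placeholder for the reader's own deployment
        ClientSecurityHandler handler = handlerFromKeystore("client-keystore.jks",
                "storepass".toCharArray(), "client-signing-key", "keypass".toCharArray(), "User");
        URL wsdl = SecuredClientExample.class.getResource("/META-INF/wsdl/cmdm-with-policy.wsdl");
        CMDMPortType port = securedPort(wsdl, new QName("urn:example:cmdm", "CMDMService"),
                CMDMPortType.class, handler);
        System.out.println("port created with signing key and username supplied by " + handler.getClass());
    }
}
```

The handler refuses any callback type it does not recognise rather than returning quietly; with the policy above, a silently unanswered SignatureKeyCallback would surface only later as a failed signature (or, as in the stack trace earlier in the thread, an unhelpful NullPointerException). No password property is set anywhere because the policy declares sp:NoPassword; if the token were moved from SignedSupportingTokens to SupportingTokens, as the last post describes, the username would still be sent but the server would get no cryptographic binding between that name and the X.509 signer, so treat that variant as an unauthenticated hint rather than an identity claim.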
Re: Options for Securing Client when Server has no wsp:Policy information?
Posted: Jun 18, 2009 3:42 PM, in response to: ipsi
Sorry, my bad: If I'd bothered to read your link, I would have found that I can have an unsigned, unencrypted username token by putting it inside a <SupportingTokens> element, as opposed to a <SignedSupportingTokens> element.
Thanks,
- Andrew