[jboss-user] [JBossWS] - Implementing WS-Security Usename Token Profile Authenticatio

dhanushgopinath do-not-reply at jboss.com
Thu Mar 5 06:29:31 EST 2009


Hi All,

The below mentioned steps will help you implementing WS-Security Usename Token Profile on for POJO based Webservices. This example is done with JBOSS 4.2.3 AS with JBOSS Native WS 3.1.0.

Assumptions

1.	This is a step by step example of implementing the Username Token Authentication Profile of WS Security (based on http://xml.coverpages.org/WSS-UsernameTokenProfile-20040315.pdf ) using the JBOSS WS version 3.1.0. 
2.	JBOSS AS version 4.2.3 is installed.
3.	JBOSS WS 3.1.0 is deployed onto the JBOSS AS by following the instructions in the location http://www.jboss.org/file-access/default/members/jbossws/downloads/Install-jbossws-native-3.1.0.GA.txt 
4.	The web service implementation is already created using the Top Down approach.
5.	JBOSS_HOME is the home directory of JBOSSAS where jboss-4.2.3.GA is unzipped.
6.	While writing the WS Service Client we assume that the client side stubs are already provided.
7.	Username and Password used in this implementation is the JBOSS default username and password (kermit=thefrog)


Steps - Server Side


1.	Add the annotation @SecurityDomain("JBossWS") to the implementation class of web service.

    a.	This requires the importing of the package org.jboss.annotation.security.SecurityDomain to the web service and hence will need the jar jboss-annotations-ejb3.jar in the classpath of your application. This jar is available in the JBOSS_HOME/client directory.

    b.	This security domain (JBossWS )should be available under the application policy category in the login configuration xml file in JBOSS_HOME/server/default/conf/login-config.xml. (I guess it should be possible to add a custom security domain by adding a separate application policy configuration on to this file. But I have not tested it though. )
2.	Create a file jboss-web.xml under the WEB-INF directory of your application and add the following content to the XML file.
<?xml version="1.0" encoding="UTF-8"?>
  | <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.4//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd">
  | <jboss-web>
  | 
  | 	<security-domain>java:/jaas/JBossWS</security-domain>
  | 	<context-root>/CONTEXT_ROOT_OF_YOUR_APP</context-root>
  | </jboss-web>
  | 

3.	Copy the file standard-jaxws-endpoint-config.xml from the location JBOSS_HOME\server\default\deploy\jbossws.sar\META-INF  to the META-INF directory of your  application and edit it as follows.
 
    a.	Remove all the endpoint config elements (<endpoint-config>) except the one with the config name (Standard WSSecurity Endpoint). Your standard-jaxws-endpoint-config.xml should look like this.

  | <?xml version="1.0" encoding="UTF-8"?>
  | <jaxws-config xmlns="urn:jboss:jaxws-config:2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:javaee="http://java.sun.com/xml/ns/javaee"
  |   xsi:schemaLocation="urn:jboss:jaxws-config:2.0 jaxws-config_2_0.xsd">
  |   <endpoint-config>
  |     <config-name>Standard WSSecurity Endpoint</config-name>
  |     <post-handler-chains>
  |       <javaee:handler-chain>
  |         <javaee:protocol-bindings>##SOAP11_HTTP ##SOAP11_HTTP_MTOM</javaee:protocol-bindings>
  |         <javaee:handler>
  |           <javaee:handler-name>WSSecurity Handler</javaee:handler-name>
  |           <javaee:handler-class>org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer</javaee:handler-class>
  |         </javaee:handler>
  |         <javaee:handler>
  |           <javaee:handler-name>Recording Handler</javaee:handler-name>
  |           <javaee:handler-class>org.jboss.wsf.framework.invocation.RecordingServerHandler</javaee:handler-class>
  |         </javaee:handler>
  |       </javaee:handler-chain>
  |     </post-handler-chains>
  |   </endpoint-config>  
  | 

4.	Create the Server side WSSE declaration (jboss-wsse-server.xml) file as per the Jboss WS 3.1.0 User guide (http://jbossws.jboss.org/mediawiki/index.php?title=WS-Security_options#POJO_Endpoint_-_Authentication_and_Authorization) in the WEB-INF directory of your application. The contents can be as given below or can be according to the above link if your want to provide role level security.

  | <?xml version="1.0" encoding="UTF-8"?>
  | <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
  | 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  | 	xsi:schemaLocation="http://www.jboss.com/ws-security/config
  | http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
  | 	<config>
  | 		<authorize>
  | 			<unchecked />
  | 		</authorize>
  | 	</config>
  | </jboss-ws-security>
  | 

5.	Export the application WAR file and deploy it in JBOSS. Your application should deploy successfully. Check the log file to know more details.

Steps - Client Side

To test the application's Web Service Security we can write a sample WS Client. Before that we need to edit jbossws-users.properties file in the location JBOSS_HOME\ server\default\conf\props because the default JBossWS security domain look for the users configured in this file. Add users to this file in the username=password form.  The steps to write the client are as given below.

1.	Create the Client side WSSE declaration (jboss-wsse-client.xml) file in a location accessible to the web service client. The contents should be as per the JBOSS WS User guide (http://jbossws.jboss.org/mediawiki/index.php?title=JAX-WS_User_Guide#Client_side_WSSE_declaration_.28jboss-wsse-client.xml.29 ). Since we are using Username Token Authentication, the contents of this file should be as follows.

  | <?xml version="1.0" encoding="UTF-8"?>
  | <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
  |                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  |                    xsi:schemaLocation="http://www.jboss.com/ws-security/config
  | http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">   
  |     <config>
  |         <username/>        
  |     </config>
  | </jboss-ws-security>
  | 

2.	Create the WS Service Client. The important code fragment is as given below. This will require the importing of the package org.jboss.ws.core.StubExt which is available in the jar, jboss-native-core.jar. So this jar should be added to the client class path. The skeleton code is as given.

  |           
  | String url = "YOUR_DEPLOYED_WSDL_URL";
  | URL wsdlURL = new URL(url);
  | URL clientSideSecurityfile = new File("jboss-wsse-client.xml").toURL();
  | QName serviceName = new QName(SERVICE_TARGET_NS, SERVICE_NAME);
  |  Service service = Service.create(wsdlURL, serviceName);
  | 
  | //Get the Web Service Interface PORT         
  |          AWFUtilityServicePortType port = (AWFUtilityServicePortType) service.getPort(AWFUtilityServicePortType.class);
  | 
  | //Set the Security Configurations
  |         ((StubExt) port).setSecurityConfig(clientSideSecurityfile.toExternalForm());
  |          ((StubExt) port).setConfigName("Standard WSSecurity Client");
  | 
  | //Set the user name password
  |             Map<String, Object> reqContext = ((BindingProvider) port).getRequestContext();
  |             reqContext.put(BindingProvider.USERNAME_PROPERTY, "kermit");
  |             reqContext.put(BindingProvider.PASSWORD_PROPERTY, "thefrog");            
  |             reqContext.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, url);
  | 
  | //Make the Call
  |             java.lang.String partGetIDRequest = "Hello World";
  |             java.lang.String result = port.getID(partGetIDRequest);
  |             System.out.println("Result = " + result);
  | 

3.	So there is it we are all set. Make the call you can see the SOAP Messages when the user name and password matches 

   a.	In Bound


  | <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:awf="http://www.test.com/WF/Framework/AWFUtilityService">
  |    <soapenv:Header>
  |       <wsse:Security soapenv:mustUnderstand="1" 
  | 	xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  |  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  |          <wsse:UsernameToken wsu:Id="token-1-1236072936329-25515818">
  |             <wsse:Username>kermit</wsse:Username>
  |             <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">thefrog</wsse:Password>
  |          </wsse:UsernameToken>
  |       </wsse:Security>
  |    </soapenv:Header>
  |    <soapenv:Body>
  |       <awf:ID>Hi</awf:ID>
  |    </soapenv:Body>
  | </soapenv:Envelope>
  | 


    b.	Out Bound
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  |    <env:Header/>
  |    <env:Body>
  |       <ns1:IDValue xmlns:ns1="http://www.test.com/WF/Framework/AWFUtilityService">Hello World,  Your ID is 1</ns1:IDValue>
  |    </env:Body>
  | </env:Envelope>
  | 


    c.	When the User name and Password doesn't match the following SOAP fault is thrown.
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  |    <env:Header/>
  |    <env:Body>
  |       <env:Fault>
  |          <faultcode xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">wsse:FailedAuthentication</faultcode>
  |          <faultstring>The security token could not be authenticated or authorized.</faultstring>
  |       </env:Fault>
  |    </env:Body>
  | </env:Envelope>
  | 

Hope these steps helps. If you find any issues after implementing by these steps, please post it here.

Thanks & Regards
Dhanush

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4215231#4215231

Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4215231



More information about the jboss-user mailing list