[JBossWS] - Re: WS-Security: keystores and truststores
by jason.greene@jboss.com
Encryption operates very differently from signature processing. You can relate it to SSL mutual auth, or PGP.
In order to use encryption you need 2 key pairs (public/private) for each party; in the spirit of old-school cryptography, let's call them Bob and Alice. In order to send an encrypted message to Alice, Bob must have her public key. He encrypts the message to Alice using her public key, which she can then decrypt using her private key. Likewise, when she replies to the message she uses Bob's public key to encrypt the message, and he uses his private key to decrypt the message.
Now, when sending these messages WS-Security needs to know which public key the message was encrypted with. To do this, one mechanism is to send the X509 token of the public cert in the message. However, this causes another form of validation to occur. WS-Security requires that all tokens be validated. Therefore Bob and Alice need to trust their own public keys.
Here is the setup:
bobs.keystore
---------------
bob - keyPair (public + private key)
alice - trustedCertEntry (just alice's public key)
bobs.truststore
----------------
bob - trustedCertEntry (just bob's public key)
alices.keystore
-----------------
alice - keyPair (public + private key)
bob - trustedCertEntry (just bob's public key)
alices.truststore
----------------
alice - trustedCertEntry (just alice's public key)
Note, this is just for encryption; to enable signing as well you also need to add a trust entry for the other party, since in signature processing it's the public key that is used for decryption.
Let me know if you have any other questions.
-Jason
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4032846#4032846
17 years, 7 months
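The keystore/truststore layout from the post above, as an added Go example (not JBossWS code and not from the poster): each party's keystore holds its own key pair plus the peer's certificate, its truststore only the token it will accept, and the recipient validates the incoming X.509 token against the truststore before its private key is touched. The `Party`, `Message`, `setup` names and the self-signed certs are this example's own; it also encrypts the body directly with RSA-OAEP, where real WS-Security wraps a symmetric key.

```go
package main

import (
	"bytes"; "crypto/rand"; "crypto/rsa"; "crypto/sha256"; "crypto/x509"
	"crypto/x509/pkix"; "errors"; "math/big"; "time"
)

// Party mirrors the post's layout: the keystore holds our own key pair plus the peer's cert
// (Peers), the truststore holds only the certs whose X.509 tokens we accept; both keyed by alias.
type Party struct{ Priv *rsa.PrivateKey; Cert *x509.Certificate; Peers, TrustStore map[string]*x509.Certificate }

// newParty generates an RSA key pair and a self-signed cert (stand-in for keytool -genkeypair).
func newParty(name string) *Party {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	cert, _ := x509.ParseCertificate(der)
	return &Party{priv, cert, map[string]*x509.Certificate{}, map[string]*x509.Certificate{}}
}

// setup fills the four stores exactly as the post lists them.
func setup() (bob, alice *Party) {
	bob, alice = newParty("bob"), newParty("alice")
	bob.Peers["alice"], bob.TrustStore["bob"] = alice.Cert, bob.Cert     // bobs.keystore, bobs.truststore
	alice.Peers["bob"], alice.TrustStore["alice"] = bob.Cert, alice.Cert // alices.keystore, alices.truststore
	return
}

// Message is a reduced envelope: the recipient's X.509 token (says which key was used) and the body.
type Message struct{ Token, Body []byte }

// encryptTo plays Bob: look up the peer's cert in his keystore and encrypt to that public key.
// (Real WS-Security wraps a symmetric key this way rather than encrypting the body itself.)
func (p *Party) encryptTo(alias string, plaintext []byte) (*Message, error) {
	peer, ok := p.Peers[alias]
	if !ok { return nil, errors.New("no trustedCertEntry for " + alias) }
	body, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, peer.PublicKey.(*rsa.PublicKey), plaintext, nil)
	return &Message{peer.Raw, body}, err
}

// decrypt plays Alice: the token is validated against the truststore before the private key is
// used, so alices.truststore must contain alice's own cert or the message is refused.
func (p *Party) decrypt(m *Message) ([]byte, error) {
	for _, c := range p.TrustStore {
		if bytes.Equal(c.Raw, m.Token) { return rsa.DecryptOAEP(sha256.New(), nil, p.Priv, m.Body, nil) }
	}
	return nil, errors.New("X509 token not in truststore")
}
```

Removing the `alice` entry from `alice.TrustStore` makes `decrypt` fail on token validation even though her private key is still present, which is the trust requirement the post describes.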
[JBossWS] - Re: JBoss 4.0.5--JAX-RPC has Issues?
by sgof
I have the same problem, but I don't have JAI.
Anyone resolved the problem?
On my PC (with Windows XP) everything works, but the same JBoss with the same web service on a Unix server gives me the error:
ERROR [[WPMServiceServlet]] Servlet.service() for servlet WPMServiceServlet threw exception
java.lang.ExceptionInInitializerError
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:164)
at org.jboss.ws.soap.attachment.ContentHandlerRegistry.(ContentHandlerRegistry.java:51)
at org.jboss.ws.xop.XOPUnmarshallerImpl.(XOPUnmarshallerImpl.java:59)
at org.jboss.ws.jaxrpc.encoding.SimpleDeserializer.deserialize(SimpleDeserializer.java:52)
at org.jboss.ws.soap.SOAPContentElement.getObjectValue(SOAPContentElement.java:235)
at org.jboss.ws.binding.EndpointInvocation.transformPayloadValue(EndpointInvocation.java:233)
at org.jboss.ws.binding.EndpointInvocation.getRequestParamValue(EndpointInvocation.java:103)
at org.jboss.ws.binding.EndpointInvocation.getRequestPayload(EndpointInvocation.java:117)
at org.jboss.ws.server.ServiceEndpointInvokerJSE.invokeServiceEndpoint(ServiceEndpointInvokerJSE.java:94)
at org.jboss.ws.server.ServiceEndpointInvoker.invoke(ServiceEndpointInvoker.java:115)
at org.jboss.ws.server.ServiceEndpoint.handleRequest(ServiceEndpoint.java:209)
at org.jboss.ws.server.ServiceEndpointManager.processSOAPRequest(ServiceEndpointManager.java:355)
at org.jboss.ws.server.StandardEndpointServlet.doPost(StandardEndpointServlet.java:115)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.jboss.ws.server.StandardEndpointServlet.service(StandardEndpointServlet.java:76)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
at java.lang.Thread.run(Thread.java:595)
Caused by: java.lang.IllegalArgumentException: failed to parse:image/bmp, image/x-bmp, image/x-windows-bmp
at java.awt.datatransfer.DataFlavor.(DataFlavor.java:292)
at javax.activation.ActivationDataFlavor.(ActivationDataFlavor.java:81)
at org.jboss.ws.soap.attachment.ImageDataContentHandler.buildFlavors(ImageDataContentHandler.java:77)
at org.jboss.ws.soap.attachment.ImageDataContentHandler.(ImageDataContentHandler.java:63)
... 36 more
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4032680#4032680
17 years, 7 months
[JBossWS] - Re: WS-Security: keystores and truststores
by PeterJ
I'll add my own two cents to this (I was going to do a new post but found this one).
The only way that I can get WS-Security encryption to work is if I place the private key into the keystore in both the client and the server. If either one has a public key, it complains with the error:
org.jboss.ws.extensions.security.WSSecurityException: Problems retrieving private key: Private key (XXX) not in keystore
This appears to be a major flaw if both the client and the server have to have the private key available; I would think that the public key would be sufficient for one side. I cannot imagine a company that provides a Web service willingly giving out the private key for that Web service. Or a second company that wants to use said web service providing its private key to the first company.
Any thoughts on this, or am I just doing it wrong? (I will post the config files on request, but they are pretty much what appears at http://jbws.dyndns.org/mediawiki/index.php/JAX-WS_User_Guide#WS-Security, though substitute 'encrypt' for 'sign'. I think I tried 'sign' also and it had the same problem.)
I am using JBossWS 1.2.0.GA.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4032593#4032593
17 years, 7 months