[jboss-user] [JBossWS] - Re: WS-Security: keystores and truststores

cavani do-not-reply at jboss.com
Tue Oct 9 08:45:53 EDT 2007


Hi,

I am using the following approach based on JBossWS 2.0.1:

1. I didn't change the distribution code.

2. Copy to my project (the EJB where the WS is configured):
org.jboss.ws.extensions.security.jaxws.WSSecurityHandler
org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer
org.jboss.ws.extensions.security.WSSecurityDispatcher

3. Merge WSSecurityHandler and WSSecurityHandlerServer into a single source (WSSecurityHandler no longer abstract, and delete Server) and change the invocation to my WSSecurityDispatcher copy.

4. Create my own SecurityStore extending org.jboss.ws.extensions.security.SecurityStore:

  | import java.security.KeyStore;
  | 
  | import org.w3c.dom.Element;
  | 
  | // imports follow the JBossWS 2.0.1 package layout (added here; they were not in the original post)
  | import org.jboss.ws.extensions.security.Util;
  | import org.jboss.ws.extensions.security.element.UsernameToken;
  | import org.jboss.ws.extensions.security.exception.WSSecurityException;
  | import org.jboss.wsf.spi.SPIProvider;
  | import org.jboss.wsf.spi.SPIProviderResolver;
  | import org.jboss.wsf.spi.invocation.SecurityAdaptor;
  | import org.jboss.wsf.spi.invocation.SecurityAdaptorFactory;
  | 
  | public class SecurityStore extends org.jboss.ws.extensions.security.SecurityStore
  | {
  | 	private KeyStore keyStore;
  | 
  | 	private KeyStore trustStore;
  | 
  | 	private char[] keyStorePassword;
  | 
  | 	// outbound path (handleOutbound): the user is the authenticated principal of the current invocation
  | 	public SecurityStore() throws WSSecurityException
  | 	{
  | 		loadKeyStore();
  | 
  | 		SPIProvider spiProvider = SPIProviderResolver.getInstance().getProvider();
  | 		SecurityAdaptorFactory secAdapterfactory = spiProvider.getSPI(SecurityAdaptorFactory.class);
  | 		SecurityAdaptor securityAdaptor = secAdapterfactory.newSecurityAdapter();
  | 
  | 		String username = securityAdaptor.getPrincipal().toString();
  | 
  | 		loadSessionKey(username);
  | 	}
  | 
  | 	// inbound path (handleInbound): the user is taken from the UsernameToken in the wsse:Security header
  | 	public SecurityStore(Element element) throws WSSecurityException
  | 	{
  | 		loadKeyStore();
  | 
  | 		Element child = Util.getFirstChildElement(element);
  | 
  | 		String username = null;
  | 
  | 		while (child != null)
  | 		{
  | 			String tag = child.getLocalName();
  | 
  | 			if (tag.equals("UsernameToken"))
  | 			{
  | 				UsernameToken token = new UsernameToken(child);
  | 				username = token.getUsername();
  | 				break;
  | 			}
  | 
  | 			child = Util.getNextSiblingElement(child);
  | 		}
  | 
  | 		loadSessionKey(username);
  | 	}
  | 
  | 	// loadKeyStore() and loadSessionKey(String) are described below; their bodies were not posted
  | 
  | 	// copy of public methods from SecurityStore
  | }

where:

* loadKeyStore() loads the server key/certificate
* loadSessionKey(String username) loads the user certificate (all certificates have the same alias)

5. Change WSSecurityDispatcher to instantiate my SecurityStore copy:
* Element parameter constructor at handleInbound
* default constructor at handleOutbound

6. Use my WSSecurityHandler in standard-jaxws-endpoint-config.xml

7. Configure the client with a username tag in jboss-wsse-client.xml and:


  | BindingProvider bindingProvider = (BindingProvider) port;
  | Map<String, Object> reqContext = bindingProvider.getRequestContext();
  | // only the username goes into the UsernameToken; the password is left empty,
  | // the user's certificate (loaded by loadSessionKey) is what the server works with
  | reqContext.put(BindingProvider.USERNAME_PROPERTY, USERNAME_HERE);
  | reqContext.put(BindingProvider.PASSWORD_PROPERTY, "");
  | 

That's it!

It is working fine for me (user certs are in LDAP accounts accessed with JNDI - InitialDirContext).

Any changes to improve the security code to implement something like this out of the box (like a pluggable SecurityStore with username information)? For 2.0.2?

Thanks,

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4092995#4092995
