[jboss-user] [JBossWS] - SLSB exposed as WS security issue

okiSM do-not-reply at jboss.com
Tue Jan 13 01:31:35 EST 2009


I have SLSB exposed as WS. I tried to add security. WS is deployed as jar. I've placed jboss-wsse-server and keystore files into META-INF (together with persistence.xml).

<?xml version="1.0" encoding="UTF-8"?>
<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
	<key-store-file>META-INF/wsse.keystore</key-store-file>
	<key-store-password>jbossws</key-store-password>
	<trust-store-file>META-INF/wsse.truststore</trust-store-file>
	<trust-store-password>jbossws</trust-store-password>
	<config>
		<sign type="x509v3" alias="wsse"></sign>
		<encrypt type="x509v3" alias="wsse"></encrypt>
		<requires>
			<signature />
			<encryption />
		</requires>
	</config>
</jboss-ws-security>

This configuration is read during deployment (if I put wrong locations of keystores, jar deployment breaks). However, when I try to access this WS with an unsecured client (generated using wsconsume) it responds normally (as if there is no security).
Endpoint interface:
import gint.scm.ws.entity.City;

import java.rmi.RemoteException;

import javax.ejb.Remote;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.jws.soap.SOAPBinding;

@WebService(name = "CityFacadeProxy", targetNamespace="http://gint_scm_ws")
@SOAPBinding(style=SOAPBinding.Style.DOCUMENT, use=SOAPBinding.Use.LITERAL, parameterStyle=SOAPBinding.ParameterStyle.WRAPPED)
@Remote
public interface CityFacadeSEI {
	@WebMethod
	public City createCity(String cityName) throws RemoteException;
}

Implementation bean:
import gint.scm.ws.entity.City;

import javax.ejb.Remote;
import javax.ejb.Stateless;
import javax.jws.WebService;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import javax.xml.ws.BindingType;

import org.jboss.ws.annotation.EndpointConfig;
import org.jboss.wsf.spi.annotation.WebContext;

@Stateless
@WebService(endpointInterface = "gint.scm.ws.session.CityFacadeSEI",
			serviceName = "CityFacadeServis", targetNamespace="http://gint_scm_ws")
@WebContext(contextRoot="/SCM", urlPattern="/*")
@BindingType(value = "http://schemas.xmlsoap.org/wsdl/soap/http?mtom=true")
@EndpointConfig(configName = "Standard WSSecurity Endpoint")
@Remote(CityFacadeSEI.class)
public class CityFacadeBean implements CityFacadeSEI {

	@PersistenceContext(name = "scm")
	EntityManager em;

	public City createCity(String cityName) {
		em.persist(new City(cityName.hashCode(), cityName));
		return new City(cityName.hashCode(), cityName);
	}

}

What's wrong here? There are no examples for security for SLSB WS (or I couldn't find them in the last 4 weeks).

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4201217#4201217
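
Added example, not part of the original post and not JBossWS code: a structural check of whether a captured SOAP request carries what the <requires> block in the posted configuration demands (a signature and encryption), which is the property an unsecured wsconsume client's request lacks. It only inspects element presence and does not validate signatures or decrypt anything; the class name, the sample envelopes and the arg0 parameter name are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example: checks a captured SOAP request against requires/signature + requires/encryption. */
public class WsseRequestCheck {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    static final String XENC = "http://www.w3.org/2001/04/xmlenc#";

    /** Returns "OK" or the first requirement the message fails. */
    static String check(String envelope) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Captured traffic is untrusted input: refuse DTDs so the checker is not open to XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(envelope.getBytes(StandardCharsets.UTF_8)));
        Element header = first(doc.getDocumentElement(), SOAP, "Header");
        Element security = header == null ? null : first(header, WSSE, "Security");
        if (security == null) return "no wsse:Security header";
        if (first(security, DS, "Signature") == null) return "wsse:Security has no ds:Signature";
        Element body = first(doc.getDocumentElement(), SOAP, "Body");
        if (body == null || first(body, XENC, "EncryptedData") == null) return "soap:Body is not encrypted";
        return "OK";
    }

    /** First descendant of scope with the given namespace and local name, or null. */
    private static Element first(Element scope, String ns, String local) {
        NodeList n = scope.getElementsByTagNameNS(ns, local);
        return n.getLength() == 0 ? null : (Element) n.item(0);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs; signature and cipher contents are empty placeholders.
        String plain = "<e:Envelope xmlns:e='" + SOAP + "'><e:Body>"
                + "<n:createCity xmlns:n='http://gint_scm_ws'><arg0>Test</arg0></n:createCity>"
                + "</e:Body></e:Envelope>";
        String secured = "<e:Envelope xmlns:e='" + SOAP + "'><e:Header>"
                + "<w:Security xmlns:w='" + WSSE + "'><d:Signature xmlns:d='" + DS + "'/></w:Security>"
                + "</e:Header><e:Body><x:EncryptedData xmlns:x='" + XENC + "'/></e:Body></e:Envelope>";
        System.out.println("unsecured client request: " + check(plain));
        System.out.println("signed+encrypted request: " + check(secured));
    }
}
```

A request that fails this check and still gets a normal response from the endpoint confirms that the <requires> section is not being enforced for that deployment.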
