Posted to users@tomee.apache.org by Jonathan Gallimore <jo...@gmail.com> on 2009/02/18 23:17:28 UTC

Securing a webservice

Hi,

I have an EJB that I'm also exposing as a webservice, and it is secured 
using the @DeclareRoles and @RolesAllowed annotations. Currently, 
despite passing a username and password like so:

import java.net.URL;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.Service;

        Service calcService = Service.create(
                new URL("http://127.0.0.1:4204/CalculatorImpl?wsdl"), null);
        assertNotNull(calcService);

        CalculatorWs calc = calcService.getPort(CalculatorWs.class);
        // standard JAX-WS request-context properties; the runtime sends them as HTTP Basic credentials
        BindingProvider provider = (BindingProvider) calc;
        provider.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "jane");
        provider.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "waterfall");
        assertEquals(10, calc.sum(4, 6));
        assertEquals(12, calc.multiply(3, 4));


I get an EJB access denied exception. Having poked around the code a 
bit, I don't think the credentials are being used by CxfWsContainer. 
Adding the following to the beginning of CxfWsContainer.processPOST() 
makes it work, but I'm wondering if I'm missing something simple:

        Object token = null;

        if (request instanceof HttpRequestImpl) {
            String auth = request.getHeader("Authorization");
            if (auth != null && auth.length() > 0) {
                if (auth.toUpperCase().startsWith("BASIC ")) {
                    auth = auth.substring(6);
                    // decode with an explicit charset rather than the platform default
                    Charset utf8 = Charset.forName("UTF-8");
                    String decoded = new String(Base64.decodeBase64(auth.getBytes(utf8)), utf8);
                    // split on the first colon only: the password itself may contain ':'
                    String[] parts = decoded.split(":", 2);
                    if (parts.length == 2) {
                        String username = parts[0];
                        String password = parts[1];

                        try {
                            final SecurityService securityService = getSecurityService();
                            token = securityService.login(username, password);
                            if (token != null) {
                                securityService.associate(token);
                            }
                        } catch (LoginException e) {
                            // a failed login falls through as an unauthenticated caller;
                            // the container then rejects any @RolesAllowed method
                        }
                    }
                }
            }

        }

It also looks like the StandardContext that is created when deploying a 
webservice in Tomcat will always have no authentication (the code is 
there to set up the StandardContext with various auth methods, but 
WsService.authMethod always seems to be null for me).

If this is a bug or something that's not been implemented I'm happy to 
have a go at making it work. Any thoughts?

Cheers,

Jon


PS. I've attached what I've done so far as a patch.
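A fuller version of the Basic-auth handling sketched in this message, added here as an example and not part of Jon's patch or of OpenEJB itself: it parses the header with the edge cases the snippet above skips (scheme matched case-insensitively, undecodable base64, a password that contains ':'), answers a missing or rejected login with a 401 challenge instead of silently continuing, and binds the identity to the thread only for the duration of the call. The SecurityGateway interface stands in for OpenEJB's SecurityService login/associate/disassociate (an assumption about its shape), and the in-memory user table in demoGateway is constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.LoginException;

/** Added example: HTTP Basic credentials parsed safely and used to gate one invocation. */
public final class BasicAuthGate {

    /** Assumed shape of the container security service (mirrors OpenEJB's SecurityService). */
    public interface SecurityGateway {
        Object login(String user, String password) throws LoginException;
        void associate(Object token);
        void disassociate();
    }

    /** user-id and password from "Authorization: Basic ...", or null if the header is unusable. */
    public static String[] parse(String header) {
        if (header == null) return null;
        String h = header.trim();
        // the scheme name is case-insensitive (RFC 7617); anything else is not Basic auth
        if (h.length() < 6 || !h.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(h.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // not base64: treat as absent credentials, never as a valid login
        }
        String decoded = new String(raw, StandardCharsets.UTF_8);
        int colon = decoded.indexOf(':');
        if (colon < 1) return null; // no separator, or an empty user-id
        // split on the FIRST colon only: the password may itself contain ':'
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    /**
     * Returns the HTTP status for one request: 200 after a successful login and invocation,
     * 401 (to be sent with a WWW-Authenticate: Basic challenge) when credentials are missing
     * or rejected. A LoginException is never swallowed into an anonymous invocation.
     */
    public static int gate(String header, SecurityGateway security, Runnable invocation) {
        String[] creds = parse(header);
        if (creds == null) return 401;
        Object token;
        try {
            token = security.login(creds[0], creds[1]);
        } catch (LoginException e) {
            return 401; // log creds[0] if you must, never creds[1]
        }
        if (token == null) return 401;
        security.associate(token);
        try {
            invocation.run();
        } finally {
            security.disassociate(); // the thread goes back to the pool without this identity
        }
        return 200;
    }

    /** Constructed in-memory gateway for the demo; a real one delegates to the container realm. */
    public static SecurityGateway demoGateway() {
        Map<String, String> users = new HashMap<>();
        users.put("jane", "waterfall");
        users.put("bob", "pa:ss:word");
        ThreadLocal<Object> current = new ThreadLocal<>();
        return new SecurityGateway() {
            public Object login(String user, String password) throws LoginException {
                if (password.equals(users.get(user))) return user;
                throw new LoginException("bad credentials for " + user);
            }
            public void associate(Object token) { current.set(token); }
            public void disassociate() { current.remove(); }
        };
    }

    private static String basic(String userColonPass) {
        return "Basic " + Base64.getEncoder().encodeToString(userColonPass.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        SecurityGateway gw = demoGateway();
        String[] headers = { basic("jane:waterfall"), basic("bob:pa:ss:word"),
                             basic("jane:wrong"), "Basic %%not-base64%%", "Bearer abc", null };
        for (String h : headers) {
            System.out.println(gate(h, gw, () -> {}) + "  <- " + h);
        }
    }
}
```

The two points that matter in a container are the ones the original snippet gets wrong: a login failure must end in a 401, not in a request that proceeds with no principal and relies on the EJB container to deny it later, and whatever associate() binds to the thread must be undone in a finally block, because the thread will serve the next caller.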

Re: Securing a webservice

Posted by Manjiri Gogate <mg...@hotmail.com>.
The web service security example (Calculator) service does not work for me and I
get an exception like this.

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
   <soap:Body>
      <soap:Fault>
         <faultcode>soap:Server</faultcode>
         <faultstring>Unauthorized Access by Principal Denied while invoking
public abstract int com.ln.crrg.common.ws.CalculatorWs.multiply(int,int)
with params [5, 6].</faultstring>
      </soap:Fault>
   </soap:Body>
</soap:Envelope>

I have openejb-jar.xml, the EJB and implementation class imported,
and the tomcat-users.xml file updated.


Am I missing any more configuration? Any input/advice is appreciated.

We are using apache-tomcat-6.0.29 with openejb war file.

Thank you

Manjiri Gogate

--
View this message in context: http://openejb.979440.n4.nabble.com/Securing-a-webservice-tp981248p3476150.html
Sent from the OpenEJB User mailing list archive at Nabble.com.

Re: Securing a webservice

Posted by Jean-Louis MONTEIRO <je...@atosorigin.com>.


David Blevins wrote:
> 
> Another thought is that if the properties all start with "wss4j." we  
> could easily sift them out of the various existing properties buckets  
> and do full overriding like we do with other things.  In other words  
> we'd take all "wss4j." properties from the system properties, override  
> them with the "wss4j." system instance properties, override them with  
> the "wss4j." openejb-jar.xml properties, and override them with  
> "wss4j." openejb-jar.xml properties for bean foo.  We don't have a per  
> bean properties bucket in the openejb-jar.xml now, but we could add one.
> 

Good thinking!
I've done the work for a bean-specific configuration and it works well. But
to be honest, I've no idea how to implement the behavior you proposed.

If someone can give me some input, I can probably have a look at implementing that.

Jean-Louis
-- 
View this message in context: http://www.nabble.com/Re%3A-Securing-a-webservice-tp22265166p22696987.html
Sent from the OpenEJB Dev mailing list archive at Nabble.com.


Re: Securing a webservice

Posted by David Blevins <da...@visi.com>.
On Mar 20, 2009, at 2:48 PM, Jonathan Gallimore wrote:

> I guess I'm thinking of something along the lines of:
>
> <openejb-jar xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2">
>  <global-ws-security>
>    <configuration>
> wss4j.in.action = Encrypt Signature
> wss4j.in.signaturePropFile = path to file/ 
> CalculatorSecurity.properties
> wss4j.in.encryptionPropFile = path to file/ 
> CalculatorSecurity.properties
>
> wss4j.out.action = Encrypt Signature
> wss4j.out.signaturePropFile = path to file/ 
> CalculatorSecurity.properties
> wss4j.out.encryptionPropFile = path to file/ 
> CalculatorSecurity.properties
> wss4j.out.user = something
> wss4j.out.encryptionUser = bod
> wss4j.out.signatureKeyIdentifier = DirectReference
> wss4j.out.encryptionSymAlgorithm =
> http://www.w3.org/2001/04/xmlenc#tripledes-cbc
> ...
>    </configuration>
>  </global-ws-security>
>
>  <enterprise-beans>
>      <session>
>          <ejb-name>CalculatorImpl</ejb-name>
>          <web-service-security>
>              <security-realm-name/>
>              <transport-guarantee>NONE</transport-guarantee>
>              <auth-method>WS-SECURITY</auth-method>
>
>              <configuration>
> wss4j.some_bean_specific_property = foo
> ...
>              </configuration>
>
>          </web-service-security>
>      </session>
>  </enterprise-beans>
> </openejb-jar>

Another thought is that if the properties all start with "wss4j." we  
could easily sift them out of the various existing properties buckets  
and do full overriding like we do with other things.  In other words  
we'd take all "wss4j." properties from the system properties, override  
them with the "wss4j." system instance properties, override them with  
the "wss4j." openejb-jar.xml properties, and override them with  
"wss4j." openejb-jar.xml properties for bean foo.  We don't have a per  
bean properties bucket in the openejb-jar.xml now, but we could add one.


-David
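The override chain David describes, written out as an added example (not OpenEJB code): it sifts the "wss4j." keys out of each properties bucket and merges them lowest precedence first, so a bean-specific entry wins over the global openejb-jar.xml block, which wins over the system instance properties, which win over JVM system properties. The four buckets are constructed inline for the demo; the global and bean blocks are parsed from the same key = value text that the proposed <configuration> element would carry.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;

/** Added example: layered "wss4j." property overriding, lowest precedence first. */
public final class Wss4jPropertyLayers {

    public static final String PREFIX = "wss4j.";

    /**
     * Keeps only keys starting with PREFIX from each bucket and merges them in order,
     * so a key in a later bucket replaces the same key from an earlier one. Keys without
     * the prefix are dropped: nothing unrelated can leak into the WSS4J configuration.
     */
    public static Map<String, String> merge(Properties... lowestFirst) {
        Map<String, String> merged = new TreeMap<>();
        for (Properties bucket : lowestFirst) {
            if (bucket == null) continue;
            for (String key : bucket.stringPropertyNames()) {
                if (key.startsWith(PREFIX)) merged.put(key, bucket.getProperty(key).trim());
            }
        }
        return merged;
    }

    /** Parses a key = value block such as the body of the proposed <configuration> element. */
    public static Properties fromText(String block) {
        Properties p = new Properties();
        try {
            p.load(new StringReader(block));
        } catch (IOException e) {
            throw new IllegalArgumentException("unreadable configuration block", e);
        }
        return p;
    }

    public static void main(String[] args) {
        // constructed buckets, ordered from lowest to highest precedence
        Properties system = new Properties();
        system.setProperty("wss4j.in.action", "UsernameToken");
        system.setProperty("java.version", "ignored");      // no prefix: dropped

        Properties instance = new Properties();
        instance.setProperty("wss4j.in.action", "Signature");

        Properties global = fromText(
              "wss4j.in.action = Encrypt Signature\n"
            + "wss4j.in.signaturePropFile = conf/CalculatorSecurity.properties\n"
            + "wss4j.out.encryptionUser = bob\n");

        Properties bean = fromText("wss4j.out.encryptionUser = alice\n");

        Map<String, String> effective = merge(system, instance, global, bean);
        // wss4j.in.action resolves from the global block, wss4j.out.encryptionUser from the bean block
        effective.forEach((k, v) -> System.out.println(k + " = " + v));
    }
}
```

Putting JVM system properties at the bottom of the chain is the security-relevant choice: anything settable from JAVA_OPTS or catalina.properties can then supply a default, but it can never replace the signature or encryption keystore a deployer pinned in openejb-jar.xml for a particular bean.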


Re: Securing a webservice

Posted by Jonathan Gallimore <jo...@gmail.com>.
That sounds great. I might have a play around with Maven and see if I can do
the equivalent of your batch file to generate the keys. It might save us
having to worry about expiring keys, and saves people having to do the extra
step to generate them.

Jon

On Thu, Apr 2, 2009 at 11:30 AM, Jean-Louis MONTEIRO <
jean-louis.monteiro@atosorigin.com> wrote:

>
> Hi Jon,
>
> thanks for the feedback.
>
> If it sounds good to you, I will provide a patch file.
> No problem adding your generated keys to the project to ease Maven usage.
> But we have to take care with key expiration.
>
> Again, thanks for the feedback.
>
> Jean-Louis
>
>
> Jonathan Gallimore-2 wrote:
> >
> > I've fired this up and run the tests. It looks really good to me - many
> > thanks for this! If you're happy to add this patch to jira OPENEJB-1004
> > I'm
> > happy to get it committed.
> >
> > Do you think it would be ok to include the keys I generated from your
> > batch
> > file, so that people can just do the usual 'mvn test' without any extra
> > work
> > for the test in the example project to work (I'd keep the batch file as
> > well
> > as I think its useful)?
> >
> > Jon
> >
> > On Mon, Mar 30, 2009 at 1:24 PM, Jean-Louis MONTEIRO <
> > jean-louis.monteiro@atosorigin.com> wrote:
> >
> >>
> >> Hi Jonathan,
> >>
> >> I spent some time this week end to get WS-Security integrated.
> >> Sorry in advance because I changed some of your code (but it allowed me to go faster).
> >>
> >> I enhanced the sample application to illustrate how to use WS-Security.
> >> Here is a patch file with all changes.
> >>
> >> Please, can you apply it on your local working copy and have a look on
> >> tests
> >> ?
> >> I think you can launch the CalculatorTest test case from the
> >> webservice-ws-security project.
> >>
> >> It would be very nice to have some feedback.
> >> @David: for the moment, no special properties management has been done.
> >>
> >> Jean-Louis
> >>
> >>
> >>
> >> Jonathan Gallimore-2 wrote:
> >> >
> >> > I really like the idea of this configuration.
> >> >
> >> > I think David's point is a good one - I don't know how bean specific
> >> these
> >> > properties are, but if you want to use a set of properties for more
> >> than
> >> > one
> >> > webservice I guess  we could have a node with the global webservice
> >> > security
> >> > config for the app, with any bean specific properties defined
> >> overriding
> >> > this.
> >> >
> >> > I guess I'm thinking of something along the lines of:
> >> >
> >> > <openejb-jar xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2
> ">
> >> >   <global-ws-security>
> >> >     <configuration>
> >> > wss4j.in.action = Encrypt Signature
> >> > wss4j.in.signaturePropFile = path to
> file/CalculatorSecurity.properties
> >> > wss4j.in.encryptionPropFile = path to
> >> file/CalculatorSecurity.properties
> >> >
> >> > wss4j.out.action = Encrypt Signature
> >> > wss4j.out.signaturePropFile = path to
> >> file/CalculatorSecurity.properties
> >> > wss4j.out.encryptionPropFile = path to
> >> file/CalculatorSecurity.properties
> >> > wss4j.out.user = something
> >> > wss4j.out.encryptionUser = bod
> >> > wss4j.out.signatureKeyIdentifier = DirectReference
> >> > wss4j.out.encryptionSymAlgorithm =
> >> > http://www.w3.org/2001/04/xmlenc#tripledes-cbc
> >> > ...
> >> >     </configuration>
> >> >   </global-ws-security>
> >> >
> >> >   <enterprise-beans>
> >> >       <session>
> >> >           <ejb-name>CalculatorImpl</ejb-name>
> >> >           <web-service-security>
> >> >               <security-realm-name/>
> >> >               <transport-guarantee>NONE</transport-guarantee>
> >> >               <auth-method>WS-SECURITY</auth-method>
> >> >
> >> >               <configuration>
> >> > wss4j.some_bean_specific_property = foo
> >> > ...
> >> >               </configuration>
> >> >
> >> >           </web-service-security>
> >> >       </session>
> >> >   </enterprise-beans>
> >> > </openejb-jar>
> >> >
> >> > I'm very happy to help with some of the code and/or testing.
> >> >
> >> > Cheers,
> >> >
> >> > Jon
> >> >
> >> > On Fri, Mar 20, 2009 at 4:57 PM, David Blevins
> >> > <da...@visi.com> wrote:
> >> >
> >> >> On Mar 20, 2009, at 8:13 AM, Jean-Louis MONTEIRO wrote:
> >> >>
> >> >>  <openejb-jar
> >> xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2">
> >> >>>   <enterprise-beans>
> >> >>>       <session>
> >> >>>           <ejb-name>CalculatorImpl</ejb-name>
> >> >>>           <web-service-security>
> >> >>>               <security-realm-name/>
> >> >>>               <transport-guarantee>NONE</transport-guarantee>
> >> >>>               <auth-method>WS-SECURITY</auth-method>
> >> >>>
> >> >>>               <configuration>
> >> >>> wss4j.in.action = Encrypt Signature
> >> >>> wss4j.in.signaturePropFile = path to
> >> file/CalculatorSecurity.properties
> >> >>> wss4j.in.encryptionPropFile = path to
> >> file/CalculatorSecurity.properties
> >> >>>
> >> >>> wss4j.out.action = Encrypt Signature
> >> >>> wss4j.out.signaturePropFile = path to
> >> file/CalculatorSecurity.properties
> >> >>> wss4j.out.encryptionPropFile = path to
> >> >>> file/CalculatorSecurity.properties
> >> >>> wss4j.out.user = something
> >> >>> wss4j.out.encryptionUser = bod
> >> >>> wss4j.out.signatureKeyIdentifier = DirectReference
> >> >>> wss4j.out.encryptionSymAlgorithm =
> >> >>> http://www.w3.org/2001/04/xmlenc#tripledes-cbc
> >> >>> ...
> >> >>>               </configuration>
> >> >>>
> >> >>>           </web-service-security>
> >> >>>       </session>
> >> >>>   </enterprise-beans>
> >> >>> </openejb-jar>
> >> >>>
> >> >>
> >> >> I'm curious on how bean specific that above configuration is.  If I
> >> have
> >> >> say 10 web services that need to be secured, which properties will
> >> likely
> >> >> be
> >> >> the same and which would I typically want to be different?  Just
> >> >> wondering
> >> >> if we'll want some more general way to setup the security in addition
> >> to
> >> >> 100% bean defined.
> >> >>
> >> >> -David
> >> >>
> >> >>
> >> >>
> >> >>
> >> >
> >> >
> >> http://www.nabble.com/file/p22782120/patch-ws-security.txt
> >> patch-ws-security.txt
> >> --
> >> View this message in context:
> >>
> http://www.nabble.com/Re%3A-Securing-a-webservice-tp22265166p22782120.html
> >> Sent from the OpenEJB Dev mailing list archive at Nabble.com.
> >>
> >>
> >
> >
>
> --
> View this message in context:
> http://www.nabble.com/Re%3A-Securing-a-webservice-tp22265166p22844980.html
> Sent from the OpenEJB Dev mailing list archive at Nabble.com.
>
>

Re: Securing a webservice

Posted by Jonathan Gallimore <jo...@gmail.com>.
I've committed this - thanks for the patch!

Jon

On Thu, Apr 23, 2009 at 9:34 AM, Jean-Louis MONTEIRO <
jean-louis.monteiro@atosorigin.com> wrote:

>
>
>
> Jonathan Gallimore-2 wrote:
> >
> > You're right the TODO's are still there, sorry about that, I was way too
> > tired when I wrote that last night. I'll get the patch in this evening.
> >
> > Jon
> >
> >
> Don't worry and thanks in advance.
> JLouis
> --
> View this message in context:
> http://www.nabble.com/Re%3A-Securing-a-webservice-tp22265166p23192611.html
> Sent from the OpenEJB Dev mailing list archive at Nabble.com.
>
>

Re: Securing a webservice

Posted by Jean-Louis MONTEIRO <je...@atosorigin.com>.


Jonathan Gallimore-2 wrote:
> 
> You're right the TODO's are still there, sorry about that, I was way too
> tired when I wrote that last night. I'll get the patch in this evening.
> 
> Jon
> 
> 
Don't worry and thanks in advance.
JLouis
-- 
View this message in context: http://www.nabble.com/Re%3A-Securing-a-webservice-tp22265166p23192611.html
Sent from the OpenEJB Dev mailing list archive at Nabble.com.


Re: Securing a webservice

Posted by Jonathan Gallimore <jo...@gmail.com>.
You're right the TODO's are still there, sorry about that, I was way too
tired when I wrote that last night. I'll get the patch in this evening.

Jon

On Thu, Apr 23, 2009 at 8:09 AM, Jean-Louis MONTEIRO <
jean-louis.monteiro@atosorigin.com> wrote:

>
> Thanks for the reply.
>
>
> Jonathan Gallimore-2 wrote:
> >
> > The basic stuff I did (supporting basic auth, and simple
> username/password
> > WS-Security) is there in trunk, and seems to be working to me. It seems
> to
> > honour the @RolesAllowed too.
> >
> Yea, nice feature.
>
>
> Jonathan Gallimore-2 wrote:
> >
> > I did apply the patch you provided previously to my working copy and it
> > looked good - this one attached to the JIRA looks like a more up to date
> > version of the same patch - is that right?
> >
> Yes, I've done some enhancements and some pieces of code have been refactored.
>
>
> Jonathan Gallimore-2 wrote:
> >
> > I notice that your new patch removes the TODOs discussed in this thread a
> > couple of days ago, is that intentional?
> >
> If you are talking about TODOs added by David, they are still in the patch
> (AppInfoBuilder.configureWebserviceSecurity(List<PortInfo> infoList, Object
> altDD)).
>
>
> Jonathan Gallimore-2 wrote:
> >
> > Apart from that, my quick glance at this patch looks good, I'll give it a
> > proper test and try and get it committed for you tomorrow.
> >
>
> Thanks again.
> Jean-Louis
> --
> View this message in context:
> http://www.nabble.com/Re%3A-Securing-a-webservice-tp22265166p23191481.html
> Sent from the OpenEJB Dev mailing list archive at Nabble.com.
>
>

Re: Securing a webservice

Posted by Jean-Louis MONTEIRO <je...@atosorigin.com>.
Thanks for the reply.


Jonathan Gallimore-2 wrote:
> 
> The basic stuff I did (supporting basic auth, and simple username/password
> WS-Security) is there in trunk, and seems to be working to me. It seems to
> honour the @RolesAllowed too.
> 
Yea, nice feature.


Jonathan Gallimore-2 wrote:
> 
> I did apply the patch you provided previously to my working copy and it
> looked good - this one attached to the JIRA looks like a more up to date
> version of the same patch - is that right?
> 
Yes, I've done some enhancements and some pieces of code have been refactored.


Jonathan Gallimore-2 wrote:
> 
> I notice that your new patch removes the TODOs discussed in this thread a
> couple of days ago, is that intentional?
> 
If you are talking about TODOs added by David, they are still in the patch
(AppInfoBuilder.configureWebserviceSecurity(List<PortInfo> infoList, Object
altDD)).


Jonathan Gallimore-2 wrote:
> 
> Apart from that, my quick glance at this patch looks good, I'll give it a
> proper test and try and get it committed for you tomorrow.
> 

Thanks again.
Jean-Louis
-- 
View this message in context: http://www.nabble.com/Re%3A-Securing-a-webservice-tp22265166p23191481.html
Sent from the OpenEJB Dev mailing list archive at Nabble.com.


Re: Securing a webservice

Posted by Jonathan Gallimore <jo...@gmail.com>.
Hi Jean-Louis,

The basic stuff I did (supporting basic auth, and simple username/password
WS-Security) is there in trunk, and seems to be working to me. It seems to
honour the @RolesAllowed too.

I did apply the patch you provided previously to my working copy and it
looked good - this one attached to the JIRA looks like a more up to date
version of the same patch - is that right?

I notice that your new patch removes the TODOs discussed in this thread a
couple of days ago, is that intentional?

Apart from that, my quick glance at this patch looks good, I'll give it a
proper test and try and get it committed for you tomorrow.

Cheers

Jon

On Wed, Apr 22, 2009 at 3:53 PM, Jean-Louis MONTEIRO <
jean-louis.monteiro@atosorigin.com> wrote:

>
> David, Jonathan,
>
> I had a look at the trunk and saw nothing about WS-Security.
> I attached a patch file to OPENEJB-1004.
>
> @David: I took into account your changes to avoid the NPE.
> @Jon: Maven (through the pom.xml file) creates public/private keys and
> associated keystores to enable test cases.
>
> Any input is welcome.
>
> Hope to submit a first draft to describe this feature this evening.
>
> I changed JaxWsUtils a little (see patch file) to be more compliant
> with the specification.
>
> Index:
>
> container/openejb-core/src/main/java/org/apache/openejb/core/webservices/JaxWsUtils.java
> ===================================================================
> ---
>
> container/openejb-core/src/main/java/org/apache/openejb/core/webservices/JaxWsUtils.java
> (revision 756243)
> +++
>
> container/openejb-core/src/main/java/org/apache/openejb/core/webservices/JaxWsUtils.java
> (working copy)
> @@ -47,7 +47,7 @@
>         if (webService != null) {
>             String localName = webService.name();
>             if (localName == null || localName.length() == 0) {
> -                localName = seiClass.getName();
> +                localName = seiClass.getSimpleName();
>             }
>             String namespace = webService.targetNamespace();
>             return new QName(getNamespace(seiClass, namespace), localName);
>
> Finally, tests have been made using CXF 2.0.9 which is much more stable and
> functional.
> So, to create a web service stub, Service.create now requires a QName. So
> don't be afraid if the simple-webservice and webservice-security tests
> fail.
> You can change
>
> Service calcService = Service.create(new
> URL("http://127.0.0.1:4204/CalculatorImpl?wsdl"), null);
>
> To
>
> Service calcService = Service.create(
>        new URL("http://127.0.0.1:4204/CalculatorImpl?wsdl"),
>         new QName("http://superbiz.org/wsdl", "CalculatorWsService"));
>
>
> OPENEJB-977 is about moving from 2.0.4-incubator to 2.0.9. It can be done
> out of the box (only by changing the pom.xml file). We are actually working to
> update to a 2.1.x as suggested by Jacek. But it requires some other
> changes.
>
> Jean-Louis
>
>
>
>
> David Blevins wrote:
> >
> > Had to change up part of this code to fix OPENEJB-1021: "NPE in
> > AppInfoBuilder.configureWebserviceSecurity()" which shows up in the
> > Geronimo build.
> >
> > I rearranged the configureWebserviceSecurity method just slightly.
> > It's functionally equivalent, the only behavior change is the null
> > check on sessionBean.getWebServiceSecurity().
> >
> > Added some TODOs as it seems like there's some room to be more vocal
> > about potential user mistakes and issues.  Not too familiar with the
> > config setup, so not sure what to recommend.   Here's the code in
> > question:
> >
> >      List<PortInfo> infoList = ejbJarInfo.portInfos;
> >      for (PortInfo portInfo : infoList) {
> >
> >          org.apache.openejb.jee.oejb2.EnterpriseBean bean =
> > beans.get(portInfo.serviceLink);
> >
> >          if (bean == null) continue; /* TODO: throw something? */
> >          if (!(bean instanceof SessionBeanType)) continue; /* TODO:
> > throw something? */
> >
> >          SessionBeanType sessionBean = (SessionBeanType) bean;
> >          WebServiceSecurityType webServiceSecurityType =
> > sessionBean.getWebServiceSecurity();
> >
> >          if (webServiceSecurityType == null) {
> >              //TODO: this ok?
> >              continue;
> >          }
> >
> >          portInfo.realmName = webServiceSecurityType.getRealmName();
> >          portInfo.securityRealmName =
> > webServiceSecurityType.getSecurityRealmName();
> >          if (webServiceSecurityType.getTransportGuarantee() != null) {
> >              portInfo.transportGuarantee =
> > webServiceSecurityType.getTransportGuarantee().value();
> >          } else {
> >              portInfo.transportGuarantee = "NONE";
> >          }
> >
> >          if (webServiceSecurityType.getAuthMethod() != null) {
> >              portInfo.authMethod =
> > webServiceSecurityType.getAuthMethod().value();
> >          } else {
> >              portInfo.authMethod = "NONE";
> >          }
> >      }
> >
> >
> > Any thoughts on what we should do with the todos?
> >
> > Seems like the first one indicates they don't have any metadata in the
> > openejb-jar.xml for the bean.  Are there defaults that we want to fill
> > in in that situation?
> >
> > The second seems to indicate there is metadata for the bean, but it is
> > not what we expect.  Seems there's definitely some action to be taken
> > there.
> >
> > The third (the one I just added), not sure what the right approach
> > is.  Seems like a variation on the first one.  Might be fine to ignore
> > it, wonder if we need some defaults in there.  Seems we supply "NONE"
> > for transportGuarantee and authMethod as the defaults when there is
> > some metadata given, wonder if we need to do that for when there is no
> > metadata given.
> >
> > -David
> >
> >
> >
>
> --
> View this message in context:
> http://www.nabble.com/Re%3A-Securing-a-webservice-tp22265166p23175502.html
> Sent from the OpenEJB Dev mailing list archive at Nabble.com.
>
>
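Jon says above that simple username/password WS-Security is in trunk, and the quoted message shows the QName form of Service.create that CXF 2.0.9 needs. The client below puts the two together, as an added example that is not OpenEJB, CXF or WSS4J project code: it creates the service with that QName and registers a WSS4J out-interceptor that sends a UsernameToken for "jane". The CalculatorWs interface is declared locally from the two operations used in the thread (sum, multiply) and the target namespace from the quoted QName, and the CXF 2.x / WSS4J 1.5 class and constant names (org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor, org.apache.ws.security.handler.WSHandlerConstants) are assumptions about the test project's dependencies.

```java
import java.io.IOException;
import java.net.URL;
import java.util.HashMap;
import java.util.Map;
import javax.jws.WebService;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.namespace.QName;
import javax.xml.ws.Service;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

/** Added example: JAX-WS client sending a WS-Security UsernameToken through CXF's WSS4J interceptor. */
public final class UsernameTokenClient {

    /** Assumed SEI, reconstructed from the operations and namespace used in the thread. */
    @WebService(targetNamespace = "http://superbiz.org/wsdl")
    public interface CalculatorWs {
        int sum(int a, int b);
        int multiply(int a, int b);
    }

    /** Hands WSS4J the password when it builds the token, so it is never a plain map entry. */
    static final class PasswordHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        PasswordHandler(String user, char[] password) { this.user = user; this.password = password; }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) throw new UnsupportedCallbackException(cb);
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                if (user.equals(pc.getIdentifier())) pc.setPassword(new String(password));
            }
        }
    }

    /** Builds a port whose outgoing messages carry a wsse:UsernameToken for the given user. */
    public static CalculatorWs connect(String wsdl, String user, char[] password) throws Exception {
        Service service = Service.create(new URL(wsdl),
                new QName("http://superbiz.org/wsdl", "CalculatorWsService"));
        CalculatorWs calc = service.getPort(CalculatorWs.class);

        Map<String, Object> props = new HashMap<>();
        props.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
        props.put(WSHandlerConstants.USER, user);
        // PW_TEXT puts the password in the clear inside the SOAP header, so this is only
        // acceptable over TLS. WSConstants.PW_DIGEST sends a nonce/timestamp digest instead,
        // but the server side must then hold the clear-text password to verify it.
        props.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
        props.put(WSHandlerConstants.PW_CALLBACK_REF, new PasswordHandler(user, password));

        Client client = ClientProxy.getClient(calc);
        client.getOutInterceptors().add(new WSS4JOutInterceptor(props));
        return calc;
    }

    public static void main(String[] args) throws Exception {
        CalculatorWs calc = connect("http://127.0.0.1:4204/CalculatorImpl?wsdl",
                                    "jane", "waterfall".toCharArray());
        System.out.println(calc.sum(4, 6));
        System.out.println(calc.multiply(3, 4));
    }
}
```

On the server side this pairs with the <auth-method>WS-SECURITY</auth-method> entry from the openejb-jar.xml sketches in this thread. Note that those sketches also carry <transport-guarantee>NONE</transport-guarantee>: with a PasswordText token that means "jane"'s password crosses the wire unprotected on every call, so the guarantee should be CONFIDENTIAL (HTTPS) or the token type switched to digest before such a configuration leaves a test project.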

Re: Securing a webservice

Posted by Jean-Louis MONTEIRO <je...@atosorigin.com>.


David Blevins wrote:
> 
>> The third item strikes me like we're ok to assume that there is no  
>> security
>> for the specified web service as it looks like everything is  
>> configured
>> correctly but there is no security defined in openejb-jar.xml.
> 
> Is it safe to assume that null and "NONE" for transportGuarantee and  
> authMethod is essentially the same?
> 
> 
> David Blevins wrote:
>> 
>> It sounds good for me !
>> 
> 
>> Thanks for sorting the NPE, and sorry again if it caused any hassle.
> 
> No mistake was made.  The openejb build worked, patch checked in,  
> snapshots published.  When the snaps flow out to the other projects  
> that use them (geronimo, servicemix, tuscany, etc.) sometimes we get  
> bug reports coming back in.  We fix 'em, and the process starts over  
> again.
> 
> Tempted to tell a joke about the word "circle" starting with CI for a  
> reason, but it's just too cheesy even for me :)
> 
> 
Jean-Louis
-- 
View this message in context: http://www.nabble.com/Re%3A-Securing-a-webservice-tp22265166p23172189.html
Sent from the OpenEJB Dev mailing list archive at Nabble.com.


Re: Securing a webservice

Posted by David Blevins <da...@visi.com>.
On Apr 21, 2009, at 1:52 PM, Jonathan Gallimore wrote:

> I think some defaults here would be nice - I agree, it looks like  
> the first
> two TODOs would come about if there was some sort of config error with
> openejb-jar.xml - I think we ought to handle it by assuming no  
> security and
> carry on deploying, but log these so the user can fix the problem.

Logging seems good.

> The third item strikes me like we're ok to assume that there is no  
> security
> for the specified web service as it looks like everything is  
> configured
> correctly but there is no security defined in openejb-jar.xml.

Is it safe to assume that null and "NONE" for transportGuarantee and  
authMethod is essentially the same?

> Thanks for sorting the NPE, and sorry again if it caused any hassle.

No mistake was made.  The openejb build worked, patch checked in,  
snapshots published.  When the snaps flow out to the other projects  
that use them (geronimo, servicemix, tuscany, etc.) sometimes we get  
bug reports coming back in.  We fix 'em, and the process starts over  
again.

Tempted to tell a joke about the word "circle" starting with CI for a  
reason, but it's just too cheesy even for me :)

-David

> On Tue, Apr 21, 2009 at 8:09 PM, David Blevins  
> <da...@visi.com> wrote:
>
>> Had to change up part of this code to fix OPENEJB-1021: "NPE in
>> AppInfoBuilder.configureWebserviceSecurity()" which shows up in the  
>> Geronimo
>> build.
>>
>> I rearranged the configureWebserviceSecurity method just slightly.   
>> It's
>> functionally equivalent, the only behavior change is the null check  
>> on
>> sessionBean.getWebServiceSecurity().
>>
>> Added some TODOs as it seems like there's some room to be more  
>> vocal about
>> potential user mistakes and issues.  Not too familiar with the  
>> config setup,
>> so not sure what to recommend.   Here's the code in question:
>>
>>   List<PortInfo> infoList = ejbJarInfo.portInfos;
>>   for (PortInfo portInfo : infoList) {
>>
>>       org.apache.openejb.jee.oejb2.EnterpriseBean bean =
>> beans.get(portInfo.serviceLink);
>>
>>       if (bean == null) continue; /* TODO: throw something? */
>>       if (!(bean instanceof SessionBeanType)) continue; /* TODO:  
>> throw
>> something? */
>>
>>       SessionBeanType sessionBean = (SessionBeanType) bean;
>>       WebServiceSecurityType webServiceSecurityType =
>> sessionBean.getWebServiceSecurity();
>>
>>       if (webServiceSecurityType == null) {
>>           //TODO: this ok?
>>           continue;
>>       }
>>
>>       portInfo.realmName = webServiceSecurityType.getRealmName();
>>       portInfo.securityRealmName =
>> webServiceSecurityType.getSecurityRealmName();
>>       if (webServiceSecurityType.getTransportGuarantee() != null) {
>>           portInfo.transportGuarantee =
>> webServiceSecurityType.getTransportGuarantee().value();
>>       } else {
>>           portInfo.transportGuarantee = "NONE";
>>       }
>>
>>       if (webServiceSecurityType.getAuthMethod() != null) {
>>           portInfo.authMethod =
>> webServiceSecurityType.getAuthMethod().value();
>>       } else {
>>           portInfo.authMethod = "NONE";
>>       }
>>   }
>>
>>
>> Any thoughts on what we should do with the todos?
>>
>> Seems like the first one indicates they don't have any metadata in  
>> the
>> openejb-jar.xml for the bean.  Are there defaults that we want to  
>> fill in in
>> that situation?
>>
>> The second seems to indicate there is metadata for the bean, but it  
>> is not
>> what we expect.  Seems there's definitely some action to be taken  
>> there.
>>
>> The third (the one I just added), not sure what the right approach  
>> is.
>> Seems like a variation on the first one.  Might be fine to ignore it,
>> wonder if we need some defaults in there.  Seems we supply "NONE" for
>> transportGuarantee and authMethod as the defaults when there is some
>> metadata given, wonder if we need to do that for when there is no  
>> metadata
>> given.
>>
>> -David
>>
>>


Re: Securing a webservice

Posted by Jonathan Gallimore <jo...@gmail.com>.
Oops... sorry if I've caused any problems.

I think some defaults here would be nice - I agree, it looks like the first
two TODOs would come about if there was some sort of config error with
openejb-jar.xml - I think we ought to handle it by assuming no security and
carry on deploying, but log these so the user can fix the problem.

The third item strikes me like we're ok to assume that there is no security
for the specified web service as it looks like everything is configured
correctly but there is no security defined in openejb-jar.xml.

Thanks for sorting the NPE, and sorry again if it caused any hassle.

Jon

On Tue, Apr 21, 2009 at 8:09 PM, David Blevins <da...@visi.com> wrote:

> Had to change up part of this code to fix OPENEJB-1021: "NPE in
> AppInfoBuilder.configureWebserviceSecurity()" which shows up in the Geronimo
> build.
>
> I rearranged the configureWebserviceSecurity method just slightly.  It's
> functionally equivalent, the only behavior change is the null check on
> sessionBean.getWebServiceSecurity().
>
> Added some TODOs as it seems like there's some room to be more vocal about
> potential user mistakes and issues.  Not too familiar with the config setup,
> so not sure what to recommend.   Here's the code in question:
>
>    List<PortInfo> infoList = ejbJarInfo.portInfos;
>    for (PortInfo portInfo : infoList) {
>
>        org.apache.openejb.jee.oejb2.EnterpriseBean bean =
> beans.get(portInfo.serviceLink);
>
>        if (bean == null) continue; /* TODO: throw something? */
>        if (!(bean instanceof SessionBeanType)) continue; /* TODO: throw
> something? */
>
>        SessionBeanType sessionBean = (SessionBeanType) bean;
>        WebServiceSecurityType webServiceSecurityType =
> sessionBean.getWebServiceSecurity();
>
>        if (webServiceSecurityType == null) {
>            //TODO: this ok?
>            continue;
>        }
>
>        portInfo.realmName = webServiceSecurityType.getRealmName();
>        portInfo.securityRealmName =
> webServiceSecurityType.getSecurityRealmName();
>        if (webServiceSecurityType.getTransportGuarantee() != null) {
>            portInfo.transportGuarantee =
> webServiceSecurityType.getTransportGuarantee().value();
>        } else {
>            portInfo.transportGuarantee = "NONE";
>        }
>
>        if (webServiceSecurityType.getAuthMethod() != null) {
>            portInfo.authMethod =
> webServiceSecurityType.getAuthMethod().value();
>        } else {
>            portInfo.authMethod = "NONE";
>        }
>    }
>
>
> Any thoughts on what we should do with the todos?
>
> Seems like the first one indicates they don't have any metadata in the
> openejb-jar.xml for the bean.  Are there defaults that we want to fill in in
> that situation?
>
> The second seems to indicate there is metadata for the bean, but it is not
> what we expect.  Seems there's definitely some action to be taken there.
>
> The third (the one I just added), not sure what the right approach is.
>  Seems like a variation on the first one.  Might be fine to ignore it,
> wonder if we need some defaults in there.  Seems we supply "NONE" for
> transportGuarantee and authMethod as the defaults when there is some
> metadata given, wonder if we need to do that for when there is no metadata
> given.
>
> -David
>
>

Re: Securing a webservice

Posted by Jean-Louis MONTEIRO <je...@atosorigin.com>.
David, Jonathan,

I had a look at the trunk and saw nothing about WS-Security.
I attached a patch file to OPENEJB-1004.

@David: I took into account your changes to avoid NPE.
@Jon: Maven (through the pom.xml file) creates public/private keys and
associated keystores to enable the test cases.

Any input is welcome.

Hope to submit a first draft to describe this feature this evening.

I changed the JaxWsUtils a little (see patch file) to be more compliant with
the specification.

Index:
container/openejb-core/src/main/java/org/apache/openejb/core/webservices/JaxWsUtils.java
===================================================================
---
container/openejb-core/src/main/java/org/apache/openejb/core/webservices/JaxWsUtils.java
(revision 756243)
+++
container/openejb-core/src/main/java/org/apache/openejb/core/webservices/JaxWsUtils.java
(working copy)
@@ -47,7 +47,7 @@
         if (webService != null) {
             String localName = webService.name();
             if (localName == null || localName.length() == 0) {
-                localName = seiClass.getName();
+                localName = seiClass.getSimpleName();
             }
             String namespace = webService.targetNamespace();
             return new QName(getNamespace(seiClass, namespace), localName);
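
Review bot: getSimpleName() is the right default here, since JSR-181 defines the default for @WebService.name as the unqualified name of the class, so the portType QName now agrees with what a stub built from the WSDL expects; the hunk carries no test, though, and a unit test for an SEI that leaves name empty (the exact case in which getName() produced a package-qualified local name) would pin the behaviour down. One aside on the unchanged context line just above the change: `localName == null` can never be true, because an annotation attribute defaults to "" rather than null, so the null half of that check is dead and could be dropped.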

Finally, tests have been made using CXF 2.0.9, which is much more stable and
functional.
So, to create a web service stub, Service.create now requires a QName. So
don't be afraid if the simple-webservice and webservice-security tests fail.
You can change

Service calcService = Service.create(new
URL("http://127.0.0.1:4204/CalculatorImpl?wsdl"), null);

To 

Service calcService = Service.create(
      	new URL("http://127.0.0.1:4204/CalculatorImpl?wsdl"), 
      	new QName("http://superbiz.org/wsdl", "CalculatorWsService"));


OPENEJB-977 is about moving from 2.0.4-incubator to 2.0.9. It can be done
out of the box (only changing pom.xml file). We are actually working to
update to a 2.1.x as suggested by Jacek. But it requires some other changes.

Jean-Louis





-- 
View this message in context: http://www.nabble.com/Re%3A-Securing-a-webservice-tp22265166p23175502.html
Sent from the OpenEJB Dev mailing list archive at Nabble.com.
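
As an added example (not the patch's, OpenEJB's or CXF's code), here is what a
test client looks like once Service.create takes the QName shown above and the
wss4j.* settings quoted further down this thread are applied on the client side
through CXF's WSS4J interceptors. Assumptions: CalculatorWs is the SEI of the
CalculatorImpl endpoint and exposes sum(int, int); CalculatorSecurity.properties
is a WSS4J Merlin keystore file with the client key under alias alice and the
server certificate under alias bob; the key password is alicepass; and the
constants are those of the WSS4J 1.5 line shipped with CXF 2.0.x. AES-256 is
used in place of the tripledes-cbc the quoted configuration names; that is my
substitution, not the patch's.

```java
import java.net.URL;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.namespace.QName;
import javax.xml.ws.Service;

import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

/*
 * Added example, not OpenEJB or CXF code. CalculatorSecurity.properties is
 * assumed to be a WSS4J Merlin file on the classpath, for instance:
 *
 *   org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
 *   org.apache.ws.security.crypto.merlin.keystore.type=jks
 *   org.apache.ws.security.crypto.merlin.keystore.password=changeit
 *   org.apache.ws.security.crypto.merlin.file=META-INF/calculator.jks
 *
 * with the client key under alias "alice" and the server certificate under "bob".
 */
public class CalculatorWsSecurityClient {

    private static final String CRYPTO_PROPS = "CalculatorSecurity.properties";

    /** Supplies the private-key password whenever WSS4J signs or decrypts. */
    static final class KeyPasswordHandler implements CallbackHandler {
        private final String password;
        KeyPasswordHandler(String password) { this.password = password; }
        public void handle(Callback[] callbacks) {
            for (Callback cb : callbacks) {
                // Only one key is in play on this side, so the requested alias is not inspected.
                ((WSPasswordCallback) cb).setPassword(password);
            }
        }
    }

    /** Outbound: the same "Encrypt Signature" order as the thread's wss4j.out.* settings. */
    static Map<String, Object> outboundConfig(CallbackHandler pw) {
        Map<String, Object> m = new HashMap<String, Object>();
        m.put(WSHandlerConstants.ACTION,
              WSHandlerConstants.ENCRYPT + " " + WSHandlerConstants.SIGNATURE);
        m.put(WSHandlerConstants.USER, "alice");           // wss4j.out.user: signing key alias (assumed)
        m.put(WSHandlerConstants.ENCRYPTION_USER, "bob");  // wss4j.out.encryptionUser: recipient cert alias (assumed)
        m.put(WSHandlerConstants.SIG_PROP_FILE, CRYPTO_PROPS);
        m.put(WSHandlerConstants.ENC_PROP_FILE, CRYPTO_PROPS);
        m.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
        m.put(WSHandlerConstants.ENC_SYM_ALGO, WSConstants.AES_256); // assumption: AES instead of tripledes-cbc
        m.put(WSHandlerConstants.PW_CALLBACK_REF, pw);
        return m;
    }

    /** Inbound: the reply must carry both a signature and encryption, otherwise WSS4J rejects it. */
    static Map<String, Object> inboundConfig(CallbackHandler pw) {
        Map<String, Object> m = new HashMap<String, Object>();
        m.put(WSHandlerConstants.ACTION,
              WSHandlerConstants.ENCRYPT + " " + WSHandlerConstants.SIGNATURE);
        m.put(WSHandlerConstants.SIG_PROP_FILE, CRYPTO_PROPS); // certificates used to verify the server's signature
        m.put(WSHandlerConstants.DEC_PROP_FILE, CRYPTO_PROPS); // our private key, used to decrypt the reply
        m.put(WSHandlerConstants.PW_CALLBACK_REF, pw);
        return m;
    }

    public static CalculatorWs createPort(String keyPassword) throws Exception {
        // CXF 2.0.9: the service QName must be given, null is no longer accepted.
        Service service = Service.create(
                new URL("http://127.0.0.1:4204/CalculatorImpl?wsdl"),
                new QName("http://superbiz.org/wsdl", "CalculatorWsService"));
        CalculatorWs calc = service.getPort(CalculatorWs.class);

        CallbackHandler pw = new KeyPasswordHandler(keyPassword);
        Client client = ClientProxy.getClient(calc);
        client.getOutInterceptors().add(new WSS4JOutInterceptor(outboundConfig(pw)));
        client.getInInterceptors().add(new WSS4JInInterceptor(inboundConfig(pw)));
        return calc;
    }

    public static void main(String[] args) throws Exception {
        CalculatorWs calc = createPort("alicepass");
        System.out.println("4 + 6 = " + calc.sum(4, 6));
    }
}
```

The action order "Encrypt Signature" matches the quoted configuration and is
the one to keep: the body is encrypted first and the signature is then computed
over the ciphertext, so the receiver verifies the signature before it decrypts
and a tampered ciphertext never reaches the decryptor. On the inbound side WSS4J
compares the actions it actually found in the header against the configured
list, so a reply that is only signed or only encrypted is refused. AES-256
needs the JCE unlimited-strength policy files on the JDKs of that period, and
the aliases and passwords have to match whatever the build's generated
keystores contain.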


Re: Securing a webservice

Posted by David Blevins <da...@visi.com>.
Had to change up part of this code to fix OPENEJB-1021: "NPE in  
AppInfoBuilder.configureWebserviceSecurity()" which shows up in the  
Geronimo build.

I rearranged the configureWebserviceSecurity method just slightly.   
It's functionally equivalent, the only behavior change is the null  
check on sessionBean.getWebServiceSecurity().

Added some TODOs as it seems like there's some room to be more vocal  
about potential user mistakes and issues.  Not too familiar with the  
config setup, so not sure what to recommend.   Here's the code in  
question:

     List<PortInfo> infoList = ejbJarInfo.portInfos;
     for (PortInfo portInfo : infoList) {

         org.apache.openejb.jee.oejb2.EnterpriseBean bean =  
beans.get(portInfo.serviceLink);

         if (bean == null) continue; /* TODO: throw something? */
         if (!(bean instanceof SessionBeanType)) continue; /* TODO:  
throw something? */

         SessionBeanType sessionBean = (SessionBeanType) bean;
         WebServiceSecurityType webServiceSecurityType =  
sessionBean.getWebServiceSecurity();

         if (webServiceSecurityType == null) {
             //TODO: this ok?
             continue;
         }

         portInfo.realmName = webServiceSecurityType.getRealmName();
         portInfo.securityRealmName =  
webServiceSecurityType.getSecurityRealmName();
         if (webServiceSecurityType.getTransportGuarantee() != null) {
             portInfo.transportGuarantee =  
webServiceSecurityType.getTransportGuarantee().value();
         } else {
             portInfo.transportGuarantee = "NONE";
         }

         if (webServiceSecurityType.getAuthMethod() != null) {
             portInfo.authMethod =  
webServiceSecurityType.getAuthMethod().value();
         } else {
             portInfo.authMethod = "NONE";
         }
     }


Any thoughts on what we should do with the todos?

Seems like the first one indicates they don't have any metadata in the  
openejb-jar.xml for the bean.  Are there defaults that we want to fill  
in in that situation?

The second seems to indicate there is metadata for the bean, but it is  
not what we expect.  Seems there's definitely some action to be taken  
there.

The third (the one I just added), not sure what the right approach  
is.  Seems like a variation on the first one.  Might be fine to ignore  
it, wonder if we need some defaults in there.  Seems we supply "NONE"  
for transportGuarantee and authMethod as the defaults when there is  
some metadata given, wonder if we need to do that for when there is no  
metadata given.

-David
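
One way to resolve the three TODOs, as an added example and not a decision the
project made: the loop above is lifted into a small class so that each case is
explicit and unit-testable. The type names PortInfo, SessionBeanType and
WebServiceSecurityType are stand-ins that mirror the fields the loop touches,
and the policy (an unknown service-link or a non-session bean fails deployment,
a session bean without <web-service-security> gets the same NONE/NONE defaults
as an empty element but is logged, BASIC over an unprotected transport is
logged) is my assumption about what "being more vocal" could look like.

```java
import java.util.List;
import java.util.Map;
import java.util.logging.Logger;

/*
 * Added example, not OpenEJB code: explicit handling of the three cases the
 * configureWebserviceSecurity() loop leaves as TODOs.
 */
public class WebServiceSecurityResolver {

    private static final Logger LOG = Logger.getLogger(WebServiceSecurityResolver.class.getName());

    // Stand-ins for the OpenEJB types used in the loop; only the fields the loop sets are modelled.
    public static class PortInfo {
        public String serviceLink;
        public String realmName;
        public String securityRealmName;
        public String transportGuarantee;
        public String authMethod;
    }

    public interface EnterpriseBean {}

    public static class SessionBeanType implements EnterpriseBean {
        // null when openejb-jar.xml has no <web-service-security> for this bean
        public WebServiceSecurityType webServiceSecurity;
    }

    public static class WebServiceSecurityType {
        public String realmName, securityRealmName, transportGuarantee, authMethod;
    }

    /** Raised for the first two TODOs: stop deployment instead of silently skipping the port. */
    public static class WebServiceSecurityException extends RuntimeException {
        public WebServiceSecurityException(String message) { super(message); }
    }

    public static void configure(List<PortInfo> portInfos, Map<String, EnterpriseBean> beans) {
        for (PortInfo portInfo : portInfos) {
            EnterpriseBean bean = beans.get(portInfo.serviceLink);

            // TODO 1: the port points at a bean that has no openejb-jar.xml entry at all
            if (bean == null) {
                throw new WebServiceSecurityException("Port '" + portInfo.serviceLink
                        + "' has no matching bean in openejb-jar.xml");
            }
            // TODO 2: there is metadata, but not for a session bean, so <web-service-security> cannot apply
            if (!(bean instanceof SessionBeanType)) {
                throw new WebServiceSecurityException("Port '" + portInfo.serviceLink + "' links to "
                        + bean.getClass().getSimpleName() + ", expected a session bean");
            }

            WebServiceSecurityType ws = ((SessionBeanType) bean).webServiceSecurity;

            // TODO 3: session bean without <web-service-security>. Apply the same NONE/NONE defaults
            // the loop uses for an empty element, but say so: the endpoint is then reachable
            // without any authentication and without TLS.
            if (ws == null) {
                portInfo.transportGuarantee = "NONE";
                portInfo.authMethod = "NONE";
                LOG.warning("No <web-service-security> for '" + portInfo.serviceLink
                        + "': deployed with auth-method NONE and transport-guarantee NONE");
                continue;
            }

            portInfo.realmName = ws.realmName;
            portInfo.securityRealmName = ws.securityRealmName;
            portInfo.transportGuarantee = ws.transportGuarantee != null ? ws.transportGuarantee : "NONE";
            portInfo.authMethod = ws.authMethod != null ? ws.authMethod : "NONE";

            // Extra check a deployer wants to hear about: BASIC credentials are only base64-encoded,
            // so without a transport guarantee they cross the wire in the clear.
            if ("BASIC".equals(portInfo.authMethod) && "NONE".equals(portInfo.transportGuarantee)) {
                LOG.warning("'" + portInfo.serviceLink
                        + "' uses BASIC auth with transport-guarantee NONE; credentials are sent unprotected");
            }
        }
    }
}
```

Whether the first two cases should throw or merely warn is the open question in
the thread; throwing is the conservative reading, since a port that is skipped
here is deployed with whatever PortInfo already held, which for a fresh object is
null rather than NONE, and downstream code may treat the two differently.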


Re: Securing a webservice

Posted by Jonathan Gallimore <jo...@gmail.com>.
Awesome. I'd be very happy to look at your howto and put it on the site,
just attach it to the JIRA when you're ready.

Thanks for your work in this area, I think this functionality is looking
really good.

Jon

On Fri, Apr 3, 2009 at 11:49 AM, Jean-Louis MONTEIRO <
jean-louis.monteiro@atosorigin.com> wrote:


Re: Securing a webservice

Posted by Jean-Louis MONTEIRO <je...@atosorigin.com>.
Jon,

Yes, my company and I filed the Apache CLA at the end of August (2008).

Regarding write access to the wiki, it's OK (David gave me write access).
As you probably noticed in my posts, my English is not that good, so I am going to give
you a draft for validation.

Jean-Louis




-- 
View this message in context: http://www.nabble.com/Re%3A-Securing-a-webservice-tp22265166p22866063.html
Sent from the OpenEJB Dev mailing list archive at Nabble.com.


Re: Securing a webservice

Posted by Jonathan Gallimore <jo...@gmail.com>.
Absolutely! Do you already have write access to the wiki? It looks like
you've already filed a CLA with Apache so I imagine you can get write access
if you don't already have it. Alternatively, I'm happy to test out your
instructions and add them to the site.

Jon

On Thu, Apr 2, 2009 at 12:00 PM, Jean-Louis MONTEIRO <
jean-louis.monteiro@atosorigin.com> wrote:


Re: Securing a webservice

Posted by Jean-Louis MONTEIRO <je...@atosorigin.com>.
Jon,

One more suggestion: can I try to produce a small HowTo for the web site?

Jean-Louis


Jonathan Gallimore-2 wrote:
> 
> I've fired this up and run the tests. It looks really good to me - many
> thanks for this! If you're happy to add this patch to jira OPENEJB-1004
> I'm
> happy to get it committed.
> 
> Do you think it would be ok to include the keys I generated from your
> batch
> file, so that people can just do the usual 'mvn test' without any extra
> work
> for the test in the example project to work (I'd keep the batch file as
> well
> as I think its useful)?
> 
> Jon
> 
> On Mon, Mar 30, 2009 at 1:24 PM, Jean-Louis MONTEIRO <
> jean-louis.monteiro@atosorigin.com> wrote:
> 
>>
>> Hi Jonathan,
>>
>> I spent some time this weekend to get WS-Security integrated.
>> Sorry in advance because I changed some of your code (but it allowed me to go faster).
>> http://www.nabble.com/file/p22782120/patch-ws-security.txt
>> patch-ws-security.txt
>>
>> I enhanced the sample application to illustrate how to use WS-Security.
>> Here is a patch file with all changes.
>>
>> Please, can you apply it on your local working copy and have a look at the
>> tests?
>> I think you can launch the CalculatorTest test case from the
>> webservice-ws-security project.
>>
>> It would be very nice to have some feedback.
>> @David: for the moment, no special properties management has been done.
>>
>> Jean-Louis
>>
>>
>>
>> Jonathan Gallimore-2 wrote:
>> >
>> > I really like the idea of this configuration.
>> >
>> > I think David's point is a good one - I don't know how bean specific
>> these
>> > properties are, but if you want to use a set of properties for more
>> than
>> > one
>> > webservice I guess  we could have a node with the global webservice
>> > security
>> > config for the app, with any bean specific properties defined
>> overriding
>> > this.
>> >
>> > I guess I'm thinking of something along the lines of:
>> >
>> > <openejb-jar xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2">
>> >   <global-ws-security>
>> >     <configuration>
>> > wss4j.in.action = Encrypt Signature
>> > wss4j.in.signaturePropFile = path to file/CalculatorSecurity.properties
>> > wss4j.in.encryptionPropFile = path to
>> file/CalculatorSecurity.properties
>> >
>> > wss4j.out.action = Encrypt Signature
>> > wss4j.out.signaturePropFile = path to
>> file/CalculatorSecurity.properties
>> > wss4j.out.encryptionPropFile = path to
>> file/CalculatorSecurity.properties
>> > wss4j.out.user = something
>> > wss4j.out.encryptionUser = bod
>> > wss4j.out.signatureKeyIdentifier = DirectReference
>> > wss4j.out.encryptionSymAlgorithm =
>> > http://www.w3.org/2001/04/xmlenc#tripledes-cbc
>> > ...
>> >     </configuration>
>> >   </global-ws-security>
>> >
>> >   <enterprise-beans>
>> >       <session>
>> >           <ejb-name>CalculatorImpl</ejb-name>
>> >           <web-service-security>
>> >               <security-realm-name/>
>> >               <transport-guarantee>NONE</transport-guarantee>
>> >               <auth-method>WS-SECURITY</auth-method>
>> >
>> >               <configuration>
>> > wss4j.some_bean_specific_property = foo
>> > ...
>> >               </configuration>
>> >
>> >           </web-service-security>
>> >       </session>
>> >   </enterprise-beans>
>> > </openejb-jar>
>> >
>> > I'm very happy to help with some of the code and/or testing.
>> >
>> > Cheers,
>> >
>> > Jon
>> >
>> > On Fri, Mar 20, 2009 at 4:57 PM, David Blevins
>> > <da...@visi.com>wrote:
>> >
>> >> On Mar 20, 2009, at 8:13 AM, Jean-Louis MONTEIRO wrote:
>> >>
>> >>  <openejb-jar
>> xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2">
>> >>>   <enterprise-beans>
>> >>>       <session>
>> >>>           <ejb-name>CalculatorImpl</ejb-name>
>> >>>           <web-service-security>
>> >>>               <security-realm-name/>
>> >>>               <transport-guarantee>NONE</transport-guarantee>
>> >>>               <auth-method>WS-SECURITY</auth-method>
>> >>>
>> >>>               <configuration>
>> >>> wss4j.in.action = Encrypt Signature
>> >>> wss4j.in.signaturePropFile = path to
>> file/CalculatorSecurity.properties
>> >>> wss4j.in.encryptionPropFile = path to
>> file/CalculatorSecurity.properties
>> >>>
>> >>> wss4j.out.action = Encrypt Signature
>> >>> wss4j.out.signaturePropFile = path to
>> file/CalculatorSecurity.properties
>> >>> wss4j.out.encryptionPropFile = path to
>> >>> file/CalculatorSecurity.properties
>> >>> wss4j.out.user = something
>> >>> wss4j.out.encryptionUser = bod
>> >>> wss4j.out.signatureKeyIdentifier = DirectReference
>> >>> wss4j.out.encryptionSymAlgorithm =
>> >>> http://www.w3.org/2001/04/xmlenc#tripledes-cbc
>> >>> ...
>> >>>               </configuration>
>> >>>
>> >>>           </web-service-security>
>> >>>       </session>
>> >>>   </enterprise-beans>
>> >>> </openejb-jar>
>> >>>
>> >>
>> >> I'm curious on how bean specific that above configuration is.  If I
>> have
>> >> say 10 web services that need to be secured, which properties will
>> likely
>> >> be
>> >> the same and which would I typically want to be different?  Just
>> >> wondering
>> >> if we'll want some more general way to setup the security in addition
>> to
>> >> 100% bean defined.
>> >>
>> >> -David
>> >>
>> >>
>> >>
>> >>
>> >
>> >
>> http://www.nabble.com/file/p22782120/patch-ws-security.txt
>> patch-ws-security.txt
>> --
>> View this message in context:
>> http://www.nabble.com/Re%3A-Securing-a-webservice-tp22265166p22782120.html
>> Sent from the OpenEJB Dev mailing list archive at Nabble.com.
>>
>>
> 
> 



-- 
View this message in context: http://www.nabble.com/Re%3A-Securing-a-webservice-tp22265166p22845394.html
Sent from the OpenEJB Dev mailing list archive at Nabble.com.


Re: Securing a webservice

Posted by Jean-Louis MONTEIRO <je...@atosorigin.com>.
Hi Jon,

thanks for the feedback.

If it sounds good for you, I will provide a patch file.
No problem to add your generated keys in the project to ease maven usage.
But we have to take care with key expiration.

Again, thanks for the feedback.

Jean-Louis


Jonathan Gallimore-2 wrote:
> 
> I've fired this up and run the tests. It looks really good to me - many
> thanks for this! If you're happy to add this patch to jira OPENEJB-1004
> I'm
> happy to get it committed.
> 
> Do you think it would be ok to include the keys I generated from your
> batch
> file, so that people can just do the usual 'mvn test' without any extra
> work
> for the test in the example project to work (I'd keep the batch file as
> well
> as I think it's useful)?
> 
> Jon
> 
> On Mon, Mar 30, 2009 at 1:24 PM, Jean-Louis MONTEIRO <
> jean-louis.monteiro@atosorigin.com> wrote:
> 
>>
>> Hi Jonathan,
>>
>> I spent some time this week end to get WS-Security integrated.
>> Sorry in advance because I changed some of your code (but it allowed me to
>> go faster).
>>
>> I enhanced the sample application to illustrate how to use WS-Security.
>> Here is a patch file with all changes.
>>
>> Please, can you apply it on your local working copy and have a look at the
>> tests?
>> I think you can launch the CalculatorTest test case from the
>> webservice-ws-security project.
>>
>> It would be very nice to have some feedback.
>> @David: for the moment, no special properties management has been done.
>>
>> Jean-Louis
>>
>>
>>
>> Jonathan Gallimore-2 wrote:
>> >
>> > I really like the idea of this configuration.
>> >
>> > I think David's point is a good one - I don't know how bean specific
>> these
>> > properties are, but if you want to use a set of properties for more
>> than
>> > one
>> > webservice I guess  we could have a node with the global webservice
>> > security
>> > config for the app, with any bean specific properties defined
>> overriding
>> > this.
>> >
>> > I guess I'm thinking of something along the lines of:
>> >
>> > <openejb-jar xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2">
>> >   <global-ws-security>
>> >     <configuration>
>> > wss4j.in.action = Encrypt Signature
>> > wss4j.in.signaturePropFile = path to file/CalculatorSecurity.properties
>> > wss4j.in.encryptionPropFile = path to
>> file/CalculatorSecurity.properties
>> >
>> > wss4j.out.action = Encrypt Signature
>> > wss4j.out.signaturePropFile = path to
>> file/CalculatorSecurity.properties
>> > wss4j.out.encryptionPropFile = path to
>> file/CalculatorSecurity.properties
>> > wss4j.out.user = something
>> > wss4j.out.encryptionUser = bod
>> > wss4j.out.signatureKeyIdentifier = DirectReference
>> > wss4j.out.encryptionSymAlgorithm =
>> > http://www.w3.org/2001/04/xmlenc#tripledes-cbc
>> > ...
>> >     </configuration>
>> >   </global-ws-security>
>> >
>> >   <enterprise-beans>
>> >       <session>
>> >           <ejb-name>CalculatorImpl</ejb-name>
>> >           <web-service-security>
>> >               <security-realm-name/>
>> >               <transport-guarantee>NONE</transport-guarantee>
>> >               <auth-method>WS-SECURITY</auth-method>
>> >
>> >               <configuration>
>> > wss4j.some_bean_specific_property = foo
>> > ...
>> >               </configuration>
>> >
>> >           </web-service-security>
>> >       </session>
>> >   </enterprise-beans>
>> > </openejb-jar>
>> >
>> > I'm very happy to help with some of the code and/or testing.
>> >
>> > Cheers,
>> >
>> > Jon
>> >
>> > On Fri, Mar 20, 2009 at 4:57 PM, David Blevins
>> > <da...@visi.com>wrote:
>> >
>> >> On Mar 20, 2009, at 8:13 AM, Jean-Louis MONTEIRO wrote:
>> >>
>> >>  <openejb-jar
>> xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2">
>> >>>   <enterprise-beans>
>> >>>       <session>
>> >>>           <ejb-name>CalculatorImpl</ejb-name>
>> >>>           <web-service-security>
>> >>>               <security-realm-name/>
>> >>>               <transport-guarantee>NONE</transport-guarantee>
>> >>>               <auth-method>WS-SECURITY</auth-method>
>> >>>
>> >>>               <configuration>
>> >>> wss4j.in.action = Encrypt Signature
>> >>> wss4j.in.signaturePropFile = path to
>> file/CalculatorSecurity.properties
>> >>> wss4j.in.encryptionPropFile = path to
>> file/CalculatorSecurity.properties
>> >>>
>> >>> wss4j.out.action = Encrypt Signature
>> >>> wss4j.out.signaturePropFile = path to
>> file/CalculatorSecurity.properties
>> >>> wss4j.out.encryptionPropFile = path to
>> >>> file/CalculatorSecurity.properties
>> >>> wss4j.out.user = something
>> >>> wss4j.out.encryptionUser = bod
>> >>> wss4j.out.signatureKeyIdentifier = DirectReference
>> >>> wss4j.out.encryptionSymAlgorithm =
>> >>> http://www.w3.org/2001/04/xmlenc#tripledes-cbc
>> >>> ...
>> >>>               </configuration>
>> >>>
>> >>>           </web-service-security>
>> >>>       </session>
>> >>>   </enterprise-beans>
>> >>> </openejb-jar>
>> >>>
>> >>
>> >> I'm curious on how bean specific that above configuration is.  If I
>> have
>> >> say 10 web services that need to be secured, which properties will
>> likely
>> >> be
>> >> the same and which would I typically want to be different?  Just
>> >> wondering
>> >> if we'll want some more general way to setup the security in addition
>> to
>> >> 100% bean defined.
>> >>
>> >> -David
>> >>
>> >>
>> >>
>> >>
>> >
>> >
>> http://www.nabble.com/file/p22782120/patch-ws-security.txt
>> patch-ws-security.txt
>> --
>> View this message in context:
>> http://www.nabble.com/Re%3A-Securing-a-webservice-tp22265166p22782120.html
>> Sent from the OpenEJB Dev mailing list archive at Nabble.com.
>>
>>
> 
> 

-- 
View this message in context: http://www.nabble.com/Re%3A-Securing-a-webservice-tp22265166p22844980.html
Sent from the OpenEJB Dev mailing list archive at Nabble.com.


Re: Securing a webservice

Posted by Jonathan Gallimore <jo...@gmail.com>.
I've fired this up and run the tests. It looks really good to me - many
thanks for this! If you're happy to add this patch to jira OPENEJB-1004 I'm
happy to get it committed.

Do you think it would be ok to include the keys I generated from your batch
file, so that people can just do the usual 'mvn test' without any extra work
for the test in the example project to work (I'd keep the batch file as well
as I think it's useful)?

Jon

On Mon, Mar 30, 2009 at 1:24 PM, Jean-Louis MONTEIRO <
jean-louis.monteiro@atosorigin.com> wrote:

>
> Hi Jonathan,
>
> I spent some time this week end to get WS-Security integrated.
> Sorry in advance because I changed some of your code (but it allowed me to
> go faster).
>
> I enhanced the sample application to illustrate how to use WS-Security.
> Here is a patch file with all changes.
>
> Please, can you apply it on your local working copy and have a look at the
> tests?
> I think you can launch the CalculatorTest test case from the
> webservice-ws-security project.
>
> It would be very nice to have some feedback.
> @David: for the moment, no special properties management has been done.
>
> Jean-Louis
>
>
>
> Jonathan Gallimore-2 wrote:
> >
> > I really like the idea of this configuration.
> >
> > I think David's point is a good one - I don't know how bean specific
> these
> > properties are, but if you want to use a set of properties for more than
> > one
> > webservice I guess  we could have a node with the global webservice
> > security
> > config for the app, with any bean specific properties defined overriding
> > this.
> >
> > I guess I'm thinking of something along the lines of:
> >
> > <openejb-jar xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2">
> >   <global-ws-security>
> >     <configuration>
> > wss4j.in.action = Encrypt Signature
> > wss4j.in.signaturePropFile = path to file/CalculatorSecurity.properties
> > wss4j.in.encryptionPropFile = path to file/CalculatorSecurity.properties
> >
> > wss4j.out.action = Encrypt Signature
> > wss4j.out.signaturePropFile = path to file/CalculatorSecurity.properties
> > wss4j.out.encryptionPropFile = path to file/CalculatorSecurity.properties
> > wss4j.out.user = something
> > wss4j.out.encryptionUser = bod
> > wss4j.out.signatureKeyIdentifier = DirectReference
> > wss4j.out.encryptionSymAlgorithm =
> > http://www.w3.org/2001/04/xmlenc#tripledes-cbc
> > ...
> >     </configuration>
> >   </global-ws-security>
> >
> >   <enterprise-beans>
> >       <session>
> >           <ejb-name>CalculatorImpl</ejb-name>
> >           <web-service-security>
> >               <security-realm-name/>
> >               <transport-guarantee>NONE</transport-guarantee>
> >               <auth-method>WS-SECURITY</auth-method>
> >
> >               <configuration>
> > wss4j.some_bean_specific_property = foo
> > ...
> >               </configuration>
> >
> >           </web-service-security>
> >       </session>
> >   </enterprise-beans>
> > </openejb-jar>
> >
> > I'm very happy to help with some of the code and/or testing.
> >
> > Cheers,
> >
> > Jon
> >
> > On Fri, Mar 20, 2009 at 4:57 PM, David Blevins
> > <da...@visi.com>wrote:
> >
> >> On Mar 20, 2009, at 8:13 AM, Jean-Louis MONTEIRO wrote:
> >>
> >>  <openejb-jar xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2">
> >>>   <enterprise-beans>
> >>>       <session>
> >>>           <ejb-name>CalculatorImpl</ejb-name>
> >>>           <web-service-security>
> >>>               <security-realm-name/>
> >>>               <transport-guarantee>NONE</transport-guarantee>
> >>>               <auth-method>WS-SECURITY</auth-method>
> >>>
> >>>               <configuration>
> >>> wss4j.in.action = Encrypt Signature
> >>> wss4j.in.signaturePropFile = path to file/CalculatorSecurity.properties
> >>> wss4j.in.encryptionPropFile = path to
> file/CalculatorSecurity.properties
> >>>
> >>> wss4j.out.action = Encrypt Signature
> >>> wss4j.out.signaturePropFile = path to
> file/CalculatorSecurity.properties
> >>> wss4j.out.encryptionPropFile = path to
> >>> file/CalculatorSecurity.properties
> >>> wss4j.out.user = something
> >>> wss4j.out.encryptionUser = bod
> >>> wss4j.out.signatureKeyIdentifier = DirectReference
> >>> wss4j.out.encryptionSymAlgorithm =
> >>> http://www.w3.org/2001/04/xmlenc#tripledes-cbc
> >>> ...
> >>>               </configuration>
> >>>
> >>>           </web-service-security>
> >>>       </session>
> >>>   </enterprise-beans>
> >>> </openejb-jar>
> >>>
> >>
> >> I'm curious on how bean specific that above configuration is.  If I have
> >> say 10 web services that need to be secured, which properties will
> likely
> >> be
> >> the same and which would I typically want to be different?  Just
> >> wondering
> >> if we'll want some more general way to setup the security in addition to
> >> 100% bean defined.
> >>
> >> -David
> >>
> >>
> >>
> >>
> >
> >
> http://www.nabble.com/file/p22782120/patch-ws-security.txt
> patch-ws-security.txt
> --
> View this message in context:
> http://www.nabble.com/Re%3A-Securing-a-webservice-tp22265166p22782120.html
> Sent from the OpenEJB Dev mailing list archive at Nabble.com.
>
>

Re: Securing a webservice

Posted by Jean-Louis MONTEIRO <je...@atosorigin.com>.
Hi Jonathan,

I spent some time this week end to get WS-Security integrated.
Sorry in advance because I changed some of your code (but it allowed me to go
faster).

I enhanced the sample application to illustrate how to use WS-Security.
Here is a patch file with all changes.

Please, can you apply it on your local working copy and have a look at the
tests?
I think you can launch the CalculatorTest test case from the
webservice-ws-security project.

It would be very nice to have some feedback.
@David: for the moment, no special properties management has been done.

Jean-Louis



Jonathan Gallimore-2 wrote:
> 
> I really like the idea of this configuration.
> 
> I think David's point is a good one - I don't know how bean specific these
> properties are, but if you want to use a set of properties for more than
> one
> webservice I guess  we could have a node with the global webservice
> security
> config for the app, with any bean specific properties defined overriding
> this.
> 
> I guess I'm thinking of something along the lines of:
> 
> <openejb-jar xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2">
>   <global-ws-security>
>     <configuration>
> wss4j.in.action = Encrypt Signature
> wss4j.in.signaturePropFile = path to file/CalculatorSecurity.properties
> wss4j.in.encryptionPropFile = path to file/CalculatorSecurity.properties
> 
> wss4j.out.action = Encrypt Signature
> wss4j.out.signaturePropFile = path to file/CalculatorSecurity.properties
> wss4j.out.encryptionPropFile = path to file/CalculatorSecurity.properties
> wss4j.out.user = something
> wss4j.out.encryptionUser = bod
> wss4j.out.signatureKeyIdentifier = DirectReference
> wss4j.out.encryptionSymAlgorithm =
> http://www.w3.org/2001/04/xmlenc#tripledes-cbc
> ...
>     </configuration>
>   </global-ws-security>
> 
>   <enterprise-beans>
>       <session>
>           <ejb-name>CalculatorImpl</ejb-name>
>           <web-service-security>
>               <security-realm-name/>
>               <transport-guarantee>NONE</transport-guarantee>
>               <auth-method>WS-SECURITY</auth-method>
> 
>               <configuration>
> wss4j.some_bean_specific_property = foo
> ...
>               </configuration>
> 
>           </web-service-security>
>       </session>
>   </enterprise-beans>
> </openejb-jar>
> 
> I'm very happy to help with some of the code and/or testing.
> 
> Cheers,
> 
> Jon
> 
> On Fri, Mar 20, 2009 at 4:57 PM, David Blevins
> <da...@visi.com>wrote:
> 
>> On Mar 20, 2009, at 8:13 AM, Jean-Louis MONTEIRO wrote:
>>
>>  <openejb-jar xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2">
>>>   <enterprise-beans>
>>>       <session>
>>>           <ejb-name>CalculatorImpl</ejb-name>
>>>           <web-service-security>
>>>               <security-realm-name/>
>>>               <transport-guarantee>NONE</transport-guarantee>
>>>               <auth-method>WS-SECURITY</auth-method>
>>>
>>>               <configuration>
>>> wss4j.in.action = Encrypt Signature
>>> wss4j.in.signaturePropFile = path to file/CalculatorSecurity.properties
>>> wss4j.in.encryptionPropFile = path to file/CalculatorSecurity.properties
>>>
>>> wss4j.out.action = Encrypt Signature
>>> wss4j.out.signaturePropFile = path to file/CalculatorSecurity.properties
>>> wss4j.out.encryptionPropFile = path to
>>> file/CalculatorSecurity.properties
>>> wss4j.out.user = something
>>> wss4j.out.encryptionUser = bod
>>> wss4j.out.signatureKeyIdentifier = DirectReference
>>> wss4j.out.encryptionSymAlgorithm =
>>> http://www.w3.org/2001/04/xmlenc#tripledes-cbc
>>> ...
>>>               </configuration>
>>>
>>>           </web-service-security>
>>>       </session>
>>>   </enterprise-beans>
>>> </openejb-jar>
>>>
>>
>> I'm curious on how bean specific that above configuration is.  If I have
>> say 10 web services that need to be secured, which properties will likely
>> be
>> the same and which would I typically want to be different?  Just
>> wondering
>> if we'll want some more general way to setup the security in addition to
>> 100% bean defined.
>>
>> -David
>>
>>
>>
>>
> 
> 
Attachment: patch-ws-security.txt
http://www.nabble.com/file/p22782120/patch-ws-security.txt
-- 
View this message in context: http://www.nabble.com/Re%3A-Securing-a-webservice-tp22265166p22782120.html
Sent from the OpenEJB Dev mailing list archive at Nabble.com.


Re: Securing a webservice

Posted by Jonathan Gallimore <jo...@gmail.com>.
I really like the idea of this configuration.

I think David's point is a good one - I don't know how bean specific these
properties are, but if you want to use a set of properties for more than one
webservice I guess  we could have a node with the global webservice security
config for the app, with any bean specific properties defined overriding
this.

I guess I'm thinking of something along the lines of:

<openejb-jar xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2">
  <global-ws-security>
    <configuration>
wss4j.in.action = Encrypt Signature
wss4j.in.signaturePropFile = path to file/CalculatorSecurity.properties
wss4j.in.encryptionPropFile = path to file/CalculatorSecurity.properties

wss4j.out.action = Encrypt Signature
wss4j.out.signaturePropFile = path to file/CalculatorSecurity.properties
wss4j.out.encryptionPropFile = path to file/CalculatorSecurity.properties
wss4j.out.user = something
wss4j.out.encryptionUser = bod
wss4j.out.signatureKeyIdentifier = DirectReference
wss4j.out.encryptionSymAlgorithm = http://www.w3.org/2001/04/xmlenc#tripledes-cbc
...
    </configuration>
  </global-ws-security>

  <enterprise-beans>
      <session>
          <ejb-name>CalculatorImpl</ejb-name>
          <web-service-security>
              <security-realm-name/>
              <transport-guarantee>NONE</transport-guarantee>
              <auth-method>WS-SECURITY</auth-method>

              <configuration>
wss4j.some_bean_specific_property = foo
...
              </configuration>

          </web-service-security>
      </session>
  </enterprise-beans>
</openejb-jar>

I'm very happy to help with some of the code and/or testing.

Cheers,

Jon

On Fri, Mar 20, 2009 at 4:57 PM, David Blevins <da...@visi.com>wrote:

> On Mar 20, 2009, at 8:13 AM, Jean-Louis MONTEIRO wrote:
>
>  <openejb-jar xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2">
>>   <enterprise-beans>
>>       <session>
>>           <ejb-name>CalculatorImpl</ejb-name>
>>           <web-service-security>
>>               <security-realm-name/>
>>               <transport-guarantee>NONE</transport-guarantee>
>>               <auth-method>WS-SECURITY</auth-method>
>>
>>               <configuration>
>> wss4j.in.action = Encrypt Signature
>> wss4j.in.signaturePropFile = path to file/CalculatorSecurity.properties
>> wss4j.in.encryptionPropFile = path to file/CalculatorSecurity.properties
>>
>> wss4j.out.action = Encrypt Signature
>> wss4j.out.signaturePropFile = path to file/CalculatorSecurity.properties
>> wss4j.out.encryptionPropFile = path to file/CalculatorSecurity.properties
>> wss4j.out.user = something
>> wss4j.out.encryptionUser = bod
>> wss4j.out.signatureKeyIdentifier = DirectReference
>> wss4j.out.encryptionSymAlgorithm =
>> http://www.w3.org/2001/04/xmlenc#tripledes-cbc
>> ...
>>               </configuration>
>>
>>           </web-service-security>
>>       </session>
>>   </enterprise-beans>
>> </openejb-jar>
>>
>
> I'm curious on how bean specific that above configuration is.  If I have
> say 10 web services that need to be secured, which properties will likely be
> the same and which would I typically want to be different?  Just wondering
> if we'll want some more general way to setup the security in addition to
> 100% bean defined.
>
> -David
>
>
>
>
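The global-plus-override layout sketched above, together with the "read the configuration, fill a map and instantiate an In/Out Interceptor" step Jean-Louis describes further down the thread, as an added Java example that is not part of the thread or of OpenEJB. It assumes the two `<configuration>` text blocks arrive as plain strings in java.util.Properties syntax, uses the `wss4j.in.` / `wss4j.out.` prefixes from the proposal, and relies only on the JDK; the class and method names (WsSecurityConfig, parse, merge, select) are mine, and the sample file path and the bean-level override values are constructed.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;

/**
 * Added example, not OpenEJB code: turns the <configuration> blocks of the
 * proposed openejb-jar.xml into the two property maps that CXF's
 * WSS4JInInterceptor(Map) and WSS4JOutInterceptor(Map) constructors accept.
 * Bean-specific properties override the global block key by key.
 */
public class WsSecurityConfig {

    /** Prefixes used in the thread's proposed configuration. */
    static final String IN_PREFIX = "wss4j.in.";
    static final String OUT_PREFIX = "wss4j.out.";

    /** Parse one <configuration> block (java.util.Properties syntax). */
    static Map<String, String> parse(String block) {
        Properties p = new Properties();
        try {
            p.load(new StringReader(block));
        } catch (IOException e) {
            throw new IllegalArgumentException("bad configuration block", e);
        }
        Map<String, String> m = new LinkedHashMap<String, String>();
        for (String name : p.stringPropertyNames()) {
            m.put(name, p.getProperty(name).trim());
        }
        return m;
    }

    /** Merge: start from the global block, then let bean-specific keys win. */
    static Map<String, String> merge(String globalBlock, String beanBlock) {
        Map<String, String> merged = new LinkedHashMap<String, String>(parse(globalBlock));
        merged.putAll(parse(beanBlock));
        return merged;
    }

    /**
     * Keep only the keys carrying the given prefix and strip it, so that
     * "wss4j.in.action" becomes the WSS4J handler property "action".
     * Keys with any other prefix are not forwarded to WSS4J at all.
     */
    static Map<String, Object> select(Map<String, String> merged, String prefix) {
        Map<String, Object> props = new LinkedHashMap<String, Object>();
        for (Map.Entry<String, String> e : merged.entrySet()) {
            if (e.getKey().startsWith(prefix)) {
                props.put(e.getKey().substring(prefix.length()), e.getValue());
            }
        }
        return props;
    }

    public static void main(String[] args) {
        // Constructed sample input mirroring the thread's proposal (the path is made up).
        String global = ""
            + "wss4j.in.action = Encrypt Signature\n"
            + "wss4j.in.signaturePropFile = conf/CalculatorSecurity.properties\n"
            + "wss4j.in.encryptionPropFile = conf/CalculatorSecurity.properties\n"
            + "wss4j.out.action = Encrypt Signature\n"
            + "wss4j.out.user = something\n"
            + "wss4j.out.encryptionUser = bod\n"
            + "wss4j.out.signatureKeyIdentifier = DirectReference\n"
            + "wss4j.out.encryptionSymAlgorithm = http://www.w3.org/2001/04/xmlenc#tripledes-cbc\n";
        String bean = ""
            + "wss4j.in.action = Encrypt Signature Timestamp\n"   // bean adds a Timestamp check
            + "wss4j.out.user = calculator\n";                    // bean overrides the global user

        Map<String, String> merged = merge(global, bean);
        Map<String, Object> inProps = select(merged, IN_PREFIX);
        Map<String, Object> outProps = select(merged, OUT_PREFIX);

        System.out.println("in  : " + inProps);
        System.out.println("out : " + outProps);
        // With cxf-rt-ws-security on the classpath these maps are passed straight on,
        // exactly as EjbEndpoint already does for the hard-coded UsernameToken map:
        //   endpoint.getInInterceptors().add(new WSS4JInInterceptor(inProps));
        //   endpoint.getOutInterceptors().add(new WSS4JOutInterceptor(outProps));
    }
}
```

Once the prefix is stripped, the remaining names (`action`, `signaturePropFile`, `encryptionPropFile`, `user`, `encryptionUser`, `signatureKeyIdentifier`, `encryptionSymAlgorithm`) are the WSS4J handler property names themselves, so no translation table is needed. Running the main prints the `in` map with the bean's `Encrypt Signature Timestamp` action and the `out` map with `user=calculator`, while the untouched global keys come through unchanged.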

Re: Securing a webservice

Posted by David Blevins <da...@visi.com>.
On Mar 20, 2009, at 8:13 AM, Jean-Louis MONTEIRO wrote:

> <openejb-jar xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2">
>    <enterprise-beans>
>        <session>
>            <ejb-name>CalculatorImpl</ejb-name>
>            <web-service-security>
>                <security-realm-name/>
>                <transport-guarantee>NONE</transport-guarantee>
>                <auth-method>WS-SECURITY</auth-method>
>
>                <configuration>
> wss4j.in.action = Encrypt Signature
> wss4j.in.signaturePropFile = path to file/CalculatorSecurity.properties
> wss4j.in.encryptionPropFile = path to file/CalculatorSecurity.properties
>
> wss4j.out.action = Encrypt Signature
> wss4j.out.signaturePropFile = path to file/CalculatorSecurity.properties
> wss4j.out.encryptionPropFile = path to file/CalculatorSecurity.properties
> wss4j.out.user = something
> wss4j.out.encryptionUser = bod
> wss4j.out.signatureKeyIdentifier = DirectReference
> wss4j.out.encryptionSymAlgorithm =
> http://www.w3.org/2001/04/xmlenc#tripledes-cbc
> ...
>                </configuration>
>
>            </web-service-security>
>        </session>
>    </enterprise-beans>
> </openejb-jar>

I'm curious how bean specific that above configuration is. If I have say 10
web services that need to be secured, which properties will likely be the same
and which would I typically want to be different? Just wondering if we'll want
some more general way to set up the security in addition to 100% bean defined.

-David




Re: Securing a webservice

Posted by Jean-Louis MONTEIRO <je...@atosorigin.com>.
Hi Jonathan,

First of all, thanks a lot for this very good work.
I spent a small amount of time looking at your WS-Security integration. It
looks fine at first glance.
But looking deeper makes me feel it can probably be enhanced.
Actually, your proposal only deals with UsernameToken authentication (through
WS-Security headers).

It would be nice to add a complete integration (signature, encryption,
Timestamp).
Everything is well supported by CXF and more specially WSS4J.

Today, we can not fully use WSS4J because the configuration is hard coded.
EjbEndpoint.java
...
        // Install WSS4J interceptor
        if (port.isSecure()) {
            Map<String, Object> inProps = new HashMap<String, Object>();
            inProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
            inProps.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
            inProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, ServerPasswordHandler.class.getName());

            WSS4JInInterceptor wssIn = new WSS4JInInterceptor(inProps);
            endpoint.getInInterceptors().add(wssIn);
        }
...

I have the feeling we can enhance the openejb-jar.xml file a little with
something like this:

<openejb-jar xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2">
    <enterprise-beans>
        <session>
            <ejb-name>CalculatorImpl</ejb-name>
            <web-service-security>
                <security-realm-name/>
                <transport-guarantee>NONE</transport-guarantee>
                <auth-method>WS-SECURITY</auth-method>
                
                <configuration>
wss4j.in.action = Encrypt Signature
wss4j.in.signaturePropFile = path to file/CalculatorSecurity.properties
wss4j.in.encryptionPropFile = path to file/CalculatorSecurity.properties

wss4j.out.action = Encrypt Signature
wss4j.out.signaturePropFile = path to file/CalculatorSecurity.properties
wss4j.out.encryptionPropFile = path to file/CalculatorSecurity.properties
wss4j.out.user = something
wss4j.out.encryptionUser = bod
wss4j.out.signatureKeyIdentifier = DirectReference
wss4j.out.encryptionSymAlgorithm = http://www.w3.org/2001/04/xmlenc#tripledes-cbc
...
                </configuration>
                
            </web-service-security>
        </session>
    </enterprise-beans>
</openejb-jar>

We can get more or less the same functional level as if we used Spring
configuration:
http://cwiki.apache.org/CXF20DOC/ws-security.html

Then, in EjbEndpoint.java, we can read the configuration, fill a map and
instantiate an In/Out Interceptor (or both).

Is it something stupid?
Can you give me your feeling?

Kind regards,
Jean-Louis




Jonathan Gallimore-2 wrote:
> 
> I've just committed this. It's worked in all my tests for embedded,
> standalone and Tomcat. Please shout if there's any problems.
> 
> Jon
> 
> On Tue, Mar 3, 2009 at 1:34 AM, David Blevins
> <da...@visi.com>wrote:
> 
>>
>> On Feb 28, 2009, at 1:17 PM, Daniel S. Haischt wrote:
>>
>>  I think it's useful :)
>>>
>>
>> I agree.  Very cool.
>>
>> -David
>>
>>
>>  I was mainly interested in this mail thread cause I worked with the
>>> various WSS standards recently at work including their implementation
>>> as it represented by the IBM WebSphere JAX-WS runtime. AFAIK early
>>> JAX-RPC implementations of WebSphere were not able to consume a
>>> password digest - only plain text was supported.
>>>
>>> WS policy sets is another interesting topic...
>>>
>>> Regards
>>> Daniel
>>>
>>> On Sat, Feb 28, 2009 at 10:06 PM, Jonathan Gallimore
>>> <jo...@gmail.com> wrote:
>>>
>>>> Not yet, although I'd be interested in working on this some more. I
>>>> just
>>>> wanted to get a feel of whether this is something we could include in
>>>> OpenEJB, as I'd find it pretty useful for testing some webservice work
>>>> I've
>>>> done. If people feel it would be useful I'm happy to do some more work
>>>> on
>>>> adding more authentication schemes.
>>>>
>>>> Cheers
>>>>
>>>> Jon
>>>>
>>>> On Sat, Feb 28, 2009 at 8:59 PM, Daniel S. Haischt <
>>>> daniel.haischt@googlemail.com> wrote:
>>>>
>>>>  Just out of curiosity - Did you try to use a password digest/hash
>>>>> instead? Using a nonce might be interesting as well (nonce is an
>>>>> effective countermeasure against replay attacks). If you use SoapUI as
>>>>> a WS client you could easily generate most of these WSS header
>>>>> elements for testing purposes.
>>>>>
>>>>> Cheers
>>>>> Daniel
>>>>>
>>>>> On Sat, Feb 28, 2009 at 9:51 PM, Jonathan Gallimore
>>>>> <jo...@gmail.com> wrote:
>>>>>
>>>>>> Yep. Here's the soap request captured by tcpmon:
>>>>>>
>>>>>> POST /CalculatorImpl HTTP/1.1
>>>>>> Content-Type: text/xml; charset=UTF-8
>>>>>> SOAPAction: ""
>>>>>> Accept: *
>>>>>> Cache-Control: no-cache
>>>>>> Pragma: no-cache
>>>>>> User-Agent: Java/1.6.0_11
>>>>>> Host: 127.0.0.1:42040
>>>>>> Connection: keep-alive
>>>>>> Transfer-Encoding: chunked
>>>>>>
>>>>>> 2ce
>>>>>> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>>>>>> <soap:Header>
>>>>>> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>>>>>> soap:mustUnderstand="1"><wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>>>>> wsu:Id="UsernameToken-47889642"><wsse:Username>jane</wsse:Username><wsse:Password
>>>>>> Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">waterfall</wsse:Password></wsse:UsernameToken></wsse:Security></soap:Header><soap:Body><ns1:sum
>>>>>> xmlns:ns1="http://superbiz.org/wsdl"><arg0>4</arg0><arg1>6</arg1></ns1:sum></soap:Body></soap:Envelope>
>>>>>>
>>>>>> Jon
>>>>>>
>>>>>> On Sat, Feb 28, 2009 at 6:42 PM, Daniel S. Haischt <
>>>>>> daniel.haischt@googlemail.com> wrote:
>>>>>>
>>>>>>  Are you using the username token profile ?
>>>>>>>
>>>>>>> On Sat, Feb 28, 2009 at 7:31 PM, Jonathan Gallimore
>>>>>>> <jo...@gmail.com> wrote:
>>>>>>>
>>>>>>>> I spent a bit more time looking at this - and added a bit more code. I
>>>>>>>> noticed that the Jaxb tree for openejb-jar.xml has some webservice security
>>>>>>>> attributes that we aren't using, but I think Geronimo is. I've added support
>>>>>>>> that does simple username/password authentication using basic http
>>>>>>>> mechanism, and an interceptor to do username/password auth using WS-Security
>>>>>>>> headers.
>>>>>>>>
>>>>>>>> I've uploaded a patch to
>>>>>>>> http://people.apache.org/~jgallimore/webservices.diff. I'd be grateful for
>>>>>>>> anyone's thoughts. It's pretty basic at the moment, but I think it would be
>>>>>>>> nice if this could go into OpenEJB - if others agree, I'd like to open a
>>>>>>>> JIRA and do some more work on it.
>>>>>>>>
>>>>>>>> I've copied this to the dev@ list too in case anyone who might be
>>>>>>>> interested missed it, hope that's ok.
>>>>>>>>
>>>>>>>> Cheers
>>>>>>>>
>>>>>>>> Jon
>>>>>>>>
>>>>>>>> On Fri, Feb 20, 2009 at 1:06 PM, Jonathan Gallimore <
>>>>>>>> jonathan.gallimore@gmail.com> wrote:
>>>>>>>>
>>>>>>>>  Hi Jean-Louis,
>>>>>>>>>
>>>>>>>>> Many thanks for your detailed reply and the link to the article.
>>>>>>>>> I'll
>>>>>>>>>
>>>>>>>> be
>>>>>
>>>>>> having a good look at this over the weekend. I had initially thought
>>>>>>>>>
>>>>>>>> just
>>>>>>>
>>>>>>>> applying basic auth was all there was to it, which is probably a
>>>>>>>> bit
>>>>>>>>>
>>>>>>>> naive
>>>>>>>
>>>>>>>> of me!
>>>>>>>>>
>>>>>>>>> I think it would be worthwhile working out whether there's some
>>>>>>>>>
>>>>>>>> samples
>>>>>
>>>>>> (and maybe some enhancements) we could add to OpenEJB in this regard
>>>>>>>>>
>>>>>>>> -
>>>>>
>>>>>> I'm
>>>>>>>
>>>>>>>> sure others would find it useful too.
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>> Jon
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Fri, Feb 20, 2009 at 8:49 AM, Jean-Louis MONTEIRO <
>>>>>>>>> jean-louis.monteiro@atosorigin.com> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Jonathan,
>>>>>>>>>>
>>>>>>>>>> Here are some inputs.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Jonathan Gallimore-2 wrote:
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Obviously I think it would be great if the standalone and
>>>>>>>>>>> embedded
>>>>>>>>>>>
>>>>>>>>>> servers
>>>>>>>>>>
>>>>>>>>>>> which use their own HTTP listener could accept credentials via
>>>>>>>>>>>
>>>>>>>>>> basic
>>>>>
>>>>>> authentication, meanwhile Tomcat could do the authentication for
>>>>>>>>>>>
>>>>>>>>>> us
>>>>>
>>>>>> based
>>>>>>>>>>
>>>>>>>>>>> on
>>>>>>>>>>> however its been configured (currently it looks like a new
>>>>>>>>>>>
>>>>>>>>>> StandardContext
>>>>>>>>>>
>>>>>>>>>>> is created for each webservice, and there is code to setup
>>>>>>>>>>>
>>>>>>>>>> authentication,
>>>>>>>>>>
>>>>>>>>>>> but WsService.authMethod was always null when I debugged it,
>>>>>>>>>>>
>>>>>>>>>> causing
>>>>>
>>>>>> no
>>>>>>>
>>>>>>>> authentication to be applied, and I couldn't see how it could be
>>>>>>>>>>>
>>>>>>>>>> set
>>>>>
>>>>>> otherwise), and the user and role principals could be passed
>>>>>>>>>>>
>>>>>>>>>> through
>>>>>
>>>>>> from
>>>>>>>>>>
>>>>>>>>>>> Tomcat to the relevant EJB container.
>>>>>>>>>>>
>>>>>>>>>>>  Definitively! (nice to have ;-)).
>>>>>>>>>> Doing basic authentication (without ws-security) seems to be
>>>>>>>>>>
>>>>>>>>> possible
>>>>>
>>>>>> using
>>>>>>>>>> JAX-WS handlers.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Jonathan Gallimore-2 wrote:
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> To give a bit more background on how this has come about - my
>>>>>>>>>>>
>>>>>>>>>> colleague
>>>>>>>
>>>>>>>> at
>>>>>>>>>>
>>>>>>>>>>> work has been working on some functionality as an EJB, and felt
>>>>>>>>>>> it
>>>>>>>>>>>
>>>>>>>>>> would
>>>>>>>
>>>>>>>> be
>>>>>>>>>>> nice to have it available as a webservice - and adding the
>>>>>>>>>>>
>>>>>>>>>> @WebService
>>>>>>>
>>>>>>>> annotation to the EJB seemed to be a nice idea, rather then
>>>>>>>>>>>
>>>>>>>>>> creating
>>>>>
>>>>>> a
>>>>>>>
>>>>>>>> webservice as a separate class that just delegates through to the
>>>>>>>>>>>
>>>>>>>>>> EJB
>>>>>
>>>>>> as
>>>>>>>
>>>>>>>> you
>>>>>>>>>>> describe -
>>>>>>>>>>>
>>>>>>>>>>>  I was probably not so clear.
>>>>>>>>>> It seems to me, from an architecture point of view, it's better
>>>>>>>>>> to
>>>>>>>>>>
>>>>>>>>> use
>>>>>
>>>>>> web
>>>>>>>
>>>>>>>> services as facades. They are personal concerns you know ;-)
>>>>>>>>>> Never mind, I had in mind an EJB Web Service (@stateless +
>>>>>>>>>>
>>>>>>>>> @webservice)
>>>>>
>>>>>> which delegates to other business EJB and it works fine with OpenEJB
>>>>>>>>>>
>>>>>>>>> for
>>>>>>>
>>>>>>>> simple cases.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Jonathan Gallimore-2 wrote:
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> and we hoped the container would handle the authentication for
>>>>>>>>>>> us. When configured correctly, JBoss (4.2.2.GA) does seem to do
>>>>>>>>>>>
>>>>>>>>>> this
>>>>>
>>>>>> for
>>>>>>>>>>
>>>>>>>>>>> us,
>>>>>>>>>>> however OpenEJB doesn't at the moment - I don't actually know if
>>>>>>>>>>>
>>>>>>>>>> this
>>>>>
>>>>>> is
>>>>>>>
>>>>>>>> even supposed to work (or even whether its part of any of the JEE
>>>>>>>>>>>
>>>>>>>>>> spec -
>>>>>>>
>>>>>>>> I'll have to read up!).
>>>>>>>>>>>
>>>>>>>>>>>  I can't help you on this topic (not read this part of the
>>>>>>>>>>> spec).
>>>>>>>>>> If you have 10 minutes, here is an interesting article
>>>>>>>>>>
>>>>>>>>>>
>>>>>>> http://www.javaworld.com/javaworld/jw-02-2007/jw-02-handler.html?page=1
>>>>>>>
>>>>>>>>
>>>>>>>>>>
>>>>>>> http://www.javaworld.com/javaworld/jw-02-2007/jw-02-handler.html?page=1
>>>>>>>
>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Jonathan Gallimore-2 wrote:
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I think I should probably have a look at WS-Security - I'd be
>>>>>>>>>>> very
>>>>>>>>>>> interested in a seeing a sample using OpenEJB/JAX-WS/WS-Security
>>>>>>>>>>>
>>>>>>>>>> if
>>>>>
>>>>>> you're
>>>>>>>>>>
>>>>>>>>>>> putting one together.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> OK, I've done some tests since yesterday morning. But, the way
>>>>>>>>>>
>>>>>>>>> OpenEJB
>>>>>
>>>>>> publishes EJB as web services does not allow configuring
>>>>>>>>>>
>>>>>>>>> ws-security.
>>>>>
>>>>>>
>>>>>>>>>> When using CXF + WS-Security, it's quite simple: add a WSS4J
>>>>>>>>>>
>>>>>>>>> InInterceptor
>>>>>>>
>>>>>>>> and a WSS4J OutInterceptor giving them a set of properties.
>>>>>>>>>>
>>>>>>>>> Interceptors
>>>>>>>
>>>>>>>> can
>>>>>>>>>> be configured using both a Spring application context or CXF
>>>>>>>>>>
>>>>>>>>> annotations
>>>>>>>
>>>>>>>> (@InInterceptors @OutInterceptor).
>>>>>>>>>>
>>>>>>>>>> At a JAX-WS point of view we only have handlers (soap handlers
>>>>>>>>>> and
>>>>>>>>>>
>>>>>>>>> logical
>>>>>>>
>>>>>>>> handlers) so I have to spend some more time to look if we can
>>>>>>>> manage
>>>>>>>>>> WS-Security using handlers.
>>>>>>>>>>
>>>>>>>>>> More coming soon ;-)
>>>>>>>>>>
>>>>>>>>>> Kind regards,
>>>>>>>>>> Jean-Louis
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> View this message in context:
>>>>>>>>>>
>>>>>>>>>>
>>>>> http://www.nabble.com/Securing-a-webservice-tp22089576p22116953.html
>>>>>
>>>>>> Sent from the OpenEJB User mailing list archive at Nabble.com.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
> 
> 

-- 
View this message in context: http://www.nabble.com/Re%3A-Securing-a-webservice-tp22265166p22621761.html
Sent from the OpenEJB Dev mailing list archive at Nabble.com.


Re: Securing a webservice

Posted by Jonathan Gallimore <jo...@gmail.com>.
I've just committed this. It's worked in all my tests for embedded,
standalone and Tomcat. Please shout if there are any problems.

Jon

On Tue, Mar 3, 2009 at 1:34 AM, David Blevins <da...@visi.com> wrote:

>
> On Feb 28, 2009, at 1:17 PM, Daniel S. Haischt wrote:
>
>> I think it's useful :)
>>
>
> I agree.  Very cool.
>
> -David
>
>
>> I was mainly interested in this mail thread cause I worked with the
>> various WSS standards recently at work including their implementation
>> as it is represented by the IBM WebSphere JAX-WS runtime. AFAIK early
>> JAX-RPC implementations of WebSphere were not able to consume a
>> password digest - only plain text was supported.
>>
>> WS policy sets is another interesting topic...
>>
>> Regards
>> Daniel
>>
>> On Sat, Feb 28, 2009 at 10:06 PM, Jonathan Gallimore
>> <jo...@gmail.com> wrote:
>>
>>> Not yet, although I'd be interested in working on this some more. I just
>>> wanted to get a feel of whether this is something we could include in
>>> OpenEJB, as I'd find it pretty useful for testing some webservice work I've
>>> done. If people feel it would be useful I'm happy to do some more work on
>>> adding more authentication schemes.
>>>
>>> Cheers
>>>
>>> Jon
>>>
>>> On Sat, Feb 28, 2009 at 8:59 PM, Daniel S. Haischt <
>>> daniel.haischt@googlemail.com> wrote:
>>>
>>>> Just out of curiosity - Did you try to use a password digest/hash
>>>> instead? Using a nonce might be interesting as well (nonce is an
>>>> effective countermeasure against replay attacks). If you use SoapUI as
>>>> a WS client you could easily generate most of these WSS header
>>>> elements for testing purposes.
>>>>
>>>> Cheers
>>>> Daniel
>>>>
>>>> On Sat, Feb 28, 2009 at 9:51 PM, Jonathan Gallimore
>>>> <jo...@gmail.com> wrote:
>>>>
>>>>> Yep. Here's the soap request captured by tcpmon:
>>>>>
>>>>> POST /CalculatorImpl HTTP/1.1
>>>>> Content-Type: text/xml; charset=UTF-8
>>>>> SOAPAction: ""
>>>>> Accept: *
>>>>> Cache-Control: no-cache
>>>>> Pragma: no-cache
>>>>> User-Agent: Java/1.6.0_11
>>>>> Host: 127.0.0.1:42040
>>>>> Connection: keep-alive
>>>>> Transfer-Encoding: chunked
>>>>>
>>>>> 2ce
>>>>> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>>>>> <soap:Header>
>>>>> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1"><wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-47889642"><wsse:Username>jane</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">waterfall</wsse:Password></wsse:UsernameToken></wsse:Security></soap:Header><soap:Body><ns1:sum xmlns:ns1="http://superbiz.org/wsdl"><arg0>4</arg0><arg1>6</arg1></ns1:sum></soap:Body></soap:Envelope>
>>>>>
>>>>> Jon
>>>>>
>>>>> On Sat, Feb 28, 2009 at 6:42 PM, Daniel S. Haischt <
>>>>> daniel.haischt@googlemail.com> wrote:
>>>>>
>>>>>> Are you using the username token profile ?
>>>>>>
>>>>>> On Sat, Feb 28, 2009 at 7:31 PM, Jonathan Gallimore
>>>>>> <jo...@gmail.com> wrote:
>>>>>>
>>>>>>> I spent a bit more time looking at this - and added a bit more code. I
>>>>>>> noticed that the Jaxb tree for openejb-jar.xml has some webservice security
>>>>>>> attributes that we aren't using, but I think Geronimo is. I've added support
>>>>>>> that does simple username/password authentication using basic http
>>>>>>> mechanism, and an interceptor to do username/password auth using WS-Security
>>>>>>> headers.
>>>>>>>
>>>>>>> I've uploaded a patch to
>>>>>>> http://people.apache.org/~jgallimore/webservices.diff. I'd be grateful for
>>>>>>> anyone's thoughts. It's pretty basic at the moment, but I think it would be
>>>>>>> nice if this could go into OpenEJB - if others agree, I'd like to open a
>>>>>>> JIRA and do some more work on it.
>>>>>>>
>>>>>>> I've copied this to the dev@ list too in case anyone who might be interested
>>>>>>> missed it, hope that's ok.
>>>>>>>
>>>>>>> Cheers
>>>>>>>
>>>>>>> Jon
>>>>>>>
>>>>>>> On Fri, Feb 20, 2009 at 1:06 PM, Jonathan Gallimore <
>>>>>>> jonathan.gallimore@gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi Jean-Louis,
>>>>>>>>
>>>>>>>> Many thanks for your detailed reply and the link to the article. I'll be
>>>>>>>> having a good look at this over the weekend. I had initially thought just
>>>>>>>> applying basic auth was all there was to it, which is probably a bit naive
>>>>>>>> of me!
>>>>>>>>
>>>>>>>> I think it would be worthwhile working out whether there's some samples
>>>>>>>> (and maybe some enhancements) we could add to OpenEJB in this regard - I'm
>>>>>>>> sure others would find it useful too.
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Jon
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Feb 20, 2009 at 8:49 AM, Jean-Louis MONTEIRO <
>>>>>>>> jean-louis.monteiro@atosorigin.com> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Jonathan,
>>>>>>>>>
>>>>>>>>> Here are some inputs.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Jonathan Gallimore-2 wrote:
>>>>>>>>>>
>>>>>>>>>> Obviously I think it would be great if the standalone and embedded servers
>>>>>>>>>> which use their own HTTP listener could accept credentials via basic
>>>>>>>>>> authentication, meanwhile Tomcat could do the authentication for us based on
>>>>>>>>>> however it's been configured (currently it looks like a new StandardContext
>>>>>>>>>> is created for each webservice, and there is code to setup authentication,
>>>>>>>>>> but WsService.authMethod was always null when I debugged it, causing no
>>>>>>>>>> authentication to be applied, and I couldn't see how it could be set
>>>>>>>>>> otherwise), and the user and role principals could be passed through from
>>>>>>>>>> Tomcat to the relevant EJB container.
>>>>>>>>>>
>>>>>>>>> Definitively! (nice to have ;-)).
>>>>>>>>> Doing basic authentication (without ws-security) seems to be possible using
>>>>>>>>> JAX-WS handlers.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Jonathan Gallimore-2 wrote:
>>>>>>>>>>
>>>>>>>>>> To give a bit more background on how this has come about - my colleague at
>>>>>>>>>> work has been working on some functionality as an EJB, and felt it would be
>>>>>>>>>> nice to have it available as a webservice - and adding the @WebService
>>>>>>>>>> annotation to the EJB seemed to be a nice idea, rather than creating a
>>>>>>>>>> webservice as a separate class that just delegates through to the EJB as you
>>>>>>>>>> describe -
>>>>>>>>>>
>>>>>>>>> I was probably not so clear.
>>>>>>>>> It seems to me, from an architecture point of view, it's better to use web
>>>>>>>>> services as facades. They are personal concerns you know ;-)
>>>>>>>>> Never mind, I had in mind an EJB Web Service (@stateless + @webservice)
>>>>>>>>> which delegates to other business EJB and it works fine with OpenEJB for
>>>>>>>>> simple cases.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Jonathan Gallimore-2 wrote:
>>>>>>>>>>
>>>>>>>>>> and we hoped the container would handle the authentication for
>>>>>>>>>> us. When configured correctly, JBoss (4.2.2.GA) does seem to do this for
>>>>>>>>>> us, however OpenEJB doesn't at the moment - I don't actually know if this is
>>>>>>>>>> even supposed to work (or even whether it's part of any of the JEE spec -
>>>>>>>>>> I'll have to read up!).
>>>>>>>>>>
>>>>>>>>> I can't help you on this topic (not read this part of the spec).
>>>>>>>>> If you have 10 minutes, here is an interesting article
>>>>>>>>> http://www.javaworld.com/javaworld/jw-02-2007/jw-02-handler.html?page=1
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Jonathan Gallimore-2 wrote:
>>>>>>>>>>
>>>>>>>>>> I think I should probably have a look at WS-Security - I'd be very
>>>>>>>>>> interested in seeing a sample using OpenEJB/JAX-WS/WS-Security if you're
>>>>>>>>>> putting one together.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> OK, I've done some tests since yesterday morning. But, the way OpenEJB
>>>>>>>>> publishes EJB as web services does not allow configuring ws-security.
>>>>>>>>>
>>>>>>>>> When using CXF + WS-Security, it's quite simple: add a WSS4J InInterceptor
>>>>>>>>> and a WSS4J OutInterceptor giving them a set of properties. Interceptors can
>>>>>>>>> be configured using both a Spring application context or CXF annotations
>>>>>>>>> (@InInterceptors @OutInterceptor).
>>>>>>>>>
>>>>>>>>> At a JAX-WS point of view we only have handlers (soap handlers and logical
>>>>>>>>> handlers) so I have to spend some more time to look if we can manage
>>>>>>>>> WS-Security using handlers.
>>>>>>>>>
>>>>>>>>> More coming soon ;-)
>>>>>>>>>
>>>>>>>>> Kind regards,
>>>>>>>>> Jean-Louis
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

Re: Securing a webservice

Posted by David Blevins <da...@visi.com>.
On Feb 28, 2009, at 1:17 PM, Daniel S. Haischt wrote:

> I think it's useful :)

I agree.  Very cool.

-David

> I was mainly interested in this mail thread cause I worked with the
> various WSS standards recently at work including their implementation
> as it is represented by the IBM WebSphere JAX-WS runtime. AFAIK early
> JAX-RPC implementations of WebSphere were not able to consume a
> password digest - only plain text was supported.
>
> WS policy sets is another interesting topic...
>
> Regards
> Daniel
>
> On Sat, Feb 28, 2009 at 10:06 PM, Jonathan Gallimore
> <jo...@gmail.com> wrote:
>> Not yet, although I'd be interested in working on this some more. I just
>> wanted to get a feel of whether this is something we could include in
>> OpenEJB, as I'd find it pretty useful for testing some webservice work I've
>> done. If people feel it would be useful I'm happy to do some more work on
>> adding more authentication schemes.
>>
>> Cheers
>>
>> Jon
>>
>> On Sat, Feb 28, 2009 at 8:59 PM, Daniel S. Haischt <
>> daniel.haischt@googlemail.com> wrote:
>>
>>> Just out of curiosity - Did you try to use a password digest/hash
>>> instead? Using a nonce might be interesting as well (nonce is an
>>> effective countermeasure against replay attacks). If you use SoapUI as
>>> a WS client you could easily generate most of these WSS header
>>> elements for testing purposes.
>>>
>>> Cheers
>>> Daniel
>>>
>>> On Sat, Feb 28, 2009 at 9:51 PM, Jonathan Gallimore
>>> <jo...@gmail.com> wrote:
>>>> Yep. Here's the soap request captured by tcpmon:
>>>>
>>>> POST /CalculatorImpl HTTP/1.1
>>>> Content-Type: text/xml; charset=UTF-8
>>>> SOAPAction: ""
>>>> Accept: *
>>>> Cache-Control: no-cache
>>>> Pragma: no-cache
>>>> User-Agent: Java/1.6.0_11
>>>> Host: 127.0.0.1:42040
>>>> Connection: keep-alive
>>>> Transfer-Encoding: chunked
>>>>
>>>> 2ce
>>>> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>>>> <soap:Header>
>>>> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1"><wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-47889642"><wsse:Username>jane</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">waterfall</wsse:Password></wsse:UsernameToken></wsse:Security></soap:Header><soap:Body><ns1:sum xmlns:ns1="http://superbiz.org/wsdl"><arg0>4</arg0><arg1>6</arg1></ns1:sum></soap:Body></soap:Envelope>
>>>>
>>>> Jon
>>>>
>>>> On Sat, Feb 28, 2009 at 6:42 PM, Daniel S. Haischt <
>>>> daniel.haischt@googlemail.com> wrote:
>>>>
>>>>> Are you using the username token profile ?
>>>>>
>>>>> On Sat, Feb 28, 2009 at 7:31 PM, Jonathan Gallimore
>>>>> <jo...@gmail.com> wrote:
>>>>>> I spent a bit more time looking at this - and added a bit more code. I
>>>>>> noticed that the Jaxb tree for openejb-jar.xml has some webservice security
>>>>>> attributes that we aren't using, but I think Geronimo is. I've added support
>>>>>> that does simple username/password authentication using basic http
>>>>>> mechanism, and an interceptor to do username/password auth using WS-Security
>>>>>> headers.
>>>>>>
>>>>>> I've uploaded a patch to
>>>>>> http://people.apache.org/~jgallimore/webservices.diff. I'd be grateful for
>>>>>> anyone's thoughts. It's pretty basic at the moment, but I think it would be
>>>>>> nice if this could go into OpenEJB - if others agree, I'd like to open a
>>>>>> JIRA and do some more work on it.
>>>>>>
>>>>>> I've copied this to the dev@ list too in case anyone who might be interested
>>>>>> missed it, hope that's ok.
>>>>>>
>>>>>> Cheers
>>>>>>
>>>>>> Jon
>>>>>>
>>>>>> On Fri, Feb 20, 2009 at 1:06 PM, Jonathan Gallimore <
>>>>>> jonathan.gallimore@gmail.com> wrote:
>>>>>>
>>>>>>> Hi Jean-Louis,
>>>>>>>
>>>>>>> Many thanks for your detailed reply and the link to the article. I'll be
>>>>>>> having a good look at this over the weekend. I had initially thought just
>>>>>>> applying basic auth was all there was to it, which is probably a bit naive
>>>>>>> of me!
>>>>>>>
>>>>>>> I think it would be worthwhile working out whether there's some samples
>>>>>>> (and maybe some enhancements) we could add to OpenEJB in this regard - I'm
>>>>>>> sure others would find it useful too.
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Jon
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Feb 20, 2009 at 8:49 AM, Jean-Louis MONTEIRO <
>>>>>>> jean-louis.monteiro@atosorigin.com> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>> Jonathan,
>>>>>>>>
>>>>>>>> Here are some inputs.
>>>>>>>>
>>>>>>>>
>>>>>>>> Jonathan Gallimore-2 wrote:
>>>>>>>>>
>>>>>>>>> Obviously I think it would be great if the standalone and embedded servers
>>>>>>>>> which use their own HTTP listener could accept credentials via basic
>>>>>>>>> authentication, meanwhile Tomcat could do the authentication for us based on
>>>>>>>>> however it's been configured (currently it looks like a new StandardContext
>>>>>>>>> is created for each webservice, and there is code to setup authentication,
>>>>>>>>> but WsService.authMethod was always null when I debugged it, causing no
>>>>>>>>> authentication to be applied, and I couldn't see how it could be set
>>>>>>>>> otherwise), and the user and role principals could be passed through from
>>>>>>>>> Tomcat to the relevant EJB container.
>>>>>>>>>
>>>>>>>> Definitively! (nice to have ;-)).
>>>>>>>> Doing basic authentication (without ws-security) seems to be possible using
>>>>>>>> JAX-WS handlers.
>>>>>>>>
>>>>>>>>
>>>>>>>> Jonathan Gallimore-2 wrote:
>>>>>>>>>
>>>>>>>>> To give a bit more background on how this has come about - my colleague at
>>>>>>>>> work has been working on some functionality as an EJB, and felt it would be
>>>>>>>>> nice to have it available as a webservice - and adding the @WebService
>>>>>>>>> annotation to the EJB seemed to be a nice idea, rather than creating a
>>>>>>>>> webservice as a separate class that just delegates through to the EJB as you
>>>>>>>>> describe -
>>>>>>>>>
>>>>>>>> I was probably not so clear.
>>>>>>>> It seems to me, from an architecture point of view, it's better to use web
>>>>>>>> services as facades. They are personal concerns you know ;-)
>>>>>>>> Never mind, I had in mind an EJB Web Service (@stateless + @webservice)
>>>>>>>> which delegates to other business EJB and it works fine with OpenEJB for
>>>>>>>> simple cases.
>>>>>>>>
>>>>>>>>
>>>>>>>> Jonathan Gallimore-2 wrote:
>>>>>>>>>
>>>>>>>>> and we hoped the container would handle the authentication for
>>>>>>>>> us. When configured correctly, JBoss (4.2.2.GA) does seem to do this for
>>>>>>>>> us, however OpenEJB doesn't at the moment - I don't actually know if this is
>>>>>>>>> even supposed to work (or even whether it's part of any of the JEE spec -
>>>>>>>>> I'll have to read up!).
>>>>>>>>>
>>>>>>>> I can't help you on this topic (not read this part of the spec).
>>>>>>>> If you have 10 minutes, here is an interesting article
>>>>>>>> http://www.javaworld.com/javaworld/jw-02-2007/jw-02-handler.html?page=1
>>>>>>>>
>>>>>>>>
>>>>>>>> Jonathan Gallimore-2 wrote:
>>>>>>>>>
>>>>>>>>> I think I should probably have a look at WS-Security - I'd be very
>>>>>>>>> interested in seeing a sample using OpenEJB/JAX-WS/WS-Security if you're
>>>>>>>>> putting one together.
>>>>>>>>>
>>>>>>>>
>>>>>>>> OK, I've done some tests since yesterday morning. But, the way OpenEJB
>>>>>>>> publishes EJB as web services does not allow configuring ws-security.
>>>>>>>>
>>>>>>>> When using CXF + WS-Security, it's quite simple: add a WSS4J InInterceptor
>>>>>>>> and a WSS4J OutInterceptor giving them a set of properties. Interceptors can
>>>>>>>> be configured using both a Spring application context or CXF annotations
>>>>>>>> (@InInterceptors @OutInterceptor).
>>>>>>>>
>>>>>>>> At a JAX-WS point of view we only have handlers (soap handlers and logical
>>>>>>>> handlers) so I have to spend some more time to look if we can manage
>>>>>>>> WS-Security using handlers.
>>>>>>>>
>>>>>>>> More coming soon ;-)
>>>>>>>>
>>>>>>>> Kind regards,
>>>>>>>> Jean-Louis
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>


Re: Securing a webservice

Posted by Jonathan Gallimore <jo...@gmail.com>.
That's awesome! I'll open a JIRA and do some more work on this. I think it
would be good to get this in, and support more than just the basic
authentication schemes.

Jon

On Sat, Feb 28, 2009 at 9:17 PM, Daniel S. Haischt <
daniel.haischt@googlemail.com> wrote:

> I think it's useful :)
>
> I was mainly interested in this mail thread cause I worked with the
> various WSS standards recently at work including their implementation
> as it is represented by the IBM WebSphere JAX-WS runtime. AFAIK early
> JAX-RPC implementations of WebSphere were not able to consume a
> password digest - only plain text was supported.
>
> WS policy sets is another interesting topic...
>
> Regards
> Daniel
>
>
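
Daniel's two suggestions above, a password digest instead of PasswordText and a nonce as a replay countermeasure, worked through end to end as an added example. This is not code from the thread, from OpenEJB or from CXF/WSS4J; it is a small Python model of what a UsernameToken verifier has to check before it hands a principal to the EJB container. Assumptions that are mine, not the page's: an in-memory user store holding the thread's test user `jane`/`waterfall`, a 5-minute freshness window around `wsu:Created`, an in-memory nonce cache, and an injected clock (`now`) so the run is deterministic; `build_request`, `UsernameTokenVerifier` and `demo` are names chosen here.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = UTP + "#PasswordText"      # what the tcpmon capture in the thread carries
PASSWORD_DIGEST = UTP + "#PasswordDigest"  # what the verifier below insists on
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed user store (assumption) holding the thread's test user. The digest scheme needs
# the server to recompute SHA-1(nonce + created + password), so it must hold the password itself.
USERS = {"jane": "waterfall"}


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)) as Username Token
    Profile 1.0 defines it; SHA-1 is fixed by the profile, not a choice made here."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_request(username: str, password: str, nonce: bytes, created: str,
                  password_type: str = PASSWORD_DIGEST) -> str:
    """Client side: a SOAP envelope carrying a UsernameToken, shaped like the capture in the
    thread. With PASSWORD_DIGEST the password itself never goes on the wire."""
    pw = password_digest(nonce, created, password) if password_type == PASSWORD_DIGEST else password
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}" soap:mustUnderstand="1">'
        f'<wsse:UsernameToken wsu:Id="UsernameToken-1">'
        f'<wsse:Username>{escape(username)}</wsse:Username>'
        f'<wsse:Password Type="{password_type}">{escape(pw)}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{B64}">{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>'
        f'<wsu:Created>{created}</wsu:Created>'
        f'</wsse:UsernameToken></wsse:Security></soap:Header>'
        f'<soap:Body><ns1:sum xmlns:ns1="http://superbiz.org/wsdl"><arg0>4</arg0><arg1>6</arg1>'
        f'</ns1:sum></soap:Body></soap:Envelope>'
    )


class UsernameTokenVerifier:
    """Server side: the checks an in-interceptor must pass before authenticating the caller."""

    def __init__(self, users: dict, freshness: timedelta = timedelta(minutes=5)):
        self.users = users
        self.freshness = freshness  # tolerated distance between wsu:Created and the server clock
        self._seen = {}             # (username, nonce) -> Created; pruned once outside the window

    def verify(self, soap_xml: str, now: datetime) -> str:
        """Return "ok" or a short rejection reason. `now` is injected so runs are deterministic."""
        try:
            env = ET.fromstring(soap_xml)
        except ET.ParseError:
            return "malformed xml"
        token = env.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken")
        if token is None:
            return "no UsernameToken"
        username = token.findtext(f"{{{WSSE_NS}}}Username") or ""
        pw_el = token.find(f"{{{WSSE_NS}}}Password")
        nonce_b64 = token.findtext(f"{{{WSSE_NS}}}Nonce")
        created = token.findtext(f"{{{WSU_NS}}}Created")
        if pw_el is None or nonce_b64 is None or created is None:
            return "incomplete token"
        # The profile's default Type is PasswordText; refuse it so credentials never travel verbatim.
        if pw_el.get("Type", PASSWORD_TEXT) != PASSWORD_DIGEST:
            return "plaintext password not accepted"
        try:
            created_at = datetime.strptime(created, CREATED_FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(nonce_b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return "malformed nonce or timestamp"
        if abs(now - created_at) > self.freshness:
            return "stale token"  # outside the window, so its nonce never needs remembering
        self._prune(now)
        if (username, nonce) in self._seen:
            return "replayed nonce"
        # Unknown users still go through the digest comparison so the verdict does not
        # distinguish "no such user" from "wrong password".
        expected = password_digest(nonce, created, self.users.get(username, ""))
        if username not in self.users or not hmac.compare_digest(expected, pw_el.text or ""):
            return "bad credentials"
        self._seen[(username, nonce)] = created_at
        return "ok"

    def _prune(self, now: datetime) -> None:
        for key, created_at in list(self._seen.items()):
            if now - created_at > self.freshness:
                del self._seen[key]


def demo() -> list:
    """A fresh token, a replay of it, and four tokens that must each fail a different check."""
    now = datetime(2009, 2, 28, 21, 51, 0, tzinfo=timezone.utc)
    created = "2009-02-28T21:50:30Z"
    v = UsernameTokenVerifier(USERS)
    good = build_request("jane", "waterfall", b"0123456789abcdef", created)
    return [
        v.verify(good, now),                                                   # ok
        v.verify(good, now),                                                   # replayed nonce
        v.verify(build_request("jane", "wrong", b"a" * 16, created), now),     # bad credentials
        v.verify(build_request("bob", "waterfall", b"b" * 16, created), now),  # bad credentials
        v.verify(build_request("jane", "waterfall", b"c" * 16, created, PASSWORD_TEXT), now),
        v.verify(build_request("jane", "waterfall", b"d" * 16, "2009-02-28T21:00:00Z"), now),
    ]


if __name__ == "__main__":
    print(demo())
```

Two points the thread touches but does not spell out: the digest only stops the password and a captured request from being reused, it does not hide the body, so TLS is still needed; and the nonce cache has to be shared (or the freshness window kept short) once the service runs on more than one node, otherwise a capture replayed against another node passes.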

Re: Securing a webservice

Posted by "Daniel S. Haischt" <da...@googlemail.com>.
I think it's useful :)

I was mainly interested in this mail thread cause I worked with the
various WSS standards recently at work including their implementation
as it is represented by the IBM WebSphere JAX-WS runtime. AFAIK early
JAX-RPC implementations of WebSphere were not able to consume a
password digest - only plain text was supported.

WS policy sets is another interesting topic...

Regards
Daniel

On Sat, Feb 28, 2009 at 10:06 PM, Jonathan Gallimore
<jo...@gmail.com> wrote:
> Not yet, although I'd be interested in working on this some more. I just
> wanted to get a feel of whether this is something we could include in
> OpenEJB, as I'd find it pretty useful for testing some webservice work I've
> done. If people feel it would be useful I'm happy to do some more work on
> adding more authentication schemes.
>
> Cheers
>
> Jon
>
> On Sat, Feb 28, 2009 at 8:59 PM, Daniel S. Haischt <
> - Show quoted text -
> daniel.haischt@googlemail.com> wrote:
>
>> Just out of curiosity - Did you try to use a password digest/hash
>> instead? Using a nonce might be interesting as well (nonce is an
>> effective countermeasure against replay attacks). If you use SoapUI as
>> a WS client you could easily generate most of these WSS header
>> elements for testing purposes.
>>
>> Cheers
>> Daniel
>>
>> On Sat, Feb 28, 2009 at 9:51 PM, Jonathan Gallimore
>> <jo...@gmail.com> wrote:
>> > Yep. Here's the soap request captured by tcpmon:
>> >
>> > POST /CalculatorImpl HTTP/1.1
>> > Content-Type: text/xml; charset=UTF-8
>> > SOAPAction: ""
>> > Accept: *
>> > Cache-Control: no-cache
>> > Pragma: no-cache
>> > User-Agent: Java/1.6.0_11
>> > Host: 127.0.0.1:42040
>> > Connection: keep-alive
>> > Transfer-Encoding: chunked
>> >
>> > 2ce
>> > <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>> > <soap:Header>
>> > <wsse:Security xmlns:wsse="
>> >
>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
>> "
>> > soap:mustUnderstand="1"><wsse:UsernameToken xmlns:wsu="
>> >
>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
>> "
>> >
>> wsu:Id="UsernameToken-47889642"><wsse:Username>jane</wsse:Username><wsse:Password
>> > Type="
>> >
>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText
>> ">waterfall</wsse:Password></wsse:UsernameToken></wsse:Security></soap:Header><soap:Body><ns1:sum
>> > xmlns:ns1="http://superbiz.org/wsdl
>> > "><arg0>4</arg0><arg1>6</arg1></ns1:sum></soap:Body></soap:Envelope>
>> >
>> > Jon
>> >
>> > On Sat, Feb 28, 2009 at 6:42 PM, Daniel S. Haischt <
>> > daniel.haischt@googlemail.com> wrote:
>> >
>> >> Are you using the username token profile ?
>> >>
>> >> On Sat, Feb 28, 2009 at 7:31 PM, Jonathan Gallimore
>> >> <jo...@gmail.com> wrote:
>> >> > I spent a bit more time looking at this - and added a bit more code. I
>> >> > noticed that the Jaxb tree for openejb-jar.xml has some webservice
>> >> security
>> >> > attributes that we aren't using, but I think Geronimo is. I've added
>> >> support
>> >> > that does simple username/password authentication using basic http
>> >> > mechanism, and an interceptor to do username/password auth using
>> >> WS-Security
>> >> > headers.
>> >> >
>> >> > I've uploaded a patch to
>> >> > http://people.apache.org/~jgallimore/webservices.diff<http://people.apache.org/%7Ejgallimore/webservices.diff>
>> <http://people.apache.org/%7Ejgallimore/webservices.diff>.
>> > - Show quoted text -
>> >> I be grateful on
>> >> > anyone's thoughts. Its pretty basic at the moment, but I think it
>> would
>> >> be
>> >> > nice if this could go into OpenEJB - if others agree, I'd like to open
>> a
>> >> > JIRA and do some more work on it.
>> >> >
>> >> > I've copied this to the dev@ list too in case anyone who might be
>> >> interested
>> >> > missed it, hope that's ok.
>> >> >
>> >> > Cheers
>> >> >
>> >> > Jon
>> >> >
>> >> > On Fri, Feb 20, 2009 at 1:06 PM, Jonathan Gallimore <
>> >> > jonathan.gallimore@gmail.com> wrote:
>> >> >
>> >> >> Hi Jean-Louis,
>> >> >>
>> >> >> Many thanks for your detailed reply and the link to the article. I'll
>> be
>> >> >> having a good look at this over the weekend. I had initially thought
>> >> just
>> >> >> applying basic auth was all there was to it, which is probably a bit
>> >> naive
>> >> >> of me!
>> >> >>
>> >> >> I think it would be worthwhile working out whether there's some
>> samples
>> >> >> (and maybe some enhancements) we could add to OpenEJB in this regard
>> -
>> >> I'm
>> >> >> sure others would find it useful too.
>> >> >>
>> >> >> Cheers,
>> >> >> Jon
>> >> >>
>> >> >>
>> >> >> On Fri, Feb 20, 2009 at 8:49 AM, Jean-Louis MONTEIRO <
>> >> >> jean-louis.monteiro@atosorigin.com> wrote:
>> >> >>
>> >> >>>
>> >> >>> Jonathan,
>> >> >>>
>> >> >>> Here are some inputs.
>> >> >>>
>> >> >>>
>> >> >>> Jonathan Gallimore-2 wrote:
>> >> >>> >
>> >> >>> > Obviously I think it would be great if the standalone and embedded
>> >> >>> servers
>> >> >>> > which use their own HTTP listener could accept credentials via
>> basic
>> >> >>> > authentication, meanwhile Tomcat could do the authentication for
>> us
>> >> >>> based
>> >> >>> > on
>> >> >>> > however it's been configured (currently it looks like a new
>> >> >>> StandardContext
>> >> >>> > is created for each webservice, and there is code to setup
>> >> >>> authentication,
>> >> >>> > but WsService.authMethod was always null when I debugged it,
>> causing
>> >> no
>> >> >>> > authentication to be applied, and I couldn't see how it could be
>> set
>> >> >>> > otherwise), and the user and role principals could be passed
>> through
>> >> >>> from
>> >> >>> > Tomcat to the relevant EJB container.
>> >> >>> >
>> >> >>> Definitively! (nice to have ;-)).
>> >> >>> Doing basic authentication (without ws-security) seems to be
>> possible
>> >> >>> using
>> >> >>> JAX-WS handlers.
>> >> >>>
>> >> >>>
>> >> >>> Jonathan Gallimore-2 wrote:
>> >> >>> >
>> >> >>> > To give a bit more background on how this has come about - my
>> >> colleague
>> >> >>> at
>> >> >>> > work has been working on some functionality as an EJB, and felt it
>> >> would
>> >> >>> > be
>> >> >>> > nice to have it available as a webservice - and adding the
>> >> @WebService
>> >> >>> > annotation to the EJB seemed to be a nice idea, rather than
>> creating
>> >> a
>> >> >>> > webservice as a separate class that just delegates through to the
>> EJB
>> >> as
>> >> >>> > you
>> >> >>> > describe -
>> >> >>> >
>> >> >>> I was probably not so clear.
>> >> >>> It seems to me, from an architecture point of view, it's better to
>> use
>> >> web
>> >> >>> services as facades. They are personal concerns you know ;-)
>> >> >>> Never mind, I had in mind an EJB Web Service (@stateless +
>> @webservice)
>> >> >>> which delegates to other business EJB and it works fine with OpenEJB
>> >> for
>> >> >>> simple cases.
>> >> >>>
>> >> >>>
>> >> >>> Jonathan Gallimore-2 wrote:
>> >> >>> >
>> >> >>> > and we hoped the container would handle the authentication for
>> >> >>> > us. When configured correctly, JBoss (4.2.2.GA) does seem to do
>> this
>> >> >>> for
>> >> >>> > us,
>> >> >>> > however OpenEJB doesn't at the moment - I don't actually know if
>> this
>> >> is
>> >> >>> > even supposed to work (or even whether its part of any of the JEE
>> >> spec -
>> >> >>> > I'll have to read up!).
>> >> >>> >
>> >> >>> I can't help you on this topic (not read this part of the spec).
>> >> >>> If you have 10 minutes, here is an interesting article
>> >> >>> http://www.javaworld.com/javaworld/jw-02-2007/jw-02-handler.html?page=1
>> >> >>>
>> >> >>>
>> >> >>> Jonathan Gallimore-2 wrote:
>> >> >>> >
>> >> >>> > I think I should probably have a look at WS-Security - I'd be very
>> >> >>> > interested in seeing a sample using OpenEJB/JAX-WS/WS-Security
>> if
>> >> >>> you're
>> >> >>> > putting one together.
>> >> >>> >
>> >> >>>
>> >> >>> OK, I've done some tests since yesterday morning. But, the way
>> OpenEJB
>> >> >>> publishes EJB as web services does not allow configuring
>> ws-security.
>> >> >>>
>> >> >>> When using CXF + WS-Security, it's quite simple: add a WSS4J
>> >> InInterceptor
>> >> >>> and a WSS4J OutInterceptor giving them a set of properties.
>> >> Interceptors
>> >> >>> can
>> >> >>> be configured using both a Spring application context or CXF
>> >> annotations
>> >> >>> (@InInterceptors @OutInterceptor).
>> >> >>>
>> >> >>> At a JAX-WS point of view we only have handlers (soap handlers and
>> >> logical
>> >> >>> handlers) so I have to spend some more time to look if we can manage
>> >> >>> WS-Security using handlers.
>> >> >>>
>> >> >>> More coming soon ;-)
>> >> >>>
>> >> >>> Kind regards,
>> >> >>> Jean-Louis
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>> --
>> >> >>> View this message in context:
>> >> >>> http://www.nabble.com/Securing-a-webservice-tp22089576p22116953.html
>> >> >>> Sent from the OpenEJB User mailing list archive at Nabble.com.
>> >> >>>
>> >> >>>
>> >> >>
>> >> >
>> >>
>> >
>>
>

Re: Securing a webservice

Posted by Jonathan Gallimore <jo...@gmail.com>.
Not yet, although I'd be interested in working on this some more. I just
wanted to get a feel of whether this is something we could include in
OpenEJB, as I'd find it pretty useful for testing some webservice work I've
done. If people feel it would be useful I'm happy to do some more work on
adding more authentication schemes.

Cheers

Jon

On Sat, Feb 28, 2009 at 8:59 PM, Daniel S. Haischt <
daniel.haischt@googlemail.com> wrote:

> Just out of curiosity - Did you try to use a password digest/hash
> instead? Using a nonce might be interesting as well (nonce is an
> effective countermeasure against replay attacks). If you use SoapUI as
> a WS client you could easily generate most of these WSS header
> elements for testing purposes.
>
> Cheers
> Daniel
>
> On Sat, Feb 28, 2009 at 9:51 PM, Jonathan Gallimore
> <jo...@gmail.com> wrote:
> > Yep. Here's the soap request captured by tcpmon:
> >
> > POST /CalculatorImpl HTTP/1.1
> > Content-Type: text/xml; charset=UTF-8
> > SOAPAction: ""
> > Accept: *
> > Cache-Control: no-cache
> > Pragma: no-cache
> > User-Agent: Java/1.6.0_11
> > Host: 127.0.0.1:42040
> > Connection: keep-alive
> > Transfer-Encoding: chunked
> >
> > 2ce
> > <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> > <soap:Header>
> > <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
> > <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-47889642">
> > <wsse:Username>jane</wsse:Username>
> > <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">waterfall</wsse:Password>
> > </wsse:UsernameToken>
> > </wsse:Security>
> > </soap:Header>
> > <soap:Body>
> > <ns1:sum xmlns:ns1="http://superbiz.org/wsdl"><arg0>4</arg0><arg1>6</arg1></ns1:sum>
> > </soap:Body>
> > </soap:Envelope>
> >
> > Jon
> >
> > On Sat, Feb 28, 2009 at 6:42 PM, Daniel S. Haischt <
> > daniel.haischt@googlemail.com> wrote:
> >
> >> Are you using the username token profile ?
> >>
> >> On Sat, Feb 28, 2009 at 7:31 PM, Jonathan Gallimore
> >> <jo...@gmail.com> wrote:
> >> > I spent a bit more time looking at this - and added a bit more code. I
> >> > noticed that the Jaxb tree for openejb-jar.xml has some webservice
> >> security
> >> > attributes that we aren't using, but I think Geronimo is. I've added
> >> support
> >> > that does simple username/password authentication using basic http
> >> > mechanism, and an interceptor to do username/password auth using
> >> WS-Security
> >> > headers.
> >> >
> >> > I've uploaded a patch to
> >> > http://people.apache.org/~jgallimore/webservices.diff. I'd be grateful for
> >> > anyone's thoughts. It's pretty basic at the moment, but I think it
> would
> >> be
> >> > nice if this could go into OpenEJB - if others agree, I'd like to open
> a
> >> > JIRA and do some more work on it.
> >> >
> >> > I've copied this to the dev@ list too in case anyone who might be
> >> interested
> >> > missed it, hope that's ok.
> >> >
> >> > Cheers
> >> >
> >> > Jon
> >> >
> >> > On Fri, Feb 20, 2009 at 1:06 PM, Jonathan Gallimore <
> >> > jonathan.gallimore@gmail.com> wrote:
> >> >
> >> >> Hi Jean-Louis,
> >> >>
> >> >> Many thanks for your detailed reply and the link to the article. I'll
> be
> >> >> having a good look at this over the weekend. I had initially thought
> >> just
> >> >> applying basic auth was all there was to it, which is probably a bit
> >> naive
> >> >> of me!
> >> >>
> >> >> I think it would be worthwhile working out whether there's some
> samples
> >> >> (and maybe some enhancements) we could add to OpenEJB in this regard
> -
> >> I'm
> >> >> sure others would find it useful too.
> >> >>
> >> >> Cheers,
> >> >> Jon
> >> >>
> >> >>
> >> >> On Fri, Feb 20, 2009 at 8:49 AM, Jean-Louis MONTEIRO <
> >> >> jean-louis.monteiro@atosorigin.com> wrote:
> >> >>
> >> >>>
> >> >>> Jonathan,
> >> >>>
> >> >>> Here are some inputs.
> >> >>>
> >> >>>
> >> >>> Jonathan Gallimore-2 wrote:
> >> >>> >
> >> >>> > Obviously I think it would be great if the standalone and embedded
> >> >>> servers
> >> >>> > which use their own HTTP listener could accept credentials via
> basic
> >> >>> > authentication, meanwhile Tomcat could do the authentication for
> us
> >> >>> based
> >> >>> > on
> >> >>> > however it's been configured (currently it looks like a new
> >> >>> StandardContext
> >> >>> > is created for each webservice, and there is code to setup
> >> >>> authentication,
> >> >>> > but WsService.authMethod was always null when I debugged it,
> causing
> >> no
> >> >>> > authentication to be applied, and I couldn't see how it could be
> set
> >> >>> > otherwise), and the user and role principals could be passed
> through
> >> >>> from
> >> >>> > Tomcat to the relevant EJB container.
> >> >>> >
> >> >>> Definitively! (nice to have ;-)).
> >> >>> Doing basic authentication (without ws-security) seems to be
> possible
> >> >>> using
> >> >>> JAX-WS handlers.
> >> >>>
> >> >>>
> >> >>> Jonathan Gallimore-2 wrote:
> >> >>> >
> >> >>> > To give a bit more background on how this has come about - my
> >> colleague
> >> >>> at
> >> >>> > work has been working on some functionality as an EJB, and felt it
> >> would
> >> >>> > be
> >> >>> > nice to have it available as a webservice - and adding the
> >> @WebService
> >> >>> > annotation to the EJB seemed to be a nice idea, rather than
> creating
> >> a
> >> >>> > webservice as a separate class that just delegates through to the
> EJB
> >> as
> >> >>> > you
> >> >>> > describe -
> >> >>> >
> >> >>> I was probably not so clear.
> >> >>> It seems to me, from an architecture point of view, it's better to
> use
> >> web
> >> >>> services as facades. They are personal concerns you know ;-)
> >> >>> Never mind, I had in mind an EJB Web Service (@stateless +
> @webservice)
> >> >>> which delegates to other business EJB and it works fine with OpenEJB
> >> for
> >> >>> simple cases.
> >> >>>
> >> >>>
> >> >>> Jonathan Gallimore-2 wrote:
> >> >>> >
> >> >>> > and we hoped the container would handle the authentication for
> >> >>> > us. When configured correctly, JBoss (4.2.2.GA) does seem to do
> this
> >> >>> for
> >> >>> > us,
> >> >>> > however OpenEJB doesn't at the moment - I don't actually know if
> this
> >> is
> >> >>> > even supposed to work (or even whether its part of any of the JEE
> >> spec -
> >> >>> > I'll have to read up!).
> >> >>> >
> >> >>> I can't help you on this topic (not read this part of the spec).
> >> >>> If you have 10 minutes, here is an interesting article
> >> >>> http://www.javaworld.com/javaworld/jw-02-2007/jw-02-handler.html?page=1
> >> >>>
> >> >>>
> >> >>> Jonathan Gallimore-2 wrote:
> >> >>> >
> >> >>> > I think I should probably have a look at WS-Security - I'd be very
> >> >>> > interested in seeing a sample using OpenEJB/JAX-WS/WS-Security
> if
> >> >>> you're
> >> >>> > putting one together.
> >> >>> >
> >> >>>
> >> >>> OK, I've done some tests since yesterday morning. But, the way
> OpenEJB
> >> >>> publishes EJB as web services does not allow configuring
> ws-security.
> >> >>>
> >> >>> When using CXF + WS-Security, it's quite simple: add a WSS4J
> >> InInterceptor
> >> >>> and a WSS4J OutInterceptor giving them a set of properties.
> >> Interceptors
> >> >>> can
> >> >>> be configured using both a Spring application context or CXF
> >> annotations
> >> >>> (@InInterceptors @OutInterceptor).
> >> >>>
> >> >>> At a JAX-WS point of view we only have handlers (soap handlers and
> >> logical
> >> >>> handlers) so I have to spend some more time to look if we can manage
> >> >>> WS-Security using handlers.
> >> >>>
> >> >>> More coming soon ;-)
> >> >>>
> >> >>> Kind regards,
> >> >>> Jean-Louis
> >> >>>
> >> >>>
> >> >>>
> >> >>>
> >> >>> --
> >> >>> View this message in context:
> >> >>> http://www.nabble.com/Securing-a-webservice-tp22089576p22116953.html
> >> >>> Sent from the OpenEJB User mailing list archive at Nabble.com.
> >> >>>
> >> >>>
> >> >>
> >> >
> >>
> >
>

Re: Securing a webservice

Posted by "Daniel S. Haischt" <da...@googlemail.com>.
Just out of curiosity - Did you try to use a password digest/hash
instead? Using a nonce might be interesting as well (nonce is an
effective countermeasure against replay attacks). If you use SoapUI as
a WS client you could easily generate most of these WSS header
elements for testing purposes.

Cheers
Daniel

On Sat, Feb 28, 2009 at 9:51 PM, Jonathan Gallimore
<jo...@gmail.com> wrote:
> Yep. Here's the soap request captured by tcpmon:
>
> POST /CalculatorImpl HTTP/1.1
> Content-Type: text/xml; charset=UTF-8
> SOAPAction: ""
> Accept: *
> Cache-Control: no-cache
> Pragma: no-cache
> User-Agent: Java/1.6.0_11
> Host: 127.0.0.1:42040
> Connection: keep-alive
> Transfer-Encoding: chunked
>
> 2ce
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> <soap:Header>
> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
> <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-47889642">
> <wsse:Username>jane</wsse:Username>
> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">waterfall</wsse:Password>
> </wsse:UsernameToken>
> </wsse:Security>
> </soap:Header>
> <soap:Body>
> <ns1:sum xmlns:ns1="http://superbiz.org/wsdl"><arg0>4</arg0><arg1>6</arg1></ns1:sum>
> </soap:Body>
> </soap:Envelope>
>
> Jon
>
> On Sat, Feb 28, 2009 at 6:42 PM, Daniel S. Haischt <
> daniel.haischt@googlemail.com> wrote:
>
>> Are you using the username token profile ?
>>
>> On Sat, Feb 28, 2009 at 7:31 PM, Jonathan Gallimore
>> <jo...@gmail.com> wrote:
>> > I spent a bit more time looking at this - and added a bit more code. I
>> > noticed that the Jaxb tree for openejb-jar.xml has some webservice
>> security
>> > attributes that we aren't using, but I think Geronimo is. I've added
>> support
>> > that does simple username/password authentication using basic http
>> > mechanism, and an interceptor to do username/password auth using
>> WS-Security
>> > headers.
>> >
>> > I've uploaded a patch to
>> > http://people.apache.org/~jgallimore/webservices.diff. I'd be grateful for
>> > anyone's thoughts. It's pretty basic at the moment, but I think it would
>> be
>> > nice if this could go into OpenEJB - if others agree, I'd like to open a
>> > JIRA and do some more work on it.
>> >
>> > I've copied this to the dev@ list too in case anyone who might be
>> interested
>> > missed it, hope that's ok.
>> >
>> > Cheers
>> >
>> > Jon
>> >
>> > On Fri, Feb 20, 2009 at 1:06 PM, Jonathan Gallimore <
>> > jonathan.gallimore@gmail.com> wrote:
>> >
>> >> Hi Jean-Louis,
>> >>
>> >> Many thanks for your detailed reply and the link to the article. I'll be
>> >> having a good look at this over the weekend. I had initially thought
>> just
>> >> applying basic auth was all there was to it, which is probably a bit
>> naive
>> >> of me!
>> >>
>> >> I think it would be worthwhile working out whether there's some samples
>> >> (and maybe some enhancements) we could add to OpenEJB in this regard -
>> I'm
>> >> sure others would find it useful too.
>> >>
>> >> Cheers,
>> >> Jon
>> >>
>> >>
>> >> On Fri, Feb 20, 2009 at 8:49 AM, Jean-Louis MONTEIRO <
>> >> jean-louis.monteiro@atosorigin.com> wrote:
>> >>
>> >>>
>> >>> Jonathan,
>> >>>
>> >>> Here are some inputs.
>> >>>
>> >>>
>> >>> Jonathan Gallimore-2 wrote:
>> >>> >
>> >>> > Obviously I think it would be great if the standalone and embedded
>> >>> servers
>> >>> > which use their own HTTP listener could accept credentials via basic
>> >>> > authentication, meanwhile Tomcat could do the authentication for us
>> >>> based
>> >>> > on
>> >>> > however it's been configured (currently it looks like a new
>> >>> StandardContext
>> >>> > is created for each webservice, and there is code to setup
>> >>> authentication,
>> >>> > but WsService.authMethod was always null when I debugged it, causing
>> no
>> >>> > authentication to be applied, and I couldn't see how it could be set
>> >>> > otherwise), and the user and role principals could be passed through
>> >>> from
>> >>> > Tomcat to the relevant EJB container.
>> >>> >
>> >>> Definitively! (nice to have ;-)).
>> >>> Doing basic authentication (without ws-security) seems to be possible
>> >>> using
>> >>> JAX-WS handlers.
>> >>>
>> >>>
>> >>> Jonathan Gallimore-2 wrote:
>> >>> >
>> >>> > To give a bit more background on how this has come about - my
>> colleague
>> >>> at
>> >>> > work has been working on some functionality as an EJB, and felt it
>> would
>> >>> > be
>> >>> > nice to have it available as a webservice - and adding the
>> @WebService
>> >>> > annotation to the EJB seemed to be a nice idea, rather than creating
>> a
>> >>> > webservice as a separate class that just delegates through to the EJB
>> as
>> >>> > you
>> >>> > describe -
>> >>> >
>> >>> I was probably not so clear.
>> >>> It seems to me, from an architecture point of view, it's better to use
>> web
>> >>> services as facades. They are personal concerns you know ;-)
>> >>> Never mind, I had in mind an EJB Web Service (@stateless + @webservice)
>> >>> which delegates to other business EJB and it works fine with OpenEJB
>> for
>> >>> simple cases.
>> >>>
>> >>>
>> >>> Jonathan Gallimore-2 wrote:
>> >>> >
>> >>> > and we hoped the container would handle the authentication for
>> >>> > us. When configured correctly, JBoss (4.2.2.GA) does seem to do this
>> >>> for
>> >>> > us,
>> >>> > however OpenEJB doesn't at the moment - I don't actually know if this
>> is
>> >>> > even supposed to work (or even whether its part of any of the JEE
>> spec -
>> >>> > I'll have to read up!).
>> >>> >
>> >>> I can't help you on this topic (not read this part of the spec).
>> >>> If you have 10 minutes, here is an interesting article
>> >>> http://www.javaworld.com/javaworld/jw-02-2007/jw-02-handler.html?page=1
>> >>>
>> >>>
>> >>> Jonathan Gallimore-2 wrote:
>> >>> >
>> >>> > I think I should probably have a look at WS-Security - I'd be very
>> >>> > interested in seeing a sample using OpenEJB/JAX-WS/WS-Security if
>> >>> you're
>> >>> > putting one together.
>> >>> >
>> >>>
>> >>> OK, I've done some tests since yesterday morning. But, the way OpenEJB
>> >>> publishes EJB as web services does not allow configuring ws-security.
>> >>>
>> >>> When using CXF + WS-Security, it's quite simple: add a WSS4J
>> InInterceptor
>> >>> and a WSS4J OutInterceptor giving them a set of properties.
>> Interceptors
>> >>> can
>> >>> be configured using both a Spring application context or CXF
>> annotations
>> >>> (@InInterceptors @OutInterceptor).
>> >>>
>> >>> At a JAX-WS point of view we only have handlers (soap handlers and
>> logical
>> >>> handlers) so I have to spend some more time to look if we can manage
>> >>> WS-Security using handlers.
>> >>>
>> >>> More coming soon ;-)
>> >>>
>> >>> Kind regards,
>> >>> Jean-Louis
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> --
>> >>> View this message in context:
>> >>> http://www.nabble.com/Securing-a-webservice-tp22089576p22116953.html
>> >>> Sent from the OpenEJB User mailing list archive at Nabble.com.
>> >>>
>> >>>
>> >>
>> >
>>
>

Re: Securing a webservice

Posted by Jonathan Gallimore <jo...@gmail.com>.
Yep. Here's the soap request captured by tcpmon:

POST /CalculatorImpl HTTP/1.1
Content-Type: text/xml; charset=UTF-8
SOAPAction: ""
Accept: *
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.6.0_11
Host: 127.0.0.1:42040
Connection: keep-alive
Transfer-Encoding: chunked

2ce
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-47889642">
<wsse:Username>jane</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">waterfall</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
<soap:Body>
<ns1:sum xmlns:ns1="http://superbiz.org/wsdl"><arg0>4</arg0><arg1>6</arg1></ns1:sum>
</soap:Body>
</soap:Envelope>

Jon

On Sat, Feb 28, 2009 at 6:42 PM, Daniel S. Haischt <
daniel.haischt@googlemail.com> wrote:

> Are you using the username token profile ?
>
> On Sat, Feb 28, 2009 at 7:31 PM, Jonathan Gallimore
> <jo...@gmail.com> wrote:
> > I spent a bit more time looking at this - and added a bit more code. I
> > noticed that the Jaxb tree for openejb-jar.xml has some webservice
> security
> > attributes that we aren't using, but I think Geronimo is. I've added
> support
> > that does simple username/password authentication using basic http
> > mechanism, and an interceptor to do username/password auth using
> WS-Security
> > headers.
> >
> > I've uploaded a patch to
> > http://people.apache.org/~jgallimore/webservices.diff. I'd be grateful for
> > anyone's thoughts. It's pretty basic at the moment, but I think it would
> be
> > nice if this could go into OpenEJB - if others agree, I'd like to open a
> > JIRA and do some more work on it.
> >
> > I've copied this to the dev@ list too in case anyone who might be
> interested
> > missed it, hope that's ok.
> >
> > Cheers
> >
> > Jon
> >
> > On Fri, Feb 20, 2009 at 1:06 PM, Jonathan Gallimore <
> > jonathan.gallimore@gmail.com> wrote:
> >
> >> Hi Jean-Louis,
> >>
> >> Many thanks for your detailed reply and the link to the article. I'll be
> >> having a good look at this over the weekend. I had initially thought
> just
> >> applying basic auth was all there was to it, which is probably a bit
> naive
> >> of me!
> >>
> >> I think it would be worthwhile working out whether there's some samples
> >> (and maybe some enhancements) we could add to OpenEJB in this regard -
> I'm
> >> sure others would find it useful too.
> >>
> >> Cheers,
> >> Jon
> >>
> >>
> >> On Fri, Feb 20, 2009 at 8:49 AM, Jean-Louis MONTEIRO <
> >> jean-louis.monteiro@atosorigin.com> wrote:
> >>
> >>>
> >>> Jonathan,
> >>>
> >>> Here are some inputs.
> >>>
> >>>
> >>> Jonathan Gallimore-2 wrote:
> >>> >
> >>> > Obviously I think it would be great if the standalone and embedded
> >>> servers
> >>> > which use their own HTTP listener could accept credentials via basic
> >>> > authentication, meanwhile Tomcat could do the authentication for us
> >>> based
> >>> > on
> >>> > however it's been configured (currently it looks like a new
> >>> StandardContext
> >>> > is created for each webservice, and there is code to setup
> >>> authentication,
> >>> > but WsService.authMethod was always null when I debugged it, causing
> no
> >>> > authentication to be applied, and I couldn't see how it could be set
> >>> > otherwise), and the user and role principals could be passed through
> >>> from
> >>> > Tomcat to the relevant EJB container.
> >>> >
> >>> Definitively! (nice to have ;-)).
> >>> Doing basic authentication (without ws-security) seems to be possible
> >>> using
> >>> JAX-WS handlers.
> >>>
> >>>
> >>> Jonathan Gallimore-2 wrote:
> >>> >
> >>> > To give a bit more background on how this has come about - my
> colleague
> >>> at
> >>> > work has been working on some functionality as an EJB, and felt it
> would
> >>> > be
> >>> > nice to have it available as a webservice - and adding the
> @WebService
> >>> > annotation to the EJB seemed to be a nice idea, rather than creating
> a
> >>> > webservice as a separate class that just delegates through to the EJB
> as
> >>> > you
> >>> > describe -
> >>> >
> >>> I was probably not so clear.
> >>> It seems to me, from an architecture point of view, it's better to use
> web
> >>> services as facades. They are personal concerns you know ;-)
> >>> Never mind, I had in mind an EJB Web Service (@stateless + @webservice)
> >>> which delegates to other business EJB and it works fine with OpenEJB
> for
> >>> simple cases.
> >>>
> >>>
> >>> Jonathan Gallimore-2 wrote:
> >>> >
> >>> > and we hoped the container would handle the authentication for
> >>> > us. When configured correctly, JBoss (4.2.2.GA) does seem to do this
> >>> for
> >>> > us,
> >>> > however OpenEJB doesn't at the moment - I don't actually know if this
> is
> >>> > even supposed to work (or even whether its part of any of the JEE
> spec -
> >>> > I'll have to read up!).
> >>> >
> >>> I can't help you on this topic (not read this part of the spec).
> >>> If you have 10 minutes, here is an interesting article
> >>> http://www.javaworld.com/javaworld/jw-02-2007/jw-02-handler.html?page=1
> >>>
> >>>
> >>> Jonathan Gallimore-2 wrote:
> >>> >
> >>> > I think I should probably have a look at WS-Security - I'd be very
> >>> > interested in seeing a sample using OpenEJB/JAX-WS/WS-Security if
> >>> you're
> >>> > putting one together.
> >>> >
> >>>
> >>> OK, I've done some tests since yesterday morning. But, the way OpenEJB
> >>> publishes EJB as web services does not allow configuring ws-security.
> >>>
> >>> When using CXF + WS-Security, it's quite simple: add a WSS4J
> InInterceptor
> >>> and a WSS4J OutInterceptor giving them a set of properties.
> Interceptors
> >>> can
> >>> be configured using both a Spring application context or CXF
> annotations
> >>> (@InInterceptors @OutInterceptor).
> >>>
> >>> At a JAX-WS point of view we only have handlers (soap handlers and
> logical
> >>> handlers) so I have to spend some more time to look if we can manage
> >>> WS-Security using handlers.
> >>>
> >>> More coming soon ;-)
> >>>
> >>> Kind regards,
> >>> Jean-Louis
> >>>
> >>>
> >>>
> >>>
> >>> --
> >>> View this message in context:
> >>> http://www.nabble.com/Securing-a-webservice-tp22089576p22116953.html
> >>> Sent from the OpenEJB User mailing list archive at Nabble.com.
> >>>
> >>>
> >>
> >
>
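
The request captured above carries a UsernameToken whose password is sent as PasswordText, and Daniel's reply asks about the PasswordDigest form with a nonce instead. The following Python script is an added example, not code from this thread and not OpenEJB or CXF code: it builds both kinds of token around the same sum(4, 6) body, parses them back out as a receiving endpoint would, and for a digest token recomputes Base64(SHA-1(nonce + created + password)) as the Username Token Profile 1.0 defines it, checks the Created timestamp against a freshness window and refuses a nonce it has already seen, so that a message copied off the wire cannot just be sent again. The namespace URIs are the ones visible in the capture plus the Base64Binary encoding type from WSS SOAP Message Security 1.0; USERS, build_envelope, parse_username_token, UsernameTokenVerifier and demo are names chosen for this example, and jane/waterfall is reused as a constructed test user. It needs Python 3.7 or later for datetime.fromisoformat.

```python
"""WS-Security UsernameToken (PasswordText / PasswordDigest) with a replay check.
Constructed example, not OpenEJB/CXF code; jane/waterfall is the thread's own test user."""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT, PASSWORD_DIGEST = UTP + "#PasswordText", UTP + "#PasswordDigest"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
USERS = {"jane": "waterfall"}  # constructed user store (assumption of this example)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Username Token Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_envelope(username, password, digest=False, nonce=None, created=None):
    """Client side: the thread's sum(4, 6) call wrapped with a UsernameToken header."""
    if digest:
        nonce = nonce or os.urandom(16)
        created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        pw_type, pw_value = PASSWORD_DIGEST, password_digest(nonce, created, password)
        extra = (f'<wsse:Nonce EncodingType="{B64}">{base64.b64encode(nonce).decode()}</wsse:Nonce>'
                 f"<wsu:Created>{created}</wsu:Created>")
    else:  # PasswordText: the password travels as-is, exactly as in the capture above
        pw_type, pw_value, extra = PASSWORD_TEXT, escape(password), ""
    return (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE}" soap:mustUnderstand="1">'
            f'<wsse:UsernameToken xmlns:wsu="{WSU}" wsu:Id="UsernameToken-1">'
            f"<wsse:Username>{escape(username)}</wsse:Username>"
            f'<wsse:Password Type="{pw_type}">{pw_value}</wsse:Password>{extra}'
            "</wsse:UsernameToken></wsse:Security></soap:Header><soap:Body>"
            '<ns1:sum xmlns:ns1="http://superbiz.org/wsdl"><arg0>4</arg0><arg1>6</arg1></ns1:sum>'
            "</soap:Body></soap:Envelope>")


def parse_username_token(envelope: str) -> dict:
    """Server side: pull the UsernameToken fields out of the SOAP header."""
    token = ET.fromstring(envelope).find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        raise ValueError("no wsse:UsernameToken in the SOAP header")
    pw, nonce = token.find(f"{{{WSSE}}}Password"), token.findtext(f"{{{WSSE}}}Nonce")
    return {"username": token.findtext(f"{{{WSSE}}}Username"),
            "password": None if pw is None else (pw.text or ""),
            "type": None if pw is None else pw.get("Type", PASSWORD_TEXT),  # profile default
            "nonce": None if nonce is None else base64.b64decode(nonce),
            "created": token.findtext(f"{{{WSU}}}Created")}


class UsernameTokenVerifier:
    """Checks a token against the user store; digest tokens also get freshness and replay checks."""

    def __init__(self, users, clock=None, max_skew=300):
        self.users = users
        self.clock = clock or (lambda: datetime.now(timezone.utc).timestamp())
        self.max_skew = max_skew  # seconds a Created timestamp may differ from our clock
        self.seen = {}            # nonce -> time after which it can be forgotten

    def verify(self, envelope: str) -> str:
        tok = parse_username_token(envelope)
        secret = self.users.get(tok["username"])
        if secret is None or tok["password"] is None:
            raise PermissionError("unknown user or missing password")
        if tok["type"] == PASSWORD_TEXT:
            if not hmac.compare_digest(tok["password"].encode(), secret.encode()):
                raise PermissionError("bad password")
            return tok["username"]
        if tok["type"] != PASSWORD_DIGEST or tok["nonce"] is None or tok["created"] is None:
            raise PermissionError("PasswordDigest with Nonce and Created required")
        created = datetime.fromisoformat(tok["created"].replace("Z", "+00:00")).timestamp()
        now = self.clock()
        if abs(now - created) > self.max_skew:
            raise PermissionError("Created is outside the freshness window")
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}  # drop stale nonces
        if tok["nonce"] in self.seen:
            raise PermissionError("replayed nonce")
        expected = password_digest(tok["nonce"], tok["created"], secret)
        if not hmac.compare_digest(tok["password"].encode(), expected.encode()):
            raise PermissionError("bad digest")
        self.seen[tok["nonce"]] = now + 2 * self.max_skew  # keep while a replay could still look fresh
        return tok["username"]


def demo(now: float) -> dict:
    """Digest login, a replay of the very same message, then a PasswordText login, at a fixed clock."""
    verifier = UsernameTokenVerifier(USERS, clock=lambda: now)
    created = datetime.fromtimestamp(now, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    msg = build_envelope("jane", "waterfall", digest=True, nonce=b"0123456789abcdef", created=created)
    results = {"digest": verifier.verify(msg)}
    try:
        verifier.verify(msg)  # the captured message sent a second time
        results["replay"] = "accepted"
    except PermissionError as err:
        results["replay"] = str(err)
    results["text"] = verifier.verify(build_envelope("jane", "waterfall"))
    return results
```

The PasswordText path is kept only for comparison: it accepts whatever password arrives, so a capture like the one above contains the credential itself and the transport has to protect it. The digest path gives up nothing to a passive reader and, with the Created window and the nonce memory, turns a replayed message into a rejected one; its cost is that the server must be able to recompute the hash, so it needs the clear password (or an equivalent) rather than a salted password hash.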

Re: Securing a webservice

Posted by "Daniel S. Haischt" <da...@googlemail.com>.
Are you using the username token profile ?

On Sat, Feb 28, 2009 at 7:31 PM, Jonathan Gallimore
<jo...@gmail.com> wrote:
> I spent a bit more time looking at this - and added a bit more code. I
> noticed that the Jaxb tree for openejb-jar.xml has some webservice security
> attributes that we aren't using, but I think Geronimo is. I've added support
> that does simple username/password authentication using basic http
> mechanism, and an interceptor to do username/password auth using WS-Security
> headers.
>
> I've uploaded a patch to
> http://people.apache.org/~jgallimore/webservices.diff. I'd be grateful for
> anyone's thoughts. It's pretty basic at the moment, but I think it would be
> nice if this could go into OpenEJB - if others agree, I'd like to open a
> JIRA and do some more work on it.
>
> I've copied this to the dev@ list too in case anyone who might be interested
> missed it, hope that's ok.
>
> Cheers
>
> Jon
>
> On Fri, Feb 20, 2009 at 1:06 PM, Jonathan Gallimore <
> jonathan.gallimore@gmail.com> wrote:
>
>> Hi Jean-Louis,
>>
>> Many thanks for your detailed reply and the link to the article. I'll be
>> having a good look at this over the weekend. I had initially thought just
>> applying basic auth was all there was to it, which is probably a bit naive
>> of me!
>>
>> I think it would be worthwhile working out whether there's some samples
>> (and maybe some enhancements) we could add to OpenEJB in this regard - I'm
>> sure others would find it useful too.
>>
>> Cheers,
>> Jon
>>
>>
>> On Fri, Feb 20, 2009 at 8:49 AM, Jean-Louis MONTEIRO <
>> jean-louis.monteiro@atosorigin.com> wrote:
>>
>>>
>>> Jonathan,
>>>
>>> Here are some inputs.
>>>
>>>
>>> Jonathan Gallimore-2 wrote:
>>> >
>>> > Obviously I think it would be great if the standalone and embedded
>>> servers
>>> > which use their own HTTP listener could accept credentials via basic
>>> > authentication, meanwhile Tomcat could do the authentication for us
>>> based
>>> > on
>>> > however it's been configured (currently it looks like a new
>>> StandardContext
>>> > is created for each webservice, and there is code to setup
>>> authentication,
>>> > but WsService.authMethod was always null when I debugged it, causing no
>>> > authentication to be applied, and I couldn't see how it could be set
>>> > otherwise), and the user and role principals could be passed through
>>> from
>>> > Tomcat to the relevant EJB container.
>>> >
>>> Definitively! (nice to have ;-)).
>>> Doing basic authentication (without ws-security) seems to be possible
>>> using
>>> JAX-WS handlers.
>>>
>>>
>>> Jonathan Gallimore-2 wrote:
>>> >
>>> > To give a bit more background on how this has come about - my colleague
>>> at
>>> > work has been working on some functionality as an EJB, and felt it would
>>> > be
>>> > nice to have it available as a webservice - and adding the @WebService
>>> > annotation to the EJB seemed to be a nice idea, rather than creating a
>>> > webservice as a separate class that just delegates through to the EJB as
>>> > you
>>> > describe -
>>> >
>>> I was probably not so clear.
>>> It seems to me, from an architecture point of view, it's better to use web
>>> services as facades. They are personal concerns you know ;-)
>>> Never mind, I had in mind an EJB Web Service (@stateless + @webservice)
>>> which delegates to other business EJB and it works fine with OpenEJB for
>>> simple cases.
>>>
>>>
>>> Jonathan Gallimore-2 wrote:
>>> >
>>> > and we hoped the container would handle the authentication for
>>> > us. When configured correctly, JBoss (4.2.2.GA) does seem to do this
>>> for
>>> > us,
>>> > however OpenEJB doesn't at the moment - I don't actually know if this is
>>> > even supposed to work (or even whether its part of any of the JEE spec -
>>> > I'll have to read up!).
>>> >
>>> I can't help you on this topic (not read this part of the spec).
>>> If you have 10 minutes, here is an interesting article
>>> http://www.javaworld.com/javaworld/jw-02-2007/jw-02-handler.html?page=1
>>>
>>>
>>> Jonathan Gallimore-2 wrote:
>>> >
>>> > I think I should probably have a look at WS-Security - I'd be very
>>> > interested in seeing a sample using OpenEJB/JAX-WS/WS-Security if
>>> you're
>>> > putting one together.
>>> >
>>>
>>> OK, I've done some tests since yesterday morning. But, the way OpenEJB
>>> publishes EJB as web services does not allow configuring ws-security.
>>>
>>> When using CXF + WS-Security, it's quite simple: add a WSS4J InInterceptor
>>> and a WSS4J OutInterceptor giving them a set of properties. Interceptors
>>> can
>>> be configured using either a Spring application context or CXF annotations
>>> (@InInterceptors @OutInterceptor).
>>>
>>> From a JAX-WS point of view we only have handlers (SOAP handlers and logical
>>> handlers) so I have to spend some more time to look if we can manage
>>> WS-Security using handlers.
>>>
>>> More coming soon ;-)
>>>
>>> Kind regards,
>>> Jean-Louis
>>>
>>>
>>>
>>>
>>> --
>>> View this message in context:
>>> http://www.nabble.com/Securing-a-webservice-tp22089576p22116953.html
>>> Sent from the OpenEJB User mailing list archive at Nabble.com.
>>>
>>>
>>
>

Re: Securing a webservice

Posted by Jonathan Gallimore <jo...@gmail.com>.
I spent a bit more time looking at this - and added a bit more code. I
noticed that the Jaxb tree for openejb-jar.xml has some webservice security
attributes that we aren't using, but I think Geronimo is. I've added support
that does simple username/password authentication using basic http
mechanism, and an interceptor to do username/password auth using WS-Security
headers.

I've uploaded a patch to
http://people.apache.org/~jgallimore/webservices.diff. I'd be grateful for
anyone's thoughts. It's pretty basic at the moment, but I think it would be
nice if this could go into OpenEJB - if others agree, I'd like to open a
JIRA and do some more work on it.

I've copied this to the dev@ list too in case anyone who might be interested
missed it, hope that's ok.

Cheers

Jon

On Fri, Feb 20, 2009 at 1:06 PM, Jonathan Gallimore <
jonathan.gallimore@gmail.com> wrote:

> Hi Jean-Louis,
>
> Many thanks for your detailed reply and the link to the article. I'll be
> having a good look at this over the weekend. I had initially thought just
> applying basic auth was all there was to it, which is probably a bit naive
> of me!
>
> I think it would be worthwhile working out whether there's some samples
> (and maybe some enhancements) we could add to OpenEJB in this regard - I'm
> sure others would find it useful too.
>
> Cheers,
> Jon
>
>
> On Fri, Feb 20, 2009 at 8:49 AM, Jean-Louis MONTEIRO <
> jean-louis.monteiro@atosorigin.com> wrote:
>
>>
>> Jonathan,
>>
>> Here are some inputs.
>>
>>
>> Jonathan Gallimore-2 wrote:
>> >
>> > Obviously I think it would be great if the standalone and embedded
>> servers
>> > which use their own HTTP listener could accept credentials via basic
>> > authentication, meanwhile Tomcat could do the authentication for us
>> based
>> > on
>> > however it's been configured (currently it looks like a new
>> StandardContext
>> > is created for each webservice, and there is code to setup
>> authentication,
>> > but WsService.authMethod was always null when I debugged it, causing no
>> > authentication to be applied, and I couldn't see how it could be set
>> > otherwise), and the user and role principals could be passed through
>> from
>> > Tomcat to the relevant EJB container.
>> >
>> Definitively! (nice to have ;-)).
>> Doing basic authentication (without ws-security) seems to be possible
>> using
>> JAX-WS handlers.
>>
>>
>> Jonathan Gallimore-2 wrote:
>> >
>> > To give a bit more background on how this has come about - my colleague
>> at
>> > work has been working on some functionality as an EJB, and felt it would
>> > be
>> > nice to have it available as a webservice - and adding the @WebService
>> > annotation to the EJB seemed to be a nice idea, rather than creating a
>> > webservice as a separate class that just delegates through to the EJB as
>> > you
>> > describe -
>> >
>> I was probably not so clear.
>> It seems to me, from an architecture point of view, it's better to use web
>> services as facades. They are personal concerns you know ;-)
>> Never mind, I had in mind an EJB Web Service (@stateless + @webservice)
>> which delegates to other business EJB and it works fine with OpenEJB for
>> simple cases.
>>
>>
>> Jonathan Gallimore-2 wrote:
>> >
>> > and we hoped the container would handle the authentication for
>> > us. When configured correctly, JBoss (4.2.2.GA) does seem to do this
>> for
>> > us,
>> > however OpenEJB doesn't at the moment - I don't actually know if this is
>> > even supposed to work (or even whether its part of any of the JEE spec -
>> > I'll have to read up!).
>> >
>> I can't help you on this topic (not read this part of the spec).
>> If you have 10 minutes, here is an interesting article
>> http://www.javaworld.com/javaworld/jw-02-2007/jw-02-handler.html?page=1
>>
>>
>> Jonathan Gallimore-2 wrote:
>> >
>> > I think I should probably have a look at WS-Security - I'd be very
>> > interested in seeing a sample using OpenEJB/JAX-WS/WS-Security if
>> you're
>> > putting one together.
>> >
>>
>> OK, I've done some tests since yesterday morning. But, the way OpenEJB
>> publishes EJB as web services does not allow configuring ws-security.
>>
>> When using CXF + WS-Security, it's quite simple: add a WSS4J InInterceptor
>> and a WSS4J OutInterceptor giving them a set of properties. Interceptors
>> can
>> be configured using either a Spring application context or CXF annotations
>> (@InInterceptors @OutInterceptor).
>>
>> From a JAX-WS point of view we only have handlers (SOAP handlers and logical
>> handlers) so I have to spend some more time to look if we can manage
>> WS-Security using handlers.
>>
>> More coming soon ;-)
>>
>> Kind regards,
>> Jean-Louis
>>
>>
>>
>>
>> --
>> View this message in context:
>> http://www.nabble.com/Securing-a-webservice-tp22089576p22116953.html
>> Sent from the OpenEJB User mailing list archive at Nabble.com.
>>
>>
>
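Jon's post above says his patch adds username/password authentication over HTTP Basic for the web service endpoints, and Jean-Louis's reply (quoted in it) says Basic authentication without WS-Security looks possible with JAX-WS handlers. What follows is an added example of that handler approach; it is not code from the thread, from Jon's patch or from OpenEJB. It assumes JAX-WS 2.x (`javax.*` packages) and Java 8 or later for `java.util.Base64`; the package, class name, user store and context property name are this example's own inventions.

```java
// Added example (not code from this thread, OpenEJB or CXF): a JAX-WS SOAPHandler that
// checks the HTTP Basic credentials a client sets via BindingProvider.USERNAME_PROPERTY
// and PASSWORD_PROPERTY. Assumes JAX-WS 2.x (javax.* packages) and Java 8+ for
// java.util.Base64; the package, class and property names are this example's own.
package example;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPFactory;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;
import javax.xml.ws.soap.SOAPFaultException;

public class BasicAuthHandler implements SOAPHandler<SOAPMessageContext> {
    /** Context property under which the endpoint can read the authenticated user name. */
    public static final String AUTH_USER = "example.auth.user";
    // Constructed user store for the example only; a real handler would consult the
    // container's security service, which is the login that @RolesAllowed actually needs.
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static { USERS.put("jane", "waterfall"); }

    public boolean handleMessage(SOAPMessageContext ctx) {
        if (Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) {
            return true; // responses pass through
        }
        @SuppressWarnings("unchecked")
        Map<String, List<String>> headers =
                (Map<String, List<String>>) ctx.get(MessageContext.HTTP_REQUEST_HEADERS);
        String[] creds = parseBasic(headerValue(headers, "Authorization"));
        if (creds == null || !passwordMatches(creds[0], creds[1])) {
            throw unauthorized(ctx);
        }
        // Expose the user to the endpoint (WebServiceContext.getMessageContext().get(AUTH_USER)).
        ctx.put(AUTH_USER, creds[0]);
        ctx.setScope(AUTH_USER, MessageContext.Scope.APPLICATION);
        return true;
    }

    /** Case-insensitive lookup: JAX-WS runtimes differ in how they key the header map. */
    static String headerValue(Map<String, List<String>> headers, String name) {
        if (headers == null) return null;
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            if (name.equalsIgnoreCase(e.getKey()) && e.getValue() != null && !e.getValue().isEmpty()) {
                return e.getValue().get(0);
            }
        }
        return null;
    }

    /** Returns {user, password} from a "Basic <base64>" value, or null if absent or malformed. */
    static String[] parseBasic(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(authorization.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformed) {
            return null;
        }
        // Split on the first colon only: RFC 7617 lets the password itself contain ':',
        // which a split(":") with a length == 2 check would wrongly reject.
        int colon = decoded.indexOf(':');
        if (colon < 1) return null;
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    /** Constant-time comparison: a wrong password costs the same as a right one. */
    static boolean passwordMatches(String user, String password) {
        String expected = USERS.get(user);
        return expected != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), password.getBytes(StandardCharsets.UTF_8));
    }

    /** 401 plus a WWW-Authenticate challenge, raised as a SOAP client fault. */
    private static SOAPFaultException unauthorized(SOAPMessageContext ctx) {
        ctx.put(MessageContext.HTTP_RESPONSE_CODE, 401);
        Map<String, List<String>> resp = new HashMap<String, List<String>>();
        resp.put("WWW-Authenticate", Collections.singletonList("Basic realm=\"CalculatorWs\""));
        ctx.put(MessageContext.HTTP_RESPONSE_HEADERS, resp);
        try {
            return new SOAPFaultException(SOAPFactory.newInstance().createFault("Authentication required",
                    new QName("http://schemas.xmlsoap.org/soap/envelope/", "Client")));
        } catch (SOAPException e) {
            throw new IllegalStateException(e);
        }
    }

    public boolean handleFault(SOAPMessageContext ctx) { return true; }
    public void close(MessageContext ctx) { }
    public Set<QName> getHeaders() { return Collections.emptySet(); }
}
```

Attach it with `@HandlerChain(file = "handlers.xml")` on the `@WebService` class, the file naming `example.BasicAuthHandler`. Two caveats a reviewer would raise: a handler that authenticates on its own does not log the caller into the EJB container, so `@RolesAllowed` on the bean still sees an anonymous caller unless the container itself performs the login, which is what Jon's patch sets out to add; and Basic credentials are only base64, so the endpoint has to sit behind TLS. Whether the runtime keeps the 401 status when a handler raises a fault also differs between JAX-WS stacks, so verify that against the actual container.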

Re: Securing a webservice

Posted by Jonathan Gallimore <jo...@gmail.com>.
I spent a bit more time looking at this - and added a bit more code. I
noticed that the Jaxb tree for openejb-jar.xml has some webservice security
attributes that we aren't using, but I think Geronimo is. I've added support
that does simple username/password authentication using basic http
mechanism, and an interceptor to do username/password auth using WS-Security
headers.

I've uploaded a patch to
http://people.apache.org/~jgallimore/webservices.diff. I be grateful on
anyone's thoughts. Its pretty basic at the moment, but I think it would be
nice if this could go into OpenEJB - if others agree, I'd like to open a
JIRA and do some more work on it.

I've copied this to the dev@ list too in case anyone who might be interested
missed it, hope that's ok.

Cheers

Jon

On Fri, Feb 20, 2009 at 1:06 PM, Jonathan Gallimore <
jonathan.gallimore@gmail.com> wrote:

> Hi Jean-Louis,
>
> Many thanks for your detailed reply and the link to the article. I'll be
> having a good look at this over the weekend. I had initially thought just
> applying basic auth was all there was to it, which is probably a bit naive
> of me!
>
> I think it would be worthwhile working out whether there's some samples
> (and maybe some enhancements) we could add to OpenEJB in this regard - I'm
> sure others would find it useful too.
>
> Cheers,
> Jon
>
>
> On Fri, Feb 20, 2009 at 8:49 AM, Jean-Louis MONTEIRO <
> jean-louis.monteiro@atosorigin.com> wrote:
>
>>
>> Jonathan,
>>
>> Here are some inputs.
>>
>>
>> Jonathan Gallimore-2 wrote:
>> >
>> > Obviously I think it would be great if the standalone and embedded
>> servers
>> > which use their own HTTP listener could accept credentials via basic
>> > authentication, meanwhile Tomcat could do the authentication for us
>> based
>> > on
>> > however its been configured (currently it looks like a new
>> StandardContext
>> > is created for each webservice, and there is code to setup
>> authentication,
>> > but WsService.authMethod was always null when I debugged it, causing no
>> > authentication to be applied, and I couldn't see how it could be set
>> > otherwise), and the user and role principals could be passed through
>> from
>> > Tomcat to the relevant EJB container.
>> >
>> Definitively! (nice to have ;-)).
>> Doing basic authentication (without ws-security) seems to be possible
>> using
>> JAX-WS handlers.
>>
>>
>> Jonathan Gallimore-2 wrote:
>> >
>> > To give a bit more background on how this has come about - my colleague
>> at
>> > work has been working on some functionality as an EJB, and felt it would
>> > be
>> > nice to have it available as a webservice - and adding the @WebService
>> > annotation to the EJB seemed to be a nice idea, rather then creating a
>> > webservice as a separate class that just delegates through to the EJB as
>> > you
>> > describe -
>> >
>> I was probably not so clear.
>> It seems to me, from an architecture point of view, it's better to use web
>> services as facades. They are personal concerns you know ;-)
>> Never mind, I had in mind an EJB Web Service (@stateless + @webservice)
>> which delegates to other business EJB and it works fine with OpenEJB for
>> simple cases.
>>
>>
>> Jonathan Gallimore-2 wrote:
>> >
>> > and we hoped the container would handle the authentication for
>> > us. When configured correctly, JBoss (4.2.2.GA) does seem to do this
>> for
>> > us,
>> > however OpenEJB doesn't at the moment - I don't actually know if this is
>> > even supposed to work (or even whether its part of any of the JEE spec -
>> > I'll have to read up!).
>> >
>> I can't help you on this topic (not read this part of the spec).
>> If you have 10 minutes, here is an interesting article
>> http://www.javaworld.com/javaworld/jw-02-2007/jw-02-handler.html?page=1
>> http://www.javaworld.com/javaworld/jw-02-2007/jw-02-handler.html?page=1
>>
>>
>> Jonathan Gallimore-2 wrote:
>> >
>> > I think I should probably have a look at WS-Security - I'd be very
>> > interested in a seeing a sample using OpenEJB/JAX-WS/WS-Security if
>> you're
>> > putting one together.
>> >
>>
>> OK, I've done some tests since yesterday morning. But, the way OpenEJB
>> publishes EJB as web services does not allow configuring ws-security.
>>
>> When using CXF + WS-Security, it's quite simple: add a WSS4J InInterceptor
>> and a WSS4J OutInterceptor giving them a set of properties. Interceptors
>> can
>> be configured using both a Spring application context or CXF annotations
>> (@InInterceptors @OutInterceptor).
>>
>> At a JAX-WS point of view we only have handlers (soap handlers and logical
>> handlers) so I have to spend some more time to look if we can manage
>> WS-Security using handlers.
>>
>> More coming soon ;-)
>>
>> Kind regards,
>> Jean-Louis
>>
>>
>>
>>
>> --
>> View this message in context:
>> http://www.nabble.com/Securing-a-webservice-tp22089576p22116953.html
>> Sent from the OpenEJB User mailing list archive at Nabble.com.
>>
>>
>

Re: Securing a webservice

Posted by Jonathan Gallimore <jo...@gmail.com>.
Hi Jean-Louis,

Many thanks for your detailed reply and the link to the article. I'll be
having a good look at this over the weekend. I had initially thought just
applying basic auth was all there was to it, which is probably a bit naive
of me!

I think it would be worthwhile working out whether there's some samples (and
maybe some enhancements) we could add to OpenEJB in this regard - I'm sure
others would find it useful too.

Cheers,
Jon

On Fri, Feb 20, 2009 at 8:49 AM, Jean-Louis MONTEIRO <
jean-louis.monteiro@atosorigin.com> wrote:

>
> Jonathan,
>
> Here are some inputs.
>
>
> Jonathan Gallimore-2 wrote:
> >
> > Obviously I think it would be great if the standalone and embedded
> servers
> > which use their own HTTP listener could accept credentials via basic
> > authentication, meanwhile Tomcat could do the authentication for us based
> > on
> > however it's been configured (currently it looks like a new
> StandardContext
> > is created for each webservice, and there is code to setup
> authentication,
> > but WsService.authMethod was always null when I debugged it, causing no
> > authentication to be applied, and I couldn't see how it could be set
> > otherwise), and the user and role principals could be passed through from
> > Tomcat to the relevant EJB container.
> >
> Definitively! (nice to have ;-)).
> Doing basic authentication (without ws-security) seems to be possible using
> JAX-WS handlers.
>
>
> Jonathan Gallimore-2 wrote:
> >
> > To give a bit more background on how this has come about - my colleague
> at
> > work has been working on some functionality as an EJB, and felt it would
> > be
> > nice to have it available as a webservice - and adding the @WebService
> > annotation to the EJB seemed to be a nice idea, rather than creating a
> > webservice as a separate class that just delegates through to the EJB as
> > you
> > describe -
> >
> I was probably not so clear.
> It seems to me, from an architecture point of view, it's better to use web
> services as facades. They are personal concerns you know ;-)
> Never mind, I had in mind an EJB Web Service (@stateless + @webservice)
> which delegates to other business EJB and it works fine with OpenEJB for
> simple cases.
>
>
> Jonathan Gallimore-2 wrote:
> >
> > and we hoped the container would handle the authentication for
> > us. When configured correctly, JBoss (4.2.2.GA) does seem to do this for
> > us,
> > however OpenEJB doesn't at the moment - I don't actually know if this is
> > even supposed to work (or even whether its part of any of the JEE spec -
> > I'll have to read up!).
> >
> I can't help you on this topic (not read this part of the spec).
> If you have 10 minutes, here is an interesting article
> http://www.javaworld.com/javaworld/jw-02-2007/jw-02-handler.html?page=1
>
>
> Jonathan Gallimore-2 wrote:
> >
> > I think I should probably have a look at WS-Security - I'd be very
> > interested in seeing a sample using OpenEJB/JAX-WS/WS-Security if
> you're
> > putting one together.
> >
>
> OK, I've done some tests since yesterday morning. But, the way OpenEJB
> publishes EJB as web services does not allow configuring ws-security.
>
> When using CXF + WS-Security, it's quite simple: add a WSS4J InInterceptor
> and a WSS4J OutInterceptor giving them a set of properties. Interceptors
> can
> be configured using either a Spring application context or CXF annotations
> (@InInterceptors @OutInterceptor).
>
> From a JAX-WS point of view we only have handlers (SOAP handlers and logical
> handlers) so I have to spend some more time to look if we can manage
> WS-Security using handlers.
>
> More coming soon ;-)
>
> Kind regards,
> Jean-Louis
>
>
>
>
> --
> View this message in context:
> http://www.nabble.com/Securing-a-webservice-tp22089576p22116953.html
> Sent from the OpenEJB User mailing list archive at Nabble.com.
>
>

Re: Securing a webservice

Posted by Jean-Louis MONTEIRO <je...@atosorigin.com>.
Jonathan,

Here are some inputs.


Jonathan Gallimore-2 wrote:
> 
> Obviously I think it would be great if the standalone and embedded servers
> which use their own HTTP listener could accept credentials via basic
> authentication, meanwhile Tomcat could do the authentication for us based
> on
> however it's been configured (currently it looks like a new StandardContext
> is created for each webservice, and there is code to setup authentication,
> but WsService.authMethod was always null when I debugged it, causing no
> authentication to be applied, and I couldn't see how it could be set
> otherwise), and the user and role principals could be passed through from
> Tomcat to the relevant EJB container.
> 
Definitively! (nice to have ;-)).
Doing basic authentication (without ws-security) seems to be possible using
JAX-WS handlers.


Jonathan Gallimore-2 wrote:
> 
> To give a bit more background on how this has come about - my colleague at
> work has been working on some functionality as an EJB, and felt it would
> be
> nice to have it available as a webservice - and adding the @WebService
> annotation to the EJB seemed to be a nice idea, rather than creating a
> webservice as a separate class that just delegates through to the EJB as
> you
> describe - 
> 
I was probably not so clear. 
It seems to me, from an architecture point of view, it's better to use web
services as facades. They are personal concerns you know ;-) 
Never mind, I had in mind an EJB Web Service (@stateless + @webservice)
which delegates to other business EJB and it works fine with OpenEJB for
simple cases.


Jonathan Gallimore-2 wrote:
> 
> and we hoped the container would handle the authentication for
> us. When configured correctly, JBoss (4.2.2.GA) does seem to do this for
> us,
> however OpenEJB doesn't at the moment - I don't actually know if this is
> even supposed to work (or even whether its part of any of the JEE spec -
> I'll have to read up!).
> 
I can't help you on this topic (not read this part of the spec).
If you have 10 minutes, here is an interesting article
http://www.javaworld.com/javaworld/jw-02-2007/jw-02-handler.html?page=1


Jonathan Gallimore-2 wrote:
> 
> I think I should probably have a look at WS-Security - I'd be very
> interested in seeing a sample using OpenEJB/JAX-WS/WS-Security if you're
> putting one together.
> 

OK, I've done some tests since yesterday morning. But, the way OpenEJB
publishes EJB as web services does not allow configuring ws-security.

When using CXF + WS-Security, it's quite simple: add a WSS4J InInterceptor
and a WSS4J OutInterceptor giving them a set of properties. Interceptors can
be configured using either a Spring application context or CXF annotations
(@InInterceptors @OutInterceptor).

From a JAX-WS point of view we only have handlers (SOAP handlers and logical
handlers) so I have to spend some more time to look if we can manage
WS-Security using handlers.

More coming soon ;-)

Kind regards,
Jean-Louis




-- 
View this message in context: http://www.nabble.com/Securing-a-webservice-tp22089576p22116953.html
Sent from the OpenEJB User mailing list archive at Nabble.com.
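Jean-Louis's message above describes WS-Security on CXF as adding a WSS4J InInterceptor and OutInterceptor and giving them a set of properties. What follows is an added example of that configuration for a WS-Security UsernameToken, with the service side and the client side in one file; it is not code from the thread, from OpenEJB or from CXF. It assumes CXF 2.x with WSS4J 1.5.x or 1.6.x (`org.apache.ws.security.*`; WSS4J 2.x moved the same classes to `org.apache.wss4j.*`), and the service, address, user store and callback classes are this example's own stand-ins.

```java
// Added example (not code from this thread, OpenEJB or CXF): WS-Security UsernameToken
// authentication with WSS4J interceptors, wired programmatically on both the service and
// the client side. Assumes CXF 2.x with WSS4J 1.5.x or 1.6.x (org.apache.ws.security.*;
// WSS4J 2.x moved the same classes to org.apache.wss4j.*). The service, address, user
// store and callback classes are this example's stand-ins.
package example;

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.jws.WebService;
import javax.security.auth.callback.*;
import org.apache.cxf.jaxws.EndpointImpl;
import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

public class UsernameTokenExample {
    @WebService
    public interface CalculatorWs { int sum(int a, int b); }

    @WebService
    public static class CalculatorImpl implements CalculatorWs {
        public int sum(int a, int b) { return a + b; }
    }

    /** Service side: WSS4J asks "what is this user's password?" and verifies the token. */
    public static class ServerPasswordCallback implements CallbackHandler {
        // Constructed user store; a real deployment would ask the container's security service.
        private static final Map<String, String> USERS = new HashMap<String, String>();
        static { USERS.put("jane", "waterfall"); }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                String stored = USERS.get(pc.getIdentifier());
                if (stored == null) throw new IOException("unknown user " + pc.getIdentifier());
                if (pc.getPassword() == null) {
                    // Digest tokens (and every token in WSS4J 1.6+): hand back the stored
                    // password; WSS4J recomputes the digest and compares.
                    pc.setPassword(stored);
                } else if (!stored.equals(pc.getPassword())) {
                    // WSS4J 1.5.x plaintext tokens: the received password is given to us to check.
                    throw new IOException("bad password for " + pc.getIdentifier());
                }
            }
        }
    }

    /** Client side: supplies the password that goes into the outgoing token. */
    public static class ClientPasswordCallback implements CallbackHandler {
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                if ("jane".equals(pc.getIdentifier())) pc.setPassword("waterfall");
            }
        }
    }

    public static WSS4JInInterceptor serverInInterceptor() {
        Map<String, Object> p = new HashMap<String, Object>();
        p.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
        // Digest = Base64(SHA-1(nonce + created + password)): the password never travels in
        // clear and the nonce/timestamp limit replay. PW_TEXT is only acceptable over TLS.
        p.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_DIGEST);
        p.put(WSHandlerConstants.PW_CALLBACK_CLASS, ServerPasswordCallback.class.getName());
        return new WSS4JInInterceptor(p);
    }

    public static WSS4JOutInterceptor clientOutInterceptor(String user) {
        Map<String, Object> p = new HashMap<String, Object>();
        p.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
        p.put(WSHandlerConstants.USER, user);
        p.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_DIGEST);
        p.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientPasswordCallback.class.getName());
        return new WSS4JOutInterceptor(p);
    }

    public static void main(String[] args) throws Exception {
        String address = "http://127.0.0.1:4204/CalculatorImpl"; // hypothetical, mirrors the thread
        EndpointImpl ep = new EndpointImpl(new CalculatorImpl());
        ep.getInInterceptors().add(serverInInterceptor());
        ep.publish(address);
        try {
            JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
            factory.setServiceClass(CalculatorWs.class);
            factory.setAddress(address);
            factory.getOutInterceptors().add(clientOutInterceptor("jane"));
            CalculatorWs calc = (CalculatorWs) factory.create();
            System.out.println(calc.sum(4, 6)); // a wrong password surfaces as a SOAP fault here
        } finally {
            ep.stop();
        }
    }
}
```

The same interceptor can be declared instead of added in code: give a subclass of `WSS4JInInterceptor` a no-argument constructor that passes the property map to `super`, then name it on the implementation class with `@InInterceptors(interceptors = {"example.MyUsernameTokenInterceptor"})` (a fully qualified class name), or list it under `<jaxws:inInterceptors>` in a Spring context. Whether OpenEJB applies either of those to an EJB it publishes itself is the gap Jean-Louis reports. Digest mode keeps the password off the wire but is not encryption: the SOAP body is still readable, so the transport should be TLS either way, and the token's nonce and timestamp only limit replay if the receiver actually caches nonces, which depends on the WSS4J version in use.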