Posted to users@ws.apache.org by Devon Miller <aa...@gmail.com> on 2017/01/19 22:59:16 UTC

help composing security header without using a cxf/axis2 framework

I am trying to create a SOAP security header but am having difficulty
understanding how to create the proper crypto and other configs. I have
attached the WSDL policy (not the entire WSDL) as well as the token request
and response from the server and a whoami request that shows an example of
the security header that I need to generate. The server is a WCF endpoint
e.g. CRM system. All of the attachments are to a small virtual machine demo
system I set up to test security processing in Java. I am using wss4j 2.1.8.

I've gone through the wss4j tests trying to stitch together just the right
parts as I don't need to have anything robust, just a security header that
meets this one target. When trying to use axis2 to generate the stubs, it
did not seem to generate the security part and I just need some code for
the client side in a non-servlet scenario. I tried to look at rampart to
understand it may create the config but reading that code did not help. I
have also read through the standards but that's not helped me map it to the
code I need.

Thoughts on which wss4j tests might hold critical code for me to look at
and cut and paste from? For example, I've yet to figure out how to create
the proper crypto to use with the signature, it seems all the choices use
disk-based keystores.

Thoughts?


    val secHeader = new WSSecHeader(doc)
    secHeader.insertSecurityHeader()
    val timestamp = new WSSecTimestamp()
    timestamp.setTimeToLive(3600 * 2)
    timestamp.build(doc, secHeader)
    val x509Data = new DOMX509Data(doc,
      new DOMX509IssuerSerial(doc, "CN=DemoCrmServer, DC=Demo, DC=Local",
        new java.math.BigInteger("825127572376036501802804159644169187033612293")))
    // This gives me an error because I do not have a crypto.properties,
    // but I just need a memory based version
    val crypto = CryptoFactory.getInstance()
    val signer = new WSSecSignature()
    signer.setSigCanonicalization(WSS4JConstants.C14N_EXCL_OMIT_COMMENTS)
    signer.setKeyIdentifierType(WSConstants.ISSUER_SERIAL)
    // What's the right crypto?
    val signedDoc = signer.build(doc, crypto, secHeader)
    ...
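
An added example, not part of the original post and not WSS4J's own code: one way to get a memory-only Crypto is to fill a java.security.KeyStore in memory and hand it to a no-argument Merlin, which never reads crypto.properties. It assumes the WSS4J 2.1.x builder API used in the post and that the private key and certificate chain are already loaded in memory; the object name, function names and the alias are hypothetical.

```scala
import java.security.{KeyStore, PrivateKey}
import java.security.cert.{Certificate, X509Certificate}

import org.apache.wss4j.common.crypto.{Crypto, Merlin}
import org.apache.wss4j.dom.WSConstants
import org.apache.wss4j.dom.message.{WSSecHeader, WSSecSignature, WSSecTimestamp}
import org.w3c.dom.Document

object InMemorySigning {
  // Hypothetical alias for the single signing entry in the in-memory keystore.
  val Alias = "client-signing"

  /** Build a Crypto backed only by an in-memory KeyStore (no properties file, no keystore file). */
  def inMemoryCrypto(key: PrivateKey, chain: Seq[X509Certificate], password: Array[Char]): Crypto = {
    val ks = KeyStore.getInstance(KeyStore.getDefaultType)
    ks.load(null, null) // null stream: start from an empty keystore
    ks.setKeyEntry(Alias, key, password, chain.toArray[Certificate])
    val merlin = new Merlin() // no-arg constructor does not load any properties
    merlin.setKeyStore(ks)
    merlin
  }

  /** Add a Timestamp and a Signature that references the signer by issuer and serial. */
  def sign(doc: Document, crypto: Crypto, password: Array[Char], ttlSeconds: Int): Document = {
    val secHeader = new WSSecHeader(doc)
    secHeader.insertSecurityHeader()

    val timestamp = new WSSecTimestamp()
    timestamp.setTimeToLive(ttlSeconds)
    timestamp.build(doc, secHeader)

    val signer = new WSSecSignature()
    // WSS4J looks up the certificate and private key in the Crypto by this alias and password.
    signer.setUserInfo(Alias, new String(password))
    signer.setKeyIdentifierType(WSConstants.ISSUER_SERIAL)
    // With no parts configured, WSSecSignature signs the SOAP Body.
    signer.build(doc, crypto, secHeader)
  }
}
```

The alias passed to setUserInfo has to match the keystore entry, and the password has to be the one the key entry was stored under.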

Re: help composing security header without using a cxf/axis2 framework

Posted by Colm O hEigeartaigh <co...@apache.org>.
I'd strongly encourage you to use a web services framework instead of
trying to roll your own security. Take a look at some of the CXF examples
here:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=systests/ws-security-examples;h=0c0a7a6a32f9aa27778890440e37d74afae93d11;hb=HEAD

Colm.

On Thu, Jan 19, 2017 at 10:59 PM, Devon Miller <aa...@gmail.com> wrote:

> I am trying to create a SOAP security header but am having difficulty
> understanding how to create the proper crypto and other configs. I have
> attached the WSDL policy (not the entire WSDL) as well as the token request
> and response from the server and a whoami request that shows an example of
> the security header that I need to generate. The server is a WCF endpoint
> e.g. CRM system. All of the attachments are to a small virtual machine demo
> system I set up to test security processing in Java. I am using wss4j 2.1.8.
>
> I've gone through the wss4j tests trying to stitch together just the right
> parts as I don't need to have anything robust, just a security header that
> meets this one target. When trying to use axis2 to generate the stubs, it
> did not seem to generate the security part and I just need some code for
> the client side in a non-servlet scenario. I tried to look at rampart to
> understand it may create the config but reading that code did not help. I
> have also read through the standards but that's not helped me map it to the
> code I need.
>
> Thoughts on which wss4j tests might hold critical code for me to look at
> and cut and paste from? For example, I've yet to figure out how to create
> the proper crypto to use with the signature, it seems all the choices use
> disk-based keystores.
>
> Thoughts?
>
>
>     val secHeader = new WSSecHeader(doc)
>     secHeader.insertSecurityHeader()
>     val timestamp = new WSSecTimestamp()
>     timestamp.setTimeToLive(3600 * 2)
>     timestamp.build(doc, secHeader)
>     val x509Data = new DOMX509Data(doc,
>       new DOMX509IssuerSerial(doc, "CN=DemoCrmServer, DC=Demo, DC=Local",
>         new java.math.BigInteger("825127572376036501802804159644169187033612293")))
>     // This gives me an error because I do not have a crypto.properties,
>     // but I just need a memory based version
>     val crypto = CryptoFactory.getInstance()
>     val signer = new WSSecSignature()
>     signer.setSigCanonicalization(WSS4JConstants.C14N_EXCL_OMIT_COMMENTS)
>     signer.setKeyIdentifierType(WSConstants.ISSUER_SERIAL)
>     // What's the right crypto?
>     val signedDoc = signer.build(doc, crypto, secHeader)
>     ...
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com