Posted to users@cxf.apache.org by Joe Schaefer <jo...@sunstarsys.com> on 2016/06/15 17:14:41 UTC

Help Wanted: WSS SOAP PKI encryption with CXF

Hi,
I have a business customer who needs a stand-alone web application that can
connect to a SOAP endpoint that requires support for the Oasis WSS
standards for XML encryption and signatures.

Looking over the documentation for CXF it seems that may be the answer I'm
looking for on some level.  However I am a perl guy, so I may need some
assistance braving the java world.  My company will naturally compensate on
a contract basis for any coding we need done, but it should be
straightforward.

I realize the Oasis specs cover a lot of ground, but I do not need more
than a small subset supported.  We have familiarity with SOAP UI from
SoftBear which does the job, but is the wrong architecture for a
concurrent, multi-user web services based solution.

Any advice in this area would be greatly appreciated- I can try to answer
any questions about our needs and requirements to the best of my ability,
but at this point I'm just looking to know if the CXF community can support
this type of use case.


TIA!

Re: Help Wanted: WSS SOAP PKI encryption with CXF

Posted by Joe Schaefer <jo...@sunstarsys.com>.
Thanks Dan!  I appreciate the suggestions to dive in myself, but in the
interests of my employer my time is better spent elsewhere on this
project.  Let me instead try to describe what I'd like to have someone in
the CXF community code up for us.  Interested parties can contact me
off-list about costs, timeframes, etc.  It is a relatively urgent need of
ours at this point, but unfortunately none of our coding talent has direct
Java experience.

What I'm looking for is a stand-alone Java Web Application (we've looked at
the support for WS-Security policies for SOAP in other programming
languages and they fall short of our needs) that I can front-end with an
apache proxy server with some cookie authentication code to protect the
service.
What the Application needs to do is accept HTML form-data to populate a
handful of different calls to a specific WSS-encrypted SOAP endpoint.  The
app is really just a gateway from a web-form to a SOAP request/response:
the response simply needs to be decrypted and passed along as XML to the
web client.  That's pretty much it- there are databases involved but the
invoking code we're writing ourselves can deal with the storage
requirements.

This shouldn't be hard to achieve given familiarity with the requisite
software and knowledge about the WSDL for the service.  If there's some
other place I should be asking please let me know- I've spoken with Talend
sales and they weren't able to offer anything directly relevant to this
task.


On Wed, Jun 15, 2016 at 7:30 PM, Daniel Kulp <dk...@apache.org> wrote:

>
> > On Jun 15, 2016, at 4:59 PM, Joe Schaefer <jo...@sunstarsys.com> wrote:
> >
> > Yes I found a version of the WSDL that contains ws-policy elements.
>
> Great! Let’s hope the policy is correct and complete.  ;-)
>
> Once you have the wsdl, you should just be able to generate a client from
> it (wsdl2java) and use the standard client Service object to obtain the
> port you need. You would then configure the client using whatever
> security configuration options are dictated by the policy. Without
> seeing the policy, that will be hard to determine. Since you mention
> both encryption and signature, you might be able to get an idea by looking
> at the “samples/ws_security/sign_enc_policy” example that comes in the CXF
> download. That uses spring to configure the client, but configuring via
> java code is relatively straightforward. The trick is getting the
> “Client_Encrypt.properties” file created (that's the name of the file in the
> sample, can be anything) which creates your keystores and aliases and
> such that you will need.
>
>
> Dan

Re: Help Wanted: WSS SOAP PKI encryption with CXF

Posted by Daniel Kulp <dk...@apache.org>.
> On Jun 15, 2016, at 4:59 PM, Joe Schaefer <jo...@sunstarsys.com> wrote:
> 
> Yes I found a version of the WSDL that contains ws-policy elements.

Great! Let’s hope the policy is correct and complete.  ;-)

Once you have the wsdl, you should just be able to generate a client from it (wsdl2java) and use the standard client Service object to obtain the port you need. You would then configure the client using whatever security configuration options are dictated by the policy. Without seeing the policy, that will be hard to determine. Since you mention both encryption and signature, you might be able to get an idea by looking at the “samples/ws_security/sign_enc_policy” example that comes in the CXF download. That uses spring to configure the client, but configuring via java code is relatively straightforward. The trick is getting the “Client_Encrypt.properties” file created (that's the name of the file in the sample, can be anything) which creates your keystores and aliases and such that you will need.


Dan






-- 
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com
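
The policy-driven client configuration described in the message above, done in Java rather than Spring. This is an added example, not code from the thread or from the CXF samples; it assumes CXF 3.x with WSS4J 2.x, and the aliases "clientkey" and "servicecert", the file Client_Sign.properties, the keystore path and the CLIENT_KEY_PASSWORD environment variable are all hypothetical.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.ws.BindingProvider;
import org.apache.wss4j.common.ext.WSPasswordCallback;

/*
 * Each *.properties file is a WSS4J crypto descriptor on the classpath that
 * points at a keystore (constructed sample values):
 *
 *   org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin
 *   org.apache.wss4j.crypto.merlin.keystore.type=jks
 *   org.apache.wss4j.crypto.merlin.keystore.file=keys/client.jks
 *   org.apache.wss4j.crypto.merlin.keystore.password=<keystore password>
 *
 * The keystore password sits in that file in clear text, so restrict its
 * file permissions and keep it out of version control.
 */
public final class PolicyClientConfig {

    /** Call with the port returned by the wsdl2java-generated Service class. */
    public static void configure(Object port) throws IOException {
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        // Our private key signs the request.
        ctx.put("ws-security.signature.properties", "Client_Sign.properties");
        ctx.put("ws-security.signature.username", "clientkey");
        // The service's public certificate encrypts the request.
        ctx.put("ws-security.encryption.properties", "Client_Encrypt.properties");
        ctx.put("ws-security.encryption.username", "servicecert");
        ctx.put("ws-security.callback-handler", keyPasswordHandler());
    }

    /** Supplies the private-key password from the environment, not from source. */
    static CallbackHandler keyPasswordHandler() throws IOException {
        String password = System.getenv("CLIENT_KEY_PASSWORD");
        if (password == null) {
            // Fail at start-up instead of on the first signed request.
            throw new IOException("CLIENT_KEY_PASSWORD is not set");
        }
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof WSPasswordCallback
                        && "clientkey".equals(((WSPasswordCallback) cb).getIdentifier())) {
                    ((WSPasswordCallback) cb).setPassword(password);
                }
            }
        };
    }
}
```

Which of these properties are actually needed depends on the assertions in the service's WS-Policy, which the thread does not show.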


Re: Help Wanted: WSS SOAP PKI encryption with CXF

Posted by Joe Schaefer <jo...@sunstarsys.com>.
Yes I found a version of the WSDL that contains ws-policy elements.


On Wed, Jun 15, 2016 at 4:27 PM, Joe Schaefer <jo...@sunstarsys.com> wrote:

> Yes there is a wsdl including wsse elements.  I'm just not at liberty
> to share it publicly.  I'm not sure it includes a ws-policy but I can
> investigate.
>
> Thanks Dan!
>
> Sent from my iPhone

Re: Help Wanted: WSS SOAP PKI encryption with CXF

Posted by Joe Schaefer <jo...@sunstarsys.com>.
Yes there is a wsdl including wsse elements.  I'm just not at liberty
to share it publicly.  I'm not sure it includes a ws-policy but I can
investigate.

Thanks Dan!

Sent from my iPhone

> On Jun 15, 2016, at 4:14 PM, Daniel Kulp <dk...@apache.org> wrote:
>
> Joe,
>
> This isn’t really a lot to go on. Does the soap endpoint that you are connecting to have a published WSDL? Does the WSDL provide a WS-Policy definition that describes the security requirements? If so, things are significantly easier than if it doesn’t. With the WS-Policy stuff, it should just be a matter of configuring properties on the client (java code, spring config, etc…) for the stuff the policy requires (keystores, key aliases, etc…). If the WSDL doesn’t have a policy, things are quite a bit more complex.  In that case, you’d have to figure out what the security requirements are and configure in appropriate actions onto a set of WSS4J interceptors.
>
> Anyway, start with looking at the WSDL and see what information is there and then we can figure out the next step.
>
> Dan

Re: Help Wanted: WSS SOAP PKI encryption with CXF

Posted by Daniel Kulp <dk...@apache.org>.
Joe,

This isn’t really a lot to go on. Does the soap endpoint that you are connecting to have a published WSDL? Does the WSDL provide a WS-Policy definition that describes the security requirements? If so, things are significantly easier than if it doesn’t. With the WS-Policy stuff, it should just be a matter of configuring properties on the client (java code, spring config, etc…) for the stuff the policy requires (keystores, key aliases, etc…). If the WSDL doesn’t have a policy, things are quite a bit more complex.  In that case, you’d have to figure out what the security requirements are and configure in appropriate actions onto a set of WSS4J interceptors.

Anyway, start with looking at the WSDL and see what information is there and then we can figure out the next step.

Dan


> On Jun 15, 2016, at 1:14 PM, Joe Schaefer <jo...@sunstarsys.com> wrote:
> 
> Hi,
> I have a business customer who needs a stand-alone web application that can
> connect to a SOAP endpoint that requires support for the Oasis WSS
> standards for XML encryption and signatures.
> 
> Looking over the documentation for CXF it seems that may be the answer I'm
> looking for on some level.  However I am a perl guy, so I may need some
> assistance braving the java world.  My company will naturally compensate on
> a contract basis for any coding we need done, but it should be
> straightforward.
> 
> I realize the Oasis specs cover a lot of ground, but I do not need more
> than a small subset supported.  We have familiarity with SOAP UI from
> SoftBear which does the job, but is the wrong architecture for a
> concurrent, multi-user web services based solution.
> 
> Any advice in this area would be greatly appreciated- I can try to answer
> any questions about our needs and requirements to the best of my ability,
> but at this point I'm just looking to know if the CXF community can support
> this type of use case.
> 
> 
> TIA!

-- 
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com
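
The no-policy case from the message above, where the security actions are set by hand on WSS4J interceptors. This is an added example, not code from the thread or from the CXF project; it assumes CXF 3.x with WSS4J 2.x, a service that signs and encrypts its responses as well, and the aliases and property file names are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.CallbackHandler;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.wss4j.dom.handler.WSHandlerConstants;

public final class ManualWssConfig {

    /**
     * @param port         port from the wsdl2java-generated Service class
     * @param keyPasswords handler that answers WSPasswordCallback for our key alias
     */
    public static void configure(Object port, CallbackHandler keyPasswords) {
        Client client = ClientProxy.getClient(port);

        // Outbound: sign with our private key, then encrypt to the service's cert.
        Map<String, Object> out = new HashMap<>();
        out.put(WSHandlerConstants.ACTION, "Signature Encrypt");
        out.put(WSHandlerConstants.USER, "clientkey");                  // signing alias
        out.put(WSHandlerConstants.SIG_PROP_FILE, "Client_Sign.properties");
        out.put(WSHandlerConstants.ENCRYPTION_USER, "servicecert");     // recipient alias
        out.put(WSHandlerConstants.ENC_PROP_FILE, "Client_Encrypt.properties");
        out.put(WSHandlerConstants.PW_CALLBACK_REF, keyPasswords);
        client.getOutInterceptors().add(new WSS4JOutInterceptor(out));

        // Inbound: require the response to carry a signature and encryption,
        // verify against the service's certificate, decrypt with our key.
        // Without an inbound interceptor an unsigned response is accepted as-is.
        Map<String, Object> in = new HashMap<>();
        in.put(WSHandlerConstants.ACTION, "Signature Encrypt");
        in.put(WSHandlerConstants.SIG_VER_PROP_FILE, "Client_Encrypt.properties");
        in.put(WSHandlerConstants.DEC_PROP_FILE, "Client_Sign.properties");
        in.put(WSHandlerConstants.PW_CALLBACK_REF, keyPasswords);
        client.getInInterceptors().add(new WSS4JInInterceptor(in));
    }
}
```

The action lists have to match what the endpoint actually requires and returns; with no policy in the WSDL, that has to come from the service owner's documentation.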