tags:

views:

1435

answers:

2
Q: 

Spring WS-Security visible in WSDL

I've implemented authentication through WS-Security on my webservice as described at http://static.springframework.org/spring-ws/sites/1.5/reference/html/security.html, like so:

<bean id="callbackHandler" class="org.springframework.ws.soap.security.wss4j.callback.SimplePasswordValidationCallbackHandler">
    <property name="users">
        <props>
            <prop key="bart">arnie</prop>
        </props>
    </property>
</bean>

<bean id="annotationMapping" class="org.springframework.ws.server.endpoint.mapping.PayloadRootAnnotationMethodEndpointMapping">
 <property name="interceptors">
  <list>
   <bean class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
    <property name="validationActions" value="UsernameToken" />
    <property name="securementActions" value="NoSecurity" />
    <property name="validationCallbackHandler" ref="callbackHandler" />
   </bean> ...

However, clients (like SoapUI) don't know that they should use security, because it's not mentioned in the WSDL. How can I get it to be? This is how I generate it:

<bean id="qwertyService" class="org.springframework.ws.wsdl.wsdl11.DefaultWsdl11Definition">
 <property name="schemaCollection" ref="schemaCollection" />
 <property name="portTypeName" value="QwertyService" />
 <property name="locationUri" value="/QwertyService/" />
 <property name="targetNamespace" value="http://www.ead2.nl/demo/wsdl" />
</bean>
A: 

It is entirely possible to convey ws-security information in a wsdl!!!!!

Look at ws-policy and specifically ws-securitypolicy (the two go together)

However, i am unable to specifcally help you with the implementation.

hope this helps

Jon  2009-08-23 10:04:32
+1  A: 

WS-Security by itself is not placed in the WSDL. WS-Policy builds upon WS-Security, it may be possible to use these more sophisticated standards to add it to the WSDL but it doesn't sound like that is what you want.

In SOAPUI the security information is built as settings to the project. If you double click the project there is a security tab. Keys-stores can be added if you are using a PKI based scheme and you can define outgoing and incoming configurations. A pair of configurations can be applied to each message depending on what in the message you would like to secure. It seems a little clunky and buggy.

See: http://www.soapui.org/userguide/projects/wss.html

andygavin  2009-08-28 15:34:18
This is indeed what I did. Accepted your answer for others' sake
Bart van Heukelom  2009-09-03 00:33:01

related questions

Is WS-Security truly interoperable across platforms?
Connecting to WS-Security protected Web Service with PHP
Any good step by step tutorial to implement a secure token service with Java?
How to use Forms Auth when SSL is on a proxy in front of the IIS Farm (WCF) ?
JAX-WS Consuming web service with WS-Security and WS-Addressing
How do I build a secure webservice with .Net?
How do I add a <UsernameToken> header programatically to a SOAP message in JAX-WS?
How do you build an EAR with policy files included using WLS Ant Tasks?
How do you use TLS/SSL Http Authentication with a CXF client to a web service?
webservice using security UserNameToken
User/Pass Authentication using RESTful WCF & Windows Forms
Spring-WS: how to use WebserviceTemplate with pre-generated SOAP-envelope
how to protect the ws discovery ad hoc network from man-in-the-middle attacks
How to use WS-Security with EJB3 ?
Developing a secure WS client for consuming a Axis2 Web Service with Rampart WS Security module?
Standard web services v Secure web services
Using WCF to send a signed Request and receive an unsigned Response
TLS handshake event in Tomcat, is there something like that ?
Encryption of SOAP message in Axis 2
Specify parts of the header that have to be signed and/or encrypted in WCF with binding that support standards
How do I create a cold fusion web service client that uses ws-security?
Ruby and WS-Security
How can I authenticate using client credentials in WCF just once?
Calling .NET Web Service (WSE 2/3, WS-Security) from Java
Where can I find some good WS-Security introductions and tutorials?