Hi, I was wondering if it is possible to build a cxf-bc with WS-SecurityPolicy instead of just the WS-Security. WS-SecurityPolicy seems to be a more elegant solution since everything is in the WSDL. Examples welcome. :)

Well, with David's help I got the CXF-BC installed and running on the ESB, but I can't seem to test it. It keeps coming back with:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Body>
  <soap:Fault>
     <faultcode>soap:Server</faultcode>
     <faultstring>These policy alternatives can not be satisfied:
        {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}UsernameToken</faultstring>
  </soap:Fault>
 </soap:Body>
</soap:Envelope>

My msg:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:typ="http://nwec.faa.gov/wxrec/UserAccount/types">
  <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
   <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2.xsd">
     <wsse:UsernameToken wsu:Id="UsernameToken-25" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:Username>bob</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">bobspassword</wsse:Password>
     </wsse:UsernameToken>
   </wsse:Security>
   <wsa:Action>http://nwec.faa.gov/wxrec/UserAccount/UserAccountPortType/ApproveDenyAccountRequest</wsa:Action>
  </soapenv:Header>
  <soapenv:Body>
    ...
  </soapenv:Body>
</soapenv:Envelope>

Here's the policy in the wsdl:

<wsp:Policy wsu:Id="UserAccountBindingPolicy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:ExactlyOne>
    <wsp:All>
      <wsaw:UsingAddressing xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" wsp:Optional="true" />
      <wsp:Policy>
        <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always">
          <wsp:Policy>
            <sp:WssUsernameToken10 />
          </wsp:Policy>
        </sp:UsernameToken>
      </wsp:Policy>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
A: 

As of the resolution of https://issues.apache.org/activemq/browse/SMXCOMP-711 and https://issues.apache.org/activemq/browse/SMXCOMP-712 (servicemix-cxf-bc-2010.01) it should be possible and easy to do.

See http://fisheye6.atlassian.com/browse/servicemix/components/bindings/servicemix-cxf-bc/trunk/src/test/java/org/apache/servicemix/cxfbc/ws/security/CxfBcSecurityJAASTest.java?r=HEAD for an example. Specifically the testJAASPolicy method.

As for the error relating to asserting the UsernameToken assertion, you may want to try putting the UsernameToken assertion inside of a SupportingToken or binding assertion depending on what you want to do with the token. It looks like you just want a username and password to be passed in the message without any other security such as a cryptographic binding of the token to the message or encryption so a supporting token will likely fit your needs.

I also urge you to consider the following additional precautions when using a UsernameToken:

  1. Cryptographically bind the token to the message using a signature.
  2. Use a nonce and created timestamp and cache the token on the server to prevent replay.
  3. Consider encrypting the token (before signing, if you also sign) using XML Encryption.
  4. Use TLS either in lieu of or in addition to the above suggestions.
DavidValeri
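A policy laid out the way David describes, as an added example (not code from the question, from David, or from ServiceMix): the UsernameToken assertion sits inside sp:SupportingTokens and is carried under a TransportBinding so the PasswordText value only ever travels over TLS (this assumes the consumer is exposed through an HTTPS engine, as the final beans.xml further down is). The request header that satisfies it follows; the header in the question binds the wsse prefix to the ws-securitypolicy namespace rather than the WS-Security secext namespace, so that is also shown corrected here. The wsp namespace choice, the ids and the timestamp values are assumptions or constructed sample values.

```xml
<!-- Policy: UsernameToken as a supporting token over TLS -->
<wsp:Policy wsu:Id="UserAccountBindingPolicy"
    xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:ExactlyOne>
    <wsp:All>
      <!-- Require HTTPS: a PasswordText token must not cross the wire in the clear -->
      <sp:TransportBinding>
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy><sp:HttpsToken><wsp:Policy/></sp:HttpsToken></wsp:Policy>
          </sp:TransportToken>
          <sp:AlgorithmSuite><wsp:Policy><sp:Basic128/></wsp:Policy></sp:AlgorithmSuite>
          <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>
          <!-- A timestamp gives the server a bounded window for replay detection -->
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:TransportBinding>
      <!-- The UsernameToken assertion lives inside SupportingTokens, not directly under wsp:All -->
      <sp:SupportingTokens>
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy><sp:WssUsernameToken10/></wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

<!-- Matching request header. The wsse prefix is bound to the WS-Security secext namespace;
     binding it to the ws-securitypolicy namespace leaves the token unrecognised by the server. -->
<wsse:Security soapenv:mustUnderstand="1"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsu:Timestamp wsu:Id="TS-1">
    <wsu:Created>2010-06-01T12:00:00Z</wsu:Created>   <!-- constructed sample values -->
    <wsu:Expires>2010-06-01T12:05:00Z</wsu:Expires>
  </wsu:Timestamp>
  <wsse:UsernameToken wsu:Id="UsernameToken-1">
    <wsse:Username>bob</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">bobspassword</wsse:Password>
  </wsse:UsernameToken>
</wsse:Security>
```

The server still has to validate the password in its CallbackHandler (the myPasswordCallback bean in the final configuration plays that role); the policy only decides which tokens must be present and how they are protected.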
Ok, after looking at the JAASTest I still haven't the slightest clue how to implement it. Also, it doesn't seem the JAASTest even uses a wsdl with a ws-security policy defined in it, unless I'm missing something, and it doesn't seem that Apache has published the servicemix-cxf-bc-2010.01.xsd just yet, so I can't use that.
Vinh
Example of the CXF bus with external policy attachment: http://fisheye6.atlassian.com/browse/servicemix/components/bindings/servicemix-cxf-bc/tags/servicemix-cxf-bc-2010.01/src/test/resources/org/apache/servicemix/cxfbc/ws/security/xbean-jaas-policy-bus-context.xml?r=HEAD

See http://cxf.apache.org/docs/ws-securitypolicy.html for other ways to attach policy.

Configure your CXF-BC Consumer: http://fisheye6.atlassian.com/browse/servicemix/components/bindings/servicemix-cxf-bc/tags/servicemix-cxf-bc-2010.01/src/test/resources/org/apache/servicemix/cxfbc/ws/security/xbean-jaas.xml?r=HEAD
DavidValeri
Everything you need should be here http://repo2.maven.org/maven2/org/apache/servicemix/servicemix-cxf-bc/2010.01/
DavidValeri
Thanks for your help so far, I was wondering if you could help with the last problem. (original question is updated)
Vinh
Updated response above. In the future, starting a new question would probably be better instead of stretching out a single question after it has been answered.
DavidValeri
A: 

With David's and Freeman's help over at the servicemix-user mailing list, I was finally able to get the correct configuration to implement WS-SecurityPolicy.

Here's my final beans.xml for my BC:

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns:cxfbc="http://servicemix.apache.org/cxfbc/1.0" xmlns:util="http://www.springframework.org/schema/util"
 xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
 xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:sec="http://cxf.apache.org/configuration/security"
 xmlns:person="http://www.mycompany.com/ws-sec-proto"
 xsi:schemaLocation="
   http://www.springframework.org/schema/beans
   http://www.springframework.org/schema/beans/spring-beans.xsd
   http://www.springframework.org/schema/util
   http://www.springframework.org/schema/util/spring-util.xsd
   http://servicemix.apache.org/cxfbc/1.0
   http://repo2.maven.org/maven2/org/apache/servicemix/servicemix-cxf-bc/2010.01/servicemix-cxf-bc-2010.01.xsd
   http://cxf.apache.org/transports/http-jetty/configuration
   http://cxf.apache.org/schemas/configuration/http-jetty.xsd
   http://cxf.apache.org/transports/http/configuration
   http://cxf.apache.org/schemas/configuration/http-conf.xsd">

 <import resource="classpath:META-INF/cxf/cxf.xml" />
 <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
 <import resource="classpath:META-INF/cxf/cxf-extension-http.xml" />
 <import resource="classpath:META-INF/cxf/osgi/cxf-extension-osgi.xml" />
 <import resource="classpath:META-INF/cxf/cxf-extension-policy.xml" />
 <import resource="classpath:META-INF/cxf/cxf-extension-ws-security.xml" />

 <bean id="myPasswordCallback" class="com.mycompany.ServerPasswordCallback" />

 <cxfbc:consumer wsdl="classpath:wsdl/person.wsdl"
  targetService="person:PersonService" targetInterface="person:Person"
  properties="#properties" delegateToJaas="false" >
 <!-- not important for ws-security
 <cxfbc:inInterceptors>
   <bean class="com.mycompany.SaveSubjectInterceptor" />
   <bean class="org.apache.cxf.interceptor.LoggingInInterceptor" />
 </cxfbc:inInterceptors> 
 -->
 </cxfbc:consumer>

 <util:map id="properties">
   <entry>
    <key>
     <util:constant
      static-field="org.apache.cxf.ws.security.SecurityConstants.CALLBACK_HANDLER" />
    </key>
    <ref bean="myPasswordCallback" />
   </entry>
 </util:map>

 <httpj:engine-factory bus="cxf">
  <httpj:engine port="9001">
   <httpj:tlsServerParameters>
    <sec:keyManagers keyPassword="password">
      <sec:keyStore type="JKS" password="password" resource="certs/cherry.jks" />
    </sec:keyManagers>
    <!-- Cipher filter as posted: it admits only 3DES and DES suites (both weak by current standards)
         and excludes NULL-encryption and anonymous Diffie-Hellman suites -->
    <sec:cipherSuitesFilter>
      <sec:include>.*_WITH_3DES_.*</sec:include>
      <sec:include>.*_WITH_DES_.*</sec:include>
      <sec:exclude>.*_WITH_NULL_.*</sec:exclude>
      <sec:exclude>.*_DH_anon_.*</sec:exclude>
    </sec:cipherSuitesFilter>
    <sec:clientAuthentication want="false"
      required="false" />
  </httpj:tlsServerParameters>
 </httpj:engine>
 </httpj:engine-factory>

 <bean id="cxf" class="org.apache.cxf.bus.CXFBusImpl" />

 <bean class="org.apache.servicemix.common.osgi.EndpointExporter" />

</beans>

The full example can be found here, but it may not be there after a while.

Vinh
