ws-security

Where can I find some good WS-Security introductions and tutorials?

Can anyone point me to some decent introductions to WS-Security? I'm looking for tutorials or something that provide a fairly gentle introduction to the subject, though I don't mind if it assumes basic knowledge of web services and SOAP. Most of the stuff I've seen so far is very technical and you need a lot of complex, detailed backgro...

Calling .NET Web Service (WSE 2/3, WS-Security) from Java

I need to call a web service written in .NET from Java. The web service implements the WS-Security stack (either WSE 2 or WSE 3, it's not clear from the information I have). The information that I received from the service provider included WSDL, a policyCache.config file, some sample C# code, and a sample application that can succes...

How can I authenticate using client credentials in WCF just once?

What is the best approach to make sure you only need to authenticate once when using an API built on WCF? My current bindings and behaviors are listed below <bindings> <wsHttpBinding> <binding name="wsHttp"> <security mode="TransportWithMessageCredential"> <transport/> <message clientCredentialType="UserName" negoti...

Ruby and WS-Security

I'm having trouble finding good Ruby libraries that implement WS-Security. I've seen wss4r but have yet to use it (and the documentation is a bit light on it). What libraries do you use for this task, or is there a better alternative? ...

How do I create a ColdFusion web service client that uses WS-Security?

I've exposed several web services in our product using Java and WS-Security. One of our customers wants to consume the web service using ColdFusion. Does ColdFusion support WS-Security? Can I get around it by writing a Java client and using that in ColdFusion? (I don't know much about ColdFusion). ...

Specify parts of the header that have to be signed and/or encrypted in WCF with binding that support standards

Using Ws2007HttpBinding and securing the service, the WSDL file generated shows in the policy section that all the ws-addressing headers and the body will be signed, and that the body will be encrypted. <sp:SignedParts> <sp:Body /> <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" /> <sp:Header Name="From" Na...

Encryption of SOAP message in Axis 2

Hi, I need to use encryption (and signature) for a web service (server side). I use Axis2 and successfully added the Rampart module (for WS-Security implementation). But the Rampart page (http://ws.apache.org/axis2/modules/rampart/1_2/security-module.html) is missing examples and the sample files are not really documented. So my question is ...

TLS handshake event in Tomcat, is there something like that?

Hi, I'm running an application (web service) in Tomcat with TLS enabled (with certificates both for the client and the server). I want my application to be able to send an audit message (logging) when the TLS handshake fails. For example, I want to log when: the client certificate is expired, the client certificate is unknown (not in th...

Using WCF to send a signed Request and receive an unsigned Response

I'm working with a .NET dev team who are trying to interface with a web service that uses WS-Security, and although the service requires signed requests it only returns unsigned responses. The team knows of a way to call the service using WSE, but they're required to use WCF, so can anyone suggest how to configure WCF to send signed req...

Standard web services v Secure web services

I ask this question in anticipation as part of a project. I have experience of developing and consuming web services in the past and am au fait with those. However I have been told that as part of this next project I will need to use "secure" web services. Can you provide some insight into what additional development tasks there will be ...

Developing a secure WS client for consuming an Axis2 Web Service with Rampart WS Security module?

I have an Axis2 web service secured using Rampart. I do want to develop secure clients for it, preferably JAX-WS based. I tried a lot of tutorials but they are so closely tied with each other, like including Axis2 libraries in the client side. The client should be fairly independent of the WS service framework, as the service can be consum...

How to use WS-Security with EJB3?

Hi, for one of our projects, I should be able to call a webservice that uses WS-Security, i.e. the SOAP request should be signed with an X.509 certificate. I've been doing some tests to call the webservice through the use of the WebServiceRef annotation and I'm able to call the webservice without WS-Security. So my question is: how can...

How to protect the WS-Discovery ad hoc network from man-in-the-middle attacks

The WS-Discovery specification explains how to protect your network from message alteration, denial of service, replay, and spoofing, but what about man-in-the-middle attacks? ...

Spring-WS: how to use WebserviceTemplate with pre-generated SOAP-envelope

Can you use a Spring-WS WebserviceTemplate for calling a webservice and avoid that it generates a SOAP-envelope? That is, the message already contains a SOAP-Envelope and I don't want the WebserviceTemplate to wrap another one around it. :-) The reason I want this is that I'd like to call a webservice that uses ws-security and do no...

User/Pass Authentication using RESTful WCF & Windows Forms

Hi all, What is the best approach to implementing authorisation/authentication for a Windows Forms app talking to an IIS-hosted RESTful WCF Service? The reason I ask is I am very confused, after sifting through different articles and posts expressing a different method and eventually hitting a ~650 page document on WCF Security Best Pr...

webservice using security UserNameToken

Hi guys, I am trying to resolve a problem we have using GlassFish V2 to publish a simple web service using a plain UserNameToken for security reasons. Since we were using NetBeans 6.5 to achieve this we were looking into this tutorial: http://testwww.netbeans.org/kb/60/javaee/identity-amsecurity.html Therefore the foll...

How do you use TLS/SSL Http Authentication with a CXF client to a web service?

I'm trying to access a web service secured by a certificate. The security is set up on IIS and the web service is behind it. I don't think WS-SECURITY will do this type of authentication. Is there any way to pass the client certificate when you call the web service? I'm just getting an IIS Error Page that says "The page requires a clien...

How do you build an EAR with policy files included using WLS Ant Tasks?

I've been working with JAX-WS with Weblogic Server, using their Ant tasks to build EAR files that can be deployed on the server. I've gotten basic SOAP calls to work with JAX-WS, but now I'm trying to add some message-level security via WS-Security. According to the documentation, there are two ways of adding security policies to web s...

How do I add a <UsernameToken> header programmatically to a SOAP message in JAX-WS?

I'm writing a simple proof-of-concept webservice client using the JBoss-WS library. I need to send messages to a remote service that requires a <Security> header with a <UsernameToken> element. I would like to add this header in the most JAX-WS-kosher way, without having to manually add XML elements by hand, without having to read in a ...

How do I build a secure webservice with .Net?

I need to build a simple webservice to get data in and out of a HR System over the Internet (it's a hosted solution). I am using IIS and ASP.Net with .Net 2.0. Having looked into it, there are several ways of making the webservice secure - I am after some advice on which method to choose, with some views on pros and cons. These are th...