WS-Security Token Passing implementation

 
Greenhorn
Posts: 11
Hi,

I need to write something that interfaces with a .Net soap service. I've been given the WSDL file. This 3rd party service dictates the use of WSS tokens which are attached in the soap header. The username token will contain the username, password (sent as a digest), nonce and timestamp elements.

I'm using WebLogic 8.1.3, but from the answer I got from BEA there is no inbuilt support for passing such a token which contains a password digest (only plain text passwords supported in WL). I'm therefore looking for an existing library / framework that can provide this.

I've been researching this on the internet and from what I found I have the following options below.

1. Use Apache Axis with WSS4J (although this seems very much in development at the moment.)

2. Use the Sun Web Service Developer Pack 1.5 (JWSDP)

3. Use a licensed application such as Glue

Has anyone got any previous experience with implementing token passing, including nonce generation and creating password digests, with any of the options below? Is one of these a better implementation than the others, or is there one missing from the list I should be considering?

Any help would be very useful.
Thanks in advance.
 
Ranch Hand
Posts: 548
Pete-

Can you please explain more about WSS token fundamentals?

I have used XML Signatures/Encryption using IBM XSS, WSS4J, VeriSign TSIK. I guess some of these frameworks may support WSS tokens.

Please try them and let me know your experiences ...
 
Pete Tibbster
Greenhorn
Posts: 11
Hi R Kumar,

The token passing is part of the OASIS WS-Security standard. It details a mechanism for authentication through passing tokens (XML elements) within the header of the SOAP envelope. The specification for this is available using the URL below (page 7 starts detailing the UsernameToken) ----> OASIS WSS Username Token profile

Typically a username token is sent initially to authenticate a user in a SOAP request. Here is an example.

<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken>
<wsse:Username>Pete</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">od61xScYr9hAukzvz/DQXAtdxAA=</wsse:Password>
<wsse:Nonce>dL9uL5lBBm6eHwblHY4lVg==</wsse:Nonce>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">9VRW1tSrc7175HQ+X2cXLe75</wsse:Nonce>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2004-11-18T10:46:19Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>

If authentication is successful, in my case, the external webservice returns a custom token which is appended to the header of future requests.

It seems that some vendors, such as Microsoft in the .Net framework, fully implement the full standard whereas others only implement parts. This Microsoft link details the .Net implementation ---> WS-Security Drilldown in Web Services Enhancements 2.0

As per my original post, the latest version of WebLogic does not have out-of-the-box functionality to create username tokens with a password digest (only supports plain text passwords).

I'm currently looking into using the Apache Axis libraries to interface with this webservice, based on this source code -->AXIS-WSSE

From my research it seems the Apache project 'WSS4J' is aiming to fully implement these token passing standards but is still very much in development. I found very little documentation on WSS4J other than API javadocs.

R Kumar - you mention you've been using the WSS4J libraries. I'm guessing you downloaded the source code and built it yourself? What has your experience been with WSS4J?

Has anyone else implemented the WS-Security token passing mechanism in Java to communicate with a .Net (or other) web service that implements these standards?

Best Regards,
Pete.

[ February 14, 2005: Message edited by: Pete Tibbster ]
 
Rr Kumaran
Ranch Hand
Posts: 548
Pete-

Thanks for the response. So WS Tokens are used for authentication purposes.

I have experimented with IBM XSS, WSS4J, VeriSign TSIK for signing SOAP messages and verifying the XML signatures in them, but never used them for WS Token implementation.

Did you try IBM XSS and VeriSign TSIK, since they have good support for all aspects of WS Security?
 
Pete Tibbster
Greenhorn
Posts: 11
I have previously looked at IBM XSS, which does not seem to implement libraries to help with token passing. The VeriSign toolkit looks interesting and is not one I've come across before. However, again there appears to be nothing to aid token passing.
 
Pete Tibbster
Greenhorn
Posts: 11
Here is a very recent article which references the WSS token passing mechanism and the need for a standard framework for implementing these standards - just what I'm after! I've included it here in case anyone else might be interested and hasn't seen it.

This may be the answer to all my questions! I look forward to the next part of the series:

WS-Security in the Enterprise, Part 1: Problem Introduction
 