
JAX-WS & WS-Security

 
Gavin Tranter
Ranch Hand
Posts: 333
Hi all,
I am a bit confused, OK, more than a bit.
I am trying to implement WS-Security in some of our web services; everything I see seems to suggest I need to use some sort of external product, such as Axis.

Can't I just add the tokens to the headers manually and configure Tomcat with the required certificates? I am already adding a security header, with a username token; is this enough? Will it be passed in the clear or will it be encrypted? (I am guessing the former.)

I can't seem to find a clear explanation of what is required to use WS-Security; all I wish to do is encrypt the response from certain endpoints.

Thanks
G
 
Ulf Dittmer
Rancher
Posts: 42970
While it is possible not to use a WS-Security toolkit, I'd advise not to try that. So many things need to be set up correctly, and so much considered in the implementation, that you'd be spending a large amount of time getting it right.

The mechanics of how to set up WS-Security depend on the SOAP toolkit you're using. If it's Axis 1, you need the WSS4J package, if it's Axis 2 then you need the Rampart module, and if you're using JAX-WS then everything you need is part of the Metro implementation.

The only ready-to-run examples of WS-Sec encryption I'm aware of are part of the Rampart module for Axis 2.

Which SOAP toolkit are you using, if any? What is the "security header with username token" - is that an HTTP header or a SOAP header?
 
Gavin Tranter
Ranch Hand
Posts: 333
Thanks Ulf,
I don't think we are using any SOAP toolkit as such, just the JAX-WS stuff. We do have SAAJ, which seems to be part of Metro(?)

The security header with username token is a SOAP thing, I think; I am using this to provide authentication.

I have been thrown in at the deep end, and it's a bit confusing, but I often find that's the best way.
 
Ulf Dittmer
Rancher
Posts: 42970
SAAJ is just an API, like JAX-WS, but something must implement it. If it's part of a JEE 5-compatible server (like WebSphere, WebLogic or JBoss), then the server documentation should mention how to apply WS-Sec.

The encryption stuff is way harder than the authentication stuff, which is why I recommend not to do it manually, but let the implementation classes do that.
 
Gavin Tranter
Ranch Hand
Posts: 333
Yes, it appears that way, that it's more difficult. I think (could be wrong) that my requirement is just for the authentication stuff; I have been informed we will be using HTTPS.

Thanks for your time and help Ulf.
 