Search...
FAQs Subscribe
Pie
FAQs
Recent topics Flagged topics Hot topics Best topics
Search...
Search within Web Services Search Coderanch
Advance search Google search
Register / Login
granny thread boost book review grid polymorphism advertise on coderanch
Win a copy of Cloud Application Architecture Patterns: Designing, Building, and Modernizing for the Cloud this week in the Cloud/Virtualization forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
thread boost advertise on coderanch building better world book meaningless drivel book review grid
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Tim Cooke
  • paul wheaton
  • Paul Clapham
  • Ron McLeod
Sheriffs:
  • Jeanne Boyarsky
  • Liutauras Vilda
Saloon Keepers:
  • Tim Holloway
  • Carey Brown
  • Roland Mueller
  • Piet Souris
Bartenders:

Interview Question : Webservice security for jax-ws services

 
Guy Emerson
Ranch Hand
Posts: 42
posted 8 years ago
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
    Send
  • Quote
  • Report post to moderator
Hello All,

In one of the interview questions I was asked "What are the APIs  available to provide security to Webservices in SOAP and which one did you use."

I dont remember using any particular api for webservice security . I searched google and did not find any api for sole use in Webservice..  I saw use of https secured protocol , certificates for authentication but not any java api to use..

Would you please help me broaden my knowledge in webservices security . Or am I missing out on something ?


Thanks and Regards

Emerson
 
Tim Moores
Bartender
Posts: 7645
178
posted 8 years ago
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
    Send
  • Quote
  • Report post to moderator
The relevant API is called WS-Security, and is supported by all major SOAP implementations. It provides encryption and authentication at the message level (not at the transport level like HTTPS dors).
 
Guy Emerson
Ranch Hand
Posts: 42
posted 8 years ago
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
    Send
  • Quote
  • Report post to moderator

Thanks a lot Tim for your quick response.

I will come up with questions on WS-security and implementations as I read along..Please do answer to my queries..

Regards

Emerson

 
Guy Emerson
Ranch Hand
Posts: 42
posted 8 years ago
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
    Send
  • Quote
  • Report post to moderator
Hi again,

I was going through the WS-security implementation by Apache which seems to be very good. I am yet to be too sure as to whether its meant only to be used with Apache Axis2 servers as most of the materials I am getting on google tell me that its used with Apache Axes2 framework.. My requirement is WSS4J use in Weblogic server

I am a little lost to distinguish between Apache CXF and Apache WSS4J. If both are meant to provide implementation of WS-Security then why two different implementations.

Thanks a lot to anybody who help me understand these nuances

Regards

Emerson

 
Tim Moores
Bartender
Posts: 7645
178
posted 8 years ago
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
    Send
  • Quote
  • Report post to moderator
I think all Java WS-Security implementations are built on top of WSS4J. The comparison would be between Axis2 and CXF, which have different histories and feature sets, but -having used only Axis2- I'm not in a position to recommend one over the other. Axis2 always got the job done for me, so I didn't look elsewhere.
 
Guy Emerson
Ranch Hand
Posts: 42
posted 8 years ago
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
    Send
  • Quote
  • Report post to moderator
Hi Tim,

I have been reading through some website that tells me how to apply security Axis2 server with rampart framework. I have created service and clients as shown below. Could you please tell me why I am getting an error and the program fails


Service :-

import javax.xml.stream.XMLStreamException;
import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.soap.SOAPFactory;

public class CMSService {
   public OMElement getNumberOfArticles(OMElement element) throws XMLStreamException {
       element.build();
       element.detach();
       String categoryValue = element.getFirstElement().getText();
       SOAPFactory factory = OMAbstractFactory.getSOAP12Factory();
       OMElement resultElem = factory.createOMElement("numberOfArcticles", factory.createOMNamespace("http://daily-moon.com/cms/", "resp"));
       resultElem.setText(articleCount(categoryValue).toString());
       System.out.println("Service method getNumberOfArticles done");
       return resultElem;
   }

   private Integer articleCount(String catId) {
       return new Integer(42);
   }
}


callback class

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class PWCallback implements CallbackHandler {
   public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
       int i = 0;
       while (i < callbackArr.length) {
           if (callbackArr[i] instanceof WSPasswordCallback) {
               WSPasswordCallback wSPasswordCallback = (WSPasswordCallback) callbackArr[i];
               if (wSPasswordCallback.getIdentifer().equals("bob")) {
                   wSPasswordCallback.setPassword("password");
               } else if (wSPasswordCallback.getIdentifer().equals("alice")) {
                   wSPasswordCallback.setPassword("password");
               } else {
                   throw new UnsupportedCallbackException(callbackArr[i], "Unknown user");
               }
               i++;
           } else {
               throw new UnsupportedCallbackException(callbackArr[i], "Unrecognized Callback");
           }
       }
   }
}



services.xml

<service name="CMSService">

   <description>
       This is a sample Web Service for the newspaper's Content Managment System.
   </description>

   <parameter name="ServiceClass" locked="false">CMSService</parameter>

   <parameter name="InflowSecurity">
      <action>
           <items>Timestamp Signature</items>
           <passwordCallbackClass>PWCallback</passwordCallbackClass>
           <signaturePropFile>security.properties</signaturePropFile>
      </action>
   </parameter>

   <parameter name="OutflowSecurity">
     <action>
       <items>Timestamp Signature Encrypt</items>
       <user>alice</user>
       <passwordCallbackClass>PWCallback</passwordCallbackClass>
       <signaturePropFile>security.properties</signaturePropFile>
       <signatureKeyIdentifier>SKIKeyIdentifier</signatureKeyIdentifier>
       <encryptionKeyIdentifier>SKIKeyIdentifier</encryptionKeyIdentifier>
       <encryptionUser>bob</encryptionUser>
       <signatureParts>{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body</signatureParts>
       <optimizeParts>//xenc:EncryptedData/xenc:CipherValue/xenc:CipherData</optimizeParts>
      </action>
   </parameter>

   <operation name="getNumberOfArticles">
       <messageReceiver class="org.apache.axis2.receivers.RawXMLINOutMessageReceiver"/>
   </operation>

</service>


security.properties

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=password
org.apache.ws.security.crypto.merlin.file=sec.jks






Client side :--

axis2.xml



client class



callback class




security.properties

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=password
org.apache.ws.security.crypto.merlin.file=sec.jks


start.bat





I deployed CMSService.aar in axis2 server in the axis2-1.7.3\repository\services folder



I was expecting to execute the start.bat file to get a response from the axis2 server.

But instead I got an error on the command prompt


C:\Users\humpa\Desktop\softcol\security-code-files\WSSecurityCodeFiles\ClientAFTER>start.bat

C:\Users\humpa\Desktop\softcol\security-code-files\WSSecurityCodeFiles\ClientAFTER>echo off
org.apache.axis2.deployment.DeploymentException: org.apache.axis2.transport.tcp.TCPTransportSender

C:\Users\humpa\Desktop\softcol\security-code-files\WSSecurityCodeFiles\ClientAFTER>



Could you please figure what is creating this Error is ?


Regards

Emerson





 
Paul Clapham
Marshal
Posts: 28425
102
I like...
Eclipse IDE Firefox Browser MySQL Database
posted 8 years ago
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
    Send
  • Quote
  • Report post to moderator


I'd suggest printing the whole stack trace of the exception instead of just the description. That should give you much more information about where it happens. Like this:



 
Guy Emerson
Ranch Hand
Posts: 42
posted 8 years ago
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
    Send
  • Quote
  • Report post to moderator
Thanks Paul,

With the stack trace I could see it was because of several jar files missing. Added them now arrived at a configuration problem showing Exception as below :--

[livecoding]C:\Users\humpa\Desktop\softcol\security-code-files\WSSecurityCodeFiles\ClientAFTER>start.bat C:\Users\humpa\Desktop\softcol\security-code-files\WSSecurityCodeFiles\ClientAFTER>echo off org.apache.axis2.deployment.DeploymentException: org.apache.axis2.transport.tcp.TCPServer at org.apache.axis2.deployment.AxisConfigBuilder.processTransportReceivers(AxisConfigBuilder.java:669) at org.apache.axis2.deployment.AxisConfigBuilder.populateConfig(AxisConfigBuilder.java:129) at org.apache.axis2.deployment.DeploymentEngine.populateAxisConfiguration(DeploymentEngine.java:629) at org.apache.axis2.deployment.FileSystemConfigurator.getAxisConfiguration(FileSystemConfigurator.java:116) at org.apache.axis2.context.ConfigurationContextFactory.createConfigurationContext(ConfigurationContextFactory.java:64) at org.apache.axis2.context.ConfigurationContextFactory.createConfigurationContextFromFileSystem(ConfigurationContextFactory.java:210) at ClassifiedClient.main(ClassifiedClient.java:33) Caused by: java.lang.InstantiationException: org.apache.axis2.transport.tcp.TCPServer at java.lang.Class.newInstance(Unknown Source) at org.apache.axis2.deployment.AxisConfigBuilder.processTransportReceivers(AxisConfigBuilder.java:653) ... 6 more[/livecoding]


I did a bit of research and added a few transport receivers as below in the axis2.xml file  :--


<parameter name="transport.tcp.port">6060</parameter>
As shown below. For transport receiver

<!-- Enable TCP message -->  
<transportReceiver name="tcp" class="org.apache.axis2.transport.tcp.TCPTransportListener">
   <parameter name="transport.tcp.port">6060</parameter>
</transportReceiver>
To add Transport Sender

<transportSender name="tcp" class="org.apache.axis2.transport.tcp.TCPTransportSender"/>



Modified axis2.xml looks like this

and the ClassifiedClient.java is remains same with a minor change to include the printStackTrace()  line number 33 shows the configuration problem..




Please advise..

Regards

Emerson




 
Don't get me started about those stupid light bulbs.
reply
reply
    Bookmark Topic Watch Topic
  • New Topic
Boost this thread!
Similar Threads
More...