
Interview Question : Webservice security for jax-ws services

 
Guy Emerson
Ranch Hand
Posts: 41
Hello All,

In one of the interview questions I was asked "What are the APIs available to provide security to Webservices in SOAP and which one did you use."

I don't remember using any particular API for webservice security. I searched Google and did not find any API for sole use in webservices. I saw use of the HTTPS secured protocol and certificates for authentication, but not any Java API to use.

Would you please help me broaden my knowledge in webservices security? Or am I missing out on something?


Thanks and Regards

Emerson
 
Tim Moores
Saloon Keeper
Posts: 3512
The relevant API is called WS-Security, and is supported by all major SOAP implementations. It provides encryption and authentication at the message level (not at the transport level like HTTPS does).
 
Guy Emerson
Ranch Hand
Posts: 41

Thanks a lot Tim for your quick response.

I will come up with questions on WS-Security and implementations as I read along. Please do answer my queries.

Regards

Emerson

 
Guy Emerson
Ranch Hand
Posts: 41
Hi again,

I was going through the WS-Security implementation by Apache, which seems to be very good. I am not yet sure whether it's meant only to be used with Apache Axis2 servers, as most of the materials I am getting on Google tell me that it's used with the Apache Axis2 framework. My requirement is WSS4J use in a WebLogic server.

I am a little lost trying to distinguish between Apache CXF and Apache WSS4J. If both are meant to provide an implementation of WS-Security, then why two different implementations?

Thanks a lot to anybody who helps me understand these nuances.

Regards

Emerson

 
Tim Moores
Saloon Keeper
Posts: 3512
I think all Java WS-Security implementations are built on top of WSS4J. The comparison would be between Axis2 and CXF, which have different histories and feature sets, but -having used only Axis2- I'm not in a position to recommend one over the other. Axis2 always got the job done for me, so I didn't look elsewhere.
 
Guy Emerson
Ranch Hand
Posts: 41
Hi Tim,

I have been reading through a website that tells me how to apply security to an Axis2 server with the Rampart framework. I have created the service and clients as shown below. Could you please tell me why I am getting an error and the program fails?


Service :-

import javax.xml.stream.XMLStreamException;
import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.soap.SOAPFactory;

public class CMSService {
    public OMElement getNumberOfArticles(OMElement element) throws XMLStreamException {
        element.build();
        element.detach();
        String categoryValue = element.getFirstElement().getText();
        SOAPFactory factory = OMAbstractFactory.getSOAP12Factory();
        OMElement resultElem = factory.createOMElement("numberOfArcticles", factory.createOMNamespace("http://daily-moon.com/cms/", "resp"));
        resultElem.setText(articleCount(categoryValue).toString());
        System.out.println("Service method getNumberOfArticles done");
        return resultElem;
    }

    // Stub: returns a fixed count regardless of the category id.
    private Integer articleCount(String catId) {
        return Integer.valueOf(42);
    }
}


callback class

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Supplies the private-key passwords for the keystore aliases that Rampart/WSS4J asks about.
// The passwords are hardcoded sample values for the tutorial keystore only.
public class PWCallback implements CallbackHandler {
    public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
        int i = 0;
        while (i < callbackArr.length) {
            if (callbackArr[i] instanceof WSPasswordCallback) {
                WSPasswordCallback wSPasswordCallback = (WSPasswordCallback) callbackArr[i];
                // getIdentifer() (sic) is the accessor name in the WSS4J version used here.
                if (wSPasswordCallback.getIdentifer().equals("bob")) {
                    wSPasswordCallback.setPassword("password");
                } else if (wSPasswordCallback.getIdentifer().equals("alice")) {
                    wSPasswordCallback.setPassword("password");
                } else {
                    // Reject any alias that is not explicitly known.
                    throw new UnsupportedCallbackException(callbackArr[i], "Unknown user");
                }
                i++;
            } else {
                throw new UnsupportedCallbackException(callbackArr[i], "Unrecognized Callback");
            }
        }
    }
}



services.xml

<service name="CMSService">

    <description>
        This is a sample Web Service for the newspaper's Content Managment System.
    </description>

    <parameter name="ServiceClass" locked="false">CMSService</parameter>

    <parameter name="InflowSecurity">
       <action>
            <items>Timestamp Signature</items>
            <passwordCallbackClass>PWCallback</passwordCallbackClass>
            <signaturePropFile>security.properties</signaturePropFile>
       </action>
    </parameter>

    <parameter name="OutflowSecurity">
      <action>
        <items>Timestamp Signature Encrypt</items>
        <user>alice</user>
        <passwordCallbackClass>PWCallback</passwordCallbackClass>
        <signaturePropFile>security.properties</signaturePropFile>
        <signatureKeyIdentifier>SKIKeyIdentifier</signatureKeyIdentifier>
        <encryptionKeyIdentifier>SKIKeyIdentifier</encryptionKeyIdentifier>
        <encryptionUser>bob</encryptionUser>
        <signatureParts>{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body</signatureParts>
        <optimizeParts>//xenc:EncryptedData/xenc:CipherValue/xenc:CipherData</optimizeParts>
       </action>
    </parameter>

    <operation name="getNumberOfArticles">
        <messageReceiver class="org.apache.axis2.receivers.RawXMLINOutMessageReceiver"/>
    </operation>

</service>


security.properties

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=password
org.apache.ws.security.crypto.merlin.file=sec.jks






Client side :--

axis2.xml



client class



callback class




security.properties

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=password
org.apache.ws.security.crypto.merlin.file=sec.jks


start.bat





I deployed CMSService.aar in axis2 server in the axis2-1.7.3\repository\services folder



I was expecting to execute the start.bat file to get a response from the axis2 server.

But instead I got an error on the command prompt


C:\Users\humpa\Desktop\softcol\security-code-files\WSSecurityCodeFiles\ClientAFTER>start.bat

C:\Users\humpa\Desktop\softcol\security-code-files\WSSecurityCodeFiles\ClientAFTER>echo off
org.apache.axis2.deployment.DeploymentException: org.apache.axis2.transport.tcp.TCPTransportSender

C:\Users\humpa\Desktop\softcol\security-code-files\WSSecurityCodeFiles\ClientAFTER>



Could you please figure out what is creating this error?


Regards

Emerson





 
Paul Clapham
Sheriff
Posts: 22185


I'd suggest printing the whole stack trace of the exception instead of just the description. That should give you much more information about where it happens. Like this:



 
Guy Emerson
Ranch Hand
Posts: 41
Thanks Paul,

With the stack trace I could see it was because of several jar files missing. I added them and have now arrived at a configuration problem showing the exception below :--

C:\Users\humpa\Desktop\softcol\security-code-files\WSSecurityCodeFiles\ClientAFTER>start.bat

C:\Users\humpa\Desktop\softcol\security-code-files\WSSecurityCodeFiles\ClientAFTER>echo off
org.apache.axis2.deployment.DeploymentException: org.apache.axis2.transport.tcp.TCPServer
    at org.apache.axis2.deployment.AxisConfigBuilder.processTransportReceivers(AxisConfigBuilder.java:669)
    at org.apache.axis2.deployment.AxisConfigBuilder.populateConfig(AxisConfigBuilder.java:129)
    at org.apache.axis2.deployment.DeploymentEngine.populateAxisConfiguration(DeploymentEngine.java:629)
    at org.apache.axis2.deployment.FileSystemConfigurator.getAxisConfiguration(FileSystemConfigurator.java:116)
    at org.apache.axis2.context.ConfigurationContextFactory.createConfigurationContext(ConfigurationContextFactory.java:64)
    at org.apache.axis2.context.ConfigurationContextFactory.createConfigurationContextFromFileSystem(ConfigurationContextFactory.java:210)
    at ClassifiedClient.main(ClassifiedClient.java:33)
Caused by: java.lang.InstantiationException: org.apache.axis2.transport.tcp.TCPServer
    at java.lang.Class.newInstance(Unknown Source)
    at org.apache.axis2.deployment.AxisConfigBuilder.processTransportReceivers(AxisConfigBuilder.java:653)
    ... 6 more


I did a bit of research and added a few transport receivers as below in the axis2.xml file :--


<parameter name="transport.tcp.port">6060</parameter>
As shown below. For transport receiver

<!-- Enable TCP message --> 
<transportReceiver name="tcp" class="org.apache.axis2.transport.tcp.TCPTransportListener">
    <parameter name="transport.tcp.port">6060</parameter>
</transportReceiver>
To add Transport Sender

<transportSender name="tcp" class="org.apache.axis2.transport.tcp.TCPTransportSender"/>



Modified axis2.xml looks like this

and ClassifiedClient.java remains the same, with a minor change to include the printStackTrace(). Line number 33 shows the configuration problem.




Please advise..

Regards

Emerson




 