  • How to secure spring ws

    I need to sign and then encrypt outgoing and incoming SOAP messages. Can I use Acegi Security to do that? If so, what do I have to do? Otherwise, what framework can help me solve this issue?

    I'm going to write a payment module, so I must secure any message between client and services.

  • #2
    This is explained in the reference guide, see http://static.springframework.org/sp.../security.html


    • #3
      I read them, but I don't know where to put the necessary config file.

      Thanks Poutmas
      Can you tell me more about them?
      I need to wrap the credit card number of the merchant.


      • #4
        WS-Security is also used in the airline sample app, so you can take a look at that.


        • #5
          How can I use xwss to secure a payload endpoint web service?

          Thanks Arjen

          I read about XWS security, but there are so many things. I only need to know what kind of endpoint I must use and what I can do to secure it with xwss.

          I'm looking forward to a reply from anybody.
          Could you give more detail about them?
          Thanks.


          • #6
            I run my service on Tomcat 6.0.
            This is the full error trace.

            Code:
            org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'wsSecurityInterceptor' defined in ServletContext resource [/WEB-INF/spring-ws-servlet.xml]: Instantiation of bean failed; nested exception is java.lang.NoClassDefFoundError: com/sun/xml/wss/impl/WssSoapFaultException
            	org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:448)
            	org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:251)
            	org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:156)
            	org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:248)
            	org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:160)
            	org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:261)
            	org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:109)
            	org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveManagedList(BeanDefinitionValueResolver.java:281)
            	org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:131)
            	org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1099)
            	org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:861)
            	org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:421)
            	org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:251)
            	org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:156)
            	org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:248)
            	org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:160)
            	org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:287)
            	org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:352)
            	org.springframework.web.servlet.FrameworkServlet.createWebApplicationContext(FrameworkServlet.java:331)
            	org.springframework.web.servlet.FrameworkServlet.initWebApplicationContext(FrameworkServlet.java:265)
            	org.springframework.web.servlet.FrameworkServlet.initServletBean(FrameworkServlet.java:235)
            	org.springframework.web.servlet.HttpServletBean.init(HttpServletBean.java:126)
            	javax.servlet.GenericServlet.init(GenericServlet.java:212)
            	org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
            	org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:263)
            	org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
            	org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584)
            	org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
            	java.lang.Thread.run(Thread.java:619)
            
            
            root cause 
            
            java.lang.NoClassDefFoundError: com/sun/xml/wss/impl/WssSoapFaultException
            	java.lang.Class.getDeclaredConstructors0(Native Method)
            	java.lang.Class.privateGetDeclaredConstructors(Class.java:2389)
            	java.lang.Class.getConstructor0(Class.java:2699)
            	java.lang.Class.getDeclaredConstructor(Class.java:1985)
            	org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:54)
            	org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateBean(AbstractAutowireCapableBeanFactory.java:756)
            	org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:721)
            	org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:384)
            	org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:251)
            	org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:156)
            	org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:248)
            	org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:160)
            	org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:261)
            	org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:109)
            	org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveManagedList(BeanDefinitionValueResolver.java:281)
            	org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:131)
            	org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1099)
            	org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:861)
            	org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:421)
            	org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:251)
            	org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:156)
            	org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:248)
            	org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:160)
            	org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:287)
            	org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:352)
            	org.springframework.web.servlet.FrameworkServlet.createWebApplicationContext(FrameworkServlet.java:331)
            	org.springframework.web.servlet.FrameworkServlet.initWebApplicationContext(FrameworkServlet.java:265)
            	org.springframework.web.servlet.FrameworkServlet.initServletBean(FrameworkServlet.java:235)
            	org.springframework.web.servlet.HttpServletBean.init(HttpServletBean.java:126)
            	javax.servlet.GenericServlet.init(GenericServlet.java:212)
            	org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
            	org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:263)
            	org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
            	org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584)
            	org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
            	java.lang.Thread.run(Thread.java:619)


            • #7
              You require XWSS from SUN to make it work. It's part of the JWSDP, see http://java.sun.com/webservices/down...rvicespack.jsp


              • #8
                Thanks Arjen

                How can I decrypt the response message from a web service that requires encryption?

                Can you tell me the way to create and use a keystore (JKS keystore)?

                If I need to encrypt incoming and outgoing SOAP messages to/from my WS, what kind of I have to use?


                • #9
                  As explained in the reference manual, you create a keystore by using the JDK "keytool" command. There is a link to the keytool help page provided in the reference manual.


                  • #10
                    xwss security elements in SOAP messages

                    Hello all,

                    I have read chapter 7 of the reference manual. It's still not clear to me whether the xwss policy defined on the server side is supposed to show up in the WSDL generated by Spring WS.

                    Any hint would be appreciated.


                    • #11
                      I use xws to secure my service server and client. But when I run the client to call the server, it has a problem: Not found [404]. Here is my server and client config.
                      ---------------------------
                      Server:
                      Code:
                      <!--
                      Copyright 2004 Sun Microsystems, Inc. All rights reserved.
                      SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
                      -->
                      <!--
                       This server side config file pairs with wss-client-config-1.0.xml on the client
                       and supports the following UseCases:
                       Usecase 1: Authentication using Protected UsernameToken
                       Usecase 3: Encrypted UsernameToken and MessageBody
                       Usecase 4: Response Encryption Key Learnt from Incoming Message
                      -->
                      
                      <xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config" 
                                                  dumpMessages="false">
                          <xwss:Timestamp/>
                          <xwss:RequireEncryption>
                              <xwss:Target type="qname">SOAP-BODY</xwss:Target>
                          </xwss:RequireEncryption>
                         
                          <xwss:RequireSignature>
                              <xwss:Target type="qname">SOAP-BODY</xwss:Target>
                          </xwss:RequireSignature>     
                          
                        
                          <xwss:Encrypt>
                              <xwss:X509Token certificateAlias="s1as"/>
                              <xwss:KeyEncryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
                              <xwss:Target type="qname">SOAP-BODY</xwss:Target>
                          </xwss:Encrypt>
                          
                          <xwss:Sign>
                              <xwss:X509Token certificateAlias="s1as"/>
                          </xwss:Sign>
                      </xwss:SecurityConfiguration>
                      and the Client:
                      Code:
                      <!--
                      Copyright 2004 Sun Microsystems, Inc. All rights reserved.
                      SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
                      -->
                      <!--
                       This client side config file pairs with wss-server-config-1.0.xml on the server
                       and supports the following UseCases:
                       Usecase 1: Authentication by Protected UsernameToken
                       Usecase 3: Encrypted UsernameToken and MessageBody
                       Usecase 4: Response Encryption Key Learnt from Incoming Message
                      -->
                      
                      <xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config" 
                                                  dumpMessages="true">                           
                          <xwss:Timestamp/>
                          <xwss:UsernameToken name="epay" password="epay" digestPassword="false" useNonce="true"/>
                          <xwss:RequireEncryption>
                              <xwss:Target type="qname">SOAP-BODY</xwss:Target>
                          </xwss:RequireEncryption>
                          
                           <xwss:Encrypt>
                              <xwss:X509Token certificateAlias="s1as"/>
                              <xwss:KeyEncryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>  
                              <xwss:Target type="qname">SOAP-BODY</xwss:Target>
                          </xwss:Encrypt>
                          
                      
                      </xwss:SecurityConfiguration>
                      --------------------------------
                      On the server I use keystoreCallbackHandler.

                      Here is spring-ws-servlet on server side:
                      Code:
                       
                      <bean id="wsSecurityInterceptor" class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">  
                      	   	<property name="policyConfiguration" value="/WEB-INF/config/wss-server-config.xml" />  
                      	  	<property name="callbackHandlers">  
                      	    	<list>  
                      	 	      	<bean id="passwordValidationHandler"  
                      		        		class="org.springframework.ws.soap.security.xwss.callback.SimplePasswordValidationCallbackHandler">  
                      			        <property name="users">  
                      			        	<props>  
                      			            	<prop key="epay">epay</prop>  
                      			            </props>  
                      			        </property>  
                      		      	</bean>  
                      	 
                      	 			<bean id="keystoreHandler" class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
                      	 				<property name="keyStore" ref="keyStore"></property>
                      	 				<property name="trustStore" ref="trustStore"></property>
                      	 				<property name="symmetricStore" ref="symmetricStore"></property>
                      	 			</bean>	 			
                      	 	   	</list>  
                      	  	</property>  
                      	</bean>
                       	<bean id="keyStore" class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
                      		<property name="location" value="/WEB-INF/config/server-keystore.jks"/>
                      	 	<property name="password" value="changeit"></property>
                      	 	<property name="type" value="jks"></property>
                      	</bean>
                      	<bean id="trustStore" class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
                      		<property name="location" value="/WEB-INF/config/server-truststore.jks"></property>
                      		<property name="password" value="changeit"></property>
                      		<property name="type" value="jks"></property>
                      	</bean>
                      	<bean id="symmetricStore" class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
                      		<property name="location" value="/WEB-INF/config/server-symmkeystore.jceks"></property>
                      		<property name="password" value="changeit"></property>
                      		<property name="type" value="jceks"></property>
                      	</bean>
                      	<bean id="loggingInterceptor" class="org.springframework.ws.server.endpoint.interceptor.PayloadLoggingInterceptor"/>
                      
                      </beans>
                      And the application context on the client side: I use standalone SAAJ, but I use keystoreCallbackHandler as the SecurityEnvironmentHandler, so I use a Spring ApplicationContext to get the keystore handler bean.
                      Here is the code:
                      Code:
                      public static void main(String[] args) throws Exception {
                          // TODO Auto-generated method stub
                          final String PREFIX = "tns";
                          final String NAME_SPACE = "http://www.onlinepayment.org/schemas";

                          //create soap message
                          SOAPMessage msg = MessageFactory.newInstance().createMessage();
                          SOAPBody body = msg.getSOAPBody();
                          SOAPBodyElement requestElement = body.addBodyElement(SOAPFactory.newInstance().createName("loginRequest",PREFIX, NAME_SPACE));

                          SOAPElement username = requestElement.addChildElement(SOAPFactory.newInstance().createElement("username",PREFIX, NAME_SPACE));
                          username.setTextContent("epay");

                          SOAPElement password = requestElement.addChildElement(SOAPFactory.newInstance().createElement("password",PREFIX, NAME_SPACE));
                          password.setTextContent("epay");
                          //--End of message--

                          //load spring application context to get SecurityEnvironmentHandler
                          XWSSProcessorFactory factory = XWSSProcessorFactory.newInstance();

                          ClassPathResource resource = new ClassPathResource("config/applicationContext.xml");
                          BeanFactory beanfact = new XmlBeanFactory(resource);

                          //load security policy configuration file
                          ClassPathResource configrsrc = new ClassPathResource("config/wss-client-config.xml");
                          XWSSProcessor cprocessor = factory.createProcessorForSecurityConfiguration(configrsrc.getInputStream(), (CallbackHandler)beanfact.getBean("callbackHandler"));

                          //create context which hold message
                          ProcessingContext context = new ProcessingContext();
                          context.setSOAPMessage(msg);

                          //secure message
                          SOAPMessage secureMsg = cprocessor.secureOutboundMessage(context);
                          secureMsg.saveChanges();

                          //create connection call the webservice
                          SOAPConnection connection = SOAPConnectionFactory.newInstance().createConnection();

                          //send message to service
                          System.out.println("Sending... ");
                          SOAPMessage reply = connection.call(secureMsg, "http://127.0.0.1:8080/service_server");

                          System.out.println("Done Sending request");
                      ...
                      Finally, it generates a Not Found exception:
                      Code:
                      log4j:WARN No appenders could be found for logger (org.springframework.util.ClassUtils).
                      log4j:WARN Please initialize the log4j system properly.
                      Nov 28, 2007 3:38:25 PM com.sun.xml.wss.impl.filter.DumpFilter process
                      
                      Sending... 
                      Nov 28, 2007 3:38:30 PM com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection post
                      SEVERE: SAAJ0008: Bad Response; Not Found
                      Exception in thread "main" com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: java.security.PrivilegedActionException: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Bad response: (404Not Found
                      	at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection.call(Unknown Source)
                      	at org.epay.call.CallWS.main(CallWS.java:77)
                      Caused by: java.security.PrivilegedActionException: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Bad response: (404Not Found
                      	at java.security.AccessController.doPrivileged(Native Method)
                      	... 2 more
                      Caused by: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Bad response: (404Not Found
                      	at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection.post(Unknown Source)
                      	at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection$PriviledgedPost.run(Unknown Source)
                      	... 3 more
                      
                      CAUSE:
                      
                      java.security.PrivilegedActionException: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Bad response: (404Not Found
                      	at java.security.AccessController.doPrivileged(Native Method)
                      	at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection.call(Unknown Source)
                      	at org.epay.call.CallWS.main(CallWS.java:77)
                      Caused by: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Bad response: (404Not Found
                      	at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection.post(Unknown Source)
                      	at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection$PriviledgedPost.run(Unknown Source)
                      	... 3 more
                      What's the problem?
                      Please help me.
                      Thanks.


                      • #12
                        It looks like your web service request is not being routed to Spring WS's MessageDispatcherServlet, but instead to the default servlet. What does your web.xml look like?


                        • #13
                          Oh no!

                          I use the MessageDispatcher servlet. When I use UsernameToken it's all right. If I use Encrypt or RequireEncryption, it generates that problem.

                          Can you look at the problem and debug it for me?

                          Thank you very much.


                          • #14
                            Originally posted by netvista
                            Hello all,

                            I have read chapter 7 of the reference manual. It's still not clear to me whether the xwss policy defined on the server side is supposed to show up in the WSDL generated by Spring WS.

                            Any hint would be appreciated.
                            Spring-WS doesn't directly support WS-Policy. You can edit the Spring-WS generated WSDL file to add policies.


                            • #15
                              Remember that you can't use PayloadRootQNameEndpointMapping when encrypting the whole SOAP body. You would need to use the SoapAction header or WS-Addressing when doing full body encryption.

                              Use SimpleActionEndpointMapping for WS-Addressing.

                              Use SoapActionMapping for SOAP 1.1 SoapAction header values.

                              These two mappings will have key entries which are supposed to be passed as the WS-Addressing Action element or the SoapAction header, whereas the first one goes by the root element of the request.

                              If you are encrypting the whole body, the root element would be "EncryptedData".

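The routing problem described in #15, as an added example that is not part of the thread or of Spring-WS: it looks up an endpoint by payload root and by SOAPAction for the same request before and after whole-body encryption, since the lookup sees the message as received. The two envelopes, the SOAPAction value, the endpoint name and both lookup tables are constructed for illustration; only JDK classes are used (Java 9+ for `Map.of`).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;

public class EncryptedBodyRouting {
    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    // Namespace taken from the client code posted in the thread.
    static final String APP_NS = "http://www.onlinepayment.org/schemas";
    // Hypothetical SOAPAction value and endpoint name, chosen for this example.
    static final String LOGIN_ACTION = APP_NS + "/login";

    // Constructed sample: the request before XWSS secures it.
    static final String PLAIN =
        "<e:Envelope xmlns:e='" + SOAP_NS + "'><e:Body>"
      + "<tns:loginRequest xmlns:tns='" + APP_NS + "'/>"
      + "</e:Body></e:Envelope>";

    // Constructed sample: the same request after the whole body is encrypted.
    // The cipher value is a placeholder, not real ciphertext.
    static final String ENCRYPTED =
        "<e:Envelope xmlns:e='" + SOAP_NS + "'><e:Body>"
      + "<xenc:EncryptedData xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'>"
      + "<xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>"
      + "</xenc:EncryptedData></e:Body></e:Envelope>";

    // Stand-ins for a payload-root mapping and a SOAPAction mapping.
    static final Map<QName, String> BY_PAYLOAD_ROOT =
        Map.of(new QName(APP_NS, "loginRequest"), "loginEndpoint");
    static final Map<String, String> BY_SOAP_ACTION =
        Map.of(LOGIN_ACTION, "loginEndpoint");

    // Returns the qualified name of the first element inside soap:Body, or null if the body is empty.
    static QName payloadRoot(String envelope) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Reject DOCTYPE declarations so untrusted input cannot trigger entity expansion.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document d = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(envelope.getBytes(StandardCharsets.UTF_8)));
        Node body = d.getElementsByTagNameNS(SOAP_NS, "Body").item(0);
        if (body == null) {
            throw new IllegalArgumentException("no SOAP 1.1 Body element");
        }
        for (Node n = body.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE) {
                return new QName(n.getNamespaceURI(), n.getLocalName());
            }
        }
        return null;
    }

    // Lookup keyed on what is inside the body: breaks once the body is ciphertext.
    static String routeByPayloadRoot(String envelope) throws Exception {
        QName root = payloadRoot(envelope);
        return root == null ? null : BY_PAYLOAD_ROOT.get(root);
    }

    // Lookup keyed on the SOAPAction transport header: independent of the body content.
    static String routeBySoapAction(String soapAction) {
        return soapAction == null ? null : BY_SOAP_ACTION.get(soapAction);
    }

    public static void main(String[] args) throws Exception {
        for (String[] c : new String[][] {{"plain", PLAIN}, {"encrypted", ENCRYPTED}}) {
            System.out.println(c[0] + " body, payload root : " + payloadRoot(c[1]));
            System.out.println(c[0] + " body, by root      : " + routeByPayloadRoot(c[1]));
            System.out.println(c[0] + " body, by SOAPAction: " + routeBySoapAction(LOGIN_ACTION));
        }
    }
}
```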