WSS4J - binary security token example

Any help - sample code....?

#2
If you are talking about certificate token authentication using wss4j, the support does not yet exist. (see this post: http://forum.springframework.org/showthread.php?t=53675)

I am working on the same problem, please post if you find a solution.

#3
It's the same thing I am talking about. Is that a bug in Spring WS? I believe WSS4J supports binary (certificate) token and token reference based security, i.e. both....

I do not see a binary token in the web service message but just see a binary token reference...

Is there any way to add the token itself? Do we need to create a new JIRA issue for this one?

#4
Since spring-ws doesn't officially support Certificate Authentication with wss4j at this point (it DOES support it using xwss) it's technically not a bug but a feature request. I would definitely vote for the request though.

Looking through the wss4j forums I saw a post that said the x.509 token profile usage is demonstrated in the "interop" sample application which is shipped with the binary distribution of wss4j 1.5.*. Hope this helps.

#5
I'll definitely look into it. Thanks for the info.

#6
Any update on this one?

#7
As I understand it now, the wss4j "Signature" securement/validation action does BOTH signature validation AND x.509 token authentication (aka x.509 token profile). This makes sense because in order to validate the signature the server has to validate the x.509 certificate which was used to create the signature. For an example showing plain wss4j configuration for x.509 token profile configuration, look at this post.

I also found that if I set the securementSignatureKeyIdentifier to DirectReference on my Wss4jSecurityInterceptor bean I do get a wsse:BinarySecurityToken security header in the produced soap message. Here is my client config:

Code:
    <bean id="wsDigSignSecurityInterceptor"
        class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">

        <property name="securementActions" value="Signature" />
        <property name="securementUsername" value="alias" />
        <property name="securementPassword" value="keypass" />
        <property name="securementSignatureCrypto">
            <bean
                class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
                <property name="keyStorePassword" value="storepass" />
                <property name="keyStoreLocation"
                    value="classpath:/keystore.jks" />
            </bean>
        </property>
        <property name="securementSignatureKeyIdentifier" value="DirectReference"/>
    </bean>

Server config:
Code:
    <bean id="wsDigSignSecurityInterceptor"
        class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">

        <property name="validationActions" value="Signature" />
        <property name="validationSignatureCrypto">
            <bean
                class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
                <property name="keyStorePassword" value="storepass" />
                <property name="keyStoreLocation" value="classpath:/keystore.jks" />
            </bean>
        </property>
    </bean>

Please correct me if my assumptions are wrong.
Thanks,
Paul

#8
For your entertainment and education, I've created http://jira.springframework.org/browse/SWS-356, which you can track.

#9
I'm confused. I thought this was already working as of 1.5, at least on the client side. This is my config - pretty much the same as pdotsenko's - and it's working great for me. I'm getting a BinarySecurityToken and everything.

Code:
    <bean id="loginServiceTemplate" class="org.springframework.ws.client.core.WebServiceTemplate">
      <constructor-arg ref="messageFactory"/>
      <property name="messageSender" ref="messageSender" />
      <property name="defaultUri" value="https://foo.com/bar/Login" />
      <property name="interceptors">
        <list>
          <ref bean="securityInterceptor" />
        </list>
      </property>
    </bean>

    <!-- ClientInterceptor that signs an outgoing message with our X509 certificate. -->
    <bean id="securityInterceptor"
      class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
      <property name="securementActions" value="Signature" />
      <property name="securementUsername" value="12345e2c56614e11240fe67890b5bdf0_abcdeffd-e775-4a98-825c-a92a12345678" />
      <property name="securementPassword" value="secret" />
      <property name="securementSignatureCrypto">
        <bean
          class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
          <property name="keyStorePassword" value="password" />
          <property name="keyStoreLocation" value="classpath:/ACES.p12" />
          <property name="keyStoreType" value="pkcs12" />
          <property name="defaultX509Alias"
            value="12345e2c56614e11240fe67890b5bdf0_abcdeffd-e775-4a98-825c-a92a12345678" />
        </bean>
      </property>
      <property name="securementSignatureKeyIdentifier" value="DirectReference" />
      <!-- Sign the body and a custom header element called FooBar -->
      <property name="securementSignatureParts"
        value="{}{http://foo.com/bar/baz.xsd}FooBar;{}{http://schemas.xmlsoap.org/soap/envelope/}Body" />
    </bean>

    <bean id="messageFactory"
      class="org.springframework.ws.soap.axiom.AxiomSoapMessageFactory">
      <property name="payloadCaching" value="true" />
    </bean>

    <bean id="messageSender"
      class="org.springframework.ws.transport.http.CommonsHttpMessageSender">
    </bean>

Again, this is for a WebServiceTemplate used for outgoing client requests.

I must be misunderstanding what you all are asking for, but I figured I'd post just in case this is helpful.


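Added here as a worked check, not code from the thread or from Spring-WS: given the SOAP message the client interceptor produces, it reports whether the signature's SecurityTokenReference is a DirectReference that resolves to a wsse:BinarySecurityToken in the same Security header (the behaviour #7 and #9 get with securementSignatureKeyIdentifier=DirectReference), as opposed to a bare KeyIdentifier or IssuerSerial reference with no embedded certificate (the situation #3 describes). The sample envelopes are constructed; certificate bytes and key identifier values are dummies.

```python
# Inspect a WS-Security signed SOAP envelope and classify how the signing
# certificate is referenced, so a server-side config can be checked against it.
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]  # Clark-notation attribute name for wsu:Id


def token_reference_status(envelope_xml):
    """Return (reference_kind, token_embedded) for the first Signature in wsse:Security."""
    root = ET.fromstring(envelope_xml)
    security = root.find("soapenv:Header/wsse:Security", NS)
    if security is None:
        return ("no-security-header", False)
    # Index every BinarySecurityToken carried in the header by its wsu:Id.
    tokens = {t.get(WSU_ID): t for t in security.findall("wsse:BinarySecurityToken", NS)}
    st_ref = security.find("ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference", NS)
    if st_ref is None:
        return ("no-token-reference", False)
    ref = st_ref.find("wsse:Reference", NS)
    if ref is not None:  # DirectReference: URI="#id" must point at an embedded token
        uri = ref.get("URI", "")
        return ("DirectReference", uri.startswith("#") and uri[1:] in tokens)
    if st_ref.find("wsse:KeyIdentifier", NS) is not None:
        return ("KeyIdentifier", False)  # only a thumbprint/SKI, no certificate in message
    if st_ref.find("ds:X509Data", NS) is not None:
        return ("IssuerSerial", False)
    return ("unknown", False)


def sample_envelope(direct):
    """Constructed minimal signed envelope; DirectReference form when direct=True."""
    token = ('<wsse:BinarySecurityToken wsu:Id="CertId-1">MIIB...dummy</wsse:BinarySecurityToken>'
             if direct else "")
    ref = ('<wsse:Reference URI="#CertId-1"/>' if direct
           else '<wsse:KeyIdentifier>dummy-ski</wsse:KeyIdentifier>')
    return (f'<soapenv:Envelope xmlns:soapenv="{NS["soapenv"]}" xmlns:wsse="{NS["wsse"]}" '
            f'xmlns:wsu="{NS["wsu"]}" xmlns:ds="{NS["ds"]}"><soapenv:Header><wsse:Security>'
            f'{token}<ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference>{ref}'
            '</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security>'
            '</soapenv:Header><soapenv:Body wsu:Id="id-1"/></soapenv:Envelope>')


if __name__ == "__main__":
    print(token_reference_status(sample_envelope(True)))   # ('DirectReference', True)
    print(token_reference_status(sample_envelope(False)))  # ('KeyIdentifier', False)
```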
#10
barsimp47 - thanks for the post. I agree that x.509 token profile is indeed supported by spring-ws using wss4j since 1.5, it just wasn't obvious to me (and at least a few others) earlier. It is working for me as well.

Arjen, perhaps the JIRA task you created could be repurposed to request a short reference doc section like "Certificate Authentication" for Wss4jSecurityInterceptor, I think it would help other users.

Thanks,
Paul

#11
Hey, what do you know? Seems like this is fixed before we started any work on it! If only all issues were this easy.

I will update the JIRA issue to reflect the requirement for documentation on this.

#12
I was missing "securementSignatureKeyIdentifier" with the proper value..... It would be better if we updated the documentation.
