Announcement Announcement Module
Collapse
No announcement yet.
Web Service Authentication with Spring-WS & JAX-WS Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Web Service Authentication with Spring-WS & JAX-WS

    I've been given the task to refactor some code on a project I'm working on and part of that was to remove jboss web service authentication and replace it with spring-ws authentication. Currently I'm trying to setup endpoint mapping in an application to intercept requests with XwsSecurityInterceptor to ensure a username token is given in the SOAP header. My XML config is shown below:

    spring-web-services.xml
    Code:
    <bean id="endpointMapping"
        class="org.springframework.ws.server.endpoint.mapping.PayloadRootQNameEndpointMapping">
      <property name="mappings">
        <props>
          <prop key="{http://my.domain.co.uk/}MyService">MyEndpoint</prop>
        </props>
      </property>
      <property name="interceptors">
        <list>
          <bean class="org.springframework.ws.server.endpoint.interceptor.PayloadLoggingInterceptor"/>
          <ref local="wsSecurityInterceptor"/>
        </list>
      </property>
    </bean>
    
    <bean id="wsSecurityInterceptor"
        class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
      <property name="policyConfiguration" value="classpath:securityPolicy.xml"/>
      <property name="callbackHandler">
        <bean class="org.springframework.ws.soap.security.xwss.callback.SpringDigestPasswordValidationCallbackHandler">
          <property name="userDetailsService" ref="securityManager"/>
        </bean>
      </property>
    </bean>
    
    <bean id="myEndpoint" scope="prototype" class="com.my.company.webservices.MyEndpoint">
      <property ref="myServiceTarget" name="myServiceTarget"/>
    </bean>
      
    <wss:binding url="/myService">
        <wss:service>
            <ws:service bean="#myEndpoint" />
        </wss:service>
    </wss:binding>

    securityPolicy.xml
    Code:
    <xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
      <xwss:RequireUsernameToken passwordDigestRequired="true" nonceRequired="true" />
    </xwss:SecurityConfiguration>

    web.xml
    Code:
    <listener>
      <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    
    <servlet>
      <servlet-name>jaxws-servlet</servlet-name>
      <servlet-class>com.sun.xml.ws.transport.http.servlet.WSSpringServlet</servlet-class>
    </servlet>
    
    <servlet-mapping>
      <servlet-name>jaxws-servlet</servlet-name>
      <url-pattern>/myService</url-pattern>
    </servlet-mapping>

    I assume the mapping is not working correctly their is no indication wsSecurityInterceptor is being called at all so I added the PayloadLoggingInterceptor but nothing is logged in the Jboss console when I make a request using SOAP UI.

    Is their something I'm missing or a error with my configuration, I'm new to both Spring and web services in general so if theirs anything else I need to help to diagnose the problem let me know.

    Ollie.

  • #2
    Also the bean securityManager is an instance of a class implementing UserDetailsService which has been tested and works, I've not modified it as part if the refactor.

    Comment


    • #3
      After further reading through documentation I've noticed I need to use a servlet that automatically detects EndpointMappings, WSSpringServlet does not. Here in the Sping documentation MessageDispatcherServlet is used, however I need to use WSSpringServlet to plug JAX-WS into Spring. From searching online I can't find way to use both JAX-WS and Spring-WS security together, any ideas? I'd rather not rip out all the JAX-WS stuff.
      Last edited by ollie.petch; Jan 20th, 2010, 12:16 PM.

      Comment


      • #4
        How interesting... I'm planning to do the same thing, that is drop JBoss (EJB) for Spring-WS+WebMVC.

        Anyway, can't you just use both servlets? I'm sure I've seen this on the JAX-WS Commons site somewhere. I don't think WSSpringServlet is meant to be a replacement for Spring's DispatcherServlet, rather if provides Spring with JAX-WS support.

        Have a read of this and the following couple of chapters and see how it goes trying both servlets.

        Do you see the console output of Spring starting up?

        Also watch out for endpoint collision - once you get this working, it seems like you have two webservices trying to handle calls to '/myService'.

        Pls post back as I'll want to know how it's done.

        Cheers

        Comment

        Working...
        X