[ 
https://issues.apache.org/jira/browse/GERONIMO-4642?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12731544#action_12731544
 ] 

Jarek Gawor commented on GERONIMO-4642:
---------------------------------------

Rahul,

I modified your patch for web service clients and made it a bit more generic. 
Instead of specifying a <usertoken> element, the user can specify any number of 
arbitrary properties that will be set on the port using a <property> element. 
That way we can configure any type of properties, for ws-security or not.
To configure ws-security properties specifically, the user will need to prefix 
each property with "wss4j.in." (for inbound settings) or "wss4j.out." (for 
outbound settings). For example:
{code}
<property name="wss4j.out.action">UsernameToken Timestamp</property>
<property name="wss4j.out.user">foo</property>
<property name="wss4j.out.password">bar</property>
{code}

These changes were committed to trunk (revision 794318). Thanks for the patch!


> "WS-Security support for JAX-WS Web Services"
> ---------------------------------------------
>
>                 Key: GERONIMO-4642
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4642
>             Project: Geronimo
>          Issue Type: New Feature
>      Security Level: public(Regular issues) 
>          Components: webservices
>         Environment: Apache Geronimo, Apache CXF, Apache Axis2, Ws-Security, 
> Web Services, Java, Linux
>            Reporter: Rahul Mehta
>            Priority: Minor
>         Attachments: site.patch, usernameToken.patch, usernameToken[2].patch
>
>   Original Estimate: 2016h
>  Remaining Estimate: 2016h
>
> To integrate and enable the WS-Security features of Apache Axis2 and Apache 
> CXF in Apache Geronimo:
> ----------------------------------------------------------------------------------------------------------------------------------------------
> Apache Geronimo supports two JAX-WS providers: Axis2 and CXF and both of 
> these libraries have some WS-Security features. But these features are not 
> integrated/enabled in Geronimo. So the goal is to enable these features from 
> within Geronimo. That involves basically two things:
> 1) that the modules (i.e. WSS4J) that provide the WS-Security features for 
> Axis2 and CXF are installed with Geronimo, and
> 2) that the WS-Security features such as [XML Security ('XML Signature' - 
> allows one to send along with the message a digital signature of it, which 
> assures that no one modified the message content between the sender and 
> receiver, 'XML Encryption' - allows one to encrypt the message body or only 
> its part using the given cryptography algorithm) and Tokens ('Username 
> Tokens' - WS-Security scenario adds username and password values to the 
> message header, 'Timestamps' - Timestamps specify how long the security data 
> remains valid, 'SAML Tokens')] can be enabled and configured on web services 
> via Geronimo deployment descriptors and/or annotations. For example, given 
> some web service that is annotated with @WebService; so to ensure that the 
> service only accepts WS-Security-secured messages, it should be something 
> like "to add @WS-Security annotation".
> Further in detail, we can consider WS-Security policies which can be applied 
> to the SOAP messages that pass between web services and web service controls. 
> A WS-Security is controlled in WS-Security policy files. The WS-Security 
> policy file (WSSE file) defines the security policy applied to the SOAP 
> messages that pass between web services and their clients.[1]
> So we can use something like the following annotation @WS-Security 
> file="MyWebServicePolicy.wsse" Example: @WebService @WS-Security 
> file="MyWebServicePolicy.wsse"
> public class xyz
> The @WS-Security annotation determines the WS-Security policy file (WSSE) to 
> be applied to (1) incoming SOAP invocations of the web service's methods and 
> (2) the outgoing SOAP messages containing the value returned by the web 
> service's methods.[1]. The attribute file in the above mentioned annotation 
> specifies the path to the WS-Security policy file (WSSE file - 
> MyWebServicePolicy.wsse) used by the web service.
> Besides configuring WS-Security properties for web services we also need to 
> configure the same sort of properties for Web Service references 
> (@WebServiceRef) so that clients can also make WS-Security secured calls.
> In addition, I think we can also define some security feature something like 
> SecurityFeature similar to other WebService Feature(s) such as 
> AddressingFeature, MTOMFeature and RespectBindingFeature. This new feature 
> can also have the "enabled property" like other features that is used to 
> store whether a particular feature should be enabled or disabled. This type 
> should provide either a constructor argument and/or a method that will allow 
> the web service developer to set the enabled property. The meaning of enabled 
> or disabled is determined by each individual WebServiceFeature. It is 
> important that web services developers be able to enable/disable specific 
> features when writing their web applications. [2] 
> References:
> [1] [WWW] http://e-docs.bea.com/workshop/docs81/doc/en/core/index.html
> [2] [WWW] http://jcp.org/aboutJava/communityprocess/mrel/jsr224/index2.html 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
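
Added example, not Geronimo's code or the committed patch: a small Java check that sorts <property> entries by the "wss4j.in." / "wss4j.out." prefixes described in the comment above and reviews the resulting WS-Security settings. The <port> wrapper, the example.timeout property, the class name and the two review rules are assumptions made for illustration.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class PortPropertyReview {
    static final String IN = "wss4j.in.", OUT = "wss4j.out.";
    // Sorts each <property> into "in", "out" or "port" by its name prefix,
    // stripping the prefix from the WS-Security keys.
    static Map<String, Map<String, String>> split(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Descriptors may come from untrusted archives: refuse DOCTYPEs (XXE).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList props = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)))
                .getElementsByTagName("property");
        Map<String, Map<String, String>> r = new LinkedHashMap<>();
        for (String k : List.of("in", "out", "port")) r.put(k, new LinkedHashMap<>());
        for (int i = 0; i < props.getLength(); i++) {
            Element e = (Element) props.item(i);
            String name = e.getAttribute("name"), value = e.getTextContent().trim();
            if (name.startsWith(IN)) r.get("in").put(name.substring(IN.length()), value);
            else if (name.startsWith(OUT)) r.get("out").put(name.substring(OUT.length()), value);
            else r.get("port").put(name, value);
        }
        return r;
    }
    // Review findings for one direction's WS-Security settings (hypothetical rules).
    static List<String> review(String dir, Map<String, String> cfg) {
        List<String> findings = new ArrayList<>();
        if (cfg.containsKey("password"))
            findings.add(dir + ": password is stored in clear text in the descriptor");
        List<String> actions = Arrays.asList(cfg.getOrDefault("action", "").trim().split("\\s+"));
        if (actions.contains("UsernameToken") && !actions.contains("Timestamp"))
            findings.add(dir + ": UsernameToken has no Timestamp bounding its validity");
        return findings;
    }
    public static void main(String[] args) throws Exception {
        // Constructed input: the three properties from the comment plus one made-up
        // non-WS-Security property, wrapped in a hypothetical <port> root element.
        String xml = "<port>"
                + "<property name=\"wss4j.out.action\">UsernameToken Timestamp</property>"
                + "<property name=\"wss4j.out.user\">foo</property>"
                + "<property name=\"wss4j.out.password\">bar</property>"
                + "<property name=\"example.timeout\">30</property></port>";
        Map<String, Map<String, String>> r = split(xml);
        System.out.println(r + "\n" + review("out", r.get("out")));
    }
}
```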
