Not yet, although I'd be interested in working on this some more. I just
wanted to get a feel for whether this is something we could include in
OpenEJB, as I'd find it pretty useful for testing some webservice work I've
done. If people feel it would be useful I'm happy to do some more work on
adding more authentication schemes.

Cheers

Jon

On Sat, Feb 28, 2009 at 8:59 PM, Daniel S. Haischt <
[email protected]> wrote:

> Just out of curiosity - Did you try to use a password digest/hash
> instead? Using a nonce might be interesting as well (nonce is an
> effective countermeasure against replay attacks). If you use SoapUI as
> a WS client you could easily generate most of these WSS header
> elements for testing purposes.
>
> Cheers
> Daniel
>
> On Sat, Feb 28, 2009 at 9:51 PM, Jonathan Gallimore
> <[email protected]> wrote:
> > Yep. Here's the soap request captured by tcpmon:
> >
> > POST /CalculatorImpl HTTP/1.1
> > Content-Type: text/xml; charset=UTF-8
> > SOAPAction: ""
> > Accept: *
> > Cache-Control: no-cache
> > Pragma: no-cache
> > User-Agent: Java/1.6.0_11
> > Host: 127.0.0.1:42040
> > Connection: keep-alive
> > Transfer-Encoding: chunked
> >
> > 2ce
> > <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> > <soap:Header>
> > <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> > soap:mustUnderstand="1"><wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> > wsu:Id="UsernameToken-47889642"><wsse:Username>jane</wsse:Username><wsse:Password
> > Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">waterfall</wsse:Password></wsse:UsernameToken></wsse:Security></soap:Header><soap:Body><ns1:sum
> > xmlns:ns1="http://superbiz.org/wsdl"><arg0>4</arg0><arg1>6</arg1></ns1:sum></soap:Body></soap:Envelope>
> >
> > Jon
> >
> > On Sat, Feb 28, 2009 at 6:42 PM, Daniel S. Haischt <
> > [email protected]> wrote:
> >
> >> Are you using the username token profile ?
> >>
> >> On Sat, Feb 28, 2009 at 7:31 PM, Jonathan Gallimore
> >> <[email protected]> wrote:
> >> > I spent a bit more time looking at this - and added a bit more code. I
> >> > noticed that the Jaxb tree for openejb-jar.xml has some webservice security
> >> > attributes that we aren't using, but I think Geronimo is. I've added support
> >> > that does simple username/password authentication using basic http
> >> > mechanism, and an interceptor to do username/password auth using WS-Security
> >> > headers.
> >> >
> >> > I've uploaded a patch to
> >> > http://people.apache.org/~jgallimore/webservices.diff. I'd be grateful for
> >> > anyone's thoughts. It's pretty basic at the moment, but I think it would
> >> > be nice if this could go into OpenEJB - if others agree, I'd like to open a
> >> > JIRA and do some more work on it.
> >> >
> >> > I've copied this to the dev@ list too in case anyone who might be
> >> interested
> >> > missed it, hope that's ok.
> >> >
> >> > Cheers
> >> >
> >> > Jon
> >> >
> >> > On Fri, Feb 20, 2009 at 1:06 PM, Jonathan Gallimore <
> >> > [email protected]> wrote:
> >> >
> >> >> Hi Jean-Louis,
> >> >>
> >> >> Many thanks for your detailed reply and the link to the article. I'll be
> >> >> having a good look at this over the weekend. I had initially thought just
> >> >> applying basic auth was all there was to it, which is probably a bit naive
> >> >> of me!
> >> >>
> >> >> I think it would be worthwhile working out whether there are some samples
> >> >> (and maybe some enhancements) we could add to OpenEJB in this regard -
> >> >> I'm sure others would find it useful too.
> >> >>
> >> >> Cheers,
> >> >> Jon
> >> >>
> >> >>
> >> >> On Fri, Feb 20, 2009 at 8:49 AM, Jean-Louis MONTEIRO <
> >> >> [email protected]> wrote:
> >> >>
> >> >>>
> >> >>> Jonathan,
> >> >>>
> >> >>> Here are some inputs.
> >> >>>
> >> >>>
> >> >>> Jonathan Gallimore-2 wrote:
> >> >>> >
> >> >>> > Obviously I think it would be great if the standalone and embedded servers
> >> >>> > which use their own HTTP listener could accept credentials via basic
> >> >>> > authentication, meanwhile Tomcat could do the authentication for us based
> >> >>> > on however it's been configured (currently it looks like a new
> >> >>> > StandardContext is created for each webservice, and there is code to set up
> >> >>> > authentication, but WsService.authMethod was always null when I debugged it,
> >> >>> > causing no authentication to be applied, and I couldn't see how it could be
> >> >>> > set otherwise), and the user and role principals could be passed through
> >> >>> > from Tomcat to the relevant EJB container.
> >> >>> >
> >> >>> Definitively! (nice to have ;-)).
> >> >>> Doing basic authentication (without ws-security) seems to be possible using
> >> >>> JAX-WS handlers.
> >> >>>
> >> >>>
> >> >>> Jonathan Gallimore-2 wrote:
> >> >>> >
> >> >>> > To give a bit more background on how this has come about - my colleague
> >> >>> > at work has been working on some functionality as an EJB, and felt it
> >> >>> > would be nice to have it available as a webservice - and adding the
> >> >>> > @WebService annotation to the EJB seemed to be a nice idea, rather than
> >> >>> > creating a webservice as a separate class that just delegates through to
> >> >>> > the EJB as you describe -
> >> >>> >
> >> >>> I was probably not so clear.
> >> >>> It seems to me, from an architecture point of view, it's better to use web
> >> >>> services as facades. They are personal concerns you know ;-)
> >> >>> Never mind, I had in mind an EJB Web Service (@stateless + @webservice)
> >> >>> which delegates to other business EJB and it works fine with OpenEJB for
> >> >>> simple cases.
> >> >>>
> >> >>>
> >> >>> Jonathan Gallimore-2 wrote:
> >> >>> >
> >> >>> > and we hoped the container would handle the authentication for
> >> >>> > us. When configured correctly, JBoss (4.2.2.GA) does seem to do this for
> >> >>> > us, however OpenEJB doesn't at the moment - I don't actually know if this
> >> >>> > is even supposed to work (or even whether it's part of any of the JEE
> >> >>> > spec - I'll have to read up!).
> >> >>> >
> >> >>> I can't help you on this topic (not read this part of the spec).
> >> >>> If you have 10 minutes, here is an interesting article
> >> >>>
> >> >>> http://www.javaworld.com/javaworld/jw-02-2007/jw-02-handler.html?page=1
> >> >>>
> >> >>>
> >> >>> Jonathan Gallimore-2 wrote:
> >> >>> >
> >> >>> > I think I should probably have a look at WS-Security - I'd be very
> >> >>> > interested in seeing a sample using OpenEJB/JAX-WS/WS-Security if you're
> >> >>> > putting one together.
> >> >>> >
> >> >>>
> >> >>> OK, I've done some tests since yesterday morning. But, the way OpenEJB
> >> >>> publishes EJB as web services does not allow configuring ws-security.
> >> >>>
> >> >>> When using CXF + WS-Security, it's quite simple: add a WSS4J InInterceptor
> >> >>> and a WSS4J OutInterceptor giving them a set of properties. Interceptors can
> >> >>> be configured using either a Spring application context or CXF annotations
> >> >>> (@InInterceptors @OutInterceptor).
> >> >>>
> >> >>> From a JAX-WS point of view we only have handlers (soap handlers and logical
> >> >>> handlers) so I have to spend some more time to look if we can manage
> >> >>> WS-Security using handlers.
> >> >>>
> >> >>> More coming soon ;-)
> >> >>>
> >> >>> Kind regards,
> >> >>> Jean-Louis
> >> >>>
> >> >>>
> >> >>>
> >> >>>
> >> >>> --
> >> >>> View this message in context:
> >> >>> http://www.nabble.com/Securing-a-webservice-tp22089576p22116953.html
> >> >>> Sent from the OpenEJB User mailing list archive at Nabble.com.
> >> >>>
> >> >>>
> >> >>
> >> >
> >>
> >
>
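
Daniel's suggestion above (a password digest instead of the plaintext PasswordText seen in the captured request, plus a nonce against replay) worked through as an added example that is not part of this thread or of OpenEJB: the UsernameToken profile 1.0 PasswordDigest is Base64(SHA-1(nonce + created + password)); the client computes it and the server recomputes it from its own copy of the password, refusing tokens whose Created timestamp is outside a freshness window or whose nonce it has already accepted. The user table, the five-minute window and the class and function names are assumptions for the demo, not anything from the patch under discussion.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

USERS = {"jane": "waterfall"}  # constructed user table; matches the captured request
ISO = "%Y-%m-%dT%H:%M:%SZ"     # wsu:Created is an xsd:dateTime in UTC


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken profile 1.0: Base64(SHA-1(nonce + created + password))."""
    h = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(h).decode("ascii")


def make_token(username: str, password: str, now: datetime) -> dict:
    """Client side: the wsse:UsernameToken fields a WSS client would emit."""
    nonce, created = os.urandom(16), now.strftime(ISO)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created, "Password": password_digest(nonce, created, password)}


class UsernameTokenVerifier:
    """Server side (hypothetical handler logic): recompute the digest and
    refuse tokens that are stale or whose nonce has already been accepted."""

    def __init__(self, users: dict, window: timedelta = timedelta(minutes=5)):
        self.users, self.window = users, window
        self.seen = {}  # (username, nonce) -> Created; pruned once outside the window

    def verify(self, token: dict, now: datetime) -> bool:
        password = self.users.get(token.get("Username"))
        if password is None:
            return False
        try:
            created = datetime.strptime(token["Created"], ISO).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, TypeError, ValueError):
            return False
        if abs(now - created) > self.window:   # stale: an old capture is refused even if unseen
            return False
        self.seen = {k: t for k, t in self.seen.items() if abs(now - t) <= self.window}
        key = (token["Username"], token["Nonce"])
        if key in self.seen:                   # replay: nonce already accepted in the window
            return False
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected.encode(), str(token.get("Password", "")).encode()):
            return False
        self.seen[key] = created
        return True
```

The digest alone does not stop a captured token from being resent; the Created window and the nonce cache are what make a replayed UsernameToken fail.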
