I've just committed this. It's worked in all my tests for embedded, standalone and Tomcat. Please shout if there's any problems.

Jon

On Tue, Mar 3, 2009 at 1:34 AM, David Blevins <[email protected]> wrote:

> On Feb 28, 2009, at 1:17 PM, Daniel S. Haischt wrote:
>
>> I think it's useful :)
>
> I agree. Very cool.
>
> -David
>
>> I was mainly interested in this mail thread cause I worked with the
>> various WSS standards recently at work including their implementation
>> as it is represented by the IBM WebSphere JAX-WS runtime. AFAIK early
>> JAX-RPC implementations of WebSphere were not able to consume a
>> password digest - only plain text was supported.
>>
>> WS policy sets is another interesting topic...
>>
>> Regards
>> Daniel
>>
>> On Sat, Feb 28, 2009 at 10:06 PM, Jonathan Gallimore <[email protected]> wrote:
>>
>>> Not yet, although I'd be interested in working on this some more. I just
>>> wanted to get a feel of whether this is something we could include in
>>> OpenEJB, as I'd find it pretty useful for testing some webservice work I've
>>> done. If people feel it would be useful I'm happy to do some more work on
>>> adding more authentication schemes.
>>>
>>> Cheers
>>>
>>> Jon
>>>
>>> On Sat, Feb 28, 2009 at 8:59 PM, Daniel S. Haischt <[email protected]> wrote:
>>>
>>>> Just out of curiosity - Did you try to use a password digest/hash
>>>> instead? Using a nonce might be interesting as well (nonce is an
>>>> effective countermeasure against replay attacks). If you use SoapUI as
>>>> a WS client you could easily generate most of these WSS header
>>>> elements for testing purposes.
>>>>
>>>> Cheers
>>>> Daniel
>>>>
>>>> On Sat, Feb 28, 2009 at 9:51 PM, Jonathan Gallimore <[email protected]> wrote:
>>>>
>>>>> Yep. Here's the soap request captured by tcpmon:
>>>>>
>>>>> POST /CalculatorImpl HTTP/1.1
>>>>> Content-Type: text/xml; charset=UTF-8
>>>>> SOAPAction: ""
>>>>> Accept: *
>>>>> Cache-Control: no-cache
>>>>> Pragma: no-cache
>>>>> User-Agent: Java/1.6.0_11
>>>>> Host: 127.0.0.1:42040
>>>>> Connection: keep-alive
>>>>> Transfer-Encoding: chunked
>>>>>
>>>>> 2ce
>>>>> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>>>>> <soap:Header>
>>>>> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
>>>>> <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-47889642">
>>>>> <wsse:Username>jane</wsse:Username>
>>>>> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">waterfall</wsse:Password>
>>>>> </wsse:UsernameToken></wsse:Security></soap:Header>
>>>>> <soap:Body><ns1:sum xmlns:ns1="http://superbiz.org/wsdl"><arg0>4</arg0><arg1>6</arg1></ns1:sum></soap:Body></soap:Envelope>
>>>>>
>>>>> Jon
>>>>>
>>>>> On Sat, Feb 28, 2009 at 6:42 PM, Daniel S. Haischt <[email protected]> wrote:
>>>>>
>>>>>> Are you using the username token profile ?
>>>>>>
>>>>>> On Sat, Feb 28, 2009 at 7:31 PM, Jonathan Gallimore <[email protected]> wrote:
>>>>>>
>>>>>>> I spent a bit more time looking at this - and added a bit more code. I
>>>>>>> noticed that the Jaxb tree for openejb-jar.xml has some webservice
>>>>>>> security attributes that we aren't using, but I think Geronimo is. I've
>>>>>>> added support that does simple username/password authentication using
>>>>>>> basic http mechanism, and an interceptor to do username/password auth
>>>>>>> using WS-Security headers.
>>>>>>>
>>>>>>> I've uploaded a patch to
>>>>>>> http://people.apache.org/~jgallimore/webservices.diff. I'd be grateful
>>>>>>> for anyone's thoughts. It's pretty basic at the moment, but I think it
>>>>>>> would be nice if this could go into OpenEJB - if others agree, I'd like
>>>>>>> to open a JIRA and do some more work on it.
>>>>>>>
>>>>>>> I've copied this to the dev@ list too in case anyone who might be
>>>>>>> interested missed it, hope that's ok.
>>>>>>>
>>>>>>> Cheers
>>>>>>>
>>>>>>> Jon
>>>>>>>
>>>>>>> On Fri, Feb 20, 2009 at 1:06 PM, Jonathan Gallimore <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Jean-Louis,
>>>>>>>>
>>>>>>>> Many thanks for your detailed reply and the link to the article. I'll
>>>>>>>> be having a good look at this over the weekend. I had initially
>>>>>>>> thought just applying basic auth was all there was to it, which is
>>>>>>>> probably a bit naive of me!
>>>>>>>>
>>>>>>>> I think it would be worthwhile working out whether there's some
>>>>>>>> samples (and maybe some enhancements) we could add to OpenEJB in this
>>>>>>>> regard - I'm sure others would find it useful too.
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Jon
>>>>>>>>
>>>>>>>> On Fri, Feb 20, 2009 at 8:49 AM, Jean-Louis MONTEIRO <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Jonathan,
>>>>>>>>>
>>>>>>>>> Here are some inputs.
>>>>>>>>>
>>>>>>>>> Jonathan Gallimore-2 wrote:
>>>>>>>>>
>>>>>>>>>> Obviously I think it would be great if the standalone and embedded
>>>>>>>>>> servers which use their own HTTP listener could accept credentials
>>>>>>>>>> via basic authentication, meanwhile Tomcat could do the
>>>>>>>>>> authentication for us based on however it's been configured
>>>>>>>>>> (currently it looks like a new StandardContext is created for each
>>>>>>>>>> webservice, and there is code to setup authentication, but
>>>>>>>>>> WsService.authMethod was always null when I debugged it, causing no
>>>>>>>>>> authentication to be applied, and I couldn't see how it could be set
>>>>>>>>>> otherwise), and the user and role principals could be passed through
>>>>>>>>>> from Tomcat to the relevant EJB container.
>>>>>>>>>
>>>>>>>>> Definitively! (nice to have ;-)).
>>>>>>>>> Doing basic authentication (without ws-security) seems to be possible
>>>>>>>>> using JAX-WS handlers.
>>>>>>>>>
>>>>>>>>> Jonathan Gallimore-2 wrote:
>>>>>>>>>
>>>>>>>>>> To give a bit more background on how this has come about - my
>>>>>>>>>> colleague at work has been working on some functionality as an EJB,
>>>>>>>>>> and felt it would be nice to have it available as a webservice - and
>>>>>>>>>> adding the @WebService annotation to the EJB seemed to be a nice
>>>>>>>>>> idea, rather than creating a webservice as a separate class that just
>>>>>>>>>> delegates through to the EJB as you describe -
>>>>>>>>>
>>>>>>>>> I was probably not so clear.
>>>>>>>>> It seems to me, from an architecture point of view, it's better to
>>>>>>>>> use web services as facades. They are personal concerns you know ;-)
>>>>>>>>> Never mind, I had in mind an EJB Web Service (@stateless +
>>>>>>>>> @webservice) which delegates to other business EJB and it works fine
>>>>>>>>> with OpenEJB for simple cases.
>>>>>>>>>
>>>>>>>>> Jonathan Gallimore-2 wrote:
>>>>>>>>>
>>>>>>>>>> and we hoped the container would handle the authentication for us.
>>>>>>>>>> When configured correctly, JBoss (4.2.2.GA) does seem to do this for
>>>>>>>>>> us, however OpenEJB doesn't at the moment - I don't actually know if
>>>>>>>>>> this is even supposed to work (or even whether it's part of any of
>>>>>>>>>> the JEE spec - I'll have to read up!).
>>>>>>>>>
>>>>>>>>> I can't help you on this topic (not read this part of the spec).
>>>>>>>>> If you have 10 minutes, here is an interesting article
>>>>>>>>> http://www.javaworld.com/javaworld/jw-02-2007/jw-02-handler.html?page=1
>>>>>>>>>
>>>>>>>>> Jonathan Gallimore-2 wrote:
>>>>>>>>>
>>>>>>>>>> I think I should probably have a look at WS-Security - I'd be very
>>>>>>>>>> interested in seeing a sample using OpenEJB/JAX-WS/WS-Security if
>>>>>>>>>> you're putting one together.
>>>>>>>>>
>>>>>>>>> OK, I've done some tests since yesterday morning. But, the way OpenEJB
>>>>>>>>> publishes EJB as web services does not allow configuring ws-security.
>>>>>>>>>
>>>>>>>>> When using CXF + WS-Security, it's quite simple: add a WSS4J
>>>>>>>>> InInterceptor and a WSS4J OutInterceptor giving them a set of
>>>>>>>>> properties. Interceptors can be configured using both a Spring
>>>>>>>>> application context or CXF annotations (@InInterceptors
>>>>>>>>> @OutInterceptor).
>>>>>>>>>
>>>>>>>>> From a JAX-WS point of view we only have handlers (soap handlers and
>>>>>>>>> logical handlers) so I have to spend some more time to look if we can
>>>>>>>>> manage WS-Security using handlers.
>>>>>>>>>
>>>>>>>>> More coming soon ;-)
>>>>>>>>>
>>>>>>>>> Kind regards,
>>>>>>>>> Jean-Louis
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> View this message in context:
>>>>>>>>> http://www.nabble.com/Securing-a-webservice-tp22089576p22116953.html
>>>>>>>>> Sent from the OpenEJB User mailing list archive at Nabble.com.
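The captured request above carries the password as `PasswordText`, and Daniel's reply suggests the `PasswordDigest` form with a nonce as a replay countermeasure. The following is an added example, not code from the thread, from OpenEJB or from CXF/WSS4J: it builds a Calculator request modelled on the captured one but with a digest token, and verifies it the way a server-side interceptor or JAX-WS handler would, checking the digest in constant time, rejecting tokens whose `Created` timestamp is outside a freshness window, and refusing any nonce it has already accepted. The user store, the five-minute window and the `build_request`/`UsernameTokenVerifier` names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces exactly as they appear in the request captured by tcpmon above.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")

# Constructed credential store for the example; a real service asks its security realm.
USERS = {"jane": "waterfall"}


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce || created || password))."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_request(username: str, password: str, created: str, nonce: bytes = None) -> str:
    """Client side (what SoapUI would generate): the Calculator request with a digest token."""
    nonce_b64 = base64.b64encode(nonce or os.urandom(16)).decode("ascii")
    digest = password_digest(nonce_b64, created, password)
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE}" soap:mustUnderstand="1">'
        f'<wsse:UsernameToken xmlns:wsu="{WSU}" wsu:Id="UsernameToken-1">'
        f'<wsse:Username>{username}</wsse:Username>'
        f'<wsse:Password Type="{PASSWORD_DIGEST}">{digest}</wsse:Password>'
        f'<wsse:Nonce>{nonce_b64}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
        f'</wsse:UsernameToken></wsse:Security></soap:Header>'
        f'<soap:Body><ns1:sum xmlns:ns1="http://superbiz.org/wsdl">'
        f'<arg0>4</arg0><arg1>6</arg1></ns1:sum></soap:Body></soap:Envelope>'
    )


class UsernameTokenVerifier:
    """Server side: accept only fresh, unreplayed PasswordDigest tokens."""

    def __init__(self, max_skew: timedelta = timedelta(minutes=5)):
        self.max_skew = max_skew          # assumed freshness window for Created
        self._seen = {}                   # nonce -> Created time, the replay cache

    def verify(self, envelope: str, now: datetime) -> str:
        """Return the authenticated username or raise ValueError."""
        root = ET.fromstring(envelope)
        token = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
        if token is None:
            raise ValueError("no UsernameToken")
        username = token.findtext(f"{{{WSSE}}}Username") or ""
        pw = token.find(f"{{{WSSE}}}Password")
        nonce = token.findtext(f"{{{WSSE}}}Nonce")
        created = token.findtext(f"{{{WSU}}}Created")
        # Plain-text tokens and tokens without Nonce/Created are refused outright.
        if pw is None or pw.get("Type") != PASSWORD_DIGEST or not (nonce and created):
            raise ValueError("PasswordDigest token with Nonce and Created required")
        # Freshness: an old token cannot be presented later even if its nonce expired from the cache.
        created_at = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if abs(now - created_at) > self.max_skew:
            raise ValueError("Created outside freshness window")
        self._expire(now)
        # Replay: a nonce accepted once inside the window is never accepted again.
        if nonce in self._seen:
            raise ValueError("nonce replayed")
        password = USERS.get(username)
        if password is None:
            raise ValueError("unknown user")
        expected = password_digest(nonce, created, password)
        # Constant-time comparison so a wrong digest leaks nothing through timing.
        if not hmac.compare_digest(expected, (pw.text or "").strip()):
            raise ValueError("bad password digest")
        self._seen[nonce] = created_at
        return username

    def _expire(self, now: datetime) -> None:
        """Drop cache entries older than the window; freshness rejects those anyway."""
        cutoff = now - self.max_skew
        for n in [n for n, t in self._seen.items() if t < cutoff]:
            del self._seen[n]


if __name__ == "__main__":
    created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = build_request("jane", "waterfall", created)
    print(UsernameTokenVerifier().verify(req, datetime.now(timezone.utc)))
```

In a CXF deployment the equivalent checks are what the WSS4J in-interceptor performs once it is given a password callback; the point of spelling them out is that a digest alone does not stop replay, the nonce cache and the `Created` window together do, and the cache only needs to remember nonces for as long as the window lasts.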
