WS-Security Token Passing implementation

Pete Tibbster
Greenhorn

Joined: Aug 29, 2004
Posts: 11
Hi,

I need to write something that interfaces with a .Net soap service. I've been given the WSDL file. This 3rd party service dictates the use of WSS tokens which are attached in the soap header. The username token will contain the username, password (sent as a digest), nonce and timestamp elements.

I'm using WebLogic 8.1.3, but from the answer I got from BEA there is no inbuilt support for passing such a token which contains a password digest (only plain text passwords are supported in WL). I'm therefore looking for an existing library / framework that can provide this.

I've been researching this on the internet and from what I found I have the following options below.

1. Use Apache Axis with WSS4J (although this seems very much in development at the moment.)

2. Use the Sun Web Service Developer Pack 1.5 (JWSDP)

3. Use a licensed application such as Glue

Has anyone got any previous experience with implementing token passing, including nonce generation and creating password digests, with any of the options below? Is one of these a better implementation than the others or is there one missing from the list I should be considering???

Any help would be very useful.
Thanks in advance.
Rr Kumaran
Ranch Hand

Joined: Sep 17, 2001
Posts: 548
Pete-

Can you please explain more about WSS token fundamentals!

I have used XML Signatures/Encryption using IBM XSS, WSS4J, VeriSign TSIK. I guess some of these frameworks may support WSS tokens.

Please try them and let me know your experiences ...


RR Kumaran
SCJP 1.4
Pete Tibbster
Greenhorn

Joined: Aug 29, 2004
Posts: 11
Hi R Kumar,

The token passing is part of the OASIS WS-Security standard. It details a mechanism for authentication through passing tokens (XML elements) within the header of the SOAP envelope. The specification for this is available using the URL below (page 7 starts detailing the UsernameToken) ----> OASIS WSS Username Token profile

Typically a username token is sent initially to authenticate a user in a SOAP request. Here is an example.

<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken>
<wsse:Username>Pete</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">
od61xScYr9hAukzvz/DQXAtdxAA=</wsse:Password>
<wsse:Nonce>dL9uL5lBBm6eHwblHY4lVg==</wsse:Nonce>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">9VRW1tSrc7175HQ+X2cXLe75</wsse:Nonce>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2004-11-18T10:46:19Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>

If authentication is successful, in my case, the external webservice returns a custom token which is appended to the header of future requests.

It seems that some vendors, such as Microsoft in the .Net framework, fully implement the full standard whereas others only implement parts. This Microsoft link details the .Net implementation --->WS-Security Drilldown in Web Services Enhancements 2.0

As per my original post, the latest version of WebLogic does not have out-of-the-box functionality to create username tokens with a password digest (only supports plain text passwords).

I'm currently looking into using the Apache Axis libraries to interface with this webservice, based on this source code -->AXIS-WSSE

From my research it seems the Apache project 'WSS4J' is aiming to fully implement these token passing standards but is still very much in development. I found very little documentation on WSS4J other than API javadocs.

R Kumar - you mention you've been using the WSS4J libraries. I'm guessing you downloaded the source code and built it yourself? What has your experience been with WSS4J?

Has anyone else implemented the WS-Security token passing mechanism in Java to communicate with a .Net (or other) web service that implements these standards?

Best Regards,
Pete.

[ February 14, 2005: Message edited by: Pete Tibbster ]
Rr Kumaran
Ranch Hand

Joined: Sep 17, 2001
Posts: 548
Pete-

Thanks for the response. So WS Tokens are used for authentication purpose.

I have experimented with IBM XSS, WSS4J, VeriSign TSIK for signing SOAP messages and verifying the XML signature in them, but never used them for WS Token implementation.

Did you try IBM XSS and VeriSign TSIK, since they have good support for all aspects of WS Security?
Pete Tibbster
Greenhorn

Joined: Aug 29, 2004
Posts: 11
I have previously looked at IBM XSS, which does not seem to implement libraries to help with token passing. The VeriSign toolkit looks interesting and is not one I've come across before. However, again there appears to be nothing to aid token passing.
Pete Tibbster
Greenhorn

Joined: Aug 29, 2004
Posts: 11
Here is a very recent article which references the WSS token passing mechanism and the need for a standard framework for implementing these standards - just what I'm after! I've included it here in case anyone else might be interested and hasn't seen it.

This may be the answer to all my questions! - I look forward to the next part of the series:

WS-Security in the Enterprise, Part 1: Problem Introduction
 