File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
The moose likes JBoss/WildFly and the fly likes Enabling WS Security for XML Encryption of an EJB Web Service Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Spring in Action this week in the Spring forum!
JavaRanch » Java Forums » Products » JBoss/WildFly
Bookmark "Enabling WS Security for XML Encryption of an EJB Web Service" Watch "Enabling WS Security for XML Encryption of an EJB Web Service" New topic
Author

Enabling WS Security for XML Encryption of an EJB Web Service

Alex Mbatra
Greenhorn

Joined: Jun 16, 2008
Posts: 7
Hello,

I am having a hard time getting XML Encryption to work. I have an EJB endpoint as my web service. The web service works great, I have written a standalone client using SAAJ to send it SOAP requests in plain text and the responses are great as plain text. The problem comes when I want the responses to be returned encrypted. From what I have learned, all I need to do is include a properly written jboss-wsse-server.xml and place it underneath the META-INF folder in my -ejb.jar file. I have done that, and I can see in the JBoss server.log that it is being loaded. It says:



But when I get the response back from the server, it is not encrypted, its the same as before, totally plain text. Then I dug around some more, and saw some stuff about enabling WSSE in JBoss by somehow triggering something called Standard WSSecurity Endpoint. I have exhaustedly tried to find how to use that, and I have only seen two ways.

1) Add it to web.xml under the <web-app> element:

<context-param>
<param-name>jbossws-config-name</param-name>>
<param-value>Standard Secure Endpoint</param-value>
</context-param>

2) Use the annotation @EndpointConfig( configName = "Standard WSSecurity Endpoint" )

The 1st does not apply because I am not using a servlet for my web service, like I said above, my webservice is implemented as an EJB stateless session bean. The 2nd one doesn't seem to be working either. I added the @EndpointConfig annotation to both my endpoint interface:


and my web service stateless session bean:


Those annotations do nothing, still plain text, I don't really see those annotations having any impact at all. Is there any way to tell if the @EndpointConfig annotation is being read or loaded? At this point I am stuck and just playing around searching for answers and fiddling with JBoss deployment descriptors. One other thing, the way I am verifying the SOAP request and response, is by adding soapMessage.writeTo() before the client sends the SOAP message and right after it receives the SOAP response. Any help appreciated!
[ December 16, 2008: Message edited by: Alex Mbatra ]
Peter Johnson
author
Bartender

Joined: May 14, 2008
Posts: 5836
    
    7

JBoss in Action has a chapter on web services and it has a section on WS-Security. There are quite a few steps involved to get it to work. If you don't feel like handing over $$$ for the book, you could download the source code and check it out. Even though the source code is specific to 5.0.0.CR2, the web services examples should also work on 4.2.x. (Well, the steps should be the same, but config files might be in different locations.)


JBoss In Action
Alex Mbatra
Greenhorn

Joined: Jun 16, 2008
Posts: 7
Thank you for your response. I actually do happen to have JBoss In Action! Are you talking about section 9.5 "Encrypting SOAP Messages?" I have read through that one quite a bit, and like I said above, I believe the jboss-wsse-server.xml is being read in properly, I just don't thing the @EndpointConfig annotation is being read. I have very little experience with annotations. The example in there shows how to use the annotation with a regular POJO object, while mine is an EJB (session bean). Do you know of a way to check if @EndpointConfig is being used or turned on?
Peter Johnson
author
Bartender

Joined: May 14, 2008
Posts: 5836
    
    7

Grab the source code and look at target 10 for ch09, it does an EJB web service and uses annotations. Here is the full set of annotations I use:

Peter Johnson
author
Bartender

Joined: May 14, 2008
Posts: 5836
    
    7

Hold on, something changed and I am not getting encrypted messages with 5.0.0.GA either. Time to figure out what changed, and what I need to change to get it to work again. Sigh.
Alex Mbatra
Greenhorn

Joined: Jun 16, 2008
Posts: 7
That sucks, maybe my bad luck dragged you down with me! I downloaded the source and looked at chapter 09. I'm not sure what you mean by "target 10" though. The problem with that example is it is implemented as a POJO (plain old java object). Mine is implemented as a session bean, meaning, it looks like this:



I know these annotations are really just replacements for deployment descriptors. Does anyone know what deployment descriptor in JBoss is updated when you add the @EndpointConfig annotation?

I do have good news. I decided to just write a simple POJO web service, similar to the SalesTax example. I packaged it into a WAR file, and added all the appropriate stuff under the WEB-INF folder, such as jboss-wsse-server.xml, my keystore, wsdl, mapping.xml, etc etc. Again, I tried adding the @EndpointConfig annotation to this POJO, still no luck...however, I added the following to my WEB-INF/web.xml



Then it worked! My SOAP response is being encrypted by the JBoss simple POJO web service. This tells me that the whole time the problem definitely is the @EndpointConfig annotation. Would you agree? Now, my -ejb.jar does not have a web.xml, so I am not sure what to do. Does anyone know a similar thing I can do for my EJB deployment as I did in my WAR deployment with web.xml? So strange that the @EndpointConfig annotation isn't taking effect though.
[ December 17, 2008: Message edited by: Alex Mbatra ]
Peter Johnson
author
Bartender

Joined: May 14, 2008
Posts: 5836
    
    7

Do not look at the source - the source is ambiguous and is used as both a POJO and an EJB - the source gets run through a pre-processor which builds the real source.

By target 10, I mean run Ant specifying 10 as the target. After you run the target, you will find the real source in the target/gen directory. (Double-click the index.html file in the base directory for instructions!)

You should not be implementing SesisonBean - that is old EJB 2.1 stuff. What I posted earlier is the entire class declaration that is needed.

Also, I found what changed - the logging data. In CR2, the log showed a TRACE entry containing the encrypted message, but in GA I am not seeing the TRACE entry (I need to find out why). However the message is still being encrypted.
[ December 17, 2008: Message edited by: Peter Johnson ]
Peter Johnson
author
Bartender

Joined: May 14, 2008
Posts: 5836
    
    7

Found the problem - the server log logs only DEBUG and higher messages, while the web services message is done at level TRACE. Once I set the server log to TRACE, I see the encrypted messages.
Alex Mbatra
Greenhorn

Joined: Jun 16, 2008
Posts: 7
Ahhhhh, interesting, so you think if I replace the "implements SessionBean" with your annotation suggestions:



then I should be good to go? I'm still wondering what, if any, deployment descriptor is modified by the @EndpointConfig annotation. Thanks for all the help and suggestions.
Peter Johnson
author
Bartender

Joined: May 14, 2008
Posts: 5836
    
    7

The @EndpointConfig annotation references a configuration defined in server/xxx/deploy/jbossws.sar/META-INF/standard-jaxws-endpoint-config.xml. The configuration declares the handlers that will be applied to the messages.
Himaja Thovi
Greenhorn

Joined: Jan 05, 2011
Posts: 2
Hi Alex & Peter,
We made a Ejb exposed as Web Service. And our client is Web Application.
In WS we have configured like

Also added a file named jboss-wsse-server.xml and my keystore and truststore.
At client side we tried the same that you described to make changes in the web.xml by adding context param tag.

But getting same error as

Even we used Annotation @EndPointConfig thats also not working.
Kindly suggest us what to do.?
Thanks in advance

Regards,
Alex Mbatra
Greenhorn

Joined: Jun 16, 2008
Posts: 7
I haven't worked on this in a long time, but I did write down directions for myself which I will share here. I wrote up two different ways of doing it, 1) using WSS4J and 2) using Axis and Rampart. I'll share the 1st one because I think that is what you are doing.


How to Sign a SOAP Message

Part 1: Client setup
On the client side, using WSS4J (Web Service Security For Java), create the SOAP header to include a signed message digest of the outgoing SOAP message. The body of the SOAP message must be created before signing, otherwise verification on the server will fail since the message digests, which is derived from the body, won’t match.

Libraries needed:
opensaml.jar and wss4j.jar

1. Generate client keystore using “keytool” utility from JDK 1.6
keytool -genkey -alias MyClientCert -keystore MyClient.keystore

2. Create a crypto.properties file
Example:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=[some_password]
org.apache.ws.security.crypto.merlin.keystore.alias=MyClientCert
org.apache.ws.security.crypto.merlin.alias.password=[some_password]
org.apache.ws.security.crypto.merlin.file=C:/Temp/MyClient.keystore

3. Generate the SOAP message using SAAJ and WSS4J. The message construction should look like the following:




Part 2: Server setup
On the server side, using EJB 3.0 to implement the web service under JBoss 4.2.2 makes it pretty simple to verify the signed SOAP.

Libraries needed:
jbossws-core.jar

1. In the stateless web service bean, add the @EndpointConfig annotation. The web service annotation should look something like this:
Example;


2. Create a server keystore
keytool -genkey -alias MyServerCert –keystore MyServer.keystore

3. Create a public certificate of the client and create a server truststore that includes the client’s certificate.
keytool -export -alias MyClientCert -keystore MyClient.keystore -file MyClient.cer
keytool -import -alias MyClientCert -keystore MyServer.truststore -file MyClient.cer

NOTE: To list the certificates contained in the MyServer.truststore (or any keystore) to verify it was imported, do the following:
keytool -list -keystore MyServer.truststore -v

4. In the META-INF folder of your web service “-ejb.jar” package, you must include the MyServer.keystore and MyServer.truststore and a new configuration file called jboss-wsse-server.xml. This new file should look like the following.





I hope this helps.

-Alex
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Enabling WS Security for XML Encryption of an EJB Web Service