The moose likes Tomcat and the fly likes WS Security with Axis Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Products » Tomcat
Bookmark "WS Security with Axis" Watch "WS Security with Axis" New topic

WS Security with Axis

Dobrovolschi Andrei

Joined: Nov 07, 2008
Posts: 5


I'm having an issue with Axis and WS Security and i can't seem to find the answer.

I have an Axis client to an endpoint generated with wsdl2java that required WS Security. I tracked down some code at WSS4J, namely

I have defined my own password callback class. However the code does not seem to do anything. No WS Security headers that i can see are getting attached(i am using SOAPUI to verify). Any idea what i'm doing wrong? Is there a different way to add WS Security headers to a Axis client? Any help would be appreciated
Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42965
I've never tried to apply WS-Security programmatically, but if a solution that works declaratively through external config files is OK, then check out this article I wrote about that:
Dobrovolschi Andrei

Joined: Nov 07, 2008
Posts: 5
I don't really have that option..... the Axis client i am mentioning is part of the southbound interface of an application developed/deployed under JBOSS. I have to enable WS Security on the Axis client(and only there).

Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17410

SOAP/Web Services has a number of security/encryption points. Here are some that I can think of offhand:

1. Server container security. SSL/TLS on the entire datastream. Access control via container-managed security and URL pattern matching against web.xml. Or, if you prefer the illusion of security while almost certainly lacking its reality, substitute a user-written Do-it-Yourself security interface. However your options for DIY security are more limited when using Axis, unless you plan to muck around inside Axis's source code.

2. Global message security. Encryption of the entire message packet. This keeps the message secure even if the message is then handed off to backend servers. However, routability suffers, since the routing information is also encrypted.

3. Content-only security. Encryption of the message contents, but not the header. Secures data while maintaining routability. However, sometimes the routability itself is informative, so not as secure as global security.

Items #2 and #3 require security built into Axis and must be configured and controlled as part of the Axis configuration. Item #1 is configured as part of the webapp configuration.

An IDE is no substitute for an Intelligent Developer.
Dobrovolschi Andrei

Joined: Nov 07, 2008
Posts: 5
A small update on my issue, i found that if i generate a WSDD file it works..... however i need to use this endpoint to connect to multiple others, so i cannot have a fixed user/password combination .... since the commands i mentioned do not work, is there a way to change the user property directly into the EngineConfiguration and then initialize the endpoint with that engine config? Something like

engine.getHandler(new QName(<not sure what should go here>)).setOption(WSHandlerConstants.USER, endpointConfig.getUser()) .

Here is my WSDD file
I agree. Here's the link:
subject: WS Security with Axis
It's not a secret anymore!