
WS Security with Axis

 
Dobrovolschi Andrei
Greenhorn
Posts: 5

Hello,

I'm having an issue with Axis and WS Security and I can't seem to find the answer.

I have an Axis client to an endpoint generated with wsdl2java that required WS Security. I tracked down some code at WSS4J, namely



I have defined my own password callback class. However, the code does not seem to do anything. No WS Security headers that I can see are getting attached (I am using SOAPUI to verify). Any idea what I'm doing wrong? Is there a different way to add WS Security headers to an Axis client? Any help would be appreciated.
 
Ulf Dittmer
Rancher
Posts: 42967
I've never tried to apply WS-Security programmatically, but if a solution that works declaratively through external config files is OK, then check out this article I wrote about that: http://www.javaranch.com/journal/200709/Journal200709.jsp#a3
 
Dobrovolschi Andrei
Greenhorn
Posts: 5
I don't really have that option... The Axis client I am mentioning is part of the southbound interface of an application developed/deployed under JBOSS. I have to enable WS Security on the Axis client (and only there).

 
Tim Holloway
Saloon Keeper
Posts: 18169
SOAP/Web Services has a number of security/encryption points. Here are some that I can think of offhand:

1. Server container security. SSL/TLS on the entire datastream. Access control via container-managed security and URL pattern matching against web.xml. Or, if you prefer the illusion of security while almost certainly lacking its reality, substitute a user-written Do-it-Yourself security interface. However your options for DIY security are more limited when using Axis, unless you plan to muck around inside Axis's source code.

2. Global message security. Encryption of the entire message packet. This keeps the message secure even if the message is then handed off to backend servers. However, routability suffers, since the routing information is also encrypted.

3. Content-only security. Encryption of the message contents, but not the header. Secures data while maintaining routability. However, sometimes the routability itself is informative, so not as secure as global security.

Items #2 and #3 require security built into Axis and must be configured and controlled as part of the Axis configuration. Item #1 is configured as part of the webapp configuration.
 
Dobrovolschi Andrei
Greenhorn
Posts: 5
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
A small update on my issue: I found that if I generate a WSDD file it works... However, I need to use this endpoint to connect to multiple others, so I cannot have a fixed user/password combination... Since the commands I mentioned do not work, is there a way to change the user property directly into the EngineConfiguration and then initialize the endpoint with that engine config? Something like

engine.getHandler(new QName(<not sure what should go here>)).setOption(WSHandlerConstants.USER, endpointConfig.getUser()) .

Here is my WSDD file
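
One way to keep the user/password out of the WSDD and supply them per endpoint, shown as an added example that is not code from any poster in this thread or from the WSS4J project: the sender handler is deployed programmatically with only the action set, and the credentials are set on each stub. It assumes Axis 1.x with the WSS4J 1.5.x class names; `MyServiceLocator`, `getMyPort` and the helper names are hypothetical.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.axis.SimpleChain;
import org.apache.axis.SimpleTargetedChain;
import org.apache.axis.client.Stub;
import org.apache.axis.configuration.SimpleProvider;
import org.apache.axis.transport.http.HTTPSender;
import org.apache.ws.axis.security.WSDoAllSender;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

// Added example; assumes Axis 1.x and WSS4J 1.5.x on the classpath.
public class PerEndpointWsSecurity {

    // Engine config with WSDoAllSender in the http request flow.
    // Only the action is fixed here; no user or password is stored in it.
    public static SimpleProvider clientConfig() {
        WSDoAllSender sender = new WSDoAllSender();
        sender.setOption(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
        SimpleChain requestFlow = new SimpleChain();
        requestFlow.addHandler(sender);
        SimpleProvider config = new SimpleProvider();
        config.deployTransport("http", new SimpleTargetedChain(requestFlow, new HTTPSender(), null));
        return config;
    }

    // Credentials are stub properties, so every endpoint's stub carries its own.
    public static void applyCredentials(Stub stub, String user, final String password) {
        stub._setProperty(WSHandlerConstants.USER, user);
        stub._setProperty(WSHandlerConstants.PW_CALLBACK_REF, new CallbackHandler() {
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (int i = 0; i < callbacks.length; i++) {
                    if (!(callbacks[i] instanceof WSPasswordCallback)) {
                        throw new UnsupportedCallbackException(callbacks[i]);
                    }
                    ((WSPasswordCallback) callbacks[i]).setPassword(password);
                }
            }
        });
    }
    // Usage (MyServiceLocator and getMyPort are hypothetical wsdl2java-generated names):
    //   MyServiceLocator locator = new MyServiceLocator(clientConfig());
    //   Stub stub = (Stub) locator.getMyPort(new java.net.URL(endpointUrl));
    //   applyCredentials(stub, user, password);
}
```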
 