how to configure rampart with axis2

vivek kumar gupta
Greenhorn

Joined: Jul 09, 2010
Posts: 1
Hi all,

How do I provide security in a web service?

Thanks
vivek
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41101
Check the "samples" directory that comes with Rampart; it contains examples of most basic (and not so basic) usage scenarios.

If you're looking for more hand-holding, check out the three articles I've published on WS-Security with Axis in the JavaRanch Journal.


Ping & DNS - my free Android networking tools app
Kamal Wickramanayake
Greenhorn

Joined: Jul 10, 2010
Posts: 27
Use Apache Axis2 security only for learning purposes, but not for production. WS-Security in Axis2 is broken and creators themselves say you should depend on WS-SecurityPolicy. But WS-SecurityPolicy is also broken and policy enforcement does not work well. Last time I checked, it was version 1.4.1. I doubt if the latest version (1.5.1) has fixed these - probably not. Particularly I remember the issues with time stamping, digital certificate based authentication and possible man-in-the-middle attacks.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41101
Kamal Wickramanayake wrote: Use Apache Axis2 security only for learning purposes, but not for production. WS-Security in Axis2 is broken

Interesting. Do you have a source for this?
kri shan
Ranch Hand

Joined: Apr 08, 2004
Posts: 1371
Mutual authentication between web service provider and web service consumer using digital certificates from CAs.
Kamal Wickramanayake
Greenhorn

Joined: Jul 10, 2010
Posts: 27
@Ulf Dittmer:

I myself found all these issues. And these issues are not that difficult to figure out if you use a proxy in the middle and replay messages after tampering. I should retry these and document somewhere for anyone interested in details.

Preference for WS-SecurityPolicy over WS-Security had been described somewhere on the Axis2 web site. But I just searched in Google and couldn't locate the exact page. But here is some evidence:

"Parameter based Rampart configuration is sort of deprecated now"
http://blog.sweetxml.org/2007/12/rampart-basic-examples-how-you-add-ws.html

"The bottom line is parameter based configuration ( WSS4J handlers ) is deprecated and most of the new development happens in the policy based configuration ( Rampart handlers ). So if you are starting to use Rampart, I think is always better to use policy based configuration for all the scenarios whether it is simple or complex."
http://markmail.org/message/hxebpckqiqxpzl2g
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41101
@Kamal:

Both those references talk about the difficulty in configuring certain aspects of Rampart, and that other approaches are now preferred. Nowhere do I see any suggestion that anything is broken or should not be used in a production environment (which is what you said). Unless you have actual evidence that Rampart does not provide the security it claims to provide, I strongly suggest staying away from the kind of advice you gave.
Kamal Wickramanayake
Greenhorn

Joined: Jul 10, 2010
Posts: 27
Unless you have actual evidence that Rampart does not provide the security it claims to provide...


"WS-SecurityPolicy is preferred over WS-Security" is their statement. WS-Security was deprecated and there were reasons behind it. What I don't know is if they reversed that in version 1.5.

"Axis2 security is broken" is my comment. But I never said anything without facts with me. Wait for a day or two. I'll also try with their latest version.

I strongly suggest staying away from the kind of advice you gave


"Don't do something" is as good as "do something". I know, you need evidence when the advice goes against what is generally accepted, which I am going to send.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41101
Kamal Wickramanayake wrote: "WS-SecurityPolicy is preferred over WS-Security" is their statement. WS-Security was deprecated and there were reasons behind it.

Hm, I don't see anything resembling either of these two statements in the links you posted. Also, "to prefer WS-SecurityPolicy over WS-Security" does not make sense, since WS-SecurityPolicy is used to specify how to apply WS-Security (amongst other things).
If this is just about changes in the way something is configured, then that has no impact on the actual security provided. Rampart itself is certainly not deprecated or obsolete.

I know, you need evidence when the advice goes against what is generally accepted, which I am going to send.

That would be great. It's a subject that interests me a lot.
Kamal Wickramanayake
Greenhorn

Joined: Jul 10, 2010
Posts: 27
Hm, I don't see anything resembling either of these two statements in the links you posted. Also, "to prefer WS-SecurityPolicy over WS-Security" does not make sense, since WS-SecurityPolicy is used to specify how to apply WS-Security (amongst other things).
If this is just about changes in the way something is configured, then that has no impact on the actual security provided. Rampart itself is certainly not deprecated or obsolete.


What you say is very correct. I got it written in the wrong way. It's a configuration matter. At the beginning there was WS-Security support which required you to configure using the previously mentioned "parameter based approach". What they deprecated was that "parameter based approach". Then the WS-SecurityPolicy based approach was introduced. The plain and dominant approach used by many to configure WS-Security was the "parameter based approach". That's what was in my mind and the cause for my error. Thanks for pointing it out.

As said, I'll send evidence showing the issues with both "parameter based approach" and WS-SecurityPolicy based approach.
Kamal Wickramanayake
Greenhorn

Joined: Jul 10, 2010
Posts: 27
Was tied up with work and hence couldn't respond quickly.

Here's one issue in detail: Apache Axis2 WS-Security message signing vulnerability (Version 1.5.1)