How to get started developing WSIT enabled web service client

View: New views

2 Messages — Rating Filter: Alert me

Re: How to get started developing WSIT enabled web service client

by Glen Mazza :: Rate this Message:

Reply to Author | View Threaded | Show Only this Message

The four scenarios I've done are at the bottom of [1], point #5, for both CXF and Metro.

I haven't seen username tokens used with signatures--that might be a nonstandard use case outside what NetBeans provides by default. Two suggestions:

1.) Look at the client-side configuration files I have for UsernameToken and X.509 at the link above for Metro. You technically don't need NetBeans to create these--if you place the proper client-side config data (username passwords, signature stuff) in the *client* side config, that should be sufficient to get the client to send that security info--that fact that the web service provider does not have policy statements AFAIK will not matter. However, the policy statements that would otherwise be in the WSDL will need to be placed into the client-side config files.

2.) Apache CXF has not yet implemented WS-Security policy (it ignores those policy statements)--their security config is manually configured via Apache WSS4J, again shown at the links by [1]. If you want to avoid trying to create the correct policy statements in order to get a Metro client to send security info, you might want to try to configure CXF to send what you want, and, if you need help, ask either the CXF mailing list or WSS4J mailing list for assistance.

3.) I recommend working with Wireshark as you're trying to properly configure the SOAP requests--it is good for seeing how your SOAP requests are looking.

HTH,
Glen

[1] http://www.jroller.com/gmazza/entry/creating_a_wsdl_first_web1#WFwhatsnext

metro-3 wrote:

Here is my problem:

I need to develop a web service client that talks to a web service provided by a government authority. The authority has provided me the WSDL (not containing any WS policy stuff) and a statement saying the service I have to talk to requires WS-Security username/passwords and RSA signatures but no encryption. After pressing for further details I was given a sample XML (at the end).

Now I am stuck how to proceed. I can easily create the JAX-WS artefacts from the WSDL but have no idea how to get going with the WSIT stuff. I read the tutorials and some web blogs but they don't seem to match what I need doing. To start with my NetBeans 6.5 environment doesn't offer security options under the Quality of Service for the web service. Obviously I don't have any ws policy any where as I was hoping NetBeans would create those for me. Also as this is only the client the project is a standard Java SE project as it is from a Java SE client I need to talk to the service. Obviously I have put the Metro jars into the projects classpath.

Any suggestions or pointers would be really much appreciated.

Thank you very much

Manuel

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-18395542">
<wsse:Username>XXXXX</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">XXXXX</wsse:Password>
<wsse:Nonce>XXXXXXXXXXX</wsse:Nonce>
<wsu:Created>2007-05-25T03:18:31Z</wsu:Created>
</wsse:UsernameToken>
<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-550709">XXXXXXXXXXXX</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-6058603">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-32859623">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>XXXXXXXXXXXXXXXXXX</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>XXXXXXXXXX</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-22804747">
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-20667268">
<wsse:Reference URI="#CertId-550709" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-32859623">
<GetDealingSearch xmlns="http://wsgate.nrw.qld.gov.au/ATS/dEnquiries">
<ns1:dealing_number xmlns:ns1="java:au.gov.qld.nrm.ats.searches">123456789</ns1:dealing_number>
</GetDealingSearch>
</soapenv:Body>
</soapenv:Envelope>
[Message sent by forum member 'malm' (malm)]

http://forums.java.net/jive/thread.jspa?messageID=322902

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@metro.dev.java.net
For additional commands, e-mail: users-help@metro.dev.java.net

Re: How to get started developing WSIT enabled web service client

by Glen Mazza :: Rate this Message:

Reply to Author | View Threaded | Show Only this Message

I haven't done that before. The WS-SecurityPolicy spec may help you here:
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html

What you're doing is a hybrid of the username token policy and the X.509 policy. I would try to strip down my X.509 example so that it is only doing signatures, not encryption, and then try to merge the resulting policy with the policy from the username token blog entry. Perhaps the spec above will give you clues here on this merging.

I'm not sure why the SOAP service is requiring *both* your signature and a username/password token. Unless I'm missing something here, the former normally makes the latter redundant.

Glen

metro-3 wrote:

Glen,

your blogs on using NetBeans + Metro + WSIT were a life saver. I managed to get a "working" Java SE project together with those instructions. This stuff is really anything but intuitive or straight forward. I had to put "working" in quotes because my project does produce web services messages with the WS-Security headers as specified in the WS-Policy configuration but these are not quite the headers required by the service I need to talk to. So the next challenge is to configure WS-Policy to match the services requirements which seem to be:

Username/Password tokens with "nonce"
Message signed with my private key

Any suggestion how to configure this?

Thanks again for your invaluable help.

Manuel
[Message sent by forum member 'malm' (malm)]

http://forums.java.net/jive/thread.jspa?messageID=323028

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@metro.dev.java.net
For additional commands, e-mail: users-help@metro.dev.java.net