help composing security header without using a cxf/axis2 framework

Devon Miller
I am trying to create a SOAP security header but am having difficulty
understanding how to create the proper crypto and other configs. I have
attached the WSDL policy (not the entire WSDL) as well as the token request
and response from the server and a whoami request that shows an example of
the security header that I need to generate. The server is a WCF endpoint
e.g. CRM system. All of the attachments are to a small virtual machine demo
system I set up to test security processing in Java. I am using wss4j 2.1.8.

I've gone through the wss4j tests trying to stitch together just the right
parts as I don't need to have anything robust, just a security header that
meets this one target. When trying to use axis2 to generate the stubs, it
did not seem to generate the security part and I just need some code for
the client side in a non-servlet scenario. I tried to look at rampart to
understand how it may create the config but reading that code did not help. I
have also read through the standards but that's not helped me map it to the
code I need.

Thoughts on which wss4j tests might hold critical code for me to look at
and cut and paste from? For example, I've yet to figure out how to create
the proper crypto to use with the signature, it seems all the choices use
disk-based keystores.

Thoughts?


    val secHeader = new WSSecHeader(doc)
    secHeader.insertSecurityHeader()
    val timestamp = new WSSecTimestamp()
    timestamp.setTimeToLive(3600 * 2)
    timestamp.build(doc, secHeader)
    val x509Data = new DOMX509Data(doc,
      new DOMX509IssuerSerial(doc, "CN=DemoCrmServer, DC=Demo, DC=Local",
        new java.math.BigInteger("825127572376036501802804159644169187033612293")))
    // This gives me an error because I do not have a crypto.properties,
    // but I just need a memory based version
    val crypto = CryptoFactory.getInstance()
    val signer = new WSSecSignature()
    signer.setSigCanonicalization(WSS4JConstants.C14N_EXCL_OMIT_COMMENTS)
    signer.setKeyIdentifierType(WSConstants.ISSUER_SERIAL)
    // What's the right crypto?
    val signedDoc = signer.build(doc, crypto, secHeader)
    ...

Attachments: ifd-auth-request.xml (2K), ifd-auth-response.xml (17K), whoami.xml (16K), policy.xml (7K)
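
Added example, not part of the original post or of the WSS4J project's own code: one way to get a memory-only Crypto in WSS4J 2.1.x is to load a KeyStore from a byte array and hand it to Merlin's no-argument constructor, which reads no crypto.properties. It assumes the client's private key and certificate are available as PKCS#12 bytes; the alias, passwords and the names InMemorySigning, inMemoryCrypto and sign are hypothetical.

```scala
import java.io.ByteArrayInputStream
import java.security.KeyStore
import org.apache.wss4j.common.WSEncryptionPart
import org.apache.wss4j.common.crypto.{Crypto, Merlin}
import org.apache.wss4j.dom.WSConstants
import org.apache.wss4j.dom.message.{WSSecHeader, WSSecSignature, WSSecTimestamp}
import org.w3c.dom.Document

object InMemorySigning { // hypothetical name, not a WSS4J class
  // Crypto backed by a KeyStore that only ever exists in memory.
  // Assumption: pkcs12 holds the client's private key and certificate.
  def inMemoryCrypto(pkcs12: Array[Byte], storePassword: Array[Char]): Crypto = {
    val keyStore = KeyStore.getInstance("PKCS12")
    val in = new ByteArrayInputStream(pkcs12)
    try keyStore.load(in, storePassword) finally in.close()
    val merlin = new Merlin() // no-arg constructor: no crypto.properties lookup
    merlin.setKeyStore(keyStore)
    merlin
  }

  // Adds a Timestamp and a Signature to the SOAP envelope in doc.
  def sign(doc: Document, crypto: Crypto, alias: String, keyPassword: String): Document = {
    val secHeader = new WSSecHeader(doc)
    secHeader.insertSecurityHeader()

    val timestamp = new WSSecTimestamp()
    timestamp.setTimeToLive(300) // seconds; a short lifetime narrows the replay window
    timestamp.build(doc, secHeader)

    val signer = new WSSecSignature()
    signer.setUserInfo(alias, keyPassword) // selects the key entry in the KeyStore
    signer.setKeyIdentifierType(WSConstants.ISSUER_SERIAL)
    // Only the SOAP Body is signed by default; list both parts so the
    // Timestamp cannot be altered without breaking the signature.
    val soapNs = doc.getDocumentElement.getNamespaceURI
    signer.getParts.add(new WSEncryptionPart("Timestamp", WSConstants.WSU_NS, ""))
    signer.getParts.add(new WSEncryptionPart("Body", soapNs, ""))
    signer.build(doc, crypto, secHeader)
  }
}
```

With ISSUER_SERIAL, WSS4J writes the X509IssuerSerial reference from the signing certificate found under the alias, so no hand-built DOMX509Data is needed for the signature itself.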
Re: help composing security header without using a cxf/axis2 framework

Colm O hEigeartaigh-2
I'd strongly encourage you to use a web services framework instead of trying to roll your own security. Take a look at some of the CXF examples here:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=systests/ws-security-examples;h=0c0a7a6a32f9aa27778890440e37d74afae93d11;hb=HEAD

Colm.

On Thu, Jan 19, 2017 at 10:59 PM, Devon Miller <[hidden email]> wrote:
I am trying to create a SOAP security header but am having difficulty
understanding how to create the proper crypto and other configs. I have
attached the WSDL policy (not the entire WSDL) as well as the token request
and response from the server and a whoami request that shows an example of
the security header that I need to generate. The server is a WCF endpoint
e.g. CRM system. All of the attachments are to a small virtual machine demo
system I set up to test security processing in Java. I am using wss4j 2.1.8.

I've gone through the wss4j tests trying to stitch together just the right
parts as I don't need to have anything robust, just a security header that
meets this one target. When trying to use axis2 to generate the stubs, it
did not seem to generate the security part and I just need some code for
the client side in a non-servlet scenario. I tried to look at rampart to
understand how it may create the config but reading that code did not help. I
have also read through the standards but that's not helped me map it to the
code I need.

Thoughts on which wss4j tests might hold critical code for me to look at
and cut and paste from? For example, I've yet to figure out how to create
the proper crypto to use with the signature, it seems all the choices use
disk-based keystores.

Thoughts?


    val secHeader = new WSSecHeader(doc)
    secHeader.insertSecurityHeader()
    val timestamp = new WSSecTimestamp()
    timestamp.setTimeToLive(3600 * 2)
    timestamp.build(doc, secHeader)
    val x509Data = new DOMX509Data(doc,
      new DOMX509IssuerSerial(doc, "CN=DemoCrmServer, DC=Demo, DC=Local",
        new java.math.BigInteger("825127572376036501802804159644169187033612293")))
    // This gives me an error because I do not have a crypto.properties,
    // but I just need a memory based version
    val crypto = CryptoFactory.getInstance()
    val signer = new WSSecSignature()
    signer.setSigCanonicalization(WSS4JConstants.C14N_EXCL_OMIT_COMMENTS)
    signer.setKeyIdentifierType(WSConstants.ISSUER_SERIAL)
    // What's the right crypto?
    val signedDoc = signer.build(doc, crypto, secHeader)
    ...



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com