Tuesday, January 4, 2011

Spring-WS 2: WS-Security Using XWSS

In this tutorial we will explore how to add WS-Security using XWSS in an existing Spring-WS application. We will secure our web service using Spring's XwsSecurityInterceptor. In the client-side, we will use soapUI to verify the results.

What is WS-Security?
WS-Security (Web Services Security, short WSS) is a flexible and feature-rich extension to SOAP to apply security to web services. It is a member of the WS-* family of web service specifications and was published by OASIS.

The protocol specifies how integrity and confidentiality can be enforced on messages and allows the communication of various security token formats, such as SAML, Kerberos, and X.509. Its main focus is the use of XML Signature and XML Encryption to provide end-to-end security.

WS-Security describes three main mechanisms:
  • How to sign SOAP messages to assure integrity. Signed messages provide also non-repudiation.
  • How to encrypt SOAP messages to assure confidentiality.
  • How to attach security tokens.
Source: Wikipedia (http://en.wikipedia.org/wiki/WS-Security

To view the official specification please visit OASIS Web Services Security (WSS) TC

What is XWSS?
XWSS stands for XML and Web Services Security. This is a SUN's implementation of WS-Security, which is part of the Java Web Services Developer Pack

Source: Spring WS 2.0 Reference (paraphrased due to lack of official definition)
As mentioned earlier, we will be adding security to an existing unsecured web service using Spring's XwsSecurityInterceptor. This web service is available at the following tutorial Spring WS 2 and Spring 3 MVC Integration Tutorial.

What is XwsSecurityInterceptor?
The XwsSecurityInterceptor is an EndpointInterceptor (see Section 5.5.2, “Intercepting requests - the EndpointInterceptor interface”) that is based on SUN's XML and Web Services Security package (XWSS). This WS-Security implementation is part of the Java Web Services Developer Pack (Java WSDP).

Note that XWSS requires both a SUN 1.5 JDK and the SUN SAAJ reference implementation.
Source: Spring WS 2.0 Reference
We will not recreate the whole web service. We'll just focus on what needs to be added to enable an XWSS-based security.

Open the spring-ws.xml file and replace it with the following configuration:


Actually we don't need to replace everything. What we did is add a XwsSecurityInterceptor inside the sws-interceptors element:

Then we declared a bean SimplePasswordValidationCallbackHandler referenced as callbackHandler:

Inside the XwsSecurityInterceptor we referenced a securityPolicy.xml, which is located an the WEB-INF/ folder:

The securityPolicy.xml contains a list of actions to be performed when an incoming message has arrived. This is marked by the RequireXXXXXX elements. The RequireTimestamp and RequireUsernameToken means that the web service expects an Timestamp and UsernameToken from the incoming message. If these don't exist, an exception is thrown.

When the web service replies back, it will add a timestamp and username tokens as well. This is indicated by the elements xwss:Timestamp and xwss:UsernameToken.

Now let's test our web service using soapUI.

What is soapUI?
soapUI is the world's leading Web Service Testware. With over 2 million downloads, it's the de facto tool for SOA testing.

Source: http://www.eviware.com/soapUI/soapui-products-overview.html

It's also mentioned as one of the tools for testing Spring-WS applications:
These tools can help you test your Web service applications.

- soapui is a desktop application for inspecting, invoking and testing (functional and load) of web services over HTTP.
- the WS-I testing tools, which make sure your Web service is interoperable.
- Axis Tcpmon is a monitoring tool which allows you to see the XML as it is sent and received across the wire.

Source: http://static.springsource.org/spring-ws/sites/2.0/resources.html

Follow the steps below to perform a test:
1. Open soapUI.

2. Create a new soapUI project:

3. Open the project and create a new request:

4. On the right side window, you should see a request template. To add a WSS UsernameToken or Timestamp, right-click on the request and select Add WSS UsernameToken or Add WSS Timestamp.

5. To send the message, hit the Submit button (the green arrow).

Using soapUI we send the following SOAP message:

Our web service responds back with the following SOAP message:

If we remove the Timestamp element from the client, the web responds back with an exception:

If we remove the UsernameToken instead, the web service replies:

If the username or password is incorrect, we get the following exception instead:

Our web service has been secured but this doesn't mean it's fool-proof. Security is a serious and complicated matter. There are many numerous variables that needs to be considered. By adding security in our web service we have lessened the risk of being exposed. But remember no matter how small is the risk, it's still a risk.

To access the web service, use the following endpoint in soapUI:
http://localhost:8080/{project name}/krams/ws
where {project name} is either spring-ws (if you're using the sample application from the other tutorial) or spring-ws-xwss (fi you're using the sample application at the end of this tutorial).

The best way to learn further is to try the actual application.

Download the project
You can access the project site at Google's Project Hosting at http://code.google.com/p/spring-ws-2-0-0-rc2-tutorial/

You can download the project as a Maven build. Look for the spring-ws-xwss.zip in the Download sections.

You can run the project directly using an embedded server via Maven.
For Tomcat: mvn tomcat:run
For Jetty: mvn jetty:run

If you want to learn more about Spring MVC and integration with other technologies, feel free to read my other tutorials in the Tutorials section.

For an in-depth look of the XWSS Security Configuration file (including all possible elements) , please visit the following link What is the XWS-Security Framework?

Related OASIS Specification and References:
- WS-Security Core Specification 1.1
- Username Token Profile 1.1
- To see the complete list, visit http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
StumpleUpon DiggIt! Del.icio.us Blinklist Yahoo Furl Technorati Simpy Spurl Reddit Google I'm reading: Spring-WS 2: WS-Security Using XWSS ~ Twitter FaceBook

Subscribe by reader Subscribe by email Share


  1. With your spring configuration, how did you actually get the SimplePasswordValidationCallbackHandler to validate the timestamp with xwss classes?

    I have a similar configuration with that handler, but it only validates that the timestamp exists and ignores configurations such as maxClockSkew and freshnessLimit.

  2. Hi,

    securityPolicy.xml and SimplePasswordValidationCallbackHandler both should match the user name and password?

    Why we have to specify in two places?

  3. ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:2.3.2:compile (default-compile) on project spring-ws-xwss: Compilation failure: Compilation failure:
    [ERROR] /usr/local/users/jbossserv/spring-ws-xwss/src/main/java/org/krams/tutorial/endpoint/SubscriptionEndpoint.java:[13,56] package org.springframework.ws.server.endpoint.annotation does not exist
    [ERROR] /usr/local/users/jbossserv/spring-ws-xwss/src/main/java/org/krams/tutorial/endpoint/SubscriptionEndpoint.java:[14,56] package org.springframework.ws.server.endpoint.annotation does not exist
    [ERROR] /usr/local/users/jbossserv/spring-ws-xwss/src/main/java/org/krams/tutorial/endpoint/SubscriptionEndpoint.java:[15,56] package org.springframework.ws.server.endpoint.annotation does not exist
    [ERROR] /usr/local/users/jbossserv/spring-ws-xwss/src/main/java/org/krams/tutorial/endpoint/SubscriptionEndpoint.java:[16,56] package org.springframework.ws.server.endpoint.annotation does not exist
    [ERROR] /usr/local/users/jbossserv/spring-ws-xwss/src/main/java/org/krams/tutorial/endpoint/SubscriptionEndpoint.java:[26,1] cannot find symbol

  4. I have read your blog its very attractive and impressive. I like it your blog.

    Spring online training Spring online training Spring Hibernate online training Spring Hibernate online training Java online training

    spring training in chennai spring hibernate training in chennai

  5. BlueHost is definitely one of the best website hosting company with plans for any hosting needs.

  6. Good Post! Thank you so much for sharing this pretty post, it was so good to read and useful to improve my knowledge as updated one, keep blogging.

    core java training in Electronic City

    Hibernate Training in electronic city

    spring training in electronic city

    java j2ee training in electronic city