Tuesday, January 4, 2011

Spring-WS 2: WS-Security Using XWSS

In this tutorial we will explore how to add WS-Security using XWSS to an existing Spring-WS application. We will secure our web service using Spring's XwsSecurityInterceptor. On the client side, we will use soapUI to verify the results.

What is WS-Security?
WS-Security (Web Services Security, short WSS) is a flexible and feature-rich extension to SOAP to apply security to web services. It is a member of the WS-* family of web service specifications and was published by OASIS.

The protocol specifies how integrity and confidentiality can be enforced on messages and allows the communication of various security token formats, such as SAML, Kerberos, and X.509. Its main focus is the use of XML Signature and XML Encryption to provide end-to-end security.

WS-Security describes three main mechanisms:
  • How to sign SOAP messages to assure integrity. Signed messages also provide non-repudiation.
  • How to encrypt SOAP messages to assure confidentiality.
  • How to attach security tokens.
Source: Wikipedia (http://en.wikipedia.org/wiki/WS-Security)

To view the official specification please visit OASIS Web Services Security (WSS) TC

What is XWSS?
XWSS stands for XML and Web Services Security. It is Sun's implementation of WS-Security and is part of the Java Web Services Developer Pack.

Source: Spring WS 2.0 Reference (paraphrased due to lack of official definition)
As mentioned earlier, we will be adding security to an existing unsecured web service using Spring's XwsSecurityInterceptor. This web service is built in the following tutorial: Spring WS 2 and Spring 3 MVC Integration Tutorial.

What is XwsSecurityInterceptor?
The XwsSecurityInterceptor is an EndpointInterceptor (see Section 5.5.2, “Intercepting requests - the EndpointInterceptor interface”) that is based on SUN's XML and Web Services Security package (XWSS). This WS-Security implementation is part of the Java Web Services Developer Pack (Java WSDP).

Note that XWSS requires both a SUN 1.5 JDK and the SUN SAAJ reference implementation.
Source: Spring WS 2.0 Reference
We will not recreate the whole web service. We'll just focus on what needs to be added to enable XWSS-based security.

Open the spring-ws.xml file and replace it with the following configuration:

spring-ws.xml

Actually we don't need to replace everything. What we did was add an XwsSecurityInterceptor inside the sws:interceptors element:

Then we declared a SimplePasswordValidationCallbackHandler bean, referenced as callbackHandler:

Inside the XwsSecurityInterceptor we referenced a securityPolicy.xml, which is located in the WEB-INF/ folder:

The securityPolicy.xml contains a list of actions to be performed when an incoming message arrives. These are marked by the RequireXXXXXX elements. RequireTimestamp and RequireUsernameToken mean that the web service expects a Timestamp and a UsernameToken in the incoming message. If either is missing, an exception is thrown.

When the web service replies, it adds a Timestamp and a UsernameToken as well. This is indicated by the elements xwss:Timestamp and xwss:UsernameToken.
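The two files described above, written out as an added example (this is not the configuration embedded in the original post). The bean wiring follows the Spring-WS 2.0 XwsSecurityInterceptor properties; the user name krams, the password changeit, the freshness and clock-skew values, and the schema locations are assumptions for this example.

```xml
<!-- spring-ws.xml (added example): XwsSecurityInterceptor registered inside sws:interceptors -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sws="http://www.springframework.org/schema/web-services"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/web-services
                           http://www.springframework.org/schema/web-services/web-services-2.0.xsd">

    <sws:interceptors>
        <!-- Applies the actions in securityPolicy.xml to every incoming and outgoing message -->
        <bean class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
            <property name="policyConfiguration" value="/WEB-INF/securityPolicy.xml"/>
            <property name="callbackHandlers">
                <list>
                    <ref bean="callbackHandler"/>
                </list>
            </property>
        </bean>
    </sws:interceptors>

    <!-- Validates the UsernameToken credentials against an in-memory user list.
         The user/password pair is constructed for this example. -->
    <bean id="callbackHandler"
          class="org.springframework.ws.soap.security.xwss.callback.SimplePasswordValidationCallbackHandler">
        <property name="users">
            <props>
                <prop key="krams">changeit</prop>
            </props>
        </property>
    </bean>
</beans>

<!-- WEB-INF/securityPolicy.xml (added example): what is required on requests and added to replies -->
<xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    <!-- Incoming: a Timestamp must be present and no older than 300 s, tolerating 60 s of clock skew
         (both values are assumed for this example) -->
    <xwss:RequireTimestamp maxClockSkew="60" timestampFreshnessLimit="300"/>
    <!-- Incoming: a UsernameToken must be present; the password is sent as plain text and a nonce
         is not required, matching the PasswordText token soapUI sends in this tutorial -->
    <xwss:RequireUsernameToken passwordDigestRequired="false" nonceRequired="false"/>
    <!-- Outgoing: the service adds its own Timestamp and UsernameToken to the reply -->
    <xwss:Timestamp/>
    <xwss:UsernameToken name="krams" password="changeit" digestPassword="false" useNonce="false"/>
</xwss:SecurityConfiguration>
```

SimplePasswordValidationCallbackHandler keeps the password list in the Spring configuration, which is convenient for a tutorial but means the credentials live in plain text next to the application; for anything beyond a demo, Spring-WS offers callback handlers that delegate to an external user store. Because the token is PasswordText, the password also travels unencrypted in the SOAP header, so the endpoint should be reachable only over TLS.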

Now let's test our web service using soapUI.

What is soapUI?
soapUI is the world's leading Web Service Testware. With over 2 million downloads, it's the de facto tool for SOA testing.

Source: http://www.eviware.com/soapUI/soapui-products-overview.html

It's also mentioned as one of the tools for testing Spring-WS applications:
These tools can help you test your Web service applications.

- soapui is a desktop application for inspecting, invoking and testing (functional and load) of web services over HTTP.
- the WS-I testing tools, which make sure your Web service is interoperable.
- Axis Tcpmon is a monitoring tool which allows you to see the XML as it is sent and received across the wire.

Source: http://static.springsource.org/spring-ws/sites/2.0/resources.html

Follow the steps below to perform a test:
1. Open soapUI.

2. Create a new soapUI project:

3. Open the project and create a new request:

4. On the right side window, you should see a request template. To add a WSS UsernameToken or Timestamp, right-click on the request and select Add WSS UsernameToken or Add WSS Timestamp.

5. To send the message, hit the Submit button (the green arrow).

Using soapUI we send the following SOAP message:

Our web service responds back with the following SOAP message:

If we remove the Timestamp element from the client request, the web service responds with an exception:

If we remove the UsernameToken instead, the web service replies:

If the username or password is incorrect, we get the following exception instead:


Our web service has been secured, but this doesn't mean it's fool-proof. Security is a serious and complicated matter. There are many variables that need to be considered. By adding security to our web service we have lessened the risk of being exposed. But remember: no matter how small the risk is, it's still a risk.

To access the web service, use the following endpoint in soapUI:
http://localhost:8080/{project name}/krams/ws
where {project name} is either spring-ws (if you're using the sample application from the other tutorial) or spring-ws-xwss (if you're using the sample application at the end of this tutorial).

The best way to learn further is to try the actual application.

Download the project
You can access the project site at Google's Project Hosting at http://code.google.com/p/spring-ws-2-0-0-rc2-tutorial/

You can download the project as a Maven build. Look for the spring-ws-xwss.zip in the Download sections.

You can run the project directly using an embedded server via Maven.
For Tomcat: mvn tomcat:run
For Jetty: mvn jetty:run

If you want to learn more about Spring MVC and integration with other technologies, feel free to read my other tutorials in the Tutorials section.

For an in-depth look at the XWSS security configuration file (including all possible elements), please visit the following link: What is the XWS-Security Framework?

Related OASIS Specification and References:
- WS-Security Core Specification 1.1
- Username Token Profile 1.1
- To see the complete list, visit http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss

Spring-WS 2: WS-Security Using WSS4J

In this tutorial we will explore how to add WS-Security using WSS4J to an existing Spring-WS application. We will secure our web service using Spring's Wss4jSecurityInterceptor. On the client side, we will use soapUI to verify the results.

What is WS-Security?
WS-Security (Web Services Security, short WSS) is a flexible and feature-rich extension to SOAP to apply security to web services. It is a member of the WS-* family of web service specifications and was published by OASIS.

The protocol specifies how integrity and confidentiality can be enforced on messages and allows the communication of various security token formats, such as SAML, Kerberos, and X.509. Its main focus is the use of XML Signature and XML Encryption to provide end-to-end security.

WS-Security describes three main mechanisms:
  • How to sign SOAP messages to assure integrity. Signed messages also provide non-repudiation.
  • How to encrypt SOAP messages to assure confidentiality.
  • How to attach security tokens.
Source: Wikipedia (http://en.wikipedia.org/wiki/WS-Security)

To view the official specification please visit OASIS Web Services Security (WSS) TC

What is WSS4J?
Apache WSS4J is an implementation of the OASIS Web Services Security (WS-Security) from OASIS Web Services Security TC. WSS4J is primarily a Java library that can be used to sign and verify SOAP Messages with WS-Security information. WSS4J will use Apache Axis and Apache XML-Security projects and will be interoperable with JAX-RPC based server/clients and .NET server/clients.

WSS4J implements:
- Web Services Security: SOAP Message Security 1.1
- Username Token Profile 1.1
- X.509 Certificate Token Profile 1.1

Source: Apache WSS4J (http://ws.apache.org/wss4j/)

What is Wss4jSecurityInterceptor?
The Wss4jSecurityInterceptor is an EndpointInterceptor that is based on Apache's WSS4J.

Source: Spring WS 2.0 Reference
We will not recreate the whole web service. We'll just focus on what needs to be added to enable WSS4J-based security.

Open the spring-ws.xml file and replace it with the following configuration:

spring-ws.xml

Actually we don't need to replace everything. What we did was add a Wss4jSecurityInterceptor inside the sws:interceptors element:

The validationActions property is a list of actions given as space-separated strings. When a client sends a message, the validationActions are executed. In our example, they check that a Timestamp element is present in the incoming message and that it has not expired, and that a UsernameToken is present.

The securementActions property is a list of actions given as space-separated strings. These actions are performed when the web service replies to the client. In this example, the web service returns a Timestamp element and a UsernameToken. Both can be customized. timestampPrecisionInMilliseconds declares the precision of the time. securementUsername and securementPassword declare the actual username and password values, and securementPasswordType declares the password type, PasswordText. The outgoing message also includes a Nonce and the Created date.

To authenticate the credentials from the incoming message, we declared a SimplePasswordValidationCallbackHandler bean and referenced it as the callbackHandler:

Watch the package name! There's also an equivalent SimplePasswordValidationCallbackHandler for XWSS! Unlike the XWSS implementation, we don't need to declare an extra securityPolicy.xml here. Everything is contained within this configuration.
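The Wss4jSecurityInterceptor configuration described above, written out as an added example (not the configuration embedded in the original post). The property names are those of Spring-WS 2.0's Wss4jSecurityInterceptor; the user name krams, the password changeit, the timeToLive value, the schema locations and the securementUsernameTokenElements property (the WSS4J 1.5-era way of requesting Nonce and Created in the outgoing token) are assumptions for this example.

```xml
<!-- spring-ws.xml (added example): Wss4jSecurityInterceptor registered inside sws:interceptors -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sws="http://www.springframework.org/schema/web-services"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/web-services
                           http://www.springframework.org/schema/web-services/web-services-2.0.xsd">

    <sws:interceptors>
        <bean class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
            <!-- Incoming: a Timestamp (checked for expiry) and a UsernameToken must both be present.
                 Dropping "Timestamp" here is the weak setting: replayed messages would no longer be
                 rejected on age. -->
            <property name="validationActions" value="Timestamp UsernameToken"/>
            <!-- The UsernameToken credentials are checked by this handler -->
            <property name="validationCallbackHandler" ref="callbackHandler"/>

            <!-- Outgoing: the reply gets a Timestamp and a UsernameToken -->
            <property name="securementActions" value="Timestamp UsernameToken"/>
            <property name="securementUsername" value="krams"/>
            <property name="securementPassword" value="changeit"/>
            <!-- PasswordText sends the password in clear inside the token; PasswordDigest is the alternative -->
            <property name="securementPasswordType" value="PasswordText"/>
            <!-- Assumed property name: asks WSS4J to add Nonce and Created to the outgoing token -->
            <property name="securementUsernameTokenElements" value="Nonce Created"/>
            <!-- Timestamp Created/Expires carry millisecond precision -->
            <property name="timestampPrecisionInMilliseconds" value="true"/>
            <!-- Seconds until the outgoing Timestamp expires (assumed value) -->
            <property name="timeToLive" value="300"/>
        </bean>
    </sws:interceptors>

    <!-- Note the wss4j package: there is a same-named handler in the xwss package.
         The user/password pair is constructed for this example. -->
    <bean id="callbackHandler"
          class="org.springframework.ws.soap.security.wss4j.callback.SimplePasswordValidationCallbackHandler">
        <property name="users">
            <props>
                <prop key="krams">changeit</prop>
            </props>
        </property>
    </bean>
</beans>
```

Unlike the XWSS variant there is no separate policy file: the Timestamp check happens purely because "Timestamp" is listed in validationActions, which is why the expired-Timestamp fault shown later in this tutorial appears only when that action is configured.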

What is soapUI?
soapUI is the world's leading Web Service Testware. With over 2 million downloads, it's the de facto tool for SOA testing.

Source: http://www.eviware.com/soapUI/soapui-products-overview.html

It's also mentioned as one of the tools for testing Spring-WS applications:
These tools can help you test your Web service applications.

- soapui is a desktop application for inspecting, invoking and testing (functional and load) of web services over HTTP.
- the WS-I testing tools, which make sure your Web service is interoperable.
- Axis Tcpmon is a monitoring tool which allows you to see the XML as it is sent and received across the wire.

Source: http://static.springsource.org/spring-ws/sites/2.0/resources.html

Follow the steps below to perform a test:
1. Open soapUI.

2. Create a new soapUI project:

3. Open the project and create a new request:

4. On the right side window, you should see a request template. To add a WSS UsernameToken or Timestamp, right-click on the request and select Add WSS UsernameToken or Add WSS Timestamp.

5. To send the message, hit the Submit button (the green arrow).

Using soapUI we send the following SOAP message:

Our web service responds back with the following SOAP message:

If we remove the Timestamp element from the client request, the web service responds with an exception:

If the Timestamp is expired, we get the following:

If we remove the UsernameToken instead, the web service replies:

If the username or password is incorrect, we get the following exception instead:
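The messages exchanged in the soapUI test, shown here for both the XWSS tutorial above and this WSS4J tutorial, as a constructed example (the original posts embedded their own captures, which are not reproduced here). The user name krams, the password changeit, the nonce, the timestamps and the body elements are constructed; the namespaces and the PasswordText type URI are the WS-Security 1.0 values soapUI uses when you choose Add WSS UsernameToken and Add WSS Timestamp.

```xml
<!-- Request sent from soapUI (constructed example) -->
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <!-- From "Add WSS Timestamp": satisfies RequireTimestamp (XWSS) or the Timestamp validation
           action (WSS4J). Removing it, or letting Expires pass, produces the faults shown above. -->
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>2011-01-04T09:00:00.000Z</wsu:Created>
        <wsu:Expires>2011-01-04T09:05:00.000Z</wsu:Expires>
      </wsu:Timestamp>
      <!-- From "Add WSS UsernameToken": satisfies RequireUsernameToken (XWSS) or the UsernameToken
           validation action (WSS4J). The password is checked by SimplePasswordValidationCallbackHandler. -->
      <wsse:UsernameToken wsu:Id="UsernameToken-1">
        <wsse:Username>krams</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">changeit</wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">Y29uc3RydWN0ZWQtbm9uY2U=</wsse:Nonce>
        <wsu:Created>2011-01-04T09:00:00.000Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <!-- Placeholder for the request element defined by the original tutorial's WSDL -->
    <ns:ExampleRequest xmlns:ns="http://example.com/placeholder-namespace"/>
  </soapenv:Body>
</soapenv:Envelope>

<!-- Reply from the service (constructed example): the securement side adds its own header -->
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header>
    <wsse:Security SOAP-ENV:mustUnderstand="1"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <!-- xwss:Timestamp / securementActions "Timestamp" -->
      <wsu:Timestamp wsu:Id="Timestamp-1">
        <wsu:Created>2011-01-04T09:00:01.000Z</wsu:Created>
        <wsu:Expires>2011-01-04T09:05:01.000Z</wsu:Expires>
      </wsu:Timestamp>
      <!-- xwss:UsernameToken / securementActions "UsernameToken" with PasswordText -->
      <wsse:UsernameToken wsu:Id="UsernameToken-2">
        <wsse:Username>krams</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">changeit</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <!-- Placeholder for the response element defined by the original tutorial's WSDL -->
    <ns:ExampleResponse xmlns:ns="http://example.com/placeholder-namespace"/>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
```

Reading the request against the configuration makes the four failure cases in both tutorials concrete: no wsu:Timestamp element, a wsu:Expires already in the past (or a wsu:Created older than the freshness limit), no wsse:UsernameToken element, and a Username/Password pair that the callback handler does not know. Each is rejected by the interceptor before the endpoint method runs, which is the property you want from an interceptor-based check.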


Our web service has been secured, but this doesn't mean it's fool-proof. Security is a serious and complicated matter. There are many variables that need to be considered. By adding security to our web service we have lessened the risk of being exposed. But remember: no matter how small the risk is, it's still a risk.

To access the web service, use the following endpoint in soapUI:
http://localhost:8080/{project name}/krams/ws
where {project name} is either spring-ws (if you're using the sample application from the other tutorial) or spring-ws-wss4j (if you're using the sample application at the end of this tutorial).

The best way to learn further is to try the actual application.

Download the project
You can access the project site at Google's Project Hosting at http://code.google.com/p/spring-ws-2-0-0-rc2-tutorial/

You can download the project as a Maven build. Look for the spring-ws-wss4j.zip in the Download sections.

You can run the project directly using an embedded server via Maven.
For Tomcat: mvn tomcat:run
For Jetty: mvn jetty:run

If you want to learn more about Spring MVC and integration with other technologies, feel free to read my other tutorials in the Tutorials section.

Related OASIS Specification and References:
- WS-Security Core Specification 1.1
- Username Token Profile 1.1
- To see the complete list, visit http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss