
Thread: How to secure spring ws

  1. #11
    Join Date: Oct 2007; Posts: 16

    I use XWS to secure my service server and client. But when I run the client to call the server, it has a problem: Not found [404]. Here is my server and client config.
    ---------------------------
    Server:
    Code:
    <!--
    Copyright 2004 Sun Microsystems, Inc. All rights reserved.
    SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
    -->
    <!--
     This server side config file pairs with wss-client-config-1.0.xml on the client
     and supports the following UseCases:
     Usecase 1: Authentication using Protected UsernameToken
     Usecase 3: Encrypted UsernameToken and MessageBody
     Usecase 4: Response Encryption Key Learnt from Incoming Message
    -->
    
    <xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config" 
                                dumpMessages="false">
        <xwss:Timestamp/>
        <xwss:RequireEncryption>
            <xwss:Target type="qname">SOAP-BODY</xwss:Target>
        </xwss:RequireEncryption>
       
        <xwss:RequireSignature>
            <xwss:Target type="qname">SOAP-BODY</xwss:Target>
        </xwss:RequireSignature>     
        
      
        <xwss:Encrypt>
            <xwss:X509Token certificateAlias="s1as"/>
            <xwss:KeyEncryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
            <xwss:Target type="qname">SOAP-BODY</xwss:Target>
        </xwss:Encrypt>
        
        <xwss:Sign>
            <xwss:X509Token certificateAlias="s1as"/>
        </xwss:Sign>
    </xwss:SecurityConfiguration>
    and the Client:
    Code:
    <!--
    Copyright 2004 Sun Microsystems, Inc. All rights reserved.
    SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
    -->
    <!--
     This client side config file pairs with wss-server-config-1.0.xml on the server
     and supports the following UseCases:
     Usecase 1: Authentication by Protected UsernameToken
     Usecase 3: Encrypted UsernameToken and MessageBody
     Usecase 4: Response Encryption Key Learnt from Incoming Message
    -->
    
    <xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config" 
                                dumpMessages="true">                           
        <xwss:Timestamp/>
        <xwss:UsernameToken name="epay" password="epay" digestPassword="false" useNonce="true"/>
        <xwss:RequireEncryption>
            <xwss:Target type="qname">SOAP-BODY</xwss:Target>
        </xwss:RequireEncryption>
        
         <xwss:Encrypt>
            <xwss:X509Token certificateAlias="s1as"/>
            <xwss:KeyEncryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>  
            <xwss:Target type="qname">SOAP-BODY</xwss:Target>
        </xwss:Encrypt>
        
    
    </xwss:SecurityConfiguration>
    --------------------------------
    In server I use keystoreCallbackHandler

    Here is spring-ws-servlet on server side:
    Code:
     
    <bean id="wsSecurityInterceptor" class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">  
    	   	<property name="policyConfiguration" value="/WEB-INF/config/wss-server-config.xml" />  
    	  	<property name="callbackHandlers">  
    	    	<list>  
    	 	      	<bean id="passwordValidationHandler"  
    		        		class="org.springframework.ws.soap.security.xwss.callback.SimplePasswordValidationCallbackHandler">  
    			        <property name="users">  
    			        	<props>  
    			            	<prop key="epay">epay</prop>  
    			            </props>  
    			        </property>  
    		      	</bean>  
    	 
    	 			<bean id="keystoreHandler" class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
    	 				<property name="keyStore" ref="keyStore"></property>
    	 				<property name="trustStore" ref="trustStore"></property>
    	 				<property name="symmetricStore" ref="symmetricStore"></property>
    	 			</bean>	 			
    	 	   	</list>  
    	  	</property>  
    	</bean>
     	<bean id="keyStore" class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
    		<property name="location" value="/WEB-INF/config/server-keystore.jks"/>
    	 	<property name="password" value="changeit"></property>
    	 	<property name="type" value="jks"></property>
    	</bean>
    	<bean id="trustStore" class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
    		<property name="location" value="/WEB-INF/config/server-truststore.jks"></property>
    		<property name="password" value="changeit"></property>
    		<property name="type" value="jks"></property>
    	</bean>
    	<bean id="symmetricStore" class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
    		<property name="location" value="/WEB-INF/config/server-symmkeystore.jceks"></property>
    		<property name="password" value="changeit"></property>
    		<property name="type" value="jceks"></property>
    	</bean>
    	<bean id="loggingInterceptor" class="org.springframework.ws.server.endpoint.interceptor.PayloadLoggingInterceptor"/>
    
    </beans>
    And the application context on the client side: I use stand-alone SAAJ, but I use KeyStoreCallbackHandler as the SecurityEnvironmentHandler, so I use a Spring ApplicationContext to get the keystore handler bean.
    Here is the code:
    Code:
    import javax.security.auth.callback.CallbackHandler;
    import javax.xml.soap.MessageFactory;
    import javax.xml.soap.SOAPBody;
    import javax.xml.soap.SOAPBodyElement;
    import javax.xml.soap.SOAPConnection;
    import javax.xml.soap.SOAPConnectionFactory;
    import javax.xml.soap.SOAPElement;
    import javax.xml.soap.SOAPFactory;
    import javax.xml.soap.SOAPMessage;

    import org.springframework.beans.factory.BeanFactory;
    import org.springframework.beans.factory.xml.XmlBeanFactory;
    import org.springframework.core.io.ClassPathResource;

    import com.sun.xml.wss.ProcessingContext;
    import com.sun.xml.wss.XWSSProcessor;
    import com.sun.xml.wss.XWSSProcessorFactory;

        public static void main(String[] args) throws Exception {
            final String PREFIX = "tns";
            final String NAME_SPACE = "http://www.onlinepayment.org/schemas";

            // create the SOAP message
            SOAPMessage msg = MessageFactory.newInstance().createMessage();
            SOAPBody body = msg.getSOAPBody();
            SOAPBodyElement requestElement = body.addBodyElement(SOAPFactory.newInstance().createName("loginRequest", PREFIX, NAME_SPACE));

            SOAPElement username = requestElement.addChildElement(SOAPFactory.newInstance().createElement("username", PREFIX, NAME_SPACE));
            username.setTextContent("epay");

            SOAPElement password = requestElement.addChildElement(SOAPFactory.newInstance().createElement("password", PREFIX, NAME_SPACE));
            password.setTextContent("epay");
            // --End of message--

            // load the Spring application context to get the SecurityEnvironmentHandler
            XWSSProcessorFactory factory = XWSSProcessorFactory.newInstance();

            ClassPathResource resource = new ClassPathResource("config/applicationContext.xml");
            BeanFactory beanfact = new XmlBeanFactory(resource);

            // load the security policy configuration file
            ClassPathResource configrsrc = new ClassPathResource("config/wss-client-config.xml");
            XWSSProcessor cprocessor = factory.createProcessorForSecurityConfiguration(configrsrc.getInputStream(), (CallbackHandler) beanfact.getBean("callbackHandler"));

            // create the context which holds the message
            ProcessingContext context = new ProcessingContext();
            context.setSOAPMessage(msg);

            // secure the message
            SOAPMessage secureMsg = cprocessor.secureOutboundMessage(context);
            secureMsg.saveChanges();

            // create the connection to call the web service
            SOAPConnection connection = SOAPConnectionFactory.newInstance().createConnection();

            // send the message to the service
            System.out.println("Sending... ");
            SOAPMessage reply = connection.call(secureMsg, "http://127.0.0.1:8080/service_server");

            System.out.println("Done Sending request");
    ...
    Finally, it generates a Not Found exception:
    Code:
    log4j:WARN No appenders could be found for logger (org.springframework.util.ClassUtils).
    log4j:WARN Please initialize the log4j system properly.
    Nov 28, 2007 3:38:25 PM com.sun.xml.wss.impl.filter.DumpFilter process
    
    Sending... 
    Nov 28, 2007 3:38:30 PM com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection post
    SEVERE: SAAJ0008: Bad Response; Not Found
    Exception in thread "main" com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: java.security.PrivilegedActionException: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Bad response: (404Not Found
    	at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection.call(Unknown Source)
    	at org.epay.call.CallWS.main(CallWS.java:77)
    Caused by: java.security.PrivilegedActionException: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Bad response: (404Not Found
    	at java.security.AccessController.doPrivileged(Native Method)
    	... 2 more
    Caused by: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Bad response: (404Not Found
    	at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection.post(Unknown Source)
    	at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection$PriviledgedPost.run(Unknown Source)
    	... 3 more
    
    CAUSE:
    
    java.security.PrivilegedActionException: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Bad response: (404Not Found
    	at java.security.AccessController.doPrivileged(Native Method)
    	at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection.call(Unknown Source)
    	at org.epay.call.CallWS.main(CallWS.java:77)
    Caused by: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Bad response: (404Not Found
    	at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection.post(Unknown Source)
    	at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection$PriviledgedPost.run(Unknown Source)
    	... 3 more
    What's that problem?
    Please help me.
    Thanks.
    Life is so gooD

  2. #12
    Join Date: May 2006; Location: Stockholm, Sweden; Posts: 37

    It looks like your web service request is not being routed to Spring WS's MessageDispatcherServlet, but instead to the default servlet. What does your web.xml look like?

  3. #13
    Join Date: Oct 2007; Posts: 16

    Oh no!

    I use the MessageDispatcher servlet. When I use UsernameToken it's all right. If I use Encrypt or RequireEncryption it generates that problem.

    Can you see that problem and debug it for me?

    Thank you very much.
    Life is so gooD

  4. #14

    Quote, originally posted by netvista:
    Hello all,

    I have read chapter 7 of the reference manual. It's still not clear to me whether the xwss policy defined on the server side is supposed to show up in the WSDL generated by Spring WS.

    Any hint would be appreciated.
    Spring-WS doesn't directly support WS-Policy. You can edit the Spring-WS generated WSDL file to add policies.

  5. #15

    Remember that you can't use PayloadRootQNameEndpointMapping when encrypting the whole SOAP body. You would need to use the SoapAction header or WS-Addressing when doing full body encryption.

    Use SimpleActionEndpointMapping for WS-Addressing.

    Use SoapActionMapping for SOAP 1.1 SoapAction header values.

    These two mappings will have key entries which are supposed to be passed as the Action WS-Addressing element or the SoapAction header, whereas the first one goes by the root element of the request.

    If you are encrypting the whole body, the root element would be "EncryptedData".
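
The routing point from post #15, written out as Spring-WS configuration. This is an added example, not part of the original thread: the `loginEndpoint` bean name and the SOAPAction URI are assumptions, `wsSecurityInterceptor`, the namespace and `loginRequest` are taken from post #11, and the SOAPAction mapping class is used under its Spring-WS name `SoapActionEndpointMapping`.

```xml
<!-- Added example; 'loginEndpoint' and the action URI below are assumed names. -->

<!-- Before: routes on the first child element of the SOAP body.
     With <xwss:Encrypt> targeting SOAP-BODY, that child arrives as
     xenc:EncryptedData, so this key never matches and the dispatcher
     finds no endpoint. The security interceptor never gets to run,
     because interceptors are only resolved together with an endpoint. -->
<bean class="org.springframework.ws.server.endpoint.mapping.PayloadRootQNameEndpointMapping">
    <property name="mappings">
        <props>
            <prop key="{http://www.onlinepayment.org/schemas}loginRequest">loginEndpoint</prop>
        </props>
    </property>
    <property name="interceptors">
        <list>
            <ref bean="wsSecurityInterceptor"/>
        </list>
    </property>
</bean>

<!-- After: routes on the SOAPAction transport header, which is not
     covered by body encryption. The mapping selects the endpoint first;
     wsSecurityInterceptor then decrypts and validates the message
     before the endpoint receives the payload. -->
<bean class="org.springframework.ws.soap.server.endpoint.mapping.SoapActionEndpointMapping">
    <property name="mappings">
        <props>
            <prop key="http://www.onlinepayment.org/schemas/login">loginEndpoint</prop>
        </props>
    </property>
    <property name="interceptors">
        <list>
            <ref bean="wsSecurityInterceptor"/>
        </list>
    </property>
</bean>
```

The client has to send the same value in its SOAPAction header; with a SAAJ client like the one in post #11 that means calling `getMimeHeaders().setHeader("SOAPAction", ...)` on the secured message before `connection.call`. The header itself is unauthenticated routing data, so the endpoint should still rely only on what the security interceptor has decrypted and validated.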

  6. #16
    Join Date: Aug 2009; Posts: 3

    How to secure spring ws

    Vikas and Agoo, you both claim it's possible but you don't seem to have details on how it's done?
    Possible or no?
