
Wednesday, March 5, 2014

Apache Axis 2 + Apache Rampart (Secure Web Services)

Overview

This post shows how to engage the Apache Rampart module using basic username token authentication. I assume that you already have a working Apache Axis 2 web service project.

Sample Source Code for this post can be found here.

This article applies to:

Apache Axis2 1.6.2 and Apache Rampart 1.6.2

Step by Step Tutorial

Step 1. Adding Maven Dependency to our existing Maven project (pom.xml)

  
  
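  <dependency>
   <groupId>org.apache.ws.security</groupId>
   <artifactId>wss4j</artifactId>
   <version>1.6.14</version>
  </dependency>
  <dependency>
   <groupId>org.apache.rampart</groupId>
   <artifactId>rampart-core</artifactId>
   <version>${org.apache.axis2.version}</version>
  </dependency>
  <dependency>
   <groupId>org.apache.rampart</groupId>
   <artifactId>rampart-policy</artifactId>
   <version>${org.apache.axis2.version}</version>
  </dependency>
  <dependency>
   <groupId>org.apache.rampart</groupId>
   <artifactId>rampart-trust</artifactId>
   <version>${org.apache.axis2.version}</version>
  </dependency>
  <dependency>
   <groupId>org.bouncycastle</groupId>
   <artifactId>bcprov-jdk15</artifactId>
   <version>1.46</version>
  </dependency>
  <dependency>
   <groupId>org.apache.velocity</groupId>
   <artifactId>velocity</artifactId>
   <version>1.5</version>
  </dependency>
  <dependency>
   <groupId>org.owasp.esapi</groupId>
   <artifactId>esapi</artifactId>
   <version>2.1.0</version>
  </dependency>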
  

Step 2. Adding Rampart Module

  • Download Apache Rampart Standard Binary Distribution here if you don't have one.
  • Copy rampart modules from (\rampart-1.6.2\modules\) to our module directory.
Now we are ready to implement some Java Code to secure our web services...

Step 3. Implementing Our Web Service Password Call Back

As mentioned above, we are going to implement web service security using "basic username token authentication".
  • We need a password callback for our web service ...
Watch out if you are using "WSS4J 1.6"!

WSPasswordCallback changes in WSS4J 1.6

From WSS4J 1.6 on, we need to change the way we implement our PasswordCallback: instead of comparing the password itself, the handler sets the password it expects for the user, and WSS4J compares it with the one in the request.

Example of our "WSPasswordCallback" implementation using "WSS4J 1.5":

package com.kovitad.rampart.service;

import org.apache.ws.security.WSPasswordCallback;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import java.io.IOException;

public class PWCBHandler implements CallbackHandler {
    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            // Reject callback types this handler does not understand
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "unexpected callback type");
            }
            // WSS4J 1.5 with a plain-text UsernameToken: the callback carries the
            // password sent by the client, so the handler authenticates the user itself
            WSPasswordCallback pwcb = (WSPasswordCallback) callback;
            // getIdentifer() is spelled this way in the WSS4J 1.5 API
            if ("apache".equals(pwcb.getIdentifer()) && "password".equals(pwcb.getPassword())) {
                return;
            } else {
                throw new UnsupportedCallbackException(callback, "check failed");
            }
        }
    }
}

Example of our "WSPasswordCallback" implementation using "WSS4J 1.6":

package com.kovitad.rampart.service;

import org.apache.ws.security.WSPasswordCallback;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import java.io.IOException;

public class PWCBHandler implements CallbackHandler {
    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            // Reject callback types this handler does not understand
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "unexpected callback type");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) callback;
            // WSS4J 1.6 names this accessor getIdentifier()
            if ("apache".equals(pwcb.getIdentifier())) {
                // WSS4J 1.6: supply the password stored for this user;
                // WSS4J compares it with the one in the request
                pwcb.setPassword("password");
                return;
            } else {
                throw new UnsupportedCallbackException(callback, "check failed");
            }
        }
    }
}

Step 4. Engaging it all together

We need to add the WS-Policy and the Rampart module to enable web service security.

Adding the WS-Policy ("<wsp:Policy><sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">...")

Adding the "Rampart Module" ("<module ref="rampart" />")


 
In services.xml:

  description: Simplest Web Service!
  ServiceClass: com.kovitad.services.HelloWs
  passwordCallbackClass: com.kovitad.services.axis.security.MyPasswordCallback
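
A services.xml of the shape this step describes, as an added example (not the author's original file): it follows the usual Rampart layout for a UsernameToken over an HTTPS transport binding. The service name, the two message receivers, the Basic256 suite and the Lax layout are assumptions; the service class, policy name and callback class are the ones named in this post.

```xml
<service name="HelloWs"> <!-- name assumed from the endpoint URL -->
  <description>Simplest Web Service!</description>
  <messageReceivers> <!-- assumed: the standard Axis2 RPC receivers -->
    <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-only"
        class="org.apache.axis2.rpc.receivers.RPCInOnlyMessageReceiver"/>
    <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-out"
        class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
  </messageReceivers>
  <parameter name="ServiceClass">com.kovitad.services.HelloWs</parameter>
  <!-- Engage Rampart so the policy below is enforced on incoming messages -->
  <module ref="rampart"/>
  <wsp:Policy wsu:Id="UsernameTokenOverHTTPS"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
      xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
      xmlns:ramp="http://ws.apache.org/rampart/policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <!-- The token is protected only by the transport, so HTTPS is mandatory -->
        <sp:TransportBinding>
          <wsp:Policy>
            <sp:TransportToken>
              <wsp:Policy>
                <sp:HttpsToken RequireClientCertificate="false"/>
              </wsp:Policy>
            </sp:TransportToken>
            <sp:AlgorithmSuite>
              <wsp:Policy><sp:Basic256/></wsp:Policy> <!-- assumed suite -->
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy><sp:Lax/></wsp:Policy> <!-- assumed layout -->
            </sp:Layout>
            <sp:IncludeTimestamp/>
          </wsp:Policy>
        </sp:TransportBinding>
        <!-- Every request must carry a UsernameToken addressed to the service -->
        <sp:SignedSupportingTokens>
          <wsp:Policy>
            <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
          </wsp:Policy>
        </sp:SignedSupportingTokens>
        <!-- Rampart calls this handler to obtain the password for the user -->
        <ramp:RampartConfig>
          <ramp:passwordCallbackClass>com.kovitad.services.axis.security.MyPasswordCallback</ramp:passwordCallbackClass>
        </ramp:RampartConfig>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
</service>
```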
    
   
  
 



Step 5. Testing Our Web Service Security 

Exploring the WSDL at "http://localhost:8080/webservicetutorial2/axis/HelloWs?wsdl"

NOTE: Because the WS-Policy is set to "UsernameTokenOverHTTPS", HTTPS is required to invoke this web service.

Prerequisite: our application server must support HTTPS before we test.



  • Add the "wsse:Security" header to our SOAP request. If everything is healthy, we will see a test result like the following. (Invoke this web service at this endpoint: https://localhost:8443/webservicetutorial2/axis/HelloWs.HelloWsHttpSoap11Endpoint/)

    Request:

      wsse:Security header
        UsernameToken
          Username: apache
          Password: password
          Nonce:    8LZdX3yhUf7fG5WGDeynrA==
          Created:  2014-03-07T02:28:40.720Z
        Timestamp
          Created:  2014-03-07T02:28:40.719Z
          Expires:  2014-03-07T10:48:40.719Z
      Body
        Tony

    Response:

      Header
        Timestamp
          Created:  2014-03-07T02:28:40.768Z
          Expires:  2014-03-07T02:33:40.768Z
      Body
        Hello, Tony!
          
       
    
    
    
    
