Home » Enterprise Java » Web Services » JAX-WS » JAX-WS Secure Web Services with Signatures and Encryption: WS-Security with Metro and WSIT

11 Flares Twitter 0 Facebook 1 Google+ 9 LinkedIn 1 Email -- Filament.io 11 Flares ×

Java Web Services: Create Secure JAX-WS Metro Web Service Signed and Encrypted Using Public-Key Cryptography Asymmetric Encryption

Security is the primary concern when web services exchange critical business data. WS-Security is an is an extension to SOAP to apply security to web services. It is one of the main part of WS-* specification from OASIS. WS-Security focuses on XML Signature and XML Encryption to provide end-to-end security.
In this tutorial, we discuss about developing secure web services with signature and encryption using public-key cryptography method. Using asymmetric encryption and message signing, we secure web service and achieve message confidentiality, integrity and authenticity, the three main aspects of WS-Security. We use JAX-WS reference implementation Metro web service stack to develop and run the secure web service java example and secure web service client.

Creating Secure JAX-WS Metro Web Service Using WSIT to Use Public-key Cryptography.

In this article, we will use the same sample program which we discussed in JAX-WS and Secure Java Web Services using UsernameToken : WS-Security with Metro and WSIT.
It is a good idea to read the above article first and understand how the basic plain text UsernameToken Policy is implemented. That will help you to understand WSIT configuration required for this example. The only difference here is that, we are not going to use usernameToken here but we use public-key asymmetric encryption and signature to achieve the three major aspects of WS-security namely confidentiality, authenticity and integrity.

Create keystore and self signed certificates for web service message signature and encryption

To make the web service secure using signature and encryption, we need to have keystore, public-private keypairs and certificates configured for client and server. We can utilize the java keytool tool to create and maintain keystores. The keystore is a file that contains key and certificate entries in encrypted form. You need keystore password to access keystore and keypassword to maintain private key.
For testing purpose, you can create self signed certificates. Depends on need, you can purchase digital certificates from certificate authorities such as VeriSign, Thawte and Geotrus.
You need to create keystore and keys for client and server. Then export and import (self signed/trusted) certificates from and to client and server. If you need encryption on both ends (request and response), you need to import client certificate to server keystore and server certificate to client keystore. This is because, encryption requires access to public key of the other party. This is available in certificate. If you don’t need to encrypt the response from server to client, you don’t need to export the client certificate to server if the certificate is signed by a trust authority. If it is self signed, you need import client certificate to server since the server cannot validate self signed certificate otherwise.


Keep the keystores and certificates ready so that we can use the same in our secure JAX-WS web service example.

Quick look at Public-key cryptography

Public-key cryptography offers authenticity, confidentiality and integrity. These three are the major aspects of message exchange security. Integrity ensure that the message is received without modification, authenticity means that the origin of the message can be verified and confidentiality ensure that only the intended recipient of a message has access to the message content.

Ensuring confidentiality using public-key cryptography

Public-key cryptography uses asymmetric key algorithm, where, each user has a pair of cryptographic keys. The public key which is used to encrypt the message is distributed either publicly or to the client, who sends the message. Only the private key, which is confidential and is available only with the user, can be used to decrypt the encrypted message. The message cannot be decrypted by anyone who does not possess the matching private key. Since only the owner has the private key and only he can decrypt the message. This ensures confidentiality.

Digital certificates (ex. X.509 v3 digital certificate – X.509 is an ITU-T standard for a public key infrastructure (PKI)) is an electronic document that uses a digital signature to bind a public key with an identity. This certificate, which is essentially a wrapper around public key, is used to verify that the public key belongs to an entity. This wrapper is typically signed by a trusted signing authority.

Ensuring Authenticity and Integrity Using Public-key Cryptography

The sender calculate the hash value/digest of the message using hash algorithm and then encrypt that digest using your private key and send the encrypted digest value with the message. The receiver can use the same hash algorithm on that message, then decrypt the supplied encrypted digest using sender’s public key. Now the receiver can compare the two values and if they match, the receiver can then be certain that the message is from you. This ensures authenticity.

This also ensures message integrity because it is really hard to make any changes to a message without changing the hash value for that message, or to find another message with the same hash value as a original message.

JAX-WS Web Service SEI,Implementation Classes and WSIT configurations

You will be using the same SEI and implementation classes used for UsernameToken example. Here you don’t have to include the MyServicePasswordValidator class as that is meant for UsernameToken example.
There is no change in web.xml. In sun-jaxws.xml you can disable the MTOM by changing the line enable-mtom=”false” since we don’t want to try MTOM feature here.
The only difference is the configuration of WS Policy in WSDL files. That is explained below.

Update the Server WSIT file to include the signatures and encryption to make the web service WS-Security complaint.

<?xml version="1.0" encoding="UTF-8"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
	xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
	xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" name="MyWebServiceService"
	targetNamespace="http://com.globinch.service/" xmlns:tns="http://com.globinch.service/"
	xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
	xmlns:wsp1_2="http://schemas.xmlsoap.org/ws/2004/09/policy"
	xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
	xmlns:wsaws="http://www.w3.org/2005/08/addressing" xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
	xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
	<message name="uploadImage">
		<part name="parameters" element="tns:uploadImage" />
	</message>
	<message name="uploadImageResponse">
		<part name="parameters" element="tns:uploadImageResponse" />
	</message>
	<message name="greetCustomer">
		<part name="parameters" element="tns:greetCustomer" />
	</message>
	<message name="greetCustomerResponse">
		<part name="parameters" element="tns:greetCustomerResponse" />
	</message>
	<message name="retrieveImage">
		<part name="parameters" element="tns:retrieveImage" />
	</message>
	<message name="retrieveImageResponse">
		<part name="parameters" element="tns:retrieveImageResponse" />
	</message>
	<portType name="MyWebService">
		<operation name="uploadImage">
			<input wsam:Action="http://service.globinch.com/MyWebService/uploadImageRequest"
				message="tns:uploadImage" />
			<output
				wsam:Action="http://service.globinch.com/MyWebService/uploadImageResponse"
				message="tns:uploadImageResponse" />
		</operation>
		<operation name="greetCustomer">
			<input
				wsam:Action="http://service.globinch.com/MyWebService/greetCustomerRequest"
				message="tns:greetCustomer" />
			<output
				wsam:Action="http://service.globinch.com/MyWebService/greetCustomerResponse"
				message="tns:greetCustomerResponse" />
		</operation>
		<operation name="retrieveImage">
			<input
				wsam:Action="http://service.globinch.com/MyWebService/retrieveImageRequest"
				message="tns:retrieveImage" />
			<output
				wsam:Action="http://service.globinch.com/MyWebService/retrieveImageResponse"
				message="tns:retrieveImageResponse" />
		</operation>
	</portType>
	<binding name="MyWebServicePortBinding" type="tns:MyWebService">
		<wsp1_2:PolicyReference URI="#MyWebServicePortBindingPolicy" />
		<soap:binding transport="http://schemas.xmlsoap.org/soap/http"
			style="document" />
		<operation name="uploadImage">
			<soap:operation soapAction="" />
			<input>
				<soap:body use="literal" />
			</input>
			<output>
				<soap:body use="literal" />
			</output>
		</operation>
		<operation name="greetCustomer">
			<soap:operation soapAction="" />
			<input>
				<soap:body use="literal" />
			</input>
			<output>
				<soap:body use="literal" />
			</output>
		</operation>
		<operation name="retrieveImage">
			<soap:operation soapAction="" />
			<input>
				<soap:body use="literal" />
			</input>
			<output>
				<soap:body use="literal" />
			</output>
		</operation>
	</binding>
	<service name="MyWebServiceService">
	<port name="MyWebServicePort" binding="tns:MyWebServicePortBinding" />
	</service>
	<wsp1_2:Policy wsu:Id="MyWebServicePortBindingPolicy" xmlns:wsu=
     "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:ExactlyOne>
      <wsp1_2:All>
        <sp:AsymmetricBinding
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp1_2:Policy>
            <sp:InitiatorToken>
              <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                  <wsp:Policy>
                    <sp: WssX509V3Token10/>
                  </wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:InitiatorToken>
            <sp:RecipientToken>
              <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToInitiator">
                  <wsp1_2:Policy>
                    <sp: WssX509V3Token10/>
                  </wsp1_2:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:RecipientToken>
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:TripleDesRsa15/>
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy>
                <sp:Strict/>
              </wsp:Policy>
            </sp:Layout>
            <sp:IncludeTimestamp/>
            <sp:OnlySignEntireHeadersAndBody/>
          </wsp1_2:Policy>
        </sp:AsymmetricBinding>
        <sp:SignedParts
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <sp:Body/>
        </sp:SignedParts>
        <sp:EncryptedParts
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <sp:Body/>
        </sp:EncryptedParts>
        <wsss:KeyStore alias="serverkey" 
          keypass="nosecret"
          location="server.keystore" storepass="nosecret"
          xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy" wspp:visibility="private"
          xmlns:wsss="http://schemas.sun.com/2006/03/wss/server"/>
      <wsss:TrustStore location="server.keystore" storepass="nosecret"
          xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy" wspp:visibility="private"
          xmlns:wsss="http://schemas.sun.com/2006/03/wss/server"/>
      </wsp1_2:All>
    </wsp:ExactlyOne>
  </wsp1_2:Policy>
</definitions>

The above “wsit-com.globinch.service.MyWebService.xml” file now includes the security policy configurations. This is explained below.

<sp:AsymmetricBinding> :

Indicates that the this policy element is configured to use Public-key asymmetric cryptography during message exchange.

<sp:InitiatorToken> :

Indicates that the public key (to sign the message) will be in the form of an X.509 certificate and will be sent with each message from the client to server.(Here from server to client also uses the same policy)

<sp:AlgorithmSuite> :

Indicate the algorithm used for signing.

<sp:IncludeTimestamp> :

Indicate that timestamp will be used with each message. A sample in a message is given below.

<wsu:Timestamp	xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
		xmlns:ns16="http://www.w3.org/2003/05/soap-envelope" wsu:Id="_3">
		<wsu:Created>2013-05-16T08:41:35Z</wsu:Created>
		<wsu:Expires>2013-05-16T08:46:35Z</wsu:Expires>
</wsu:Timestamp>
<sp:OnlySignEntireHeadersAndBody/> :

Indicates that signing will be done on the entire header or body of the message.

<sp:SignedParts> :

Indicate the message parts to be signed.

<sp:EncryptedParts> :

Indicate the message parts to be encrypted.

<sp:WssX509V3Token10/> :

This tells runtime to use the certificate. Alternate is to use

<sp:RequireThumbprintReference/>

that tells the runtime to use thumbprint reference instead for the certificate. If your certificate supports SKI (Subject Key Identifier) then you can use the default <sp:WssX509V3Token10>.

You also add the server keystore details by adding <wsss:KeyStore> policy element. Here you need to provide the location of the keystore also. You can either provide the absolute location or just the keystore name. If no absolute location is provided the metro/wsit runtime will look for the keystore META-INF child directory of a directory in the classpath.

Now our service is ready for deployment. Once you deploy the service you can access the WSDL file from the URL similar to the below.
http://{host}:{port}/MyService/?wsdl
You will see the WSDL as follows

<definitions
	xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
	xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wsp1_2="http://schemas.xmlsoap.org/ws/2004/09/policy"
	xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
	xmlns:tns="http://service.globinch.com/" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
	xmlns="http://schemas.xmlsoap.org/wsdl/" targetNamespace="http://service.globinch.com/"
	name="MyWebServiceService">
	<wsp1_2:Policy
		xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
		xmlns:ssp="http://schemas.sun.com/2006/03/wss/server" xmlns:sunwsp="http://java.sun.com/xml/ns/wsit/policy"
		wsu:Id="MyWebServicePortBindingPolicy">
		<sp:AsymmetricBinding>
			<wsp1_2:Policy>
				<sp:AlgorithmSuite>
					<wsp1_2:Policy>
						<sp:TripleDesRsa15 />
					</wsp1_2:Policy>
				</sp:AlgorithmSuite>
				<sp:IncludeTimestamp />
				<sp:InitiatorToken>
					<wsp1_2:Policy>
						<sp:X509Token
							sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
							<wsp1_2:Policy>
								<sp:WssX509V3Token10 />
							</wsp1_2:Policy>
						</sp:X509Token>
					</wsp1_2:Policy>
				</sp:InitiatorToken>
				<sp:Layout>
					<wsp1_2:Policy>
						<sp:Strict />
					</wsp1_2:Policy>
				</sp:Layout>
				<sp:OnlySignEntireHeadersAndBody />
				<sp:RecipientToken>
					<wsp1_2:Policy>
						<sp:X509Token
							sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToInitiator">
							<wsp1_2:Policy>
								<sp:WssX509V3Token10 />
							</wsp1_2:Policy>
						</sp:X509Token>
					</wsp1_2:Policy>
				</sp:RecipientToken>
			</wsp1_2:Policy>
		</sp:AsymmetricBinding>
		<sp:EncryptedParts>
			<sp:Body />
		</sp:EncryptedParts>
		<sp:SignedParts>
			<sp:Body />
		</sp:SignedParts>
	</wsp1_2:Policy>
	<types>
		<xsd:schema>
			<xsd:import namespace="http://service.globinch.com/"
				schemaLocation="http://localhost:8080/MyService/?xsd=1" />
		</xsd:schema>
	</types>
	<message name="uploadImage">
		<part name="parameters" element="tns:uploadImage" />
	</message>
	<message name="uploadImageResponse">
		<part name="parameters" element="tns:uploadImageResponse" />
	</message>
	<message name="greetCustomer">
		<part name="parameters" element="tns:greetCustomer" />
	</message>
	<message name="greetCustomerResponse">
		<part name="parameters" element="tns:greetCustomerResponse" />
	</message>
	<message name="retrieveImage">
		<part name="parameters" element="tns:retrieveImage" />
	</message>
	<message name="retrieveImageResponse">
		<part name="parameters" element="tns:retrieveImageResponse" />
	</message>
	<portType name="MyWebService">
		<operation name="uploadImage">
			<input wsam:Action="http://service.globinch.com/MyWebService/uploadImageRequest"
				message="tns:uploadImage" />
			<output
				wsam:Action="http://service.globinch.com/MyWebService/uploadImageResponse"
				message="tns:uploadImageResponse" />
		</operation>
		<operation name="greetCustomer">
			<input
				wsam:Action="http://service.globinch.com/MyWebService/greetCustomerRequest"
				message="tns:greetCustomer" />
			<output
				wsam:Action="http://service.globinch.com/MyWebService/greetCustomerResponse"
				message="tns:greetCustomerResponse" />
		</operation>
		<operation name="retrieveImage">
			<input
				wsam:Action="http://service.globinch.com/MyWebService/retrieveImageRequest"
				message="tns:retrieveImage" />
			<output
				wsam:Action="http://service.globinch.com/MyWebService/retrieveImageResponse"
				message="tns:retrieveImageResponse" />
		</operation>
	</portType>
	<binding name="MyWebServicePortBinding" type="tns:MyWebService">
		<wsp1_2:PolicyReference URI="#MyWebServicePortBindingPolicy" />
		<soap:binding transport="http://schemas.xmlsoap.org/soap/http"
			style="document" />
		<operation name="uploadImage">
			<soap:operation soapAction="" />
			<input>
				<soap:body use="literal" />
			</input>
			<output>
				<soap:body use="literal" />
			</output>
		</operation>
		<operation name="greetCustomer">
			<soap:operation soapAction="" />
			<input>
				<soap:body use="literal" />
			</input>
			<output>
				<soap:body use="literal" />
			</output>
		</operation>
		<operation name="retrieveImage">
			<soap:operation soapAction="" />
			<input>
				<soap:body use="literal" />
			</input>
			<output>
				<soap:body use="literal" />
			</output>
		</operation>
	</binding>
	<service name="MyWebServiceService">
		<port name="MyWebServicePort" binding="tns:MyWebServicePortBinding">
			<soap:address location="http://localhost:8080/MyService/" />
		</port>
	</service>
</definitions>

Creating Secure Web Service Client Using Signature and Encryption

To update the web service proxy classes you need to run the wsimport utility as explained in the UsernameToken example

wsimport -keep -XadditionalHeaders http://localhost:8080/MyService/?wsdl

Now you need to add the WS security policy configuration to client WSIT file. Update the client WSIT file (MyWebServiceService.xml) to include the signatures and encryption to make the web service WS-Security complaint.

<?xml version="1.0" encoding="UTF-8"?> 
<definitions
	xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
	xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wsp1_2="http://schemas.xmlsoap.org/ws/2004/09/policy"
	xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
	xmlns:tns="http://service.globinch.com/" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
	xmlns="http://schemas.xmlsoap.org/wsdl/" targetNamespace="http://service.globinch.com/"
	xmlns:sc="http://schemas.sun.com/2006/03/wss/client"
	xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
	name="MyWebServiceService">
	
<wsp1_2:Policy wsu:Id="MyWebServicePortBindingPolicy" xmlns:wsu=
     "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:ExactlyOne>
      <wsp1_2:All>
        <sp:AsymmetricBinding
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp1_2:Policy>
            <sp:InitiatorToken>
              <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                  <wsp:Policy>
                  <sp:WssX509V3Token10/>
                   </wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:InitiatorToken>
            <sp:RecipientToken>
              <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToInitiator">
                  <wsp1_2:Policy>
                  <sp:WssX509V3Token10/>
                    
</wsp1_2:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:RecipientToken>
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:TripleDesRsa15/>
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy>
                <sp:Strict/>
              </wsp:Policy>
            </sp:Layout>
            <sp:IncludeTimestamp/>
            <sp:OnlySignEntireHeadersAndBody/>
          </wsp1_2:Policy>
        </sp:AsymmetricBinding>
        <sp:SignedParts
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <sp:Body/>
        </sp:SignedParts>
        <sp:EncryptedParts
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <sp:Body/>
        </sp:EncryptedParts>
      <sc:KeyStore wspp:visibility="private" location="client.keystore"
            storepass="nosecret" alias="clientkey" keypass="nosecret"/>
        <sc:TrustStore wspp:visibility="private" location="client.keystore"
            storepass="nosecret" peeralias="serverkey"/>
      </wsp1_2:All>
    </wsp:ExactlyOne>
  </wsp1_2:Policy>
	<types>
		<xsd:schema>
			<xsd:import namespace="http://service.globinch.com/"
				schemaLocation="http://localhost:8080/MyService/?xsd=1" />
		</xsd:schema>
	</types>
	<message name="uploadImage">
		<part name="parameters" element="tns:uploadImage" />
	</message>
	<message name="uploadImageResponse">
		<part name="parameters" element="tns:uploadImageResponse" />
	</message>
	<message name="greetCustomer">
		<part name="parameters" element="tns:greetCustomer" />
	</message>
	<message name="greetCustomerResponse">
		<part name="parameters" element="tns:greetCustomerResponse" />
	</message>
	<message name="retrieveImage">
		<part name="parameters" element="tns:retrieveImage" />
	</message>
	<message name="retrieveImageResponse">
		<part name="parameters" element="tns:retrieveImageResponse" />
	</message>
	<portType name="MyWebService">
		<operation name="uploadImage">
			<input wsam:Action="http://service.globinch.com/MyWebService/uploadImageRequest"
				message="tns:uploadImage" />
			<output
				wsam:Action="http://service.globinch.com/MyWebService/uploadImageResponse"
				message="tns:uploadImageResponse" />
		</operation>
		<operation name="greetCustomer">
			<input
				wsam:Action="http://service.globinch.com/MyWebService/greetCustomerRequest"
				message="tns:greetCustomer" />
			<output
				wsam:Action="http://service.globinch.com/MyWebService/greetCustomerResponse"
				message="tns:greetCustomerResponse" />
		</operation>
		<operation name="retrieveImage">
			<input
				wsam:Action="http://service.globinch.com/MyWebService/retrieveImageRequest"
				message="tns:retrieveImage" />
			<output
				wsam:Action="http://service.globinch.com/MyWebService/retrieveImageResponse"
				message="tns:retrieveImageResponse" />
		</operation>
	</portType>
	<binding name="MyWebServicePortBinding" type="tns:MyWebService">
		<wsp1_2:PolicyReference URI="#MyWebServicePortBindingPolicy" />
		<soap:binding transport="http://schemas.xmlsoap.org/soap/http"
			style="document" />
		<operation name="uploadImage">
			<soap:operation soapAction="" />
			<input>
				<soap:body use="literal" />
			</input>
			<output>
				<soap:body use="literal" />
			</output>
		</operation>
		<operation name="greetCustomer">
			<soap:operation soapAction="" />
			<input>
				<soap:body use="literal" />
			</input>
			<output>
				<soap:body use="literal" />
			</output>
		</operation>
		<operation name="retrieveImage">
			<soap:operation soapAction="" />
			<input>
				<soap:body use="literal" />
			</input>
			<output>
				<soap:body use="literal" />
			</output>
		</operation>
	</binding>
	<service name="MyWebServiceService">
		<port name="MyWebServicePort" binding="tns:MyWebServicePortBinding">
			<soap:address location="http://localhost:8080/MyService/" />
		</port>
	</service>
</definitions>

As with server you need to configure the in wsit file as above. You can either provide the absolute location or just the keystore name. If no absolute location is provided the metro/wsit runtime will look for the keystore META-INF child directory of a directory in the classpath.
You don’t need to change wsit-client.xml or web.xml.

Now you can deploy the application and run the client. You can see the messages transferred between clinet and server are signed and encrypted. For example when the client invokes the “greetCustomer(name)” method of the MyWebService, you will see the request and response similar to the below.

Sample signed and encrypted Web Service Request

---[HTTP request - http://localhost:8080/MyService/]---
Accept: text/xml,
multipart/related
Content-Type: text/xml; charset=utf-8
SOAPAction:"http://service.globinch.com/MyWebService/greetCustomerRequest"
User-Agent: Metro/2.2.1-1 (tags/2.2.1-1-7267; 2012-08-30T14:04:51+0000)
JAXWS-RI/2.2.7 JAXWS/2.2 svn-revision#unknown
<?xml version='1.0' encoding='UTF-8'?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
	xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
	xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
	xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
	xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
	<S:Header>
		<wsse:Security S:mustUnderstand="1">
			<wsu:Timestamp
				xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
				xmlns:ns16="http://www.w3.org/2003/05/soap-envelope" wsu:Id="_3">
				<wsu:Created>2013-05-16T13:00:09Z</wsu:Created>
				<wsu:Expires>2013-05-16T13:05:09Z</wsu:Expires>
			</wsu:Timestamp>
				<wsse:BinarySecurityToken
					xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
					xmlns:ns16="http://www.w3.org/2003/05/soap-envelope"
					ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
					EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
					wsu:Id="uuid_bdf727e2-aabb-4e6b-9f77-3911c09168b2">
					MIIDWzCCAkOgAwIBAgIEacWOSTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJpbjEOMAwGA1UECBMFc3RhdGUxDTALBgNVBAcTBGNpdHkxDTALBgNVBAoTBGhvbWUxDTALBgNVBAsTBGhvbWU
					xEjAQBgNVBAMTCWxvY2FsaG9zdDAeFw0xMzA1MTUxNzA1MzNaFw0xMzA4MTMxNzA1MzNaMF4xCzAJBgNVBAYTAmluMQ4wDAYDVQQIEwVzdGF0ZTENMAsGA1UEBxMEY2l0eTENMAsGA1UEChMEaG9tZTENMAsGA1UECxMEaG9tZTESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj5W7GLe5guoS1Q23xVnKU5FSOr8U4X
					Anj1ZoCyhyE0idzEzqG5k94dDz24tkcpvZzoMsIQ+cvEwjQJcvDSJboZHL78UlT5Zvu8K8Cnq9GEoC+5Uow+iaBIP2B4WP1U62sa+tpnL2f6mL+egkS+YVROMclspaJHIeSs2bmVvwbLC5paiD496yHXXa6c27wLmIX7nQMEp6uPDfCBXj9elDd/bNBjgm1mQkwu8DdFvnANTT/E6LAukmYCZwz/QUOLp+Vl0mPA62i8doQnGKHIZmCisIuALXwXEtLOpTjQsAgjOVQ
					NnIJIJJ7e6CbTpp54UoRdoY4CzhDK6P7P8+CjmOzwIDAQABoyEwHzAdBgNVHQ4EFgQUbK+AM4o4miKvscmneQKFQxE8zE4wDQYJKoZIhvcNAQEFBQADggEBABwLuZN4glEo1TlkwVcvT5pHz5RewdZSxpuwW2Rfvq0CGG3N3lvmGefgM5Ha5YYxFjDy/TDXipcupCyANXc7UgiZsFmfUhvpWL9y74lkvnVU62T5pht6+DpL2jVjlLx5zTFtI6Fh+yBdRN9XhpM5bLY+
					KAt9rrS0CnTnQOdowVjWuCG893Gr/0lna9GJ4b+vAMR3iKE7NYqly8a1ULcP9mXm3WmD4ut4gdhO2Rh038gMgaE/IWb+WILjd1lOG7E4x+FQKgas0eXeE8QxjU+Y6Z4dqiojW3ENJ8bj44oWEQo6kjcHbifMqsKSeeHGNQ0pTlyQ4VdlJ+XqZSIbTdY6FIs=
				</wsse:BinarySecurityToken>
					<xenc:EncryptedKey
						xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
						xmlns:ns16="http://www.w3.org/2003/05/soap-envelope" Id="_5003">
						<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
						<ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
							xsi:type="KeyInfoType">
							<wsse:SecurityTokenReference>
								<ds:X509Data>
									<ds:X509IssuerSerial>
										<ds:X509IssuerName>CN=localhost, OU=home, O=home, L=city,
											ST=state, C=in</ds:X509IssuerName>
										<ds:X509SerialNumber>173056135</ds:X509SerialNumber>
									</ds:X509IssuerSerial>
								</ds:X509Data>
							</wsse:SecurityTokenReference>
						</ds:KeyInfo>
						<xenc:CipherData>
							<xenc:CipherValue>DmCPyY75NZOflXsZjL65sKMeylS2c03YtfjoS3g6FC9D/r5UqrejHYruPnXSNMADASUa47/All6PcfRNd50rUL0Yt6fofygvL5Cg6x5zrbqzgP/lqpLgw4pmy/gR04PkIJo8LX4pTkJrQ4rCW3CTs4KlSCzyD4hN6BNwBHbPBGTfGm+ghmlELO8Hwn6NEcfqdjCErBUWHdiuHaPzyee4Ld6lvvwZ
								EH1mVkqUEUgwH45G0yzi5xV+533TqdS8dFeuLsH0ZUHshtT5UNA/P0XjkmxkTlNn50GP4oVKbcAWonF0tx3QZKWYiIDL31gKtdkYFrMQTwIvzQCekA+djK3lMw==
							</xenc:CipherValue>
						</xenc:CipherData>
						<xenc:ReferenceList>
							<xenc:DataReference URI="#_5004" />
						</xenc:ReferenceList>
					</xenc:EncryptedKey>
					<ds:Signature xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
						xmlns:ns16="http://www.w3.org/2003/05/soap-envelope" Id="_1">
						<ds:SignedInfo>
							<ds:CanonicalizationMethod
								Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
								<exc14n:InclusiveNamespaces
									PrefixList="wsse S" />
							</ds:CanonicalizationMethod>
							<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
							<ds:Reference URI="#_5002">
								<ds:Transforms>
									<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
										<exc14n:InclusiveNamespaces
											PrefixList="S" />
									</ds:Transform>
								</ds:Transforms>
								<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
								<ds:DigestValue>WXv4E01QJyY+7QRL6OSyjd7nqsk=</ds:DigestValue>
							</ds:Reference>
							<ds:Reference URI="#_3">
								<ds:Transforms>
									<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
										<exc14n:InclusiveNamespaces
											PrefixList="wsu wsse S" />
									</ds:Transform>
								</ds:Transforms>
								<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
								<ds:DigestValue>wNApA3La+5PNpw5+SuTz9tZJ+eY=</ds:DigestValue>
							</ds:Reference>
						</ds:SignedInfo>
						<ds:SignatureValue>GJ4Ef
							cvGn/AWKDcND4P6xnbP34ROLDdQZqpcbRY4t5AgKuLrc65N3dUNaT/tRN+pHQslS/4Ik3SIZentrgCON1SErryMhZltoIUBgHnaKtunYHu8URzrq3kfXndLe3UFqHqAeVGvWQNCkWkG818h2Lzqy7JjjvIxek3Evre+DHTauaorHwhNBd4hqFMrN7UON3tJDNJyrjbeKqOroOSwgn8VEw9ky/Qn3UtXFVzTdhdVPkTvqdFmNW5/6pp4TU8jZ7djmOf9r48RciCcmjp7
							eNRHnUzMwjK5zYjObpyxjshyl7OBmfkyA7xRK45wZhx6hPD9uyjQCqZoWwqIb0+q1Q==
						</ds:SignatureValue>
						<ds:KeyInfo>
							<wsse:SecurityTokenReference>
								<wsse:Reference URI="#uuid_bdf727e2-aabb-4e6b-9f77-3911c09168b2"
									ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
							</wsse:SecurityTokenReference>
						</ds:KeyInfo>
					</ds:Signature>
		</wsse:Security>
	</S:Header>
	<S:Body wsu:Id="_5002">
		<xenc:EncryptedData
			xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
			xmlns:ns16="http://www.w3.org/2003/05/soap-envelope" Id="_5004"
			Type="http://www.w3.org/2001/04/xmlenc#Content">
			<xenc:EncryptionMethod
				Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
			<xenc:CipherData>
				<xenc:CipherValue>mL4nMJ5OJFDpsY0JZ1wYXVZc+hjSX3djsiul+EqZ7t1k9IAyo0gf/UT380w0mEditEnTu4YkmMImy23pFwO/NHf
					wKiJjzhU3nr4Os63pcbKbNLBYb42O8zDqJtHiM/BHSz5Dzh2FFYWXlPolJ96DoA==
				</xenc:CipherValue>
			</xenc:CipherData>
		</xenc:EncryptedData>
	</S:Body>
</S:Envelope>

Sample signed and encrypted Web Service Response

---[HTTP response - http://localhost:8080/MyService/
- 200]---
null: HTTP/1.1 200 OK
Content-Type: text/xml;charset=utf-8
Date:
Thu, 16 May 2013 13:00:09 GMT
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
<?xml version='1.0' encoding='UTF-8'?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
	xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
	xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
	xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
	xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
	<S:Header>
		<wsse:Security S:mustUnderstand="1">
			<wsu:Timestamp
				xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
				xmlns:ns16="http://www.w3.org/2003/05/soap-envelope" wsu:Id="_3">
				<wsu:Created>2013-05-16T13:00:10Z</wsu:Created>
				<wsu:Expires>2013-05-16T13:05:10Z</wsu:Expires>
			</wsu:Timestamp>
				<wsse:BinarySecurityToken
					xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
					xmlns:ns16="http://www.w3.org/2003/05/soap-envelope"
					ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
					EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
					wsu:Id="uuid_21ae8d5d-4fe1-49bf-9395-22712d10736c">
					MIIDWzCCAkOgAwIBAgIEClCghzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJpbjEOMAwGA1UECBMFc3RhdGUxDTALBgNVBAcTBGNpdHkxDTALBgNVBAoTBGhvbWUxDTALBgNVBAsTBGhvbWU
					xEjAQBgNVBAMTCWxvY2FsaG9zdDAeFw0xMzA1MTUxNzA1MTJaFw0xMzA4MTMxNzA1MTJaMF4xCzAJBgNVBAYTAmluMQ4wDAYDVQQIEwVzdGF0ZTENMAsGA1UEBxMEY2l0eTENMAsGA1UEChMEaG9tZTENMAsGA1UECxMEaG9tZTESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlqGZPNokoOd38IfVnbgJuFSJvBgrUu
					45gPo4M6XvWuopWrjCDJRRRnae1aRF8p6/n/oUPvByGxL5QwA45ZAakusRpPiIgxgbq5sONCMqmlocU7OTIU6UVih33ssb2SD6kjbr4zUeLfjOTAc0p5HQJVFPYnPer7zntz9wRaaSrNY98koPmDLPKEe4Ub5hzFlunn6dyzhgdCvmBYvX0g8iccfXi28dHolDuRcUjfu2Pk1T06or3B3owPbWB/BKACNj7kIBACsx6dZGYG0Y7StWGXHbq0Fzaf+gRMZRErMcEsh3H
					DtewE4HAskXD28W6DiiLeH9rSly0hEoVY2C8mqL0wIDAQABoyEwHzAdBgNVHQ4EFgQUBkFKLe/fqjCmux53N8m6QSktdLkwDQYJKoZIhvcNAQEFBQADggEBAHe0cqrjCwj3k6kEdXkUyybMbEjnsASxeIkTPpRdySaMtvUaTOdnwC2eaZgfRyh7mffDubJjTJfmRN3uj31Tua0r1t3DuI+ZqNGI3x5KTVa5Zqx7VTrWkzGQ2itqhxfML6EW7zbEdo3qSVIsHZcVg4q5
					XacWRUy/SM56BdRAsRxlAKu/dUkIF486HMwBsILtsPNbVYmZUoNG25HeNRYEoV+APlSpjrlGHiKpgSgcrunc+lYq9YsC7ogCzzLRH0qq0CWuakiJs+rXp30SZEF/85cSgYa67bffc20DCU+Bj8TyUXfe15rWnrtj2IT5e30/PB6WPntHB3phP5riOhX2Org=
				</wsse:BinarySecurityToken>
					<xenc:EncryptedKey
						xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
						xmlns:ns16="http://www.w3.org/2003/05/soap-envelope" Id="_5003">
						<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
						<ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
							xsi:type="KeyInfoType">
							<wsse:SecurityTokenReference>
								<ds:X509Data>
									<ds:X509IssuerSerial>
										<ds:X509IssuerName>CN=localhost, OU=home, O=home, L=city,
											ST=state, C=in</ds:X509IssuerName>
										<ds:X509SerialNumber>1774554697</ds:X509SerialNumber>
									</ds:X509IssuerSerial>
								</ds:X509Data>
							</wsse:SecurityTokenReference>
						</ds:KeyInfo>
						<xenc:CipherData>
							<xenc:CipherValue>RF0ASmWAupelcF9t8epLZ11z3A+qCQw7QKGPcPj6dBfqFTjVyL4gLoIGVMLYnfNVm89g+JqBNGgx22gRpPPyVeotHBkTQcAe/Tkedcvqvs/ZXdwjcr+NThmIBQMfN4ouyXKpdWPcflX2RntNbqVM03ci6YiDdywbCVbj+eTlj16Fv6RCdFbE0MHqVWtLwwRcFUZeqL7amD/kZI7qXxHq55MJNJa
								yWpzSBH4qzSV6aTrkcqh7NU97xupmgLHS2rIuJU75izuh2HsIzj3mvW2vx78zHryp72AhrQ39lVZB7zVzGy+HYtERAHGzmAZrLuexEyMawH5nnwDHfDONe1sU2Q==
							</xenc:CipherValue>
						</xenc:CipherData>
						<xenc:ReferenceList>
							<xenc:DataReference URI="#_5004" />
						</xenc:ReferenceList>
					</xenc:EncryptedKey>
					<ds:Signature
						xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
						xmlns:ns16="http://www.w3.org/2003/05/soap-envelope" Id="_1">
						<ds:SignedInfo>
							<ds:CanonicalizationMethod
								Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
								<exc14n:InclusiveNamespaces
									PrefixList="wsse S" />
							</ds:CanonicalizationMethod>
							<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
							<ds:Reference URI="#_5002">
								<ds:Transforms>
									<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
										<exc14n:InclusiveNamespaces
											PrefixList="S" />
									</ds:Transform>
								</ds:Transforms>
								<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
								<ds:DigestValue>3S7TJlX5oL7dCnuCJuBKgaNCnVk=</ds:DigestValue>
							</ds:Reference>
							<ds:Reference URI="#_3">
								<ds:Transforms>
									<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
										<exc14n:InclusiveNamespaces
											PrefixList="wsu wsse S" />
									</ds:Transform>
								</ds:Transforms>
								<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
								<ds:DigestValue>j8OWFlN7GQwWKrgmDeVieZ6aWLA=</ds:DigestValue>
							</ds:Reference>
						</ds:SignedInfo>
						<ds:SignatureValue>i1MA
							4JsNVDOpNK3Hee7DX58WKym6tIJdOdhxQSAaXBlXH7cjNszRf3XXMHWrn5cDqfz5/omARvMIxvjl6ZFBnNomBgBipL1jxo8JbryIi/s7RpWO1owj1azw1eYgMRtJpjw9uRL3ZGFPfTFTyT9C2SANe5JnwTCr5S6CWVEfWRh+rVQSxszX9zckun2dQXH//ljBaqmW5/6zYbZFfaVknpW7xz8khSx7Oqpj6/qciUhd+tc5hxZJ+yxlYdLvfIQii5o8Rb/Hp9iFta/dm99
							auafEhqBr/ZQm8Lz73LqxWiXnsrapxCXa0MfUDaWS/MLD4v7s5cJ9QTC103ZjsfXa7g==
						</ds:SignatureValue>
						<ds:KeyInfo>
							<wsse:SecurityTokenReference>
								<wsse:Reference URI="#uuid_21ae8d5d-4fe1-49bf-9395-22712d10736c"
									ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
							</wsse:SecurityTokenReference>
						</ds:KeyInfo>
					</ds:Signature>
		</wsse:Security>
	</S:Header>
	<S:Body wsu:Id="_5002">
		<xenc:EncryptedData
			xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
			xmlns:ns16="http://www.w3.org/2003/05/soap-envelope" Id="_5004"
			Type="http://www.w3.org/2001/04/xmlenc#Content">
			<xenc:EncryptionMethod
				Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
			<xenc:CipherData>
				<xenc:CipherValue>Umshfd2Ux6PF48P5oTRJMlX8NuIPECyY+JbQmx81q5RaKcyvSTyO8yFvlkbtR+QDriNpUgVApL3X9ZfCHejTxj
					2C3sJCNXkIbi16kcbqtkM193i5KWPXNN6EMcMcU6MXymwh/xaxQNRmZb2hJKaw+K5WEQ8dkpXxR7RwmVcJkvfsi18GEIXuIA==
				</xenc:CipherValue>
			</xenc:CipherData>
		</xenc:EncryptedData>
	</S:Body>
</S:Envelope>

Notes

  • The private key password and keystore passwords are made available to the metro runtime to encrypt and sign messages. This may be exposed if someone gets access to the source code. It is recommended to make additional security to secure private-key and keystore.
  • If you are using Tomcat web container to deploy this application please ensure that you must use same password for key password as well as keystore. Otherwsie you may get the following error.
    java.io.IOException: Cannot recover key  
            at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:465)  
            at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:130)  
            at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)  Or 
    SEVERE: WSS1538: Exception during getting the private key
    java.security.UnrecoverableKeyException: Password must not be null
            at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:124)
            at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:55)
            at java.security.KeyStore.getKey(KeyStore.java:792)
    

References:

Incoming search terms:

11 Flares Twitter 0 Facebook 1 Google+ 9 LinkedIn 1 Email -- Filament.io 11 Flares ×

About Binu George

3 thoughts on “JAX-WS Secure Web Services with Signatures and Encryption: WS-Security with Metro and WSIT

  1. Andreas says:

    Hi Binu,

    thank you for sharing the tutorials for JAX-WS-based web services utilizing WS-Security! I have been struggling quite some time to get web service and -client run in freshly created maven projects (Dynamic Web Project for the service itself and a separate JAR project for the client), but now everything runs quite smoothly 🙂

    Now I would like to give the XML signature/encryption variant a try. However your example uses a Security Policy TripleDesRsa15, which ends up in using #tripledes-cbc encryption from the XML Encryption 1.0 standard.

    Since the CBC mode has to be considered as broken, I am searching for an elegant solution to using AES encryption in GCM mode, as proposed in XML Encryption 1.1. Are you aware, if and how this can be accomplished with JAX-WS/Metro? Since WS-SecurityPolicy 1.3 does not include such a mode of operation, there won’t be any “standard” way of doing this?!

    Thanks in advance

    Andreas

  2. Binu George says:

    Hey Andreas,
    Thanks for the comments. I will be soon writing an article on AES encryption in GCM mode. I will update you once the article is published.

    Thanks
    Binu George

  3. Pablo says:

    Hi. I find this examples really really usefull.

    But I was wondering How do you managed to learn all of these things !!!!.

    I’ve tried with books but I can’t find the level of knowledge that you are showing on this post.

    Could you please guide me in order to learn about these topics?

Leave a Reply

Your email address will not be published. Required fields are marked *

Paged comment generated by AJAX Comment Page

Google+ Plus Follow on Twitter Like On Facebook Linked Follow

Popular post

JAX-WS Web Services and Clients Java JAX-WS Tutorial: Develop Web Services and Clients (Consumers) Using JAX-WS
jax-ws usernametoken example JAX-WS and Secure Java Web Services using UsernameToken : WS-Security with Metro and WSIT
How to Fix : java.security.cert.CertificateException: No name matching localhost found
JAX-WS exception fault handling example JAX-WS Exceptions and Faults: Annotation, Exception and Fault Handling Examples
SOAP Binding: Difference between Document and RPC Style Web Services

Subscribe to Enterprise Java newsletter
Subscribe
Get Enterprise Java Newsletter

Enter your email and stay on top of things,