geronimo-dev mailing list archives

From "rahul.soa" <>
Subject Initial Draft for gsoc [WS-Security support for JAX-WS Web Services] project
Date Tue, 31 Mar 2009 00:04:19 GMT
Hello Devs,

I have written a very initial draft for gsoc "WS-Security support for
JAX-WS Web Services" project [1]. Please suggest any modifications.
Thanks to Jarek for his thoughts and immediate help.

// Quote

Title: WS-Security support for JAX-WS Web Services


To integrate and enable the WS-Security features of Apache Axis2 and
Apache CXF in Apache Geronimo on web services.


Apache Geronimo supports two JAX-WS providers: Axis2 and CXF and both
of these libraries have some WS-Security features. But these features
are not integrated/enabled in Geronimo. So the goal is to enable these
features from within Geronimo. That involves basically two things:

1) that the modules (i.e. WSS4J) that provide the WS-Security features
for Axis2 and CXF are installed with Geronimo, and

2) that the WS-Security features such as [XML Security ('XML
Signature' - allows one to send along with the message a digital
signature of it, which assures that no one modified the message
content between the sender and receiver, 'XML Encryption' - allows one
to encrypt the message body or only its part using the given
cryptography algorithm) and Tokens ('Username Tokens' - WS-Security
scenario adds username and password values to the message header,
'Timestamps' - Timestamps specify how long the security data remains
valid, 'SAML Tokens')] can be enabled and configured on web services
via Geronimo deployment descriptors and/or annotations. For example,
given some web service that is annotated with @WebService; so to
ensure that the service only accepts WS-Security-secured messages, it
should be something like “to add @WS-Security annotation”.

Further in detail, we can consider WS-Security policies which can be
applied to the SOAP messages that pass between web services and web
service controls. WS-Security is controlled in WS-Security policy
files. The WS-Security policy file (WSSE file) defines the security
policy applied to the SOAP messages that pass between web services and
their clients.[1]

So we can use something like the following annotation:
@WS-Security file="MyWebServicePolicy.wsse"
public class xyz

The @WS-Security annotation determines the WS-Security policy file
(WSSE) to be applied to (1) incoming SOAP invocations of the web
service's methods and (2) the outgoing SOAP messages containing the
value returned by the web service's methods. [1] The attribute file in
the above mentioned annotation specifies the path to the WS-Security
policy file (WSSE file - MyWebServicePolicy.wsse) used by the web

In addition, I think we can also define some security feature
something like SecurityFeature similar to other WebService Feature(s)
such as AddressingFeature, MTOMFeature and RespectBindingFeature. This
new feature can also have the “enabled property” like other
features that is used to store whether a particular feature should be
enabled or disabled. This type should provide either a constructor
and/or a method that will allow the web service developer to set the
enabled property. The meaning of enabled or disabled is determined by
each individual WebServiceFeature. It is important that web services
developers be able to enable/disable specific features when writing
their web applications. [2]




Any suggestions will be appreciated.

* Please put my email id in cc if you reply to mailing list only as I
am not on the mailing list at this time. I have sent requests many
times but could not get the confirmation reply for joining the mailing
list so far.

Many Thanks.

Best Regards,
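
The receiver-side check that "only accepts WS-Security-secured messages" implies, as an added example that is not part of the original message and is not Geronimo, Axis2, CXF or WSS4J code. It assumes SOAP 1.1 and the OASIS WS-Security 1.0 namespaces; the function name `check_ws_security` and the sample envelope are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {  # SOAP 1.1 and OASIS WS-Security 1.0 namespaces
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}

def _utc(text):
    # xsd:dateTime in UTC; drop optional fractional seconds before parsing
    stamp = text.strip().rstrip("Z").split(".")[0]
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_ws_security(envelope, now):
    """Return reasons to reject the message; an empty list means accept."""
    if "<!DOCTYPE" in envelope:  # SOAP forbids DTDs; also stops entity expansion
        return ["DTD not allowed"]
    sec = ET.fromstring(envelope).find("soap:Header/wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]
    problems = []
    created = sec.findtext("wsu:Timestamp/wsu:Created", namespaces=NS)
    expires = sec.findtext("wsu:Timestamp/wsu:Expires", namespaces=NS)
    try:
        if not created or not expires:
            problems.append("missing wsu:Timestamp")
        elif not _utc(created) <= now < _utc(expires):
            problems.append("timestamp outside validity window")
    except ValueError:
        problems.append("malformed timestamp")
    if not sec.findtext("wsse:UsernameToken/wsse:Username", namespaces=NS):
        problems.append("missing UsernameToken")
    return problems  # signature and password verification are not shown here

# Constructed sample message (not taken from the original post)
SAMPLE = f"""<soap:Envelope xmlns:soap="{NS['soap']}"
    xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
  <soap:Header><wsse:Security>
    <wsu:Timestamp><wsu:Created>2009-03-31T00:00:00Z</wsu:Created>
      <wsu:Expires>2009-03-31T00:05:00Z</wsu:Expires></wsu:Timestamp>
    <wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>
  </wsse:Security></soap:Header>
  <soap:Body/>
</soap:Envelope>"""

if __name__ == "__main__":
    print(check_ws_security(SAMPLE, datetime(2009, 3, 31, 0, 4, 19, tzinfo=timezone.utc)))
```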

