geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "rahul.soa" <rahul....@googlemail.com>
Subject Re: WS-Security support for JAX-WS Web Services
Date Sun, 17 May 2009 16:02:28 GMT
Hello Jarek,

As we discussed, I have created a simple web service (receives an order
request from the client and returns the order number, this web services
expects password from the user) and client (sends the order request with the
password) and provided it ws-security support (UsernameToken only) with
Apache CXF 2.1.5. It works just fine.

In 'above mentioned test', I am using only two "ws-security" jar files
xmlsec.jar and wss4j.jar (which are mandatory). Perhaps for the other
complex security we might need other ws-security jars concerning CXF. So at
least, at this moment we can integrate these two jar files in CXF Apache
Geronimo plugin.

I was thinking to create a JIRA for this gsoc project so that I can attach
all the work on it. What do you say?

Thanks.

Best Regards,
Rahul

On Wed, May 13, 2009 at 11:41 AM, rahul.soa <rahul.soa@googlemail.com>wrote:

> Hello David, Dan
>
> Thanks for your advice. With the suggestion of Jarek, I started a simple
> webservice and client with ws-security support (with CXF first). When this
> will run with the ws-security support then we can start integrating the
> "right jars" into geronimo (into the cxf plugin). Further, once we have all
> the jars integrated in geronimo we can try using a geronimo client and
> connect to the standalone cxf service with ws-security.
>
> Many Thanks for your support.
>
> Best Regards,
> Rahul
> On Tue, May 12, 2009 at 2:51 AM, Daniel Kulp <dkulp@apache.org> wrote:
>
>> On Mon May 11 2009 7:16:46 pm David Jencks wrote:
>> > On May 11, 2009, at 3:24 PM, rahul.soa wrote:
>> > > Hello everyone,
>> > >
>> > > As you know I am working on the support of ws-security module, so I
>> > > did some research about integrating the modules in Apache Geronimo
>> > > for the same.
>> > >
>> > > For the integrating/enabling WS-Security support, I think we need to
>> > > have the following jars and modules in Geronimo:
>> > >
>> > > Apache CXF:
>> > >
>> > > For WS-Security support we need to have following jar files from the
>> > > CXF:
>> > >
>> > > - bcprov-jdk15.jar
>> >
>> > Previously when we used some bouncy castle classes the jar included
>> > some classes that may well have infringed some us patents.  I think I
>> > saw somewhere that bouncy castle had finally released a jar without
>> > thses classes.  We should verify that this jar does not contain these
>> > classes.  Also, we have copies of a bunch of the bc classes we need
>> > for other purposes in the geronimo-crypto module, so we should check
>> > that we don't already have the needed classes.
>>
>> Version 140 and later in maven have the patent covered algorithms removed.
>> Not an issue anymore.
>>
>> >
>> > > - xalan.jar
>> >
>> > really?  I'd like to know why the xml transform support in the jdk is
>> > not sufficient.
>>
>> xmlsec uses some of the internal xalan classes.   I could never get a good
>> reason as to why.
>>
>> > > - serializer.jar
>>
>> This goes with Xalan.
>>
>>
>> > > - wss4j.jar
>> > > - xmlsec.jar
>>
>> Note:  all of those jars will be required for Axis2 as well.
>>
>>
>> > > Apache Axis2
>> > >
>> > > 1. We need to integrate "Rampart*" module of axis2,
>> > >
>> > > 2. for step 1, need to download the Java Cryptography Extension
>> > > (JCE) Unlimited Strength Jurisdiction Policy Files corresponding to
>> > > JDK version and extract the jar files local_policy.jar and
>> > > US_export_policy.jar to $JAVA_HOME/jre/lib/security
>> >
>> > These are not something we can include, right?  they'd have to be
>> > installed by the end user?
>>
>> Correct.   However, for unit tests and such, we can PROBABLY use less
>> secure
>> algorithms.   I have someone looking into the same issue for the CXF test
>> cases.   We don't want to make every developer have to install the strong
>> crypto libraries.  Basically, if the user needs the strong crypto stuff,
>> they
>> WILL need to download and install the strong crypto libs from Sun.
>>
>> Dan
>>
>> > > 3. for step 1, need to download bouncycastle according to java
>> > > version separately
>> > >
>> > > *Rampart is the security module of Axis2
>> > >
>> > >
>> > > Please let me know if I am missing something and please also guide
>> > > me how can I get them in Geronimo.
>> >
>> > That depends partly on the classloader relationships needed between
>> > the main cxf/axis2 jars and these new ones.  If appropriate cxf/axis2
>> > jars and these jars can be in a classloader that is a child of the cxf/
>> > axis2 "main" plugin classloaders, you should probably make cxf-wss and
>> > axis2-wss plugins with all the security related jars as dependencies.
>> > If this doesn't work and the classes need to be in the main cxf/axis2
>> > plugin classloader then you probably need to just add these as
>> > dependencies.
>> >
>> > thanks
>> > david jencks
>> >
>> > > Thanks in advance.
>> > >
>> > > Regards,
>> > > Rahul
>>
>> --
>> Daniel Kulp
>> dkulp@apache.org
>> http://www.dankulp.com/blog
>>
>
>

Mime
View raw message