geronimo-scm mailing list archives

From conflue...@apache.org
Subject [CONF] Apache Geronimo v2.2 > Securing Web Service
Date Tue, 18 Aug 2009 03:33:01 GMT
<html>
<head>
    <base href="http://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1519/1/1/_/styles/combined.css?spaceKey=GMOxDOC22&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background-color: white" bgcolor="white">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
     <h2><a href="http://cwiki.apache.org/confluence/display/GMOxDOC22/Securing+Web+Service">Securing
Web Service</a></h2>
     <h4>Page <b>edited</b> by             <a href="http://cwiki.apache.org/confluence/display/~sophia">Ying
Tang</a>
    </h4>
     
          <br/>
     <div class="notificationGreySide">
         <p>Web Service security (WS-security) is a SOAP-based security standard that
provides Web services with message-level integrity, confidentiality and authentication.</p>

<p>With WS-security, the Simple Object Access Protocol (SOAP) message contains a SOAP
header, which includes signature, encryption information, protocols for processing the secured
information, and security tokens for credential propagation.</p>

<p>A WS-Security policy file (WSSE) is associated with a Web service so that both inbound
and outbound SOAP messages are handled according to the security policy in the WSSE file.</p>

<p>Geronimo 2.2 has two WS-security providers: Axis2 for the Tomcat Web container and CXF
for Jetty. They enable the following WS-security features in Web service development for
Geronimo:</p>
<ul>
	<li><b>XML Security</b> - allows one to send a digital signature of the message along
with it, so that the receiver can verify that no one modified the message content between the
sender and the receiver.</li>
	<li><b>XML Encryption</b> - allows one to encrypt the whole message body or only part of
it using the given cryptographic algorithm.</li>
	<li><b>Username Tokens</b> - adds username and password values to the message
header.</li>
	<li><b>Security Assertions Markup Language (SAML) Tokens</b> - configured
on web services via Geronimo deployment descriptors and/or annotations.</li>
	<li><b>Timestamps</b> - specifies how long the security data remains valid.</li>
</ul>


<p>In this guide, CXF/Jetty will be used as an example.</p>

<h2><a name="SecuringWebService-EnablingWSsecurityinWebserviceclient"></a>Enabling
WS-security in Web service client</h2>
<h3><a name="SecuringWebService-Configuringsecurityproperties"></a>Configuring
security properties</h3>
<p>You can specify various properties using a &lt;property&gt; element in the
&lt;port&gt; section in <tt>geronimo-web.xml</tt> for a CXF/Jetty client.
<br/>
To configure WS-security properties, you only need to prefix each property name with <tt>wss4j.in</tt>
for inbound settings, or <tt>wss4j.out</tt> for outbound settings. For example:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
&lt;property name=<span class="code-quote">"wss4j.out.action"</span>&gt;UsernameToken Timestamp&lt;/property&gt;
&lt;property name=<span class="code-quote">"wss4j.out.user"</span>&gt;foo&lt;/property&gt;
&lt;property name=<span class="code-quote">"wss4j.out.password"</span>&gt;bar&lt;/property&gt;
</pre>
</div></div>

<h3><a name="SecuringWebService-EnablingsignedorencryptedSOAPmessages"></a>Enabling
signed or encrypted SOAP messages </h3>
<p>Geronimo allows the CXF/Jetty client to send or receive signed or encrypted SOAP
messages. You can enable this feature inside &lt;port&gt; in the <tt>geronimo-web.xml</tt>
on the client side. For example, for both signing and encrypting, add the following lines to &lt;port&gt;:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
&lt;port&gt;
&lt;port-name&gt;DoubleItPort&lt;/port-name&gt;
&lt;protocol&gt;http&lt;/protocol&gt;
&lt;host&gt;localhost&lt;/host&gt;
&lt;port&gt;8080&lt;/port&gt;
&lt;uri&gt;/doubleit/services/doubleit&lt;/uri&gt;
...
&lt;/port&gt;
</pre>
</div></div>

<h2><a name="SecuringWebService-EnablingWSsecurityatserviceside"></a>Enabling
WS-security at service side</h2>
<h3><a name="SecuringWebService-ConfiguringUsernametoken"></a>Configuring
Username token </h3>
<p>Geronimo CXF/Jetty supports the UsernameToken Profile on the server side. For example,
to enable the UsernameToken profile for <b>CalculatorService</b>, add the following
lines to <tt>geronimo-web.xml</tt>:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
&lt;servlet&gt;
&lt;servlet-name&gt;CalculatorService&lt;/servlet-name&gt;
&lt;ws-security-binding&gt;
&lt;security-realm-name&gt;geronimo-admin&lt;/security-realm-name&gt;
&lt;property name=<span class="code-quote">"wss4j.in.action"</span>&gt;UsernameToken&lt;/property&gt;
&lt;/ws-security-binding&gt;
&lt;/servlet&gt;
</pre>
</div></div>

<h3><a name="SecuringWebService-EnablingsignedorencryptedSOAPmessages"></a>Enabling
signed or encrypted SOAP messages </h3>
<p>Similarly, you can enable the service side to send or receive signed or encrypted
SOAP messages by configuring the &lt;port&gt; section in <tt>geronimo-web.xml</tt>:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
&lt;port&gt;
&lt;port-name&gt;DoubleItPort&lt;/port-name&gt;
&lt;protocol&gt;http&lt;/protocol&gt;
&lt;host&gt;localhost&lt;/host&gt;
&lt;port&gt;8080&lt;/port&gt;
&lt;uri&gt;/doubleit/services/doubleit&lt;/uri&gt;
...
&lt;/port&gt;
</pre>
</div></div>
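<p>An added example, not from the original page or the Geronimo project, that fills in the client-side <tt>wss4j.out</tt> and service-side <tt>wss4j.in</tt> properties for the two "signed or encrypted SOAP messages" sections above. The names after the prefix are WSS4J handler properties; the keystore aliases, crypto properties file names, callback classes and the placement of the inbound properties inside <tt>&lt;ws-security-binding&gt;</tt> are assumptions.</p>

```xml
<!-- geronimo-web.xml, client side (assumed values): timestamp, sign, then encrypt outbound messages -->
<port>
  <port-name>DoubleItPort</port-name>
  <protocol>http</protocol>
  <host>localhost</host>
  <port>8080</port>
  <uri>/doubleit/services/doubleit</uri>
  <!-- action order is the processing order: Timestamp is added first so it is covered by the signature -->
  <property name="wss4j.out.action">Timestamp Signature Encrypt</property>
  <!-- alias of the client's own private key in the signature keystore (assumed alias) -->
  <property name="wss4j.out.user">clientkey</property>
  <!-- WSS4J Merlin crypto properties files packaged with the application (assumed file names) -->
  <property name="wss4j.out.signaturePropFile">client_sign.properties</property>
  <property name="wss4j.out.encryptionPropFile">client_encrypt.properties</property>
  <!-- alias of the service's public certificate used to encrypt the body (assumed alias) -->
  <property name="wss4j.out.encryptionUser">serverkey</property>
  <!-- CallbackHandler that supplies the private-key password at runtime, so no
       plaintext password is stored in the descriptor (assumed class name) -->
  <property name="wss4j.out.passwordCallbackClass">org.example.ClientPasswordCallback</property>
  <!-- sign the Timestamp together with the Body so neither can be replaced independently -->
  <property name="wss4j.out.signatureParts">{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body</property>
</port>

<!-- geronimo-web.xml, service side (assumed placement): require the same on inbound messages -->
<servlet>
  <servlet-name>DoubleItService</servlet-name>
  <ws-security-binding>
    <!-- inbound actions must match what the client sends, otherwise the message is rejected -->
    <property name="wss4j.in.action">Timestamp Signature Encrypt</property>
    <!-- trust store holding the client certificate used to verify the signature (assumed file name) -->
    <property name="wss4j.in.signaturePropFile">server_sign.properties</property>
    <!-- keystore holding the service's private key used to decrypt the body (assumed file name) -->
    <property name="wss4j.in.decryptionPropFile">server_decrypt.properties</property>
    <!-- supplies the decryption-key password at runtime (assumed class name) -->
    <property name="wss4j.in.passwordCallbackClass">org.example.ServerPasswordCallback</property>
    <!-- reject messages whose Timestamp is older than 300 seconds to limit replay -->
    <property name="wss4j.in.timeToLive">300</property>
  </ws-security-binding>
</servlet>
```

Each properties file referenced above is a standard WSS4J Merlin file naming the keystore type, path, password and default alias; keeping it outside the deployment descriptor keeps the key material out of the application archive's descriptors.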
     </div>
     <div id="commentsSection" class="wiki-content pageSection">
       <div style="float: right;">
            <a href="http://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
       </div>

       <a href="http://cwiki.apache.org/confluence/display/GMOxDOC22/Securing+Web+Service">View
Online</a>
       |
       <a href="http://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=2851327&revisedVersion=2&originalVersion=1">View
Change</a>
              |
       <a href="http://cwiki.apache.org/confluence/display/GMOxDOC22/Securing+Web+Service?showComments=true&amp;showCommentArea=true#addcomment">Add
Comment</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>
