Mule 3.3 – Ws Security

In this post I’d like to talk about enabling WS-Security on a web service.

As usual, the example comes from the official Mule guide at this link.

Briefly, to avoid duplicating code from the Mule example, I’ll show only the configuration added to the Mule file.

Server

<spring:beans>
    <spring:bean id="serverCallback" class="org.example.security.ServerPasswordCallback"/>
</spring:beans>

<cxf:jaxws-service serviceClass="org.example.HelloWorld">
    <cxf:inInterceptors>
        <spring:bean class="org.apache.cxf.interceptor.LoggingInInterceptor" />
        <spring:bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
        <spring:bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
            <spring:constructor-arg>
                <spring:map>
                    <spring:entry key="action" value="UsernameToken" />
                    <spring:entry key="passwordCallbackRef" value-ref="serverCallback" />
                </spring:map>
            </spring:constructor-arg>
        </spring:bean>
    </cxf:inInterceptors>
    <cxf:outInterceptors>
        <spring:bean class="org.apache.cxf.interceptor.LoggingOutInterceptor" />
    </cxf:outInterceptors>
</cxf:jaxws-service>

We’ve added WSS4JInInterceptor, which performs the authentication of the message. More information is available here.

Client

<spring:beans>
    <spring:bean id="clientCallback" class="org.example.security.ClientPasswordCallback"/>
</spring:beans>

<cxf:jaxws-client clientClass="org.example.client.HelloWorldService"
        port="HelloWorldPort"
        wsdlLocation="http://localhost:63081/hello?wsdl"
        operation="sayHi">
    <cxf:inInterceptors>
        <spring:bean class="org.apache.cxf.interceptor.LoggingInInterceptor" />
    </cxf:inInterceptors>
    <cxf:outInterceptors>
        <spring:bean class="org.apache.cxf.interceptor.LoggingOutInterceptor" />
        <spring:bean class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor" />
        <spring:bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
            <spring:constructor-arg>
                <spring:map>
                    <spring:entry key="action" value="UsernameToken" />
                    <spring:entry key="user" value="joe" />
                    <spring:entry key="passwordType" value="PasswordDigest" />
                    <!-- The callback supplies the password so it's not stored in our config file -->
                    <spring:entry key="passwordCallbackRef" value-ref="clientCallback" />
                </spring:map>
            </spring:constructor-arg>
        </spring:bean>
    </cxf:outInterceptors>
</cxf:jaxws-client>

In the same way as on the server, we use WSS4JOutInterceptor to send the authentication information to the server in the SOAP message.

The client's SOAP message will contain this header:

<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        soap:mustUnderstand="1">
    <wsse:UsernameToken wsu:Id="UsernameToken-1">
        <wsse:Username>joe</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">nS7HeU6wUXiwl/N34ZfIROCYP8M=</wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">csyk0xtzeuq2meFgOye0yA==</wsse:Nonce>
        <wsu:Created>2012-05-17T12:28:52.917Z</wsu:Created>
    </wsse:UsernameToken>
</wsse:Security>

At lines 6 and 7 we can see the authentication credentials sent to the server, which checks them against its credentials group.

If the credentials do not match, we will receive something like this:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
   <soap:Body>
      <soap:Fault>
         <faultcode xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:FailedAuthentication</faultcode>
         <faultstring>The security token could not be authenticated or authorized</faultstring>
      </soap:Fault>
   </soap:Body>
</soap:Envelope>
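
The check behind that fault, for a PasswordDigest token like the one in the header above, sketched as an added example (not code from the Mule guide or from WSS4J). The digest formula is the one defined by the UsernameToken Profile 1.0; the class name, the password store, the 5-minute freshness window and the in-memory nonce cache are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Nonce and Created are the values from the header shown above; the password,
# the 5-minute window and "now" are constructed for this example.
NONCE = "csyk0xtzeuq2meFgOye0yA=="
CREATED = "2012-05-17T12:28:52.917Z"
NOW = datetime(2012, 5, 17, 12, 29, 0, tzinfo=timezone.utc)
PASSWORDS = {"joe": "constructed-password"}


def password_digest(nonce_b64, created, password):
    """Base64(SHA-1(nonce bytes + Created + password)), per UsernameToken Profile 1.0."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


class UsernameTokenVerifier:
    def __init__(self, passwords, max_age=timedelta(minutes=5)):
        self.passwords = passwords   # username -> plaintext password (constructed store)
        self.max_age = max_age
        self.seen = set()            # (user, nonce) replay cache, in memory only

    def verify(self, user, digest_b64, nonce_b64, created, now):
        password = self.passwords.get(user)
        if password is None:
            return False                                   # unknown user
        ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%S.%fZ")
        if abs(now - ts.replace(tzinfo=timezone.utc)) > self.max_age:
            return False                                   # stale or future-dated token
        if (user, nonce_b64) in self.seen:
            return False                                   # nonce already used: replay
        expected = password_digest(nonce_b64, created, password)
        if not hmac.compare_digest(expected, digest_b64):
            return False                                   # wrong password
        self.seen.add((user, nonce_b64))
        return True


if __name__ == "__main__":
    verifier = UsernameTokenVerifier(PASSWORDS)
    token = password_digest(NONCE, CREATED, PASSWORDS["joe"])
    print("first use:", verifier.verify("joe", token, NONCE, CREATED, NOW))
    print("replayed: ", verifier.verify("joe", token, NONCE, CREATED, NOW))
```

Because the digest is computed over the plaintext password, the server side must be able to obtain that password to recompute it. The nonce and Created checks are what stop a captured header from being accepted a second time.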

That’s all. You can find other resources here:

http://ws.apache.org/wss4j
http://cxf.apache.org/docs/ws-security.html
