Package org.apache.ws.axis.security

Provides classes and interfaces that implement WSS4J Axis handlers.

See:
          Description

Class Summary
WSDoAllReceiver  
WSDoAllSender  
 

Package org.apache.ws.axis.security Description

Provides classes and interfaces that implement WSS4J Axis handlers. These handler process SOAP requests according to the OASIS Web Service Security (WSS) specifications.

The WSS4J Axis handlers WSDoAllSender and WSDoAllReceiver control the creation and consumption of secure SOAP requests. The handlers work behind the scenes and are usually transparent to Web Service (WS) applications. The Axis deployment descriptor files (*.wsdd) may contain all necessary information to control the security processing.

A WS application may also set properties to control the handlers and provide default values. If the deployment descriptor sets the same property (parameter) then the deployment descriptor overwrites the application defined property. Thus, deployment settings overwrite application settings to fulfill site specific requirements.

Prerequisties

The WS Security Axis handlers use the WSS4J classes (Web Service Security for Java) to process the SOAP messages. WSS4J in turn uses the Apache XML Security project to handle XML Security according to XML Signature and XML Encryption. The WSS4J Axis handlers require Axis V1.2 because of some problems in previous Axis versions. WSS4J CVS contains the latest Axis libraries.

Related Documentation

The OASIS WSS specifications define a number of features and it is possible to combine them in several ways. The WSS4J Axis handlers already support a large number of WSS features and their combinations. Here are the WSS specifications.

The basics - a simple example that uses UsernameToken

This chapter gives an overview and some examples how to deploy the WSS4J Axis handlers and how the parameters and their values control the handlers. For a better understanding of this chapter the reader shall have a knowledge of the OASIS WSS specifications.

The WSHandlerConstants, WSDoAllSender, and WSDoAllReceiver provide additional and detailed documentation.

Axis deployment descriptor to insert a UsernameToken

The following snippet shows a general layout how to deploy a WS Axis handler on the client (application) side.
 <!-- define the service, use the WSDoAllSender security handler in request flow -->
 <service name="Ping1">
  <requestFlow>
   <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
    <parameter name="action" value="UsernameToken"/>
    <parameter name="user" value="werner"/>
    <parameter name="passwordType" value="PasswordText" />
    <parameter name="passwordCallbackClass" 
      value="org.apache.ws.axis.oasis.PWCallback1"/>
   </handler>
  </requestFlow>
  </service>
This is the standard way to deploy an Axis handler. Axis parses the deployment descriptor and provides the parameters and their value to the handler. Each service can have its own request and response flow definition, which provides a very flexible set-up of the security parameters.

The above setup inserts the most simple security structure into a SOAP request: the simple UsernameToken. This token includes a username and the according password. Both fields are sent in cleartext, thus it provides no real security.

The parameters and their meanings are:

The WSS4J Axis security handler interprets the parameter values and controls the WSS4J modules to generate the following SOAP request:
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext" 
      soapenv:mustUnderstand="true">
      <wsse:UsernameToken>
        <wsse:Username>werner</wsse:Username>
        <wsse:Password Type="wsse:PasswordText">security</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <Ping xmlns="http://xmlsoap.org/Ping">
      <text>Scenario 1 text</text>
      <ticket xmlns:ns1="http://xmlsoap.org/Ping" 
        xsi:type="ns1:ticketType">scenario1</ticket>
    </Ping>
  </soapenv:Body>
</soapenv:Envelope>
This is a pretty print of the real SOAP message.

The password callback class

The deployment descriptor contains the user name that the handler inserts into the UsernameToken but not the password. In general it is not a good idea to store sensitive information like a password in cleartext. To get the password the WSS4J Axis handler uses a password callback technique similar to the JAAS mechansim. The parameter passwordCallbackClass contains the classname of the callback class. This class must implement the CallbackHandler interface. The WSS4J Axis handler gets this class, instantiates it, and calls the handle method when it needs a password. Refer also to the parameter documentation.

The following code snippet shows a simple password callback class:

package org.apache.ws.axis.oasis;

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class PWCallback implements CallbackHandler {

  private static final byte[] key = {
    (byte)0x31, (byte)0xfd, (byte)0xcb, (byte)0xda,
    (byte)0xfb, (byte)0xcd, (byte)0x6b, (byte)0xa8,
    (byte)0xe6, (byte)0x19, (byte)0xa7, (byte)0xbf,
    (byte)0x51, (byte)0xf7, (byte)0xc7, (byte)0x3e,
    (byte)0x80, (byte)0xae, (byte)0x98, (byte)0x51,
    (byte)0xc8, (byte)0x51, (byte)0x34, (byte)0x04,
  };
	
  public void handle(Callback[] callbacks)
    throws IOException, UnsupportedCallbackException {
    for (int i = 0; i < callbacks.length; i++) {
      if (callbacks[i] instanceof WSPasswordCallback) {
        WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
        /*
         * here call a function/method to lookup the password for
         * the given identifier (e.g. a user name or keystore alias)
         * e.g.: pc.setPassword(passStore.getPassword(pc.getIdentfifier))
         * for testing we supply a fixed name/fixed key here.
         */
        if (pc.getUsage() == WSPasswordCallback.KEY_NAME) {
          pc.setKey(key);
        }
        else {
          pc.setPassword("security");
        }
      } else {
        throw new UnsupportedCallbackException(
          callbacks[i], "Unrecognized Callback");
      }
    }
  }
}
The Java callback handler documentation provides a detailed description of the interface and exceptions.

The WSS4J library uses a specific class to get the required password or key informations. The WSSPasswordCallback class implements the Callback interface according to the JAAS. Depending on it usage this class either carries the required password as a Java String or it carries the required key information as a Java byte[] array. Refer to WSPasswordCallback that contains a detailed description of the usage codes.

The WSS4J Axis handler or the WSS4J modules set the usage code before they call handle method.

Application sets parameters to insert in UsernameToken

Sometimes it is not feasable or not possible to determine parameters and their values during deployment. In this case the application can set paramters during runtime. The WSS4J Axis handlers use the Axis setProperty method to support this feature.

The following code snippet shows an example how to use the dynamic setting of parameters and their values:

   ...
 Service service = new Service();
 Call call = (Call) service.createCall();
   ...  
 call.setProperty(UsernameToken.PASSWORD_TYPE, WSConstants.PASSWORD_TEXT);
 call.setProperty(WSHandlerConstants.USER, "werner");
   ...
Use this way if your application dynamically creates a call object. If your application uses stubs generated by Axis' WSDL2Java tool, the application uses the following functions:
    ...
 PingServiceLocator service = new PingServiceLocator();
    ...
 PingPort port = (PingPort) service.getPing1();
 port._setProperty(UsernameToken.PASSWORD_TYPE, WSConstants.PASSWORD_TEXT);
 port._setProperty(WSHandlerConstants.USER, "werner");
    ...
Please note that _setProperty is a Axis specific call.

The password callback object reference

In addition to the password callback class an application may set a password callback object using the setProperty() methods. Only applications (and Axis handlers that preceed the WSS4J Axis handlers in a handler chain) can use this feature.

For example:

public class Scenario1 implements CallbackHandler {

  public static void main(String args[]) {
    ...
    PingServiceLocator service = new PingServiceLocator();
    ...
    PingPort port = (PingPort) service.getPing1();
    ((org.apache.axis.client.Stub)port)._setProperty(UsernameToken.PASSWORD_TYPE, WSConstants.PASSWORD_TEXT);
    ((org.apache.axis.client.Stub)port._setProperty(WSHandlerConstants.USER, "werner");
    ((org.apache.axis.client.Stub)port._setProperty(WSHandlerConstants.PW_CALLBACK_REF, this);
    ...
  }

  public void handle(Callback[] callbacks) {
    ...
  }
}

Deployment of the WSS4J Axis WSDoAllReceiver handler

Similar to the deployment descriptor of the sending handler WSDoAllSender a deployment descriptor for the receiving handler exists. For the above example the deployment descriptor look like:
  <requestFlow>
   <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
    <parameter name="passwordCallbackClass" 
      value="org.apache.ws.axis.oasis.PWCallback"/>
    <parameter name="action" value="UsernameToken"/>
   </handler>
  </requestFlow>
The receiving WSS4J Axis handler checks if the SOAP request matches the defined actions.

Combining security actions

Often it is necessary to combine or concatenate several security actions, for example to encrypt parts of a message and sign some other parts. The WSS4J Axis handlers provide easy and simple methods to combine or concatenate security actions.

This chapter describes simple combinations of actions.

Combine UsernameToken and Encryption

The WS Interoperability specifications define this use case: The Axis deplyment descriptor for this use case:
  <requestFlow>
   <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
    <parameter name="action" value="UsernameToken Encrypt"/>
    <parameter name="user" value="werner"/>
    <parameter name="passwordCallbackClass" 
      value="org.apache.ws.axis.oasis.PWCallback"/>
    <parameter name="passwordType" value="PasswordText" />
    <parameter name="addUTElement" value="Nonce Created" />
    <parameter name="encryptionPropFile" value="crypto.properties" />
    <parameter name="encryptionKeyIdentifier" value="X509KeyIdentifier" />
    <parameter name="encryptionUser" 
      value="16c73ab6-b892-458f-abf5-2f875f74882e" />
    <parameter name="encryptionParts" 
      value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken" />  
   </handler>
  </requestFlow>  
This descriptor contains some new parameters to control the UsernameToken element and its encryption. The new parameters and their meaning are: The matching receiver deployment descriptor:
  <requestFlow>
   <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
    <parameter name="passwordCallbackClass" 
      value="org.apache.ws.axis.oasis.PWCallback"/>
    <parameter name="action" value="UsernameToken Encrypt"/>
    <parameter name="decryptionPropFile" value="crypto.properties" />
   </handler>
  </requestFlow>
The only new parameter here is the decryptionPropFile. This parameter defines the crypto property file at the receiver side. The value of the action parameter matches the according value at the sender side. The WSS4J Axis receiver checks if the SOAP request contains the required security data.

Combine Signature and Encryption

This is a very common usage of Web Service security. The WSS4J Axis handler provides flexible parameter settings that support several ways to use the Signature/Encryption combination.

A WSS4J Axis deployment descriptor for a simple Singature/Encryption of SOAP requests:

<requestFlow>
  <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
    <parameter name="user" value="16c73ab6-b892-458f-abf5-2f875f74882e"/>
    <parameter name="passwordCallbackClass" 
      value="org.apache.ws.axis.oasis.PWCallback"/>
    <parameter name="action" value="Signature Encrypt"/>
    <parameter name="signaturePropFile" value="crypto.properties" />
  </handler>
</requestFlow>
This simple deployment descriptor signs and encrypts the SOAP Body part. The only new parameter, signaturePropFile, specifies the name of the signature crypto property file to use. Because no encryptionPropFile is declared the handler also uses the signature property file to get the encryption certificate. The same holds true for the username. The password callback class must return a password to get the user's private key (the keystore is defined in the crypto property file) that WSS4J uses to generate the signature. The encryption method uses the user's public key to encrypt the dynamically generated session key.

The action parameter defines Signature Encryption. Thus the handler first signs, then the encrypts the data. Because the deployment descriptor does not contain specific encryption or signature part parameters, WSS4J defaults to the data of the SOAP Body element.

Also all other parameters use their default setting, such as the format of the key identifiers, encryption modifiers, and so on. Please refer to the detailed documentation of the parameters.

If the WSS4J Axis handler shall perform encryption only, then the deployment descriptor must contain the encryption specific parameters. Only if sign and encryption is required the encryption method falls back to the signature parameters if the encryption specific parameters are not set.

The matching receiver deployment descriptor is also very simple:

<requestFlow>
  <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
    <parameter name="passwordCallbackClass" 
      value="org.apache.ws.axis.oasis.PWCallback"/>
    <parameter name="action" value="Signature Encrypt"/>
    <parameter name="signaturePropFile" value="crypto.properties" />
  </handler>
 </requestFlow>	
To reverse the actions, just reverse the action specifiers. The WSS4J handler encrypts the SOAP Body first, then signs the encrypted data.

Signing and encrypting multiple XML elements

Sometimes it is necessary to sign and/or encrypt several parts of a SOAP message. The deployment parameters signatureParts and encryptionParts control which SOAP elements to sign or to encrypt. Please refer to the detailed description of these parameters.

WSS4J signs or encrypts all declared parts using the same keys, that is the signature or encryption data structures directly reference the specified parts as described in the WSS specifications. The receiver automatically detects these references and verfies and decrypts the data parts. No special settings in the depolyment descriptor is necessary.

Chaining of WSS4J Axis handlers

This is a very powerful feature that supports even more flexible signature and encryption processing such as signatures with multiple keys (overlapping signatures), multiple encryption algorithms, or different SOAP actor (role) defintions of the security headers.

Deployment at the client

A deployment descriptor to chain handlers:
  <requestFlow>
   <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
    <parameter name="action" value="Signature NoSerialization"/>
    <parameter name="user" value="firstUser"/>
    <parameter name="passwordCallbackClass" 
      value="org.apache.ws.axis.oasis.PWCallback"/>
    <parameter name="signaturePropFile" value="crypto.properties" />
    <parameter name="signatureParts" value="{}{http://xmlsoap.org/Ping}ticket" />    
   </handler>
   <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
    <parameter name="action" value="Signature"/>
    <parameter name="user" value="anotherUser"/>
    <parameter name="passwordCallbackClass" 
      value="org.apache.ws.axis.oasis.PWCallback"/>
    <parameter name="signaturePropFile" value="crypto.properties" />
   </handler>  
  </requestFlow>
Note the action specifier NoSerialization first handler. In a handler chain of WSS4J handlers every but the last handler must have this action specifier. This specifier surpresses the very last step of the handler's security processing: the serialization of the processed SOAP request in a XML string (document) that Axis sends to the reveiver. Only the last handler must perform this serialization.

Every handler specification can have its own set of parameters that define the individual values for this handler instance. Thus the deployment descriptor can define different crypto property files, different usernames, and so on. In the example the first handler signs the ticket element and the second handler the SOAP Body (default).

Parameters set by the application with setProperty are valid for all handler instances in the handler chain (setProperty is defined on the SOAP request (call) level). As already decribed, deployment settings overrule application settings. Thus it is possible to combine various parameter specifications. A special case is the definition of the username. If an application sets the username and one handler instance in the chain does not have a user parameter in its deployment part, then this one handler instance uses the username set bey the application. After the handler copied the username from the username property, the handler sets the property's content to null. Handlers that follow in the chain cannot use this username anymore and must have a user (or encryption user) parameter in their deployment part.

Deployment at the server

Note: Handler chaining at the receiver side is not yet fully tested.

Handlers at the receiver can only determine different security headers if their SOAP actors are different. The WSS4J handler processes each security structure inside one security header. Because the security structures contain most information to verify or decrypt the SOAP request this constraint is not too much of an issue.

Only the password call back class and the Crypto implementation (as defined in the crypto property file) must be able to handle all possible certificates, users, passwords, and keys that a security header may contain. The following deployment descriptor of a receiver shows this.

  <requestFlow>
   <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
    <parameter name="passwordCallbackClass" 
      value="org.apache.ws.axis.oasis.PWCallback"/>
    <parameter name="action" value="Signature Signature"/>
    <parameter name="signaturePropFile" value="crypto.properties" />
   </handler>
  </requestFlow>
The client uses two handlers in a chain, each signing a part of the SOAP request but with different certificates. Because the handlers do not specifiy a SOAP actor WSS4J puts both signatures in the security header of the default actor. To match the security actions the deployment descriptor of the receiver needs to contain the action declaration Signature Signature. This instructs the WSS4J handler to accept and verify two distinct signatures contained in one security header. Because the signatures use different certificates the Crypto implementation must be able to handle these certificates.

Similar requirements are true for the password callback implementation if the sender uses handler chaining and uses different encryption parameters in the same security header.

If it is necessary to have different parameters for the distinct signature or decryption data then these should be put in different security headers. The easiest way to do this is to define different actor parameters for each handler in a WSS4J handler chain.

Reporting Security results to services/applications

The WSS4J WSSecurityEngine processes the security elements inside a security header. If something goes wrong, for example a signature verfication fails, then the engine throws a fault. If the security engine could perform all operations sucessfully it returns a data structure that contains the results of the performed security actions. This data structure holds information about the performed action, the usernames or identifier in case the security engine performed signature or username token processing. Please refer to the result structure.

The WSDoAllReceiver WSS4J handler takes this structure and checks if all required actions were performed. If this check fails, the WSS4J handler aborts the SOAP request and throws an Axis SOAP fault. Otherwise it creates its own data structure WSHandlerResult, copies the security results in this structure, and adds the actor name of the security header. Then it stores this new data structure in a vector and stores this vector in a specific property of the current message context. If WSS4J handlers are chained, then every handler in the chain adds its result to the vector. The vector contains the results in handler-chain order.

This code snippet shows how a Axis service can access the security result data:

    public void ping(javax.xml.rpc.holders.StringHolder text,
        org.apache.ws.axis.oasis.ping.TicketType ticket)
        throws java.rmi.RemoteException {

        text.value = "Echo " + text.value.trim();
		
        // get the message context first
        MessageContext msgContext = MessageContext.getCurrentContext();
        Message reqMsg = msgContext.getRequestMessage();

        Vector results = null;
        // get the result Vector from the property
        if ((results =
            (Vector) msgContext.getProperty(WSHandlerConstants.RECV_RESULTS))
             == null) {
            System.out.println("No security results!!");
        }
        System.out.println("Number of results: " + results.size());
        for (int i = 0; i < results.size(); i++) {
            WSHandlerResult hResult = (WSHandlerResult)results.get(i);
            String actor = hResult.getActor();
            Vector hResults = hResult.getResults();
            for (int j = 0; j < hResults.size(); j++) {
              	WSSecurityEngineResult eResult = (WSSecurityEngineResult) hResults.get(j);
                // Note: an encryption action does not have an associated principal
    	        // only Signature and UsernameToken actions return a principal
                if (eResult.getAction() != WSConstants.ENCR) {
                    System.out.println(eResult.getPrincipal().getName());
                }
            }
        }
    }
The principal structure is either a UsernameToken principal or a X509Principal. The princpals contain the names plus other information of the verified username token or signature certificate.

Some hints

Client

At the client side, the WSS4J Axis handler, as all other parts of Axis, run in the context of the calling application. Depending on the application, the callback classes may perform complex operations, even do some user interaction, to get the password or to access some database to get certificates or keys. There are no timeouts defined at the client side before the SOAP request is put on the wire.

Server

On the server side the WSS4J handler run in the same context as the other part of the server, usually some servlet container, such as Tomcat. Also the server must be able to handle many requests in a short time. Thus the password callback as well as the Crypto implementation shall be as fast as possible. In general, no user interaction is possible at the server side to gather passwords. Also at this point of the SOAP request processing there are active timeouts, even if they are fairly long.

Bi-directional SOAP Security

WSS4J fully supports bi-directional SOAP security. To enable bi-directional support just put WSDoAllSender on the responseFlow at the server and WSDoAllReceiver at the response flow of the client thus reversing the roles. Similar to the above hints, the server side part (now WSDoAllSender) runs in the server context and WSDoAllReceiver runs in the application (client) context. There are no Axis timeout constraints on the client side after Axis received the response and handed it over to the WSS4J handler.

Handler chaining

Usually WSS4J handlers are chained without any other handler between them in the chain. It is, however, possible to do so. In this case the intermediate handler must not modify the SOAP Envelope that is contained in the Axis message. This could (most probably will) invalidate or destroy any security actions done sofar. Such an intermediate handler may set some properties that may influence the processing of the following WSS4J handler, such as setting a new username, password callback class, and so on.

Since:
WSS4J 1.0


Copyright © 2004-2008 The Apache Software Foundation. All Rights Reserved.