Nicolas Dorier - 14 days ago
Java Question

How to call a web security with message security and client certificate authentication?

I need to call a web service with a Java client.
This service authenticates clients through certificates at the message level (WS-Security, not SSL).

It should be possible, since I can generate web services with JAX-WS with mutual certificate security in this dialog.

But I can't manage to create a client. Does anyone have an idea?

Answer

I have not tried it myself, but from http://download.oracle.com/docs/cd/E17802_01/webservices/webservices/docs/2.0/tutorial/doc/ :

Configuring Message Security Using XWSS

The Application Server contains all of the JAR files necessary to use XWS-Security for securing JAX-WS applications, however, in order to view the sample applications, you must download and install the standalone Java WSDP bundle. You can download the Java WSDP from http://java.sun.com/webservices/downloads/webservicespack.html.

To add message security to an existing JAX-WS application using XWSS, follow these steps on the client side:

  • Create a client security configuration. The client security configuration file specifies the order and type of message security operations that will be used for the client application. For example, a simple security configuration to perform a digital signature operation looks like this:

    <xwss:JAXRPCSecurity xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
        <xwss:Service>
            <xwss:SecurityConfiguration>
                <!-- Sign the message with the key stored under the given alias -->
                <xwss:Sign id="s" includeTimestamp="true">
                    <xwss:X509Token
                        encodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                        valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
                        certificateAlias="xws-security-client"
                        keyReferenceType="Identifier"/>
                </xwss:Sign>
            </xwss:SecurityConfiguration>
        </xwss:Service>
        <xwss:SecurityEnvironmentHandler>
            simple.client.SecurityEnvironmentHandler
        </xwss:SecurityEnvironmentHandler>
    </xwss:JAXRPCSecurity>
    

    For more information on writing and understanding security configurations and setting up SecurityEnvironmentHandlers, please see the Java Web Services Developer Pack 1.6 Tutorial at http://java.sun.com/webservices/docs/1.6/tutorial/doc/index.html.

  • In your client code, create an XWSSecurityConfiguration object initialized with the security configuration generated. Here is an example of the code that you would use in your client file. For an example of a complete file that uses this code, look at the example client in the \jaxws2.0\simple-doclit\src\simple\client\ directory.

    // load the client security configuration file
    FileInputStream f = new FileInputStream("./etc/client_security_config.xml");
    XWSSecurityConfiguration config = SecurityConfigurationFactory.newXWSSecurityConfiguration(f);
    
  • Set security configuration information on the RequestContext by using the XWSSecurityConfiguration.MESSAGE_SECURITY_CONFIGURATION property. For an example of a complete file that uses this code, look at the example client in the \jaxws2.0\simple-doclit\src\simple\client\ directory.

    // put the security config info
    ((BindingProvider)stub).getRequestContext().put(
        XWSSecurityConfiguration.MESSAGE_SECURITY_CONFIGURATION,
        config); 
    
  • Invoke the method on the stub as you would if you were writing the client without regard to adding XWS-Security. The example for the application from the \jaxws2.0\simple-doclit\src\simple\client\ directory is as shown below:

    Holder<String> hold = new Holder<String>("Hello !");
    stub.ping(ticket, hold);
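
The configuration above names `simple.client.SecurityEnvironmentHandler` but the answer does not show it. The following is an added sketch of such a handler, not the tutorial's sample class: it supplies the signing key for the `certificateAlias` from a JKS keystore and rejects every other callback. The keystore path and the `client.keystore.password` system property are assumptions; the callback types are those of XWS-Security's `com.sun.xml.wss.impl.callback` package.

```java
package simple.client; // matches the class named in the configuration
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import com.sun.xml.wss.impl.callback.SignatureKeyCallback;
import com.sun.xml.wss.impl.callback.SignatureKeyCallback.AliasPrivKeyCertRequest;

public class SecurityEnvironmentHandler implements CallbackHandler {
    // Assumed names: keystore path and the system property holding its password.
    private static final String KEYSTORE_PATH = "./etc/client-keystore.jks";
    private final KeyStore keyStore;
    private final char[] password;

    public SecurityEnvironmentHandler() throws IOException, GeneralSecurityException {
        String pw = System.getProperty("client.keystore.password");
        if (pw == null) throw new IOException("client.keystore.password is not set");
        password = pw.toCharArray();
        keyStore = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(KEYSTORE_PATH)) {
            keyStore.load(in, password);
        }
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            // Serve only alias-based signing-key requests (what certificateAlias produces).
            Object r = cb instanceof SignatureKeyCallback ? ((SignatureKeyCallback) cb).getRequest() : null;
            if (!(r instanceof AliasPrivKeyCertRequest))
                throw new UnsupportedCallbackException(cb, "only alias signing keys are served");
            AliasPrivKeyCertRequest req = (AliasPrivKeyCertRequest) r;
            try {
                X509Certificate cert = (X509Certificate) keyStore.getCertificate(req.getAlias());
                PrivateKey key = (PrivateKey) keyStore.getKey(req.getAlias(), password);
                if (cert == null || key == null) throw new IOException("no key pair for " + req.getAlias());
                cert.checkValidity(); // refuse to sign with an expired or not-yet-valid certificate
                req.setX509Certificate(cert);
                req.setPrivateKey(key);
            } catch (GeneralSecurityException e) {
                throw new IOException("cannot load signing key", e);
            }
        }
    }
}
```

If the service also signs or encrypts its responses, the handler will receive further callback types and must handle them explicitly instead of throwing.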