Reputation: 4752
Basic authentication instead of UsernameToken for proxied server in WSO2 ESB
I created a proxied service in WSO2 ESB and setup a UsernameToken authentication. However looks like it is not that easy to configure UsernameToken with JAX-WS bundled within the JDK (as described here), the JDK has to be patched and so on. Is there a way to use a Basic HTTP Authentication with the credentials of the ESB just like the UsernameToken?
Upvotes: 2
Views: 1789
Answers (1)
Reputation: 81
According to the article "Securing Web Service Integration" by Amila Suriarachchi "WSO2 carbon supports UT even with HTTP basic authentication by converting the POX message", but I am not sure whether this is relevant to your interests.
However configuring UsernameToken authorization with a JAX-WS client is not as hard as it seems. All you have to do is create a class that implements javax.xml.ws.handler.soap.SOAPHandler and add the security header in the outbound messages by overriding the handleMessage(SOAPMessageContext messageContext) method.
My java version is 1.6.0_26 (with none of the above mentioned patches applied) and the web service client stub classes are generated by JAX-WS RI 2.1.7 according to the wsdl of a web service, secured by the UsernameToken scenario and exposed by a WSO2 Carbon Server (namely Data Services Server-2.6.3)
I use Apache WSS4J for creating the security header - in this case by simply instantiating a org.apache.ws.security.message.WSSecUsernameToken object and setting the username and password via the setUserInfo(String user, String password) method. Also a timestamp element should be added to the security header of the outgoing SOAP message. A sample implementation could look like this:
public boolean handleMessage(SOAPMessageContext messageContext) {
Boolean isOutboundMessage = (Boolean) messageContext.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
if (isOutboundMessage) {
SOAPPart messageSoapPart = messageContext.getMessage().getSOAPPart();
WSSecHeader securityHeader = new WSSecHeader();
securityHeader.insertSecurityHeader(messageSoapPart);
WSSecUsernameToken usernameToken = new WSSecUsernameToken();
usernameToken.setPasswordType(WSConstants.PASSWORD_TEXT);
usernameToken.setUserInfo("root", "top_secret");
WSSecTimestamp timestamp = new WSSecTimestamp();
usernameToken.build(messageSoapPart, securityHeader);
timestamp.build(messageSoapPart, securityHeader);
}
return true;
}
Another important thing to mention is that SOAP header elements may come with a mustUnderstand global SOAP attribute. Referring to the article Working with Headers in JAX-WS SOAPHandlers by Jim White this attribute is used to indicate whether or not the web service receiver or intermediary is required to understand the header element before processing the message.
In case the mustUnderstand element is set to true (soapenv:mustUnderstand="1") the getHeaders() method should be coded to tell the runtime environment that the SOAP handler is going to take care of the mustUnderstand header elements by returning a set of QName (qualified name) objects that match the mustUnderstand header elements. Below is the getHeaders() method that handles the Security header.
public Set<QName> getHeaders() {
final String NAMESPACE_URI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
final String LOCAL_PART = "Security";
final String PREFIX = "wsse";
final QName wssecurity = new QName(NAMESPACE_URI, LOCAL_PART, PREFIX);
final Set<QName> headers = new HashSet<QName>();
headers.add(wssecurity);
return headers;
}
Lastly, before getting the service port and invoking any of its methods you should register an instance of the above mentioned class (let's say - UsernameTokenSecuritySoapHandler) to the handler chain of your web service client. This can be done by using the following code:
Service service = new Service();
service.setHandlerResolver(new HandlerResolver() {
public List<Handler> getHandlerChain(PortInfo portInfo) {
List<Handler> handlers = new ArrayList<Handler>();
handlers.add(new UsernameTokenSecuritySoapHandler());
return handlers;
}
});
In addition - you could find here an excellent article by Young Yang about the JAX-WS API's handler framework.
Hope this helps.
Upvotes: 2
Related Questions
- WSO2 SECURITY USERNAMETOKEN ESB AND DSS
- How to Configure HTTP Basic Auth for WSO2 EI proxy service
- WSO2 EI and WSO2 Developer - Setup an ESB Proxy with http basic authentication
- WSO2 ESB Proxy to WSO2 IS RemoteUserStoreManagerService
- wso2 header authentication bearer
- How to Create Proxy Service from WSDL That Requires HTTP Authentication to Access?
- Passing Username and Password to a REST API in WSO2 ESB
- Use HTTP Digest Authentication with WSO2 ESB
- Error in applying Username Token scenario to Proxy WSO2 ESB
- WSO2 ESB proxy backend with mutual authentication