Jakub Gańko

Reputation: 1

How to secure an Axis2 WebService on WSO2 ESB 5.0.0?

I'm new to WSO2 ESB 5.0.0, but I have been working with WSO2 ESB 4.7.0 for the last few years. Does anyone know how to secure an Axis2 WebService on WSO2 ESB 5.0.0?

In the documentation (https://docs.wso2.com/display/ESB500/WSO2+Enterprise+Service+Bus+Documentation) I found only a description of securing proxy services, and it works for proxies.

The problem is that in the web console of WSO2 ESB 5.0.0 there is no possibility to secure a service. When I deploy a CAR archive with an Axis2 web service, or an AAR archive, on WSO2 ESB 5.0.0, the Axis2 service is deployed unsecured.

In version 4.7.0 I can secure an Axis2 WebService from the web console; in 5.0.0 I can't do this.

For proxy services in 5.0.0, securing it is very simple:

  - create a policy in the registry
  - add two lines to the proxy definition, like:

<enableSec/>
<policy key="gov:ws-policy/myPolicy.xml"/>

How do I do this for an Axis2 web service? Adding lines like this to the services.xml description of the Axis2 service doesn't work. Any suggestions?

Thanks, Jakub

Upvotes: 0

Views: 400

Answers (1)

Viraj

Reputation: 81

As you noticed, applying security for services via the management console is not supported in ESB 5.0.0. But you can enable security on the Axis2 services by following the steps below.

  1. Go to the services.xml file that resides at /META-INF and add the policy configuration manually. Please add the configuration inside the <service> tag. (You can generate the policy configuration using WSO2 Developer Studio. Follow the steps in doc [1] and go to the source view to get the policy configuration.)
  2. Then add the Rampart configuration tag after the policy configuration. Please add the Rampart configuration inside the <service> tag: <module ref="rampart"/>

I'm attaching a sample services.xml for your reference.

<?xml version="1.0" encoding="UTF-8"?>
<!--
  ~ Copyright 2005-2011 WSO2, Inc. (http://wso2.com)
  ~
  ~ Licensed under the Apache License, Version 2.0 (the "License");
  ~ you may not use this file except in compliance with the License.
  ~ You may obtain a copy of the License at
  ~
  ~ http://www.apache.org/licenses/LICENSE-2.0
  ~
  ~ Unless required by applicable law or agreed to in writing, software
  ~ distributed under the License is distributed on an "AS IS" BASIS,
  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  ~ See the License for the specific language governing permissions and
  ~ limitations under the License.
  -->
<service name="echo">
   <schema elementFormDefaultQualified="false" />
   <description>This service echos the input provided to it.</description>
   <transports>
      <transport>https</transport>
      <transport>http</transport>
   </transports>
   <parameter name="ServiceClass" locked="true">org.wso2.carbon.core.services.echo.Echo</parameter>
   <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UTOverTransport">
      <wsp:ExactlyOne>
         <wsp:All>
            <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
               <wsp:Policy>
                  <sp:TransportToken>
                     <wsp:Policy>
                        <sp:HttpsToken RequireClientCertificate="false" />
                     </wsp:Policy>
                  </sp:TransportToken>
                  <sp:AlgorithmSuite>
                     <wsp:Policy>
                        <sp:Basic256 />
                     </wsp:Policy>
                  </sp:AlgorithmSuite>
                  <sp:Layout>
                     <wsp:Policy>
                        <sp:Lax />
                     </wsp:Policy>
                  </sp:Layout>
                  <sp:IncludeTimestamp />
               </wsp:Policy>
            </sp:TransportBinding>
            <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
               <wsp:Policy>
                  <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
               </wsp:Policy>
            </sp:SignedSupportingTokens>
         </wsp:All>
      </wsp:ExactlyOne>
      <rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
         <rampart:user>wso2carbon</rampart:user>
         <rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
         <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
         <rampart:timestampTTL>300</rampart:timestampTTL>
         <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
         <rampart:timestampStrict>false</rampart:timestampStrict>
         <rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
         <rampart:nonceLifeTime>300</rampart:nonceLifeTime>
      </rampart:RampartConfig>
      <sec:CarbonSecConfig xmlns:sec="http://www.wso2.org/products/carbon/security">
         <sec:Authorization>
            <sec:property name="org.wso2.carbon.security.allowedroles">admin</sec:property>
         </sec:Authorization>
      </sec:CarbonSecConfig>
   </wsp:Policy>
   <module ref="rampart"/>
</service>

[1] https://docs.wso2.com/display/DVS380/Applying+Security+for+a+Service#ApplyingSecurityforaService-Creatingthesecuritypolicy

Upvotes: 1
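
Because the console no longer shows whether a deployed Axis2 service is secured, the two steps in the answer can be checked on the services.xml itself before the AAR or CAR is built. The script below is an added example, not code from the answer or from WSO2: the function name `audit_services_xml` and the sample document are constructed for illustration, and the third check (plain http listed next to a policy that expects an HTTPS transport token) is an extra observation about the configuration rather than a step from the answer.

```python
import xml.etree.ElementTree as ET

WSP = "{http://schemas.xmlsoap.org/ws/2004/09/policy}"
SP = "{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}"

def audit_services_xml(xml_text):
    """Return (service name, finding) tuples for an Axis2 services.xml."""
    root = ET.fromstring(xml_text)
    # The root is either one <service> or a <serviceGroup> holding several.
    services = [root] if root.tag == "service" else root.findall("service")
    findings = []
    for svc in services:
        name = svc.get("name", "?")
        policy = svc.find(WSP + "Policy")  # must be a direct child of <service>
        if policy is None:
            findings.append((name, "no wsp:Policy inside <service>"))
            continue
        modules = {m.get("ref") for m in svc.findall("module")}
        if "rampart" not in modules:
            findings.append((name, "policy present but rampart not engaged"))
        transports = {(t.text or "").strip() for t in svc.iter("transport")}
        https_token = any(tb.find(f".//{SP}HttpsToken") is not None
                          for tb in policy.iter(SP + "TransportBinding"))
        if https_token and "http" in transports:
            findings.append((name, "policy expects HTTPS token but http transport is listed"))
    return findings

# Constructed sample: trimmed versions of the kinds of service discussed above.
SAMPLE = """<serviceGroup>
  <service name="unsecured">
    <transports><transport>https</transport></transports>
  </service>
  <service name="noModule">
    <transports><transport>https</transport></transports>
    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"/>
  </service>
  <service name="echo">
    <transports><transport>https</transport><transport>http</transport></transports>
    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
                xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <sp:TransportBinding><wsp:Policy><sp:TransportToken><wsp:Policy>
        <sp:HttpsToken RequireClientCertificate="false"/>
      </wsp:Policy></sp:TransportToken></wsp:Policy></sp:TransportBinding>
    </wsp:Policy>
    <module ref="rampart"/>
  </service>
</serviceGroup>"""

if __name__ == "__main__":
    for service, finding in audit_services_xml(SAMPLE):
        print(f"{service}: {finding}")
```
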
