Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.5 M2
    • Component/s: Security
    • Labels:
      None

      Description

      The current implementation of WS-Security is based on SUN's XWSS, which requires SUN's JDK 1.5. This means that it cannot be used on WebSphere, for instance.

      There is an alternative WS-Security implementation called WSS4J (http://ws.apache.org/wss4j/). We can use this library to build an alternative WS-Security implementation, which does not require SUN's Java 5.

          Activity

          tareq Tareq Abedrabbo added a comment -

          Hi Arjen,

          I'm trying to prepare a complete patch to alleviate the task of integrating the code. As I changed the signature of secureMessage & validateMessage to take message context as a parameter, there is a slight impact on the code of XwsSecurityInterceptor and its unit tests.
          I hope to find enough time to complete the work tonight. In all cases I'll post an update and a list of what should be considered to complete the integration.
          I've already done a slight change: I've moved the utility method that I had added to AxiomUtil to a separate class so that there is no dependency between the core module and xml security.
          Expect an update from me tonight or tomorrow early in the morning.

          tareq Tareq Abedrabbo added a comment -

          Update:

          • Moved Axiom transformation methods to a new class (Wss4jUtils) to avoid dependency between the core module and xml-security.

          The archive contains a patch of the modified spring-ws classes (security module):

          • made AbstractWsSecurityInterceptor.WS_SECURITY_NAME protected
          • changed the signature of validateMessage & secureMessage to take MessageContext as a parameter.
          • moved AbstractCallbackHandler to org.springframework.ws.soap.security
          • modified xwss classes and unit tests in accordance.

          Remarks:

          • I tested the various Wss4j functionalities with Bouncy Castle.
          • Each unit test consists of a base test case containing all the code, a Saaj subclass and an Axiom subclass.

          That's what I can think of for the moment. If you need more details or help, please let me know.

          arjen.poutsma Arjen Poutsma added a comment -

          Ok, I've started incorporating this in the code base. Thanks again, Tareq!

          arjen.poutsma Arjen Poutsma added a comment -

          Fixed. Many thanks to Tareq Abed Rabbo, for doing the hard work!

          Note that the WSS4J still needs full reference documentation (SWS-282), coming in 1.5 RC1.
          In the meantime, the airline spring-ws client uses WSS4J for UsernameToken authentication, so you can look there.

          arjen.poutsma Arjen Poutsma added a comment -

          Closing 1.5 M2 issues.


            People

            • Assignee:
              arjen.poutsma Arjen Poutsma
              Reporter:
              arjen.poutsma Arjen Poutsma
            • Votes:
              16
              Watchers:
              7

              Dates

              • Created:
                Updated:
                Resolved: