Securing Web Services in JBoss Application Server with WS-Security
Once the keys are set up, you must modify the configuration files to use the keys to sign the messages. Listing 9 shows an excerpt from the updated jboss-wsse-server.xml file.
Listing 9: WS-Security configuration file, jboss-wsse-server.xml, changes
<jboss-ws-security ...>
  ...
  <config>
    <sign type="x509v3" alias="server" />  <!-- #1 -->
    <encrypt type="x509v3" alias="client" />
    <requires>
      <signature />
      <encryption />
    </requires>
  </config>
</jboss-ws-security>
The server key is used to sign messages sent by the server (#1). The keystore and truststore-related settings are the same as for the earlier encryption example; only the two lines identified were added.
The changes to the jboss-wsse-client.xml file are similar, as shown in listing 10.
Listing 10: WS-Security configuration file, jboss-wsse-client.xml, changes
<jboss-ws-security ...>
  ...
  <config>
    <sign type="x509v3" alias="client" />  <!-- #1 -->
    <encrypt type="x509v3" alias="server" />
    <requires>
      <signature />
      <encryption />
    </requires>
  </config>
</jboss-ws-security>
In this case the client key is used to sign the messages (#1).
Package up the server and deploy it, package up the client, and then run the client. The messages are now signed. You can verify this by looking at the SOAP messages in the server.log file (after turning on message tracing as indicated at the end of section 9.5.3); you'll see a <ds:Signature> entry has been added to the message.
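One way to automate the log check described above, as an added example that is not from the original article: it inspects a SOAP envelope copied out of the trace and reports whether the WS-Security header carries a <ds:Signature>, whether that signature references the Body, and whether the Body is encrypted. The function names, the sample envelopes, the SOAP 1.1 namespace and the wsu:Id-based Body reference are assumptions.

```python
import xml.etree.ElementTree as ET

WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",  # assumes SOAP 1.1
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}


def check_envelope(xml_text):
    """Structural check of a traced SOAP envelope; does not verify the signature value."""
    if "<!DOCTYPE" in xml_text:  # SOAP forbids DTDs; refuse entity tricks
        raise ValueError("SOAP envelope must not contain a DTD")
    root = ET.fromstring(xml_text)
    security = root.find("soap:Header/wsse:Security", NS)
    body = root.find("soap:Body", NS)
    result = {"signed": False, "body_signed": False, "encrypted": False}
    if security is None or body is None:
        return result
    signature = security.find("ds:Signature", NS)
    if signature is not None:
        result["signed"] = True
        # Assumption: the signed Body is referenced by its wsu:Id attribute.
        body_id = body.get("{%s}Id" % WSU_NS)
        uris = {r.get("URI") for r in signature.iterfind("ds:SignedInfo/ds:Reference", NS)}
        result["body_signed"] = body_id is not None and "#" + body_id in uris
    result["encrypted"] = body.find(".//xenc:EncryptedData", NS) is not None
    return result


def _envelope(header, body):
    """Build a constructed sample envelope (not real trace output)."""
    return (f'<env:Envelope xmlns:env="{NS["soap"]}" xmlns:wsse="{NS["wsse"]}" '
            f'xmlns:ds="{NS["ds"]}" xmlns:xenc="{NS["xenc"]}" xmlns:wsu="{WSU_NS}">'
            f'<env:Header>{header}</env:Header>'
            f'<env:Body wsu:Id="element-1">{body}</env:Body></env:Envelope>')


SIGNED = _envelope('<wsse:Security><ds:Signature><ds:SignedInfo>'
                   '<ds:Reference URI="#element-1"/></ds:SignedInfo>'
                   '</ds:Signature></wsse:Security>', '<xenc:EncryptedData/>')
PLAIN = _envelope('', '<echo>hello</echo>')

if __name__ == "__main__":
    print(check_envelope(SIGNED), check_envelope(PLAIN))
```

A result with "signed" true but "body_signed" false means the signature does not reference the Body by its wsu:Id, so review which elements the configuration actually signs.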
So there you have it, a simple web service secured using WS-Security. Even though the web service we used was a POJO, you can use the same steps to secure an EJB-based web service. Use the same configuration files, placing them in the META-INF directory instead of the WEB-INF directory.
About the Authors
Javid Jamae started his career in software in the mid 90s programming in C, C++, and PERL, but quickly moved to Java programming. He is a certified JBoss instructor and teaches courses in Hibernate and the JBoss Application Server. Javid is also an Agile evangelist and spends a large portion of his time transforming, coaching, and training organizations in using Agile methodologies.
Peter Johnson started working in Java in 1998 and was lead designer on projects such as a JDBC driver for the DMSII database that runs on Unisys mainframes. He is the chief architect on a team that analyzes Java applications and evaluates various open source software for enterprise readiness. Peter is a JBoss committer, working on the new admin console.