FUSE ESB: ESB-1377

Please add an example of how to secure an insecure client and server using JAX-WS.


    • Type: Documentation
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 4.3.0-fuse-03-00
    • Fix Version/s: 4.4.0-fuse-00-27
    • Component/s: Documentation
    • Labels:


      Starting with an insecure example, the following steps must be completed:

      WSDL Changes
      The first change I made was to change the soap:address in the WSDL, to HTTPS. I also switched the port just for a distinction.

      Server Spring Changes
      I then changed the spring configuration for the server as follows:

      The currently recommended approach is to use Jetty to inject the security requirements with a JAX-WS endpoint:

        <httpj:engine-factory bus="cxf">
            <httpj:engine port="8084">
                <httpj:tlsServerParameters>
                    <!-- server certificate and private key -->
                    <sec:keyManagers keyPassword="password">
                        <sec:keyStore type="jks" file="./ssl-keys/cherry.jks" password="password"/>
                    </sec:keyManagers>
                    <!-- certificates trusted when validating client certificates -->
                    <sec:trustManagers>
                        <sec:keyStore type="jks" file="./ssl-keys/truststore.jks" password="password"/>
                    </sec:trustManagers>
                    <!-- these filters ensure that a ciphersuite with
                      export-suitable or null encryption is used,
                      but exclude anonymous Diffie-Hellman key exchange as
                      this is vulnerable to man-in-the-middle attacks -->
                    <sec:clientAuthentication want="true" required="true"/>
                </httpj:tlsServerParameters>
            </httpj:engine>
        </httpj:engine-factory>

      We use the httpj:engine element to configure the security requirements for the port on which your web service is configured to listen. There are several ways to manage your keys. Instead of the file attribute, you can specify the location of the keystore using either the "resource" or the "url" attribute. The latter two should be used with caution, as it's easy to end up loading a truststore from an untrustworthy source. For the purposes of this demonstration, I created a new directory in my <servicemix installation> directory called "ssl-keys". This directory with the sample keys is included with the zip and you'll need to copy it over.

      I've also set this example up to require the client to send a certificate:

           <sec:clientAuthentication want="true" required="true"/>

      You can change this as you need. For the endpoint itself, you would do the following:


      The interesting bit in this endpoint configuration is the implementor. The # notation lets us refer to a local bean definition:

      <bean id="customerServiceImpl" class="com.fusesource.customer.ws.CustomerServiceImpl"/>
      which will refer to the actual class of the server.
      These are the basics you need for a server.

      Client Spring Changes
      For a client, it's a little different as it uses an http conduit configuration with jaxws client configuration:

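      <http:conduit name="...">
          <http:tlsClientParameters secureSocketProtocol="TLS" disableCNCheck="true">
              <!-- trust store used to validate the server certificate -->
              <sec:trustManagers>
                  <sec:keyStore type="JKS" password="password" .../>
              </sec:trustManagers>
              <!-- client certificate and private key sent to the server -->
              <sec:keyManagers keyPassword="password">
                  <sec:keyStore type="JKS" password="password" .../>
              </sec:keyManagers>
              <!-- these filters ensure that a ciphersuite with
                export-suitable or null encryption is used,
                but exclude anonymous Diffie-Hellman key exchange as
                this is vulnerable to man-in-the-middle attacks -->
          </http:tlsClientParameters>
      </http:conduit>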

      The conduit is configured against the service's port. The name must be the service namespace + port name from the WSDL + the suffix ".http-conduit". If you have trouble with this step, you can use a wildcard to grab everything for the client being configured in this file:

      <http:conduit name="*.http-conduit">
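
      A stricter variant of the client conduit described above, as an added example that is not part of the original issue or the demo project: it keeps the host name check on the server certificate enabled and admits only AES suites while excluding anonymous, null and export suites. The namespace, port name and keystore file names are placeholders, and the choice of AES as the include pattern is an assumption.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the demo's own file. Placeholders: conduit namespace,
     port name and both keystore file names. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/transports/http/configuration
           http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://cxf.apache.org/configuration/security
           http://cxf.apache.org/schemas/configuration/security.xsd">

  <!-- Name = {service namespace}PortName.http-conduit. Naming the port,
       rather than using "*.http-conduit", scopes these TLS settings to
       this one client. -->
  <http:conduit
      name="{http://example.invalid/customerservice}CustomerServicePort.http-conduit">

    <!-- disableCNCheck="false" is the default: the client rejects a server
         certificate whose name does not match the host in the HTTPS address. -->
    <http:tlsClientParameters secureSocketProtocol="TLS" disableCNCheck="false">

      <!-- Certificates the client trusts when validating the server. -->
      <sec:trustManagers>
        <sec:keyStore type="JKS" password="password"
                      file="./ssl-keys/CLIENT-TRUSTSTORE-PLACEHOLDER.jks"/>
      </sec:trustManagers>

      <!-- The client's own certificate and key, needed because the server
           sets clientAuthentication required="true". -->
      <sec:keyManagers keyPassword="password">
        <sec:keyStore type="JKS" password="password"
                      file="./ssl-keys/CLIENT-KEYSTORE-PLACEHOLDER.jks"/>
      </sec:keyManagers>

      <!-- Patterns are regular expressions over JSSE cipher suite names;
           a suite must match an include and no exclude to be enabled. -->
      <sec:cipherSuitesFilter>
        <sec:include>.*_WITH_AES_.*</sec:include>
        <sec:exclude>.*_DH_anon_.*</sec:exclude>
        <sec:exclude>.*_WITH_NULL_.*</sec:exclude>
        <sec:exclude>.*_EXPORT.*</sec:exclude>
      </sec:cipherSuitesFilter>
    </http:tlsClientParameters>
  </http:conduit>
</beans>
```

      With the host name check enabled, the demo certificates must carry the host name used in the soap:address, otherwise the handshake fails on the client side.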

      The next step is to define the client itself:


      <bean id="customerServiceClient"
            init-method="init" destroy-method="destroy">
          <property name="customerService" ref="customerServiceProxy"/>
      </bean>

      The customerServiceClient bean refers to the main class in our client application with a reference to the proxy, the generated code from "wsdl2java".

      To run the secure demo, please do the following:
      1. In the root demo directory, run "mvn clean install" to build everything.
      2. Either copy the ssl-keys to your servicemix install root directory or update the spring configuration file with the appropriate directory for the keystores. Please feel free to use your own demo keys.
      3. In Karaf, run the following commands to install and start the server:

      osgi:install mvn:com.fusesource/customer-ws-osgi-bundle/1.0.0
      osgi:start <bundle id from previous step>

      In your log you will see the server start:

      17:43:57,899 | INFO | xtenderThread-35 | ReflectionServiceFactoryBean | ory.ReflectionServiceFactoryBean 399 | - - | Creating Service


      CustomerService from class com.fusesource.demo.wsdl.customerservice.CustomerService
      17:43:57,916 | INFO | xtenderThread-35 | ServerImpl | g.apache.cxf.endpoint.ServerImpl 93 | - - | Setting the server's publish address to be
      17:43:57,919 | INFO | xtenderThread-35 | CXFJettySslSocketConnector |

      4. To run the client, execute the following osgi commands:

      osgi:install mvn:com.fusesource/customer-ws-client/1.0.0
      osgi:start <bundle id from previous step>

      In your log you will see Ade's phone number:

      17:45:40,416 | INFO | invoker thread. | ClientInvoker | ce.customer.client.ClientInvoker 29 | 200 - com.fusesource.customer-ws-client - 1.0.0 | Got back Ade Trenaman, ph:+353-1-01234567






              • Assignee:
                fbolton Fintan Bolton
                sjavurek Susan Javurek