FUSE ESB
ESB-1377

Please add an example of how to secure an insecure client and server using JAX-WS.

    Details

    • Type: Documentation
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 4.3.0-fuse-03-00
    • Fix Version/s: 4.4.0-fuse-00-27
    • Component/s: Documentation
    • Labels: None

      Description

      Starting with an insecure example, the following steps must be completed:

      WSDL Changes
      The first change I made was to change the soap:address in the WSDL, to HTTPS. I also switched the port just for a distinction.

      Server Spring Changes
      I then changed the spring configuration for the server as follows:

      The currently recommended approach is to use Jetty to inject the security requirements for a jaxws endpoint:

        <httpj:engine-factory bus="cxf">
            <!-- -->
            <!-- https://0.0.0.0:8084/... -->
            <!-- -->
            <httpj:engine port="8084">
              <httpj:tlsServerParameters>
                <sec:keyManagers keyPassword="password">
                   <sec:keyStore type="jks" file="./ssl-keys/cherry.jks" password="password"/>
                </sec:keyManagers>
                <sec:trustManagers>
                  <sec:keyStore type="jks" file="./ssl-keys/truststore.jks" password="password"/>
                </sec:trustManagers>
                <sec:cipherSuitesFilter>
                  <!-- these filters ensure that a ciphersuite with
                    export-suitable or null encryption is used,
                    but exclude anonymous Diffie-Hellman key change as
                    this is vulnerable to man-in-the-middle attacks -->
                  <sec:include>.*_EXPORT_.*</sec:include>
                  <sec:include>.*_EXPORT1024_.*</sec:include>
                  <sec:include>.*_WITH_DES_.*</sec:include>
                  <sec:include>.*_WITH_NULL_.*</sec:include>
                  <sec:exclude>.*_DH_anon_.*</sec:exclude>
                </sec:cipherSuitesFilter>
      
               <sec:clientAuthentication want="true" required="true"/>
              </httpj:tlsServerParameters>
           </httpj:engine>
        </httpj:engine-factory>
      

      We use the httpj:engine element to configure the TLS requirements for the port on which your web service is configured to listen. There are several ways to manage your keys: instead of the file attribute, you can specify the location of the keystore with either the "resource" or the "url" attribute. Use the latter with caution, as it is easy to end up loading a truststore from an untrustworthy source. For the purposes of this demonstration, I created a new directory in my <servicemix installation> directory called "ssl-keys". This directory with the sample keys is included with the zip and you'll need to copy it over.

      I've also set this example up to require the client to send a certificate:

           <sec:clientAuthentication want="true" required="true"/>
      

      You can change this as you need. Note that the cipherSuitesFilter above admits only export-grade, single-DES and NULL-encryption suites and drops every AES suite; outside a demo, restrict the includes to modern suites (for example ECDHE with AES-GCM) and exclude NULL, anon, EXPORT and DES. For the endpoint itself, you would do the following:

       <jaxws:endpoint
          xmlns:customer="http://demo.fusesource.com/wsdl/CustomerService/"
          id="customerService"
          address="https://0.0.0.0:8084/Customers"
          serviceName="customer:CustomerService"
          endpointName="customer:SOAPOverHTTP"
          implementor="#customerServiceImpl">
      
        </jaxws:endpoint>
      

      The interesting bit in this endpoint configuration is the implementor. The # notation lets us refer to a local bean definition:

      <bean id="customerServiceImpl" class="com.fusesource.customer.ws.CustomerServiceImpl"/>
      
      which refers to the actual implementation class of the service.
      
      These are the basics you need for a server. 
      
      Client Spring Changes
      For a client it is a little different, as it uses an http:conduit configuration alongside the jaxws:client configuration:
      
      

      <http:conduit name="{http://demo.fusesource.com/wsdl/CustomerService/}CustomerServicePort.http-conduit">
        <!-- disableCNCheck="true" turns off verification that the server
             certificate's CN matches the host name; acceptable for a demo only -->
        <http:tlsClientParameters secureSocketProtocol="TLS" disableCNCheck="true">
          <sec:trustManagers>
            <sec:keyStore type="JKS" password="password"
                          file="./ssl-keys/truststore.jks"/>
          </sec:trustManagers>
          <sec:keyManagers keyPassword="password">
            <sec:keyStore type="JKS" password="password"
                          file="./ssl-keys/wibble.jks"/>
          </sec:keyManagers>
          <sec:cipherSuitesFilter>
            <!-- these filters ensure that a ciphersuite with
                 export-suitable or null encryption is used,
                 but exclude anonymous Diffie-Hellman key exchange as
                 this is vulnerable to man-in-the-middle attacks -->
            <sec:include>.*_EXPORT_.*</sec:include>
            <sec:include>.*_EXPORT1024_.*</sec:include>
            <sec:include>.*_WITH_DES_.*</sec:include>
            <sec:include>.*_WITH_NULL_.*</sec:include>
            <sec:exclude>.*_DH_anon_.*</sec:exclude>
          </sec:cipherSuitesFilter>
        </http:tlsClientParameters>
      </http:conduit>

      The conduit is configured against the service's port. The name must be the service namespace in braces, followed by the port name from the WSDL, followed by ".http-conduit", i.e. {namespace}PortName.http-conduit. If the name does not match the WSDL port exactly, the conduit configuration is simply not applied and the client falls back to CXF's default TLS settings (the JVM's default trust store and no client certificate), so check the port name against the WSDL if the handshake fails unexpectedly. Note also that disableCNCheck="true" switches off verification that the server certificate's CN matches the host name; it is convenient for a demo with a self-signed certificate, but it leaves the client accepting any certificate issued by a CA in its truststore regardless of host, so do not carry it into production. If you have trouble with this step, you can use a wild card to grab everything for the client being configured in this file:
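      The cipherSuitesFilter in the server engine above and in this client conduit is the same set of patterns, so one added example serves both. The Python script below is not from the issue, FUSE ESB or Apache CXF; it applies the include/exclude patterns to a constructed list of JSSE cipher-suite names using the matching rule the author attributes to CXF's SSLUtils (a suite is enabled when it fully matches at least one include regex and no exclude regex, which is why the patterns need the surrounding ".*"), reports which suites each filter enables and which of those are weak, and renders a hardened filter back into the <sec:cipherSuitesFilter> element. The suite list and the hardened patterns are the author's constructions, not output from a JVM.

```python
"""Audit a CXF <sec:cipherSuitesFilter> before putting it into httpj:engine or http:conduit.

Added example for ESB-1377; not part of the issue, of FUSE ESB or of Apache CXF.
Filter semantics assumed here (CXF's SSLUtils as the author reads it): a suite is
enabled when it fully matches at least one <sec:include> regex and fully matches no
<sec:exclude> regex.  SUPPORTED_SUITES is a constructed sample of JSSE suite names.
"""
import re
from xml.sax.saxutils import escape

# Constructed sample in the naming style SunJSSE reports; not read from a JVM.
SUPPORTED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_RSA_WITH_NULL_MD5",
    "SSL_RSA_WITH_NULL_SHA",
    "SSL_DH_anon_WITH_DES_CBC_SHA",
    "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
]

# Include/exclude patterns exactly as they appear in the issue's server engine
# and client conduit configuration.
ISSUE_FILTER = {
    "include": [r".*_EXPORT_.*", r".*_EXPORT1024_.*", r".*_WITH_DES_.*", r".*_WITH_NULL_.*"],
    "exclude": [r".*_DH_anon_.*"],
}

# Hardened replacement (author's suggestion, not from the issue): forward-secret
# ECDHE key exchange with AES-GCM only, plus a belt-and-braces exclude.
HARDENED_FILTER = {
    "include": [r"TLS_ECDHE_(RSA|ECDSA)_WITH_AES_(128|256)_GCM_SHA(256|384)"],
    "exclude": [r".*(NULL|anon|EXPORT|_DES_|3DES|RC4|MD5).*"],
}

# Anything fully matching this is reported as weak by the audit.
WEAK_SUITE = re.compile(r".*(NULL|anon|EXPORT|_DES_|3DES|RC4|MD5).*")


def filter_suites(supported, includes, excludes):
    """Apply CXF-style include/exclude regexes (full match) to a list of suite names."""
    inc = [re.compile(p) for p in includes]
    exc = [re.compile(p) for p in excludes]
    return [
        s for s in supported
        if any(p.fullmatch(s) for p in inc) and not any(p.fullmatch(s) for p in exc)
    ]


def audit(filter_spec, supported=SUPPORTED_SUITES):
    """Return (enabled suites, enabled suites that are weak) for a filter spec."""
    enabled = filter_suites(supported, filter_spec["include"], filter_spec["exclude"])
    weak = [s for s in enabled if WEAK_SUITE.fullmatch(s)]
    return enabled, weak


def render_filter_xml(filter_spec, indent="  "):
    """Render a filter spec as the <sec:cipherSuitesFilter> element CXF expects."""
    lines = ["<sec:cipherSuitesFilter>"]
    lines += [f"{indent}<sec:include>{escape(p)}</sec:include>" for p in filter_spec["include"]]
    lines += [f"{indent}<sec:exclude>{escape(p)}</sec:exclude>" for p in filter_spec["exclude"]]
    lines.append("</sec:cipherSuitesFilter>")
    return "\n".join(lines)


if __name__ == "__main__":
    for label, spec in (("filter from the issue", ISSUE_FILTER), ("hardened filter", HARDENED_FILTER)):
        enabled, weak = audit(spec)
        print(f"{label}: {len(enabled)} suite(s) enabled, {len(weak)} weak")
        for s in enabled:
            print("   ", s, "WEAK" if s in weak else "ok")
    print("\nDrop-in replacement for both the server engine and the client conduit:")
    print(render_filter_xml(HARDENED_FILTER))
```

      Against the sample list, the issue's patterns enable exactly five suites, all export-grade, single-DES or NULL-encryption, and drop every AES suite; the hardened filter enables only the three ECDHE AES-GCM suites. On a current JDK most of the suites the issue's filter asks for are no longer offered at all, so that filter may leave nothing enabled and the handshake fails outright.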
      
      

      <http:conduit name="*.http-conduit">

      
      The next step is to define the client itself:
      
      

      <jaxws:client
          id="customerServiceProxy"
          serviceClass="com.fusesource.demo.wsdl.customerservice.CustomerService"
          address="https://localhost:8084/Customers"/>

      <bean id="customerServiceClient"
            class="com.fusesource.customer.client.ClientInvoker"
            init-method="init" destroy-method="destroy">
        <property name="customerService" ref="customerServiceProxy"/>
      </bean>

      The customerServiceClient bean refers to the main class in our client application, which holds a reference to the proxy, i.e. the code generated from the WSDL by "wsdl2java".
      
      
      To run the secure demo, please do the following:

      1.  In the root demo directory, run "mvn clean install" to build everything.
      2.  Either copy the ssl-keys directory to your servicemix install root directory or update the spring configuration file with the appropriate directory for the keystores. Please feel free to use your own demo keys.
      3.  In Karaf, run the following commands to install and start the server:

      osgi:install mvn:com.fusesource/customer-ws-osgi-bundle/1.0.0
      osgi:start <bundle id from previous step>

      In your log you will see the server start:
      
      

      17:43:57,899 | INFO | xtenderThread-35 | ReflectionServiceFactoryBean | ory.ReflectionServiceFactoryBean 399 | - - | Creating Service {http://demo.fusesource.com/wsdl/CustomerService/}CustomerService from class com.fusesource.demo.wsdl.customerservice.CustomerService
      17:43:57,916 | INFO | xtenderThread-35 | ServerImpl | g.apache.cxf.endpoint.ServerImpl 93 | - - | Setting the server's publish address to be https://0.0.0.0:8084/Customers
      17:43:57,919 | INFO | xtenderThread-35 | CXFJettySslSocketConnector |

      4.  To run the client, execute the following osgi commands:
      
      

      osgi:install mvn:com.fusesource/customer-ws-client/1.0.0
      osgi:start <bundle id from previous step>

      In your log you will see Ade's phone number:
      
      

      ..
      17:45:40,416 | INFO | invoker thread. | ClientInvoker | ce.customer.client.ClientInvoker 29 | 200 - com.fusesource.customer-ws-client - 1.0.0 | Got back Ade Trenaman, ph:+353-1-01234567
      ..

      
      

        Activity

        Fintan Bolton added a comment -

        This issue is now documented in a new chapter of the ESB Security Guide, "Securing the Camel CXF Component". This will be released with ESB 4.4.

          People

          • Assignee: Fintan Bolton
          • Reporter: Susan Javurek
          • Votes: 0
          • Watchers: 0
