AdroitLogic Private Ltd.


Using the UltraESB as a WS-Security gateway

This article describes how the UltraESB can be used as a high performance WS-Security gateway in an enterprise deployment. The example demonstrates how the UltraESB verifies the timestamp and the signature of an encrypted SOAP message, decrypts it, and forwards the valid request to a backend service after removing the security headers. The response is signed and encrypted, and then returned to the client.

The UltraESB includes a new WS-Security library that is designed to support high performance WS-Security processing. Currently this library does not support all possible combinations or options as per the specs, but tackles the problem from a practical angle, to cater to the most common use cases when WS-Security is handled at a gateway. In future, this library will be extended to include a larger subset of the common use cases.

The configuration defines an instance of the WSSecurityManager bean, which can be initialized with an identity keystore and a trust keystore, or with a single keystore where all credentials are saved. In the example, we use a standard keystore intended for WS-Security testing, and thus use the second alternative for initialization:

    <bean id="wssecMgr" class="org.adroitlogic.soapbox.WSSecurityManager">
        <constructor-arg value="samples/conf/keys/ws-sec-keystore.jks"/>
        <constructor-arg value="password"/>
        <constructor-arg>
            <map>
                <entry key="alice" value="password"/>
                <entry key="bob" value="password"/>
            </map>
        </constructor-arg>
    </bean>

It expects a Map of passwords keyed by the alias of each credential, and these passwords can be encrypted in the configuration file using the UltraESB security support; see the article 'Securing the UltraESB configuration' for more details.

The proxy service invokes the WS Security Manager to verify and secure messages as shown below. The UsernameToken authentication may be verified, and the verified username and user roles accessed during mediation, as shown in the example below.

    <u:proxy id="ws-sec-proxy">
        <u:transport id="http-8280">
            <u:property name="wsdlURL" value="file:samples/resources/SimpleStockQuoteService.wsdl"/>
        </u:transport>
        <u:target>
            <u:inSequence>
                <u:java import="org.adroitlogic.soapbox.*;"><![CDATA[
                    try {
                        WSSecurityManager wssecMgr = Mediation.getWSSecurityManager();
                        wssecMgr.verifyUsernameTokenAuthentication(msg);
                        wssecMgr.verifyTimestampedEncryptedAndSignedMessage(msg, true);
                        System.out.println("Validated User : " + msg.getMessageProperty(MessageSecurityContext.USER_NAME));
                        System.out.println("Validated Roles : " + msg.getMessageProperty(MessageSecurityContext.USER_ROLES));
                    } catch (Exception e) {
                        Mediation.setPayloadToSOAP11Fault(msg, null, "Security validation failed", null);
                        Mediation.sendResponse(msg, 500);
                    }
                ]]></u:java>
            </u:inSequence>
            <u:inDestination>
                <u:address>http://localhost:9000/service/SimpleStockQuoteService</u:address>
            </u:inDestination>
            <u:outSequence>
                <u:java import="org.adroitlogic.soapbox.*;"><![CDATA[
                    Mediation.getWSSecurityManager().timestampSignAndEncryptMessage(msg, "bob", "alice");
                ]]></u:java>
            </u:outSequence>
            <u:outDestination>
                <u:address type="response"/>
            </u:outDestination>
        </u:target>
    </u:proxy>
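To make the inbound steps of the inSequence above concrete, here is an added example, written for this article and not part of the UltraESB or its WS-Security library, of what a gateway does with a request before it is forwarded: it validates the wsu:Timestamp against a clock-skew window (rejecting missing, expired and future-dated timestamps) and then strips the wsse:Security header so the backend never sees it. Signature verification and decryption, which the gateway also performs, need an XML security library and are left to it; the sample SOAP request and its dates are constructed for the example.

```python
# Added example (not UltraESB code): gateway-side timestamp validation and
# security-header removal for a SOAP 1.1 request, using only the standard library.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed sample request; the timestamps are arbitrary test values.
SAMPLE_REQUEST = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                   S:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="Timestamp-1">
        <wsu:Created>2010-01-19T06:41:25.183Z</wsu:Created>
        <wsu:Expires>2010-01-19T06:46:25.183Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </S:Header>
  <S:Body>
    <m:getQuote xmlns:m="http://services.samples"><m:symbol>IBM</m:symbol></m:getQuote>
  </S:Body>
</S:Envelope>"""


class SecurityFault(Exception):
    """The message must be answered with a SOAP fault instead of being forwarded."""


def parse_utc(text):
    """Parse an xsd:dateTime in UTC ('Z'), with or without fractional seconds."""
    text = text.strip()
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in text else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def verify_timestamp(envelope, now, skew=timedelta(seconds=60)):
    """Return (created, expires) if the wsu:Timestamp is acceptable at `now`.

    `skew` is the clock drift tolerated between client and gateway. Anything
    unacceptable raises SecurityFault with the reason.
    """
    ts = envelope.find("S:Header/wsse:Security/wsu:Timestamp", NS)
    if ts is None:
        raise SecurityFault("missing wsu:Timestamp")
    created_el = ts.find("wsu:Created", NS)
    expires_el = ts.find("wsu:Expires", NS)
    if created_el is None or expires_el is None:
        raise SecurityFault("wsu:Timestamp needs both Created and Expires")
    created = parse_utc(created_el.text)
    expires = parse_utc(expires_el.text)
    if expires <= created:
        raise SecurityFault("Expires is not later than Created")
    if created > now + skew:
        raise SecurityFault("Created lies in the future")
    if expires < now - skew:
        raise SecurityFault("message has expired")
    return created, expires


def strip_security_header(envelope):
    """Remove the wsse:Security header once the message has been accepted."""
    header = envelope.find("S:Header", NS)
    sec = None if header is None else header.find("wsse:Security", NS)
    if sec is None:
        raise SecurityFault("missing wsse:Security header")
    header.remove(sec)


def gateway_inbound(xml_text, now_text):
    """Run the gateway checks on one request.

    Returns (forwarded_xml, None) when the request may be forwarded, or
    (None, fault_reason) when a security fault should be returned instead.
    """
    try:
        envelope = ET.fromstring(xml_text)
        verify_timestamp(envelope, parse_utc(now_text))
        strip_security_header(envelope)
    except (SecurityFault, ET.ParseError, ValueError) as e:
        return None, str(e)
    return ET.tostring(envelope, encoding="unicode"), None


if __name__ == "__main__":
    for when in ("2010-01-19T06:43:00Z", "2010-01-19T07:30:00Z"):
        forwarded, fault = gateway_inbound(SAMPLE_REQUEST, when)
        print(when, "->", "forwarded" if forwarded else "fault: " + fault)
```

The skew window is the detail worth getting right at a gateway: too tight and legitimate clients with slightly drifting clocks are rejected, too loose and a captured message stays replayable for longer. The reason string is kept server-side; the client only sees the generic "Security validation failed" fault, as in the proxy configuration above.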

To try out the sample, start the sample configuration 204 of the UltraESB through the ToolBox, or from the command line as follows:

asankha@asankha:~/java/ultraesb-1.0-beta-1/bin$ ./ultraesb.sh -sample 204

Start the sample Jetty server and the HTTP/S client from the ToolBox, load the WS-Secured sample request from the file samples/resources/ws-secured-request.xml, and send it to the URL http://localhost:8280/service/ws-sec-proxy. You will get the WS-Secured response back as shown below.

    <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
        <S:Header>
            <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" S:mustUnderstand="1">
                <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="id-1263880885183-575747277">
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
                    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"...

This example does not show how you could decrypt the above, although it would be possible with a custom client. Using the TCPDump utility of the ToolBox, one can verify that the request forwarded to the SimpleStockQuote service has the WS-Security header removed after successful validation. Sending a message that has been altered results in a security violation fault being returned.

By saving a valid WS-Secured message to a file and making its timestamp valid for 10 years, the request file can then be used with the load generator of the ToolBox to benchmark the WS-Security performance of the UltraESB.

See the sample 204 configuration for more examples. It also shows how WS-Security may be added to messages sent to outgoing partners, how UsernameToken authentication could be included, and more.