Introduction: Learn how to add the Rampart security module to Apache Axis2 and start using WS-Security features in a Web service.
Security is an important requirement for many enterprise services, and rolling your own security is risky: a minor oversight can open a serious vulnerability. That is why standardized security handling attracts so much interest; many experts contribute to the standards, which guards against any one person's omissions. SOAP-based Web services can use the widely supported WS-Security and related standards to meet their security needs, and the security of each service can be configured as appropriate.
Apache Axis2 supports these security standards through the Rampart module (see Resources). In this article, you will see how to install, configure, and use Rampart for Axis2 to implement a basic security feature: sending a username and password in a service request. Later articles in this series show how to use Rampart for more complex security configurations.
WS-Security
WS-Security is a standard for adding security to SOAP Web service message exchanges (see Resources). It attaches security information to a message in a SOAP header element, carrying various kinds of claims (name, identity, key, group, privilege, capability, and so on) in the form of tokens, together with encryption and digital-signature information. WS-Security supports multiple token types, multiple trust domains, multiple signature formats, and multiple encryption technologies, so in most cases the header must also identify the specific format and algorithm used for each item. All of this extra information can make the header quite complex, as the heavily edited sample message in Listing 1, which carries both a signature and encrypted content, shows:
Listing 1. Sample message containing a signature and encryption
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" ...>
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="Timestamp-D2E3C4AA-DA82-4138-973D-66B596D66B2F">
        <wsu:Created>2006-07-11T21:59:32Z</wsu:Created>
        <wsu:Expires>2006-07-12T06:19:32Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:BinarySecurityToken ValueType="...-x509-token-profile-1.0#X509v3"
          EncodingType="...-wss-soap-message-security-1.0#Base64Binary"
          xmlns:wsu="...oasis-200401-wss-wssecurity-utility-1.0.xsd"
          wsu:Id="SecurityToken-faa295...">MIIEC56MQswCQY...</wsse:BinarySecurityToken>
      <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <wsse:KeyIdentifier ValueType=
                "...#X509SubjectKeyIdentifier">LlYsHyhNnOVA9Aj7...</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>g+A2WJhsoGBKUydZ9Za...</xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#EncryptedContent-ba0556c3-d443-4f34-bcd1-14cbc32cd689"/>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <ds:CanonicalizationMethod
              Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
              xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <Reference URI="#Id-c80f735c-62e9-4001-8094-702a4605e429">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>lKjc5nyLQDZAIu/hZb4B6mLquow=</DigestValue>
          </Reference>
          ...
        </SignedInfo>
        <SignatureValue>TiLmWvlz3mswinLVQn58BgYS0368...</SignatureValue>
        <KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#SecurityToken-faa295..."
                ValueType="...-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Id-8DB9FF44-7BEF-4737-8091-CDAC51A34DB8">
    <xenc:EncryptedData Id="EncryptedContent-ba05..."
        Type="http://www.w3.org/2001/04/xmlenc#Content"
        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <xenc:CipherData>
        <xenc:CipherValue>mirmi0KuFEEI56eu2U3cICz...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>
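A header like Listing 1 is only as good as the checks the receiver applies to it. Verifying the digests and the RSA signature is the library's job, but three things are left to policy and are worth checking explicitly: that the Timestamp is fresh and not valid for hours (Listing 1's is valid for more than eight hours), that the signature actually covers the Body and the Timestamp and that every signed wsu:Id resolves to exactly one element (the classic XML signature-wrapping attack moves the signed Body into a header wrapper and substitutes an unsigned one), and that only acceptable algorithms are used (the rsa-1_5 key transport and SHA-1 digests and signatures in Listing 1 are legacy choices today). The following is an added example, not code from the article, Axis2 or Rampart; `check_security_header`, `ALLOWED_ALGORITHMS`, the 5-minute lifetime and the constructed `SAMPLE`, `WRAPPED` and `LEGACY` messages are this example's own assumptions, and the signature and digest values in the samples are placeholders, so only the structure is checked.

```python
"""Policy checks on a WS-Security header (added example, not Rampart code).

Digest and signature verification is assumed to happen elsewhere; these
checks cover what a verifying library alone does not enforce: timestamp
freshness, which elements the signature covers, unique wsu:Id values
(a signature-wrapping guard) and an algorithm allowlist.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
MAX_LIFETIME = timedelta(minutes=5)  # example policy, not a WS-Security rule
# Example policy: exclusive C14N, RSA-SHA256, SHA-256 digests, RSA-OAEP key
# transport and AES-GCM.  The rsa-1_5 / rsa-sha1 / sha1 identifiers from
# Listing 1 are deliberately absent.
ALLOWED_ALGORITHMS = {
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
    "http://www.w3.org/2009/xmlenc11#aes128-gcm",
}


def _parse_utc(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_security_header(envelope_xml, now, max_lifetime=MAX_LIFETIME):
    """Return a list of policy violations; an empty list means the header passed."""
    problems = []
    root = ET.fromstring(envelope_xml)
    body = root.find("soap:Body", NS)
    security = root.find("soap:Header/wsse:Security", NS)
    if body is None or security is None:
        return ["missing soap:Body or wsse:Security"]
    # 1. Timestamp must bracket 'now' and must not be valid for too long
    ts = security.find("wsu:Timestamp", NS)
    if ts is None:
        problems.append("no wsu:Timestamp")
    else:
        created = _parse_utc(ts.findtext("wsu:Created", namespaces=NS))
        expires = _parse_utc(ts.findtext("wsu:Expires", namespaces=NS))
        if not created <= now <= expires:
            problems.append("timestamp outside validity window")
        if expires - created > max_lifetime:
            problems.append("timestamp lifetime exceeds policy")
    # 2. Collect the IDs the signature covers (same-document references only)
    sig = security.find("ds:Signature", NS)
    if sig is None:
        return problems + ["no ds:Signature"]
    signed_ids = set()
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            signed_ids.add(uri[1:])
        else:
            problems.append("non-local reference: %r" % uri)
    # 3. Each signed ID must resolve to exactly one element; a duplicated ID
    #    is the classic signature-wrapping setup
    for sid in signed_ids:
        hits = [el for el in root.iter() if el.get(WSU_ID) == sid]
        if len(hits) != 1:
            problems.append("ID %s matches %d elements" % (sid, len(hits)))
    # 4. The real Body and the Timestamp must themselves be signed parts
    if body.get(WSU_ID) not in signed_ids:
        problems.append("soap:Body is not signed")
    if ts is not None and ts.get(WSU_ID) not in signed_ids:
        problems.append("wsu:Timestamp is not signed")
    # 5. Every Algorithm attribute in the header must be on the allowlist
    for el in security.iter():
        alg = el.get("Algorithm")
        if alg is not None and alg not in ALLOWED_ALGORITHMS:
            problems.append("algorithm not allowed: " + alg)
    return problems


# Constructed sample in the shape of Listing 1 (placeholder digest/signature values)
SIGNED_BODY = '<soap:Body wsu:Id="Body-1"><p:ping xmlns:p="urn:example"/></soap:Body>'
SAMPLE = ("""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><soap:Header><wsse:Security soap:mustUnderstand="1">
 <wsu:Timestamp wsu:Id="Timestamp-1"><wsu:Created>2006-07-11T21:59:32Z</wsu:Created>
  <wsu:Expires>2006-07-11T22:04:32Z</wsu:Expires></wsu:Timestamp>
 <ds:Signature><ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference URI="#Timestamp-1"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
   <ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
  <ds:Reference URI="#Body-1"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
   <ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
 </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
 </wsse:Security></soap:Header>""" + SIGNED_BODY + "</soap:Envelope>")
# Signature-wrapping shape: the signed Body is moved under a header wrapper
# (its digest still verifies) and an unsigned Body carries the real payload
WRAPPED = (SAMPLE.replace(SIGNED_BODY, '<soap:Body><p:transfer xmlns:p="urn:example"/></soap:Body>')
           .replace("</wsse:Security>", "<wsse:Wrapper>" + SIGNED_BODY + "</wsse:Wrapper></wsse:Security>"))
# Same message signed with the SHA-1 based algorithm that Listing 1 uses
LEGACY = SAMPLE.replace("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                        "http://www.w3.org/2000/09/xmldsig#rsa-sha1")
NOW = datetime(2006, 7, 11, 22, 0, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=1)

if __name__ == "__main__":
    for name, doc, at in (("good", SAMPLE, NOW), ("wrapped", WRAPPED, NOW),
                          ("legacy", LEGACY, NOW), ("stale", SAMPLE, LATER)):
        print(name, check_security_header(doc, at) or "OK")
```

Run stand-alone it reports the clean message as OK, the wrapped message as having an unsigned Body, the legacy message as using a disallowed algorithm, and the clean message evaluated an hour later as outside its validity window. In a real Axis2 deployment the equivalent of these checks is expressed through Rampart's policy configuration rather than hand-written code, but knowing what the policy has to say is the point.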