XWS-Security Home

XWS-Security Samples

Revised: 10/1/2004

Contents

• Read This Section First
• What's New in This Release
• What This Release Includes
• Standards and Errata to Which XWS-Security Conforms in this Release
• Upon Which Technologies is XWS-Security Based?
• Current Limitations
• Known Issues

Before you work with this release, make sure that you have installed the required software and are on a supported operating system. You can find this information in the Java^TM Web Services Developer Pack (Java WSDP) home page and Release Notes.

The following features are new to the FCS 1.0 release of XWS-Security:

• The XWS-Security configuration file schema has been enhanced. Refer to the Java Web Services Tutorial for further description of the schema.
• Security operations can now be configured either at the level of a WSDL service, port, or operation. At this time, support is available for one WSDL service per configuration file. In future releases, XWS-Security may be upgraded to understand multiple WSDL services per configuration file. For information on specifying XWS-Security for a WSDL operation, see the Java Web Services Tutorial or refer to the simple sample application.
• XWS-Security now makes use of a callback handler implementation supplied by the application developer to integrate with the security environment (security environment refers to the environment under which the application is running and has to do with obtaining keys, certificates, etc. for performing the security operations). A set of standard callback classes have been defined which any callback handler implementation needs to handle. Refer to the API documentation for callback handlers in the install_dir/xws-security/docs/api/ directory for more information on the callback classes. Refer to the simple sample application for an example using the callback handler.

This release includes the following XML and Web Services Security (XWS-Security) features:

• Support for securing JAX-RPC applications
• A sample security framework within which a JAX-RPC application developer will be able to secure applications by signing/verifying parts of SOAP messages and/or encrypting/decrypting parts of a SOAP message. The message sender can make claims about the security properties by associating security tokens with the message. An example of a security claim is the identity of the sender, identified using username and password.
• Web Services Security (WSS) interop scenarios. Developers will be able to send and receive messages compliant with the WSS Soap Message Security specification. Developers can use the framework to implement applications which have security requirements similar to those defined in the WSS interop scenarios. More information on the scenarios can be found at Draft Spec for Interop1 (draft 5) and Final Spec for Interop2 (draft 6).
• Command-line tools specific to XWS-Security, including pkcs12import and keyexport.
• Sample programs

The XWS-Security release contents are arranged in the following structure within the Java WSDP release:

• OASIS Standard 1.0
• Web Services Security: SOAP Message Security V1.0
• Web Services Security: Username Token Profile V1.0
• Web Services Security: X.509 Token Profile V1.0
• Schema files V1.0 [1] and [2]
  

• Errata to the OASIS Standard 1.0
• Errata for Web Services Security: SOAP Message Security V1.0
• Errata for Web Services Security: Username Token Profile V1.0
• Errata for Web Services Security: X.509 Token Profile V1.0

XWS-Security APIs are used for securing Web services based on JAX-RPC. This release of XWS-Security is based on non-standard XML Digital Signature and XML Encryption APIs, which are subject to change with new revisions of the technology. As standards are defined in the Web Services Security space, these nonstandard APIs will be replaced with standards-based APIs.

JSR-105 (XML Digital Signature APIs) are included in this release of the Java WSDP as well. JSR-105 is a standard API (in progress, almost at Proposed Final Draft) for generating and validating XML Signatures as specified by the W3C recommendation. It is an API that should be used by Java applications and middleware that need to create and/or process XML Signatures. It can be used by Web Services Security (which is the goal for a future release) and by non-Web Services technologies, for example, documents stored or transferred in XML. Both JSR-105 and JSR-106 (XML Digital Encryption APIs) are core-XML security components.

XWS-Security does not use the JSR-105 or JSR-106 APIs because, currently, the Java standards for XML Digital Signatures and XML Encryption are undergoing definition under the Java Community Process. These Java standards are JSR-105-XML Digital Signature APIs, which you can read at http://www.jcp.org/en/jsr/detail?id=105 and JSR-106-XML Digital Encryption APIs, which you can read at http://www.jcp.org/en/jsr/detail?id=106.

XWS-Security uses the Apache libraries for DSig and XML-Enc. In future releases, the goal of XWS-Security is to move toward using JSR-105 and JSR-106 APIs. The following table shows how the various technologies are stacked upon one another:

The Apache XML Security project is aimed at providing implementation of security standards for XML. Currently the focus is on the W3C standards. More information on Apache XML Security can be viewed at: http://xml.apache.org/security/.

Java security includes the Java Cryptography Extension (JCE) and the Java Cryptography Architecture (JCA). JCE and JCA form the foundation for public key technologies in the Java platform. The JCA API specification can be viewed at http://java.sun.com/j2se/1.4.2/docs/guide/security/CryptoSpec.html. The JCE documentation can be viewed at http://java.sun.com/products/jce/index-14.html.

Current Limitations

• Since the Java Standards for key Web Services Security technologies are still being defined under the Java Community Process, the current APIs in this release are nonstandard and are subject to change in future releases.
• Examples written using an earlier release of XWS-Security APIs will not run on this release of the JWSDP.
• XWS-Security cannot be used for securing message attachments.

In this release, the XWS-Security implementation has the following known issues:

• JAX-RPC dynamic proxies are not yet supported, only static stubs work.
• In the simple sample, the client/server security configuration files containing <xwss:SymmetricKey> elements will not work when running under Java 2 SDK version 1.4.2_04 due to a bug related to JCEKS keystores in J2SDK 1.4.2_04. This issue is resolved in J2SDK 1.4.2_05 and J2SDK 5.0.
• README files for the samples do not specify setting provider permissions that are needed when 3rd Party JCE Providers are used with the SJS Application Server and SJS Web Server.

  When running XWS-Security samples under SJSAS and SJSWS, and if a third party JCE provider is needed (because you are running under a version of the Java SDK prior to 5.0), add the appropriate permissions for the provider in the server.policy file of SJSAS/SJSWS. The README.txt file under each of the XWS-Security samples specifies a list of permissions required for running those samples under SJSAS and SJSWS. This permission is in addition to the list of permissions specified in the README, and is applicable only when a third party JCE provider is being used.

  Add the following permission:

       permission java.security.SecurityPermission  "putProviderProperty.<Provider>";
       

  Where <Provider> is the standard name of the JCE provider. For example, if the provider has a standard name of ABC, the permission would look like this:

     permission java.security.SecurityPermission  "putProviderProperty.ABC";
     

  For more information, refer to the Java Web Services Tutorial chapter Securing JAXRPC Applications with XML and Web Services Security, downloadable from http://java.sun.com/webservices/downloads/webservicestutorial.html for more details on configuring the JCE provider.

• Errors during schema validation of security-configuration file result in a Warning message instead of an exception being thrown.

  The security-configuration file is validated against the schema at compile time (before deployment), but if there is an error in the security-configuration file, an exception is not being thrown. Instead a Warning Message is issued.

• When the dumpMessages flag is enabled on the SecurityConfiguration element, the incoming request message is dumped twice when using method level security with encrypted body content.

  When method-level security is configured for a particular WSDL method and the security configuration specifies encryption of the body content, the incoming request is dumped twice when dumpMessages is set to true.

  • The first dump of the message will contain the unmodified incoming message.
  • The second dump of the message will be that of the incoming message with decrypted body.

  For more information, refer to the Java Web Services Tutorial chapter Securing JAXRPC Applications with XML and Web Services Security, downloadable from http://java.sun.com/webservices/downloads/webservicestutorial.html for more details on configuring method level security for a JAX-RPC web service.

• Due to a bug in the current release, there is no way to disable security for a particular Port if there is a <SecurityConfiguration> specified for the enclosing Service. Even if an empty <SecurityConfiguration/> is specified for a Port, the <SecurityConfiguration> specified for the Service will be applied, thereby violating the precedence rules.
• In this release of XWS-Security, users will have to ensure that the SecurityEnvironmentHandler implementation they supply are thread safe.
• Due to a bug in the encryption logic, multithreaded applications may encounter encryption/decryption-related failures.
• When a corresponding security operation was not performed by the sender for a target specified in a <RequireEncryption>/<RequireSignature> element, and no <OptionalTargets> element is configured in the security configuration, a NullPointerException may be thrown.