General remarks and caveats

First of all, some hints and caveats if you plan to use WSS4J together with a SOAP implementation:

Before you use WSS together with SOAP, become familiar with the SOAP implementation you use.

Web Service Security usually cannot be used just out of the box. People starting with it should have a good understanding of Web Services: how to use them and how they work. After all, it is not the right stuff for Web Service newbies.

Most people use Axis together with WSS4J because WSS4J provides Axis handlers to simplify the setup and deployment of Web Service security. In this case it is necessary to understand the basic concepts of Axis.

The concept of handlers:

Deployment and deployment files:

Static versus dynamic calls:

If you are familiar with these concepts, you can go on to use and deploy additional software that relies on them. You don't need to understand every detail of the concepts, but solid know-how is always a good starting point.

Overall Structure of WSS4J for Signature and Encryption

The following text describes the WS-Security part of WSS4J, not the Secure Conversation and reliable messaging parts.

The two parts of WSS4J WS-Security

In general WSS4J (WS Security) falls into two parts

The message flow of a request

Thus the message flow is as follows (client part):

   |-> Axis kernel
           |-> WSS4J handler (Axis/JAX-RPC)
                    |<-> WSS4J sign/encrypt methods
           |<------ |         

Between the Axis kernel and the WSS4J Axis handler there may be some other handlers.

However, the security handler is

Signed parts of the SOAP request message _must_ not be altered during the following request processing. In addition, it is somewhat difficult to modify the message after it has been encrypted.

Steps to enhance your webservice with Security

To develop a product that uses WS Security, I would perform several steps:

  1. Step 0: get a good understanding of your SOAP implementation (see remarks above).
  2. Then develop and set up the Webservice (client and server) without any security. Test them to have a stable basis; in particular, test the error cases.
  3. Define an installation procedure, e.g. using Ant or scripts, to reliably install the product. This includes copying all libraries, classes, jars, etc. to their right places.
  4. Then re-check the classpath used by your client and server. Many problems just pop up because of a wrong classpath and other wrong path settings.

Once this works flawlessly, you can introduce security on top. WSS4J was designed so that you can add security to an existing Webservice environment without changing existing source code.

For Axis this means that you need to modify the deployment files on the server and create and/or modify the client's deployment files.

Before you set up your required security, you need to think about which type of security your webservice needs:

If your security requirements are such that you need to sign and/or encrypt your SOAP requests, then you should ask the following questions:

After this step you can create the required security environment

After all this is done, do some regression testing without enabling security in the deployment files:

Now you can enable security. To do so, insert the required statements in the deployment files (both client and server side). Do one step at a time, e.g. first perform Signature only, then, if you need it, switch on Encryption.

Please refer to the Javadoc for a more detailed description of the deployment parameters that control the WSS4J Axis security handlers. The Axis directory of WSS4J, where the Axis-specific handlers are located, also contains an introduction.
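As an added illustration of the staged approach (not part of the original wiki text or of the WSS4J distribution), the following Axis WSDD fragments configure the client-side WSDoAllSender and the server-side WSDoAllReceiver for Signature only, the first step before Encryption is switched on. The keystore alias, callback class, service class and property file names are assumptions; the handler classes and parameter names are those of the WSS4J Axis handlers.

```xml
<!-- Client side, e.g. client_deploy.wsdd (file name assumed): sign the request
     before it leaves Axis. -->
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <globalConfiguration>
    <requestFlow>
      <!-- Any handler that modifies the SOAP Body belongs BEFORE this one:
           once the Body is signed it must not change, and once it is
           encrypted later handlers cannot sensibly touch it. -->
      <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
        <!-- Step one: Signature only. Step two would change this to
             "Signature Encrypt" and add encryptionUser / encryptionPropFile. -->
        <parameter name="action" value="Signature"/>
        <!-- Alias of the client's private key in the keystore (assumed) -->
        <parameter name="user" value="client_key"/>
        <!-- CallbackHandler that supplies the private-key password (assumed class) -->
        <parameter name="passwordCallbackClass" value="com.example.PWCallback"/>
        <!-- Merlin crypto properties: keystore file, type, password (assumed file) -->
        <parameter name="signaturePropFile" value="client_crypto.properties"/>
        <!-- Send the signing certificate as a BinarySecurityToken so the
             server can verify it against its truststore -->
        <parameter name="signatureKeyIdentifier" value="DirectReference"/>
      </handler>
    </requestFlow>
  </globalConfiguration>
</deployment>

<!-- Server side, deploy.wsdd: verify the signature before the service runs. -->
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <service name="SecureService" provider="java:RPC">
    <requestFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
        <!-- Must list the same actions the client performs. A request that
             carries no signature, or whose signed parts were altered in
             transit, is rejected with a SOAP fault before the service runs. -->
        <parameter name="action" value="Signature"/>
        <!-- Truststore holding the client certificates (assumed file) -->
        <parameter name="signaturePropFile" value="server_crypto.properties"/>
      </handler>
    </requestFlow>
    <parameter name="className" value="com.example.SecureServiceImpl"/>
    <parameter name="allowedMethods" value="*"/>
  </service>
</deployment>
```

Keep the action lists on both sides in step; when Encryption is added to the sender, the receiver also needs "Signature Encrypt" and a passwordCallbackClass for its decryption key.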

Once the security set-up works, it comes to the most boring part: testing. You need to think about test cases for your webservice, including test cases that generate errors, use wrong certificates, etc., to make sure the security environment is stable.

Well, the rest is as usual for a normal product: make it simple to install and operate, and have success in selling it :-).

FrontPage/WsFx/wssec (last edited 2009-09-20 22:47:43 by localhost)