Selecting certificates programmatically in WSIT

I am involved in porting the JAX-RPC based WS-I Supply Chain Management sample application to WSIT, which is based on JAX-WS. I used NetBeans 5.5.1rc1 with the WSIT modules along with GlassFish v2, which made this a lot easier than it would have been without IDE support. The WSDLs were imported using NetBeans, which generated the web service classes. Customization files were used to customize the packages of the generated classes. The NetBeans wizard for creating web service references (clients) was then used to create the references needed to call other web services. The business logic was filled in and Java DB was used for database access.

The components involved in this are depicted here.





Configuring security using NetBeans was straightforward for almost all of the services and clients. The KeyStore and TrustStore part of the security configuration for the Warehouse A, B, C and Manufacturer A, B, C services and clients, however, could not be done using the security policy assertions in the WSDL and wsit-client.xml. This is because the 3 instances of the services use the same base WSDL. Kumar Jayanti showed me the way out with the usage of AliasSelector and CertSelector.

An AliasSelector implementation was used to return the correct keystore alias depending on who the caller was. To determine the caller, a BindingProvider property was set on the client stub's RequestContext as shown below.


WarehouseShipmentsPortType warehouseAStub =
                    warehouseAService.getWarehouseAPort();
((BindingProvider) warehouseAStub).getRequestContext().put(
                    WSIConstants.CALLER,
                    WSIConstants.CALLER_RETAILER);



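In the AliasSelector:


import java.util.Map;

public class AliasSelector implements com.sun.xml.wss.AliasSelector {

  // Returns the keystore alias for the caller set on the stub's RequestContext.
  public String select(Map map) {
    if (map == null || map.isEmpty()) {
      return null;
    }
    // Constant-first equals avoids a NullPointerException when CALLER is not set.
    if (WSIConstants.CALLER_RETAILER.equals(map.get(WSIConstants.CALLER))) {
      return "wsi-retailer-sign";
    }
    // No alias for an unrecognized caller.
    return null;
  }
}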



The CertSelector selected the certificate from the TrustStore based on the certificate CommonName and the CALLEE property which was set on the stub.



WarehouseShipmentsPortType warehouseAStub =
                     warehouseAService.getWarehouseAPort();
((BindingProvider) warehouseAStub).getRequestContext().put(
                     BindingProvider.ENDPOINT_ADDRESS_PROPERTY,
                     roles.get(ConfigurationEndpointRole.WAREHOUSE_A));
((BindingProvider) warehouseAStub).getRequestContext().put(
                     WSIConstants.CALLEE,
                     WSIConstants.WAREHOUSEA);




CertSelector implementation extract:


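import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Map;

public class CertSelector implements java.security.cert.CertSelector {

  private Map runtimeProperties;

  public CertSelector(Map properties) {
    this.runtimeProperties = properties;
  }

  public CertSelector clone() {
    return new CertSelector(this.runtimeProperties);
  }

  public boolean match(Certificate cert) {
    // Only X.509 certificates carry the subject DN inspected below.
    if (!(cert instanceof X509Certificate)) {
      return false;
    }
    X509Certificate xcert = (X509Certificate) cert;
    String callee = (String) runtimeProperties.get(WSIConstants.CALLEE);
    // Accept the certificate whose subject CN names the callee set on the stub.
    if (callee != null && callee.toLowerCase().indexOf("warehousea") != -1) {
      if (xcert.getSubjectX500Principal().getName().indexOf("CN=WarehouseA") != -1) {
        return true;
      }
    }
    // The extract ends here on the page; a certificate that matched nothing is rejected.
    return false;
  }
}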
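
The extract above accepts any certificate whose subject string contains CN=WarehouseA, so a subject such as CN=WarehouseAdmin would also pass. As an added example (not code from the sample application), the selector below parses the subject DN and compares the CN value exactly; the class name, the "callee" key and the callee-to-CN map are assumptions standing in for the application's WSIConstants values.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Locale;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added example: exact-CN variant of the CertSelector extract (hypothetical names).
public class ExactCnCertSelector implements java.security.cert.CertSelector {

  static final String CALLEE = "callee"; // assumed stand-in for WSIConstants.CALLEE
  static final Map<String, String> EXPECTED_CN = // assumed callee-to-CN mapping
      Map.of("warehousea", "WarehouseA", "warehouseb", "WarehouseB");

  private final Map<?, ?> runtimeProperties;

  public ExactCnCertSelector(Map<?, ?> properties) { this.runtimeProperties = properties; }

  @Override public ExactCnCertSelector clone() { return new ExactCnCertSelector(runtimeProperties); }

  @Override public boolean match(Certificate cert) {
    Object callee = runtimeProperties == null ? null : runtimeProperties.get(CALLEE);
    if (!(cert instanceof X509Certificate) || !(callee instanceof String)) return false;
    // Unlike the page's substring test, the callee must be a known key.
    String expected = EXPECTED_CN.get(((String) callee).toLowerCase(Locale.ROOT));
    String dn = ((X509Certificate) cert).getSubjectX500Principal().getName();
    return expected != null && cnEquals(dn, expected);
  }

  // True only if the DN has a CN attribute whose value equals expected exactly.
  // For a multi-valued RDN only one of its type/value pairs is examined.
  static boolean cnEquals(String dn, String expected) {
    try {
      for (Rdn rdn : new LdapName(dn).getRdns()) {
        if ("CN".equalsIgnoreCase(rdn.getType()) && expected.equals(rdn.getValue())) return true;
      }
    } catch (InvalidNameException e) {
      // An unparseable subject never matches.
    }
    return false;
  }

  public static void main(String[] args) {
    // Constructed subject DNs, not taken from the sample application's keystores.
    System.out.println(cnEquals("CN=WarehouseA,O=WS-I", "WarehouseA"));
    System.out.println(cnEquals("CN=WarehouseAdmin,O=WS-I", "WarehouseA"));
  }
}
```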

The wsit-client.xml will have the following configuration to point to the instance of AliasSelector and CertSelector.


<wsp:Policy wsu:id="WarehouseSoapBindingPolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sc1:KeyStore wspp:visibility="private" storepass="xxx" type="JKS" location="/glassfish/domains/domain1/config/keystore.jks" aliasselector="com.sun.wsi.scm.util.AliasSelector">
        <sc1:TrustStore wspp:visibility="private" storepass="xxx" type="JKS" location="/glassfish/domains/domain1/config/cacerts.jks" certselector="com.sun.wsi.scm.util.CertSelector">
        </sc1:TrustStore>
      </sc1:KeyStore>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

You can use these Selector interfaces to implement any kind of certificate management solution specific to the deployment.

Refer to the articles, ask-the-experts sessions and blogs to stay informed on this and other topics in web services and security.



Comments:

[Trackback] Security Token Configuration in Metro

Posted by Kumar Jayanti's Blog on June 03, 2009 at 07:57 AM IST #


Hi Harsha, Thanks for your article, and I need a small help from you. I am currently stuck with an issue for more than 4 days and could not find a solution. I am writing a WSIT client for a WCF web service which requires mutual certificate authentication. I received the .pfx file from the service provider, which I imported to the Java truststore. Because I was getting an exception for the serverfake certificate, I added that too to the truststore. NetBeans creates the following entry in the service.svc.xml: with this configuration in hand, when I invoke the web service method, I receive this exception:

SEVERE: WSS1518: Failed to validate certificate java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

I would appreciate it if you can kindly help me in fixing this issue. Thank you very much in advance.

Posted by guest on June 27, 2010 at 02:13 PM IST #
