
A Strategy for Securing Web Services by Mark Secrist
WSJ Vol 03 Issue 3 - pg.9

	


Listing 1: ClientRequestSigningHandler

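/**
 * Axis client-side handler that signs the outgoing SOAP request.
 *
 * <p>The request envelope is handed to {@code signTheEnvelope} (its body is
 * not part of this listing) and the signed envelope replaces the message on
 * the context. Signing does not encrypt anything: the payload stays readable
 * on the wire, so confidentiality still depends on the transport.
 */
public class ClientRequestSigningHandler extends BasicHandler {
   static {
      // Initialize the xml-security library once, before any signature is built.
      org.apache.xml.security.Init.init();
   }

   /**
    * Replaces the current request message with a signed copy of its envelope.
    *
    * @param msgContext the Axis context carrying the request to sign
    * @throws AxisFault if the envelope cannot be read or signed; the
    *         underlying exception is wrapped by {@code AxisFault.makeFault}
    */
   public void invoke(MessageContext msgContext) throws AxisFault {
      try {
         // The original also called msgContext.getService() and discarded the
         // result; that call is dropped here.
         Message requestMessage = msgContext.getRequestMessage();
         SOAPEnvelope unsignedEnvelope = requestMessage.getSOAPEnvelope();
         SOAPEnvelope signedEnvelope =
            signTheEnvelope(msgContext, unsignedEnvelope);

         // Only the signed message continues down the handler chain.
         msgContext.setCurrentMessage(new Message(signedEnvelope));
      } catch (Exception e) {
         // The fault already wraps the cause, so the stack trace is no longer
         // also dumped to stderr.
         throw AxisFault.makeFault(e);
      }
   }
}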

Listing 2: SupplierServiceClient

// Client-side fragment: build an Axis Call for the AcmeSupplier service, attach
// the request-signing handler, and invoke the service.
// The endpoint is plain http://, so the signature added by the handler is the
// only protection shown here; the message body itself travels unencrypted.
String endpointURL = "http://localhost:8080/axis/services/AcmeSupplier";   
// Set up the call to the service
Service service = new Service();
Call call = (Call) service.createCall();
call.setTargetEndpointAddress(new URL(endpointURL));
SOAPBodyElement[] reqSOAPBodyElements = new SOAPBodyElement[1];
// Fill out the SOAP body here

// Create and set the client request handler
ClientRequestSigningHandler clientReqHandler =
                      new ClientRequestSigningHandler();
// Only the keystore file name is passed as an option. How the handler obtains
// the keystore password and key alias is not shown in this listing.
clientReqHandler.setOption("keystore","acmekeystore.jks");
// First argument is the request handler; null means no response-side handler
// is installed, so this client does not verify anything on the reply.
call.setClientHandlers(clientReqHandler,null);
// Invoke the service
// The result is cast to a raw Vector; element types are not shown here.
Vector resSOAPBodyElements =
                  (Vector) call.invoke(reqSOAPBodyElements);

Listing 3: ServerRequestSigningHandler

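/**
 * Axis server-side handler that checks the XML signature on an incoming
 * request and rejects the request with an {@code AxisFault} when the check
 * fails.
 *
 * <p>What this check establishes is limited. The signature is validated with
 * the public key carried in the message's own {@code KeyInfo}, so a passing
 * result shows that the signed content matches that key. It does not show
 * that the key belongs to a known partner.
 * NOTE(review): before relying on this for authentication, compare the key or
 * certificate with locally configured trust material. None is configured in
 * this listing.
 */
public class ServerRequestSigningHandler extends BasicHandler {
   static {
      // Initialize the xml-security library once, before any signature is parsed.
      org.apache.xml.security.Init.init();
   }

   /**
    * Verifies the first {@code ds:Signature} element found in the request
    * envelope.
    *
    * @param msgContext the Axis context carrying the request to verify
    * @throws AxisFault if the request carries no signature, the signature has
    *         no usable key, the signature value does not validate, or any
    *         step of parsing fails
    */
   public void invoke(MessageContext msgContext) throws AxisFault {
      try {
         Message inMsg = msgContext.getRequestMessage();

         // verify signed message
         Document doc = inMsg.getSOAPEnvelope().getAsDocument();
         CachedXPathAPI xpathAPI = new CachedXPathAPI();
         // Throwaway element that only supplies the ds: prefix binding for XPath.
         Element nsctx = doc.createElement("nsctx");
         nsctx.setAttribute("xmlns:ds", Constants.SignatureSpecNS);

         // "//ds:Signature" matches a Signature element anywhere in the
         // envelope. Nothing below checks where it sits or which parts of the
         // message its references cover.
         // NOTE(review): confirm the signed references include the SOAP Body
         // before the service acts on that Body.
         Element signatureElem =
           (Element) xpathAPI.selectSingleNode(doc,"//ds:Signature", nsctx);

         // Fail closed with an explicit message when the request is unsigned,
         // rather than relying on a downstream exception from a null element.
         if (signatureElem == null) {
            System.out.println("The request carries no signature");
            throw AxisFault.makeFault(
                new Exception("Validation Failed: no ds:Signature element"));
         }

         XMLSignature sig =
             new XMLSignature(signatureElem,"http://acmesupplier.com");

         if (sig.getKeyInfo() == null) {
            System.out.println("The signature carries no KeyInfo");
            throw AxisFault.makeFault(
                new Exception("Validation Failed: no KeyInfo in signature"));
         }

         // Sender-supplied key: see the class comment for what that implies.
         java.security.PublicKey signerKey = sig.getKeyInfo().getPublicKey();
         if (signerKey == null) {
            System.out.println("No public key could be read from KeyInfo");
            throw AxisFault.makeFault(
                new Exception("Validation Failed: no public key in KeyInfo"));
         }

         boolean valid = sig.checkSignatureValue(signerKey);

         if (! valid) {
            System.out.println("The signature is invalid");
            throw AxisFault.makeFault(new Exception("Validation Failed"));
         }
         System.out.println("Signature validation succeeded");
      } catch (Exception e) {
         // Every failure, including the faults raised above, leaves as an
         // AxisFault so the request does not reach the service.
         System.out.println("Exception caught: " + e);
         throw AxisFault.makeFault(e);
      }
   }
}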

Listing 4: Axis server deployment file

<deployment
    xmlns="http://xml.apache.org/axis/wsdd/"
    xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">

  <!-- Define the Signature Handler for the request -->
  <!-- The "filename" parameter below is not read by the
       ServerRequestSigningHandler code in Listing 3, and no key or trust
       material is configured for the handler in this descriptor. -->
  <handler name="requestHandler" type="ServerRequestSigningHandler">
    <parameter name="filename" value="MyService.log"/>
  </handler>

  <!-- Services from SupplierService WSDL service -->
  <service name="AcmeSupplier" provider="java:RPC" style="document">
      <!-- NOTE(review): the operNS prefix is not declared on any element in
           this listing; the qname needs a matching xmlns:operNS declaration. -->
      <operation name="getQuote" qname="operNS:QuoteRequest" />
      <!-- Only getQuote is exposed; keep this list explicit instead of using
           a wildcard. -->
      <parameter name="allowedMethods" value="getQuote"/>

      <!-- Signature verification runs on the request flow only. No
           responseFlow is declared, so nothing here signs the response. -->
      <requestFlow>
         <handler type="requestHandler"/>
      </requestFlow>
   </service>
</deployment>