Can't enable WS-SecurityPolicy with CXF in Web Service - web-services

It's my first project with CXF and Web Services, using Tomcat as a servlet container, and my first question on StackOverflow too, so be patient with me... ;-)
I'm using :
Tomcat 9 (standalone and integrated with Eclipse).
CXF (3.2.0)
JDK 1.8
Windows 7
**The problem:** WS-SecurityPolicy not enabled / not working on the server side.
WS-SecurityPolicy is implemented in the wsdl file of the web service and the policy seems to be working fine, because on the client side the SOAP output message body is signed.
The problem I'm stuck on is on the server side: none of the policies are applied in the response.
The first issue I had was with the SOAP header "must understand=1", the server does not recognize the security headers and throws an exception.
My suspicion was that the web service is not applying the policy, so to avoid the header exception I put in a handler that does nothing with it.
Now the server responds with the SOAP message but in clear form (unsigned, without the BinarySecurityToken and other stuff), so my suspicion was true: the policy is not working.
I think the problem is a misconfiguration of CXF files...
The cxf bean configuration of the web service is loaded during Tomcat's startup.
INFO: Creating Service {http://ole/wsTransaccion}WsTransaccionService from WSDL: wsdl/wsTransaccion.wsdl
....
....
INFO: Loading XML bean definitions from ServletContext resource [/WEB-INF/cxf-wsTransaccion.xml]
The cxf-wsTransaccion.xml file contains:
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd http://cxf.apache.org/bindings/soap http://cxf.apache.org/schemas/configuration/soap.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">
<bean id="myPasswordCallback"
class="implementacion.ServerKeystorePasswordCallback" />
<jaxws:endpoint xmlns:tns="http://ole/wsTransaccion" id="wsTransaccion"
implementor="implementacion.WsTransaccionImpl"
wsdlLocation="wsdl/wsTransaccion.wsdl" endpointName="tns:WsTransaccionPort"
serviceName="tns:WsTransaccionService" address="/WsTransaccionPort">
<jaxws:features>
<bean class="org.apache.cxf.feature.LoggingFeature" />
</jaxws:features>
<jaxws:properties>
<entry key="security.callback-handler">
<ref bean="myPasswordCallback"/>
</entry>
<entry key="security.encryption.properties" value="keystore.properties"/>
<entry key="security.signature.properties" value="keystore.properties"/>
<entry key="ws-security.encryption.username" value="useReqSigCert"/>
</jaxws:properties>
</jaxws:endpoint>
I think the problem could be in the location of the file keystore.properties, although no exception is thrown (like a java.io.FileNotFoundException) if it does not exist.
All the examples I saw were Maven projects, but this is NOT A MAVEN project, so I don't have the folder "resources" where properties files and keystore are placed.
I don't know the right place for keystore.properties. I think it must be in the classpath, so I put it in a package named resources together with the keystore.
The content of keystore.properties:
>org.apache.wss4j.crypto.provider=org.apache.ws.security.components.crypto.Merlin
>org.apache.wss4j.crypto.merlin.keystore.file=server.p12
>org.apache.wss4j.crypto.merlin.keystore.type=PKCS12
>org.apache.wss4j.crypto.merlin.keystore.alias=server
>org.apache.wss4j.crypto.merlin.keystore.password=xxxxxx
Another possibility is that org.apache.wss4j.crypto.merlin.keystore.file=server.p12 is not in the right place either, although it is in the same place as keystore.properties.
Any suggestion would be very appreciated.
Thanks very much!!!.

The problem was here:
Tomcat console:
"WARNING: Resource classpath:./resources/policyBinding.xml was not found in the classloaders."
Although policyBinding.xml is in the classpath, it is not properly loaded due to the following annotation in the interface of the web service:
@Policy(uri = "./resources policyBinding.xml",placement=Policy.Placement.DEFAULT)
Thanks to Alfredo (WS-Security Policy node not being generated in Apache CXF with Spring and custom context file) I figured out the right syntax:
@Policy(uri = "classpath:policyBinding.xml",placement=Policy.Placement.DEFAULT)

Related

How to override wsdl soap-address within the ear under wildfly?

We have an ear application, that contains some WS endpoints. I have to deploy to the target server but I have to override the WSDL soap-address tag. The solution we use our local testbed is following this instruction: https://stackoverflow.com/a/23491951 That works perfectly. (server is wildfly 8.2)
However we cannot use this solution anymore on production server ("just because").
I found, that there is a jboss-webservices.xml, that should override the wsdl's <soap-address> tag without changing the standalone.xml / domain.xml's webservices subsystem settings.
But it is not working for me. My jboss-webservices.xml:
<?xml version="1.1" encoding="UTF-8"?>
<webservices version="1.2"
xmlns="http://www.jboss.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss_webservices_1_0.xsd">
<property>
<name>wsdl.soapAddress.rewrite.modify-wsdl-address</name>
<value>true</value>
</property>
<property>
<name>wsdl.soapAddress.rewrite.wsdl-host</name>
<value>somedomain.com</value>
</property>
</webservices>
These instructions are followed:
https://docs.jboss.org/author/display/JBWS/Published+WSDL+customization
https://docs.jboss.org/author/display/JBWS/Advanced+User+Guide
I placed jboss-webservices.xml in both places referred to by the documentation:
META-INF/jboss-webservices.xml for EJB webservice deployments
WEB-INF/jboss-webservices.xml for POJO webservice deployments and EJB webservice endpoints bundled in war archives
None of them works.
The related log snippet:
11:50:43,502 INFO [org.jboss.ws.cxf.metadata] (MSC service thread 1-2) JBWS024061: Adding service endpoint metadata: id=ABCServicePortType
address=http://localhost:8180/abc-web/ABCServicePortType
implementor=example.service.v1.impl.ABCServicePortTypeImpl
serviceName={http://example.com/ns/mod/ws/ABCService/v1}ABCService
portName={http://example.com/ns/mod/ws/ABCService/v1}ABCServicePortTypeImplPort
annotationWsdlLocation=null
wsdlLocationOverride=null
mtomEnabled=false
My questions: Am I missing something? Is there any other way to override soap-address?
Thanks in advance.

The properties that you provided in jboss-webservices.xml work, but only with a higher version of WildFly than you are using on your server (since WildFly 9). See the webservices section of the release notes for WildFly 9:
http://wildfly.org/news/2015/07/02/WildFly9-Final-Released/
It looks like before the WildFly 9 release standalone.xml is the only place to customize WSDL generation.

Duplicating a same SOAP webservice in Camel

A SOAP webservice is exposed by a system. I have got a wsdl file of the webservice. I'm able to send a request and get a response from soap ui. I want to duplicate this wsdl SOAP webservice in my camel routes deployed in servicemix, thereby making my ESB expose a similar webservice as the system's webservice. This way many systems access this webservice to contact the system.
How do I duplicate a webservice using the wsdl file of the system??

To duplicate a webservice exposed by a system, you can use an http proxy route, based on jetty:
<route id="ServiceProxy">
<from uri="jetty:http://0.0.0.0:8186/service/?disableStreamCache=true&amp;matchOnUriPrefix=true&amp;continuationTimeout=900000&amp;httpClient.timeout=120000"/>
<to uri="jetty:http://{{app-server.host}}:{{app-server.http.port}}/service/?bridgeEndpoint=true&amp;throwExceptionOnFailure=false&amp;continuationTimeout=120000&amp;httpClient.timeout=900000"/>
</route>
You can write the same route on JavaDSL.

Found solution - Concept is cxf-proxying
Having a wsdl of the system, create a similar wsdl with the Endpoints defined according to the localhost and port number.
Save the wsdl in your local project,
provide the path to wsdl in pom, for converting wsdl to java by mentioning in the cxf-codegen-plugin.
create cxf consumer bean with details of local wsdl file
<cxf:cxfEndpoint id="consumerProxy" address="http://remote:port/service/"
serviceClass="com.remote.service.RemoteService" endpointName="c:RemoteService"
serviceName="c:RemoteService" xmlns:c="http://remote/namespace/">
<cxf:properties>
<entry key="dataFormat" value="MESSAGE" />
</cxf:properties>
</cxf:cxfEndpoint>
create cxf producer bean with details of remote wsdl file
<cxf:cxfEndpoint id="producerRemote" address="http://localhost:9001/service/"
serviceClass="com.remote.service.RemoteService" endpointName="c:RemoteService"
serviceName="c:RemoteService" xmlns:c="http://remote/namespace/">
<cxf:properties>
<entry key="dataFormat" value="MESSAGE" />
</cxf:properties>
</cxf:cxfEndpoint>
The proxy routes can be like below
from(cxfEndpoint("consumerProxy"))
.to(cxfEndpoint("producerRemote"));
Sending a request to localhost will be consumed by cxf endpoint - consumerProxy and sent to the cxf endpoint - producerRemote.
The response is sent back the reverse way.

Mule soap Proxy wsdl fails at relative path resolution of xsd

I have a WSDL and a Mule SOAP proxy web service using the MuleSoft XML Only SOAP Web Service example.
My application is working fine, but if I enable validation I have one issue: when the XSD is stored anywhere other than the root of the project, it will not resolve.
I created folders of service and xsd inside /src/main/resources,
however when the service is invoked I receive the following error:
connector.http.mule.default.receiver.02] org.apache.cxf.wstx_msv_validation.ResolvingGrammarReaderController: D:\Developer\Global\BODs\GetListSalesOrder.xsd (The system cannot find the path specified)
java.io.FileNotFoundException: D:\Developer\Global\BODs\GetListSalesOrder.xsd (The system cannot find the path)
This is my mule flow..
<http:inbound-endpoint exchange-pattern="request-response" host="localhost" port="8081" path="test" doc:name="HTTP"/>
<cxf:proxy-service port="SyncSalesOrderBinding" namespace="http://www.cg.com/services/oagis/salesOrder" service="SyncSalesOrderService" validationEnabled="true" payload="body" wsdlLocation="services/WebServices/WSDL/SalesOrder.wsdl" doc:name="CXF">
<cxf:schemaLocations>
<cxf:schemaLocation>services/Developer/Global/BODs/GetListSalesOrder.xsd</cxf:schemaLocation>
</cxf:schemaLocations>
</cxf:proxy-service>
<logger message="Success" level="INFO" doc:name="Logger"/>

If your XSD file is imported in your wsdl file the following Code is fine :-
<cxf:proxy-service port="SyncSalesOrderBinding" namespace="http://www.cg.com/services/oagis/salesOrder" service="SyncSalesOrderService" validationEnabled="true" payload="body" wsdlLocation="services/WebServices/WSDL/SalesOrder.wsdl" doc:name="CXF"/>
You don't need to mention your XSD file in the CXF component .. it will validate
If you still face any issues then there is a patch available here : https://www.mulesoft.org/jira/browse/MULE-5963?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel .... Please replace your jar with the one attached to the JIRA ... It will work definitely

Apache CXF Schema validation - contract first

I am developing a Web service using Apache CXF and a contract-first approach with schema validation. The problem is that validation is not working. There is no error, so it looks like it is not activated. But validation is configured.
So, I have taken a look at the official Apache CXF examples you can find here.
I took a look at the wsdl_first example and modified it, adding schema validation and some restrictions in the WSDL:
<!-- HTTP Endpoint -->
<jaxws:endpoint xmlns:customer="http://customerservice.example.com/"
id="CustomerServiceHTTP" address="http://localhost:9090/CustomerServicePort"
serviceName="customer:CustomerServiceService" endpointName="customer:CustomerServiceEndpoint"
implementor="com.example.customerservice.server.CustomerServiceImpl">
<jaxws:features>
<bean class="org.apache.cxf.feature.LoggingFeature" />
</jaxws:features>
<!-- schema validation-->
<jaxws:properties>
<entry key="schema-validation-enabled" value="true" />
</jaxws:properties>
</jaxws:endpoint>
To my surprise, it doesn't work either.
OK, so I took a look at the wsdl_first_xmlbeans example, where according to the README.txt file, it also shows how CXF configuration can be used to enable schema validation.
And for this example, schema validation works. The difference between both examples is that the second one uses JAX-WS APIs with the XMLBeans approach. Does it have something to do with it? Why is schema validation not working for the first example? Probably, I am missing something.

For validation on the service side, it would likely need to have a wsdlLocation attribute set on the jaxws:endpoint so it would load the WSDL (that would then contain the schemas). Currently, the validation in that example is on the client side only. If you run the service, the log shows:
INFO: Creating Service {http://server.customerservice.example.com/}CustomerServiceImplService from class com.example.customerservice.CustomerService
which shows it's not using the WSDL at all.

Securing Web Service communication with SSL using CXF

I am trying to secure communications via SSL/TLS for one of our Web Services using CXF 2.2.5.
I am wondering how to update client and server Spring configuration file to activate this feature.
I found some information on CXF's website (CXF Wiki) for the client configuration, here is the given example:
<http:conduit name="{http://apache.org/hello_world}HelloWorld.http-conduit">
<http:tlsClientParameters>
<sec:keyManagers keyPassword="password">
<sec:keyStore type="JKS" password="password"
file="src/test/java/org/apache/cxf/systest/http/resources/Morpit.jks"/>
</sec:keyManagers>
<sec:trustManagers>
<sec:keyStore type="JKS" password="password"
file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
</sec:trustManagers>
<sec:cipherSuitesFilter>
<!-- these filters ensure that a ciphersuite with
export-suitable or null encryption is used,
but exclude anonymous Diffie-Hellman key change as
this is vulnerable to man-in-the-middle attacks -->
<sec:include>.*_EXPORT_.*</sec:include>
<sec:include>.*_EXPORT1024_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
<sec:include>.*_WITH_NULL_.*</sec:include>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
</http:tlsClientParameters>
<http:authorization>
<sec:UserName>Betty</sec:UserName>
<sec:Password>password</sec:Password>
</http:authorization>
<http:client AutoRedirect="true" Connection="Keep-Alive"/>
</http:conduit>
Concerning this configuration, the
Concerning the server side configuration I am unable to launch the server properly, here is the configuration I have:
<http:destination name="{urn:ihe:iti:xds-b:2007}DocumentRepository_Port_Soap12.http-destination">
</http:destination>
<httpj:engine-factory>
<httpj:engine port="9043">
<httpj:tlsServerParameters>
<sec:keyManagers keyPassword="changeit">
<sec:keyStore type="JKS" password="changeit" file="security/keystore.jks" />
</sec:keyManagers>
<sec:trustManagers>
<sec:keyStore type="JKS" password="changeit" file="security/cacerts.jks" />
</sec:trustManagers>
<sec:cipherSuitesFilter>
<!--
these filters ensure that a ciphersuite with export-suitable or null encryption is used, but exclude
anonymous Diffie-Hellman key change as this is vulnerable to man-in-the-middle attacks
-->
<sec:include>.*_EXPORT_.*</sec:include>
<sec:include>.*_EXPORT1024_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
<sec:include>.*_WITH_NULL_.*</sec:include>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
<sec:clientAuthentication want="true" required="true" />
</httpj:tlsServerParameters>
</httpj:engine>
</httpj:engine-factory>
But when I run my application server (JOnas) with this configuration I have the following error message:
Line 20 in XML document from ServletContext resource [/WEB-INF/beans.xml] is invalid; nested exception is org.xml.sax.SAXParseException: cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'httpj:engine-factory'.
Do you guys know how to solve this issue?
Thanks in advance,

It sounds like you are missing a namespace declaration or you have fat-fingered your XML. This is likely more of a Spring related issue than a CXF issue.
Check that the following items appear on your beans element where you declare httpj:engine-factory:
<beans
...
xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
...
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd
...">
<import resource="classpath:META-INF/cxf/cxf-extension-http.xml" />
<import resource="classpath:META-INF/cxf/cxf-extension-http-jetty.xml" />
Check that the CXF Jetty Transport JAR is in your classpath at runtime.
If you add the declaration and the schema location to your context file in your IDE (at least in Eclipse with the Spring plug-ins and IDEA) you should get schema validation right in your IDE so you can easily find any mistakes you make and take advantage of auto-completion.
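
The cipherSuitesFilter in both configurations of this question includes only EXPORT, single-DES and NULL suites. The following is an added example, not part of the original posts or of CXF: it audits such a filter against a constructed list of JSSE suite names. The hardened filter and the include-then-exclude full-match semantics are assumptions.

```python
import re
import xml.etree.ElementTree as ET

SEC = "{http://cxf.apache.org/configuration/security}"
NS = 'xmlns:sec="http://cxf.apache.org/configuration/security"'

# The filter quoted in the question (same patterns, namespace declared inline).
PAGE_FILTER = f"""<sec:cipherSuitesFilter {NS}>
  <sec:include>.*_EXPORT_.*</sec:include>
  <sec:include>.*_EXPORT1024_.*</sec:include>
  <sec:include>.*_WITH_DES_.*</sec:include>
  <sec:include>.*_WITH_NULL_.*</sec:include>
  <sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>"""

# Hypothetical hardened filter (an assumption, not from the page).
HARDENED_FILTER = f"""<sec:cipherSuitesFilter {NS}>
  <sec:include>TLS_ECDHE_.*_WITH_AES_.*_GCM_.*</sec:include>
  <sec:exclude>.*_anon_.*</sec:exclude>
  <sec:exclude>.*_(EXPORT|WITH_NULL|WITH_DES).*</sec:exclude>
</sec:cipherSuitesFilter>"""

# Constructed sample of JSSE cipher suite names, not a real JVM's list.
SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_WITH_DES_CBC_SHA", "SSL_RSA_WITH_NULL_SHA",
    "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA", "TLS_DH_anon_WITH_AES_128_CBC_SHA",
]

# Name fragments that mark a suite as giving weak or no protection.
WEAK = re.compile(r"_EXPORT|_WITH_NULL_|_WITH_DES_|_WITH_RC4_|_anon_")

def selected_suites(filter_xml, suites=SUITES):
    """Suites matching some <include> and no <exclude> (assumed semantics)."""
    root = ET.fromstring(filter_xml)
    inc = [re.compile(e.text.strip()) for e in root.findall(SEC + "include")]
    exc = [re.compile(e.text.strip()) for e in root.findall(SEC + "exclude")]
    return [s for s in suites
            if any(p.fullmatch(s) for p in inc)
            and not any(p.fullmatch(s) for p in exc)]

def weak_selected(filter_xml, suites=SUITES):
    """Subset of the selected suites whose name marks them as weak."""
    return [s for s in selected_suites(filter_xml, suites) if WEAK.search(s)]

if __name__ == "__main__":
    for name, flt in (("page", PAGE_FILTER), ("hardened", HARDENED_FILTER)):
        print(name, selected_suites(flt), "weak:", weak_selected(flt))
```

Every suite the page's filter selects from the sample list is flagged as weak, while the hardened filter selects only the two ECDHE AES-GCM suites.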