Comment: Fleshed out more the WS-Security documentation. Please review.

...

Here is an example of WS-Security implemented using annotations for interceptors (uses UsernameToken).

Using X.509 Certificates

The X.509 Certificate Token Profile (pdf) provides another option for implementing WS-Security. For the Signature and Encryption actions, you'll need to create a public and private key pair for each entity involved. You can generate a self-signed key pair for your development environment via the following steps. Keep in mind these will not be signed by an external certificate authority such as Verisign, so they are inappropriate for production use.

...

A more detailed description of key generation can be found here:
http://java.sun.com/javase/6/docs/technotes/tools/solaris/keytool.html

How to create a production certificate can be found here:
http://support.globalsign.net/en/objectsign/java.cfm

Signing

Signing a message is used to prove to the recipient that the message could only have come from a certain sender, and that the message was not altered in transit. It involves the sender encrypting a digest (hash) of the message with its private key; the recipient decrypts the hash with the sender's public key and recalculates the digest of the message to make sure the message was not altered in transit (i.e., that the digest values calculated by the sender and the recipient are the same). To sign our message, we'll configure our client to sign the message with its private key and configure the server to verify the signature using the client's public key. For this process to work you must ensure that the client's public key has been imported into the server's keystore using keytool.

...

The USER that is specified is the key alias that you used when creating your keys for the client. The password callback class is responsible for providing that key's password.

Tip

For X.509 support you will normally have multiple actions, e.g. Encryption with Signature. For these cases, just space-separate the actions in the ACTION property as follows:

Code Block (java)

outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT);

Alternatively, you may space-separate the string literals you see above in the Spring configuration (e.g., "Signature Encrypt").

Our client_sign.properties file contains several settings to configure WSS4J:

...

Code Block

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=amex123
org.apache.ws.security.crypto.merlin.file=server_keystore.jks

Encryption

Encryption involves the sender encrypting the message with the recipient's public key to ensure that only the recipient can read the message (only the recipient holds the private key needed to decrypt it). This requires the sender to have the recipient's public key in its keystore.

The process for encrypting is very similar to, and indeed usually combined with, the signature process above. Until our documentation is filled out further here, our WS-Security test sample provides an example of encrypting requests and responses; also check this blog entry for a more end-to-end example showing signature and encryption of both SOAP requests and responses.
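As an added example (not code from the original page or the CXF sample), the client-side configuration that combines the Timestamp, Signature and Encrypt actions described above, reusing the client_sign.properties file from the Signing section. The class name, the key aliases "clientkey" and "serverkey", and the key password are assumptions; the WSS4J constants and CXF interceptor classes are the real ones from WSS4J 1.x and CXF.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

public class SignEncryptClientConfig {

    // Assumed aliases: the client's own key pair and the imported server certificate (both created/imported with keytool).
    private static final String CLIENT_ALIAS = "clientkey";
    private static final String SERVER_ALIAS = "serverkey";

    /** Password callback: WSS4J asks for the private-key password by alias and only the expected alias is answered. */
    public static class ClientPasswordCallback implements CallbackHandler {
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                if (CLIENT_ALIAS.equals(pc.getIdentifier())) {
                    pc.setPassword("clientkeypass"); // assumed value; load it from a secret store rather than hard-coding
                } else {
                    throw new UnsupportedCallbackException(cb, "unknown key alias: " + pc.getIdentifier());
                }
            }
        }
    }

    /** Outbound WSS4J properties: add a Timestamp, sign Body and Timestamp with our key, encrypt to the server's certificate. */
    public static Map<String, Object> outboundProps() {
        Map<String, Object> outProps = new HashMap<String, Object>();
        outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP + " "
                + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT); // actions are applied in this order
        outProps.put(WSHandlerConstants.USER, CLIENT_ALIAS);            // alias whose private key produces the signature
        outProps.put(WSHandlerConstants.ENCRYPTION_USER, SERVER_ALIAS); // alias whose public certificate encrypts the message
        outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientPasswordCallback.class.getName());
        outProps.put(WSHandlerConstants.SIG_PROP_FILE, "client_sign.properties");
        outProps.put(WSHandlerConstants.ENC_PROP_FILE, "client_sign.properties"); // same keystore also holds the server cert
        // Sign the Timestamp as well as the Body so a replayed message cannot carry a fresh, unsigned timestamp.
        outProps.put(WSHandlerConstants.SIGNATURE_PARTS,
                "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"
                + "{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body");
        return outProps;
    }

    /** Attaches the outbound interceptor to a JAX-WS proxy obtained from the generated service class. */
    public static void attach(Object port) {
        Client client = ClientProxy.getClient(port);
        client.getOutInterceptors().add(new WSS4JOutInterceptor(outboundProps()));
    }
}
```

The server side mirrors this with a WSS4JInInterceptor whose ACTION lists the same three actions, SIG_PROP_FILE pointing at the keystore holding the client's certificate, DEC_PROP_FILE pointing at the keystore holding the server's private key, and its own password callback.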