Facts:

  1. BEA, IBM and Microsoft have implemented part or all of the WS-Security spec
  2. A dozen developers are asking on the dev & user mailing lists when the Axis project will implement this standard
  3. I'm finishing my thesis about web services, session management and authentication and I'd like to give my open source contribution


first objective:

Implement the ‹UsernameToken› spec (Web Service security UsernameToken Profile - working draft 4, 11 August 2003) in its four password modes:

  •  without password
  •  clear password
  •  password digest
  •  password+nonce+timestamp digest

second objective:

Provide some samples of web service operations that use UsernameToken.
ws.microsoft.com is a very small "gym" to start practicing in.


final destination:

Implement the whole WS-Security spec.


Demo - Quick Start

Try axis-wsse against ws.microsoft.com as follows:
  1. Request your token at Microsoft.Com WebServices (Apply for Token)
  2. Install axis-wsse
  3. Optionally, start TCPMon to see what goes over the wire:

    javaw org.apache.axis.utils.tcpmon

  4. From the command line, run the sample that retrieves the version string of the ws.microsoft.com service:

    java -cp axis-wsse-1.0.jar net.vitale.filippo.samples.MsGetVersion $yourToken$ $yourPin$ ($port$)


    Leave the argument $port$ UNSET if you are not using TCPMon.

    (If it doesn't work because of a CLASSPATH misconfiguration, try modifying
    this .BAT and running it in the same directory as axis-wsse-X.X.jar.)



  5. The result will be something like:
     yourToken = [B8ffemWZ1***hidden***wYJJW4bua0+]
      yourPin  = [**hidden*]
     URLstring = [http://ws.microsoft.com/mscomservice/mscom.asmx]
    ---------- cut here ------ cut here ------ cut here ----------
    Microsoft.Com Platform Services 1.0 Beta
    					
    ...TCP sniffing the request to ws.microsoft.com
    POST /mscomservice/mscom.asmx HTTP/1.0
    Content-Type: text/xml; charset=utf-8
    Accept: application/soap+xml, application/dime, multipart/related, text/*
    User-Agent: Axis/1.1
    Host: ws.microsoft.com
    Cache-Control: no-cache
    Pragma: no-cache
    SOAPAction: "http://www.microsoft.com/GetVersion"
    Content-Length: 911
    Authorization: Basic QjhmZQvNE***hidden***QjhmZQvNE
    
    
    
    <?xml version="1.0" encoding="UTF-8"?>
       <soapenv:Envelope
       xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
       xmlns:xsd="http://www.w3.org/2001/XMLSchema"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> 
         <soapenv:Header>  
          <wsse:Security soapenv:mustUnderstand="0"
            xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext">   
               <wsse:UsernameToken>    
                  <wsse:Username xsi:type="xsd:string">
                  B8ffemWZ1***hidden***wYJJW4bua0+</wsse:Username>    
                  <wsse:Password Type="wsse:PasswordDigest"
                   xsi:type="xsd:string">
                   BF3utb***hidden***0lKZz4quA=</wsse:Password>    
                   <wsse:Nonce xsi:type="xsd:string">
                   msJPTHku44rHAqPIRvbNQA==</wsse:Nonce>    
                   <wsu:Created xsi:type="xsd:string"
                   xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
                   2003-10-13T19:50:57Z</wsu:Created>   
                </wsse:UsernameToken>  
             </wsse:Security> 
          </soapenv:Header> 
          <soapenv:Body>  
             <GetVersion xmlns=""/> 
          </soapenv:Body>
       </soapenv:Envelope>			
    					
    ...and the response:
    HTTP/1.1 200 OK
    Connection: close
    Date: Mon, 13 Oct 2003 18:50:52 GMT
    Server: Microsoft-IIS/6.0
    P3P: CP='ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI
     TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI'
    X-Powered-By: ASP.NET
    X-AspNet-Version: 1.1.4322
    Cache-Control: private, max-age=0
    Content-Type: text/xml; charset=utf-8
    Content-Length: 607
    <?xml version="1.0" encoding="utf-8"?>
       <soap:Envelope
       xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:xsd="http://www.w3.org/2001/XMLSchema">
          <soap:Header>
             <wsu:Timestamp
             xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
                <wsu:Created>
                	2003-10-13T18:50:52Z
                </wsu:Created>
                <wsu:Expires>
                	2003-10-13T18:55:52Z
                </wsu:Expires>
             </wsu:Timestamp>
          </soap:Header>
          <soap:Body>
             <GetVersionResponse xmlns="http://www.microsoft.com">
                <GetVersionResult>
                	Microsoft.Com Platform Services 1.0 Beta
                </GetVersionResult>
             </GetVersionResponse>
          </soap:Body>
       </soap:Envelope>
    					


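    The core of this sample is the configuration of the *unmodified* org.apache.axis.client.Call:

    import org.apache.axis.client.Call;
    import org.apache.axis.client.Service;
    // WsseClientHandler is provided by the axis-wsse jar

    Service service = new Service();
    Call call = (Call)service.createCall();
    
    // endpoint, operation and SOAPAction of the GetVersion call
    call.setTargetEndpointAddress(new java.net.URL(urlS));
    call.setOperation("GetVersion");
    call.setSOAPActionURI("http://www.microsoft.com/GetVersion");
    call.setUseSOAPAction(true);
    
    // credentials and password mode are set on the standard Call
    call.setUsername(usernameS);
    call.setPassword(passwordS);
    call.setProperty(WsseClientHandler.PASSWORD_OPTION,
    		WsseClientHandler.PASSWORD_DIGEST_WITH_NONCE);
    
    // the axis-wsse handler is installed as the request handler (no response handler)
    call.setClientHandlers(new WsseClientHandler(), null);
    
    System.out.print((String)call.invoke(new Object[] {}));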
    					


    With axis-wsse you can now try any web service that requires single-message authentication based on UsernameToken, using any of the 4 password sending techniques. If you have suggestions or comments, feel free to contact me:

    filippo () vitale.net


Links

Apache Axis
Axis mailing list
Web Service security UsernameToken Profile (working draft 4, 11 August 2003)
Is WS-Security in Java so hard?
WS-Security Authentication and Digital Signatures with Web Services Enhancements

This page is created and maintained by Filippo Vitale (filippo [a.t] vitale dot net)

The HTML style is inspired by: "'br.kernelnewbies.org-beta2' by Caio Begotti" @ http://www.oswd.org