Selecting certificates programmatically in WSIT
Tuesday May 15, 2007
I am involved in porting the JAX-RPC based WS-I Supply Chain Management sample application to WSIT, which is based on JAX-WS. I used NetBeans 5.5.1 RC1 with the WSIT modules along with GlassFish v2, which made this a lot easier than it would have been without IDE support. The WSDLs were imported using NetBeans, which generated the web service classes; customization files were used to set the packages of the generated classes. The NetBeans wizard for creating web service references (clients) was then used to create the references needed to call the other web services. The business logic was filled in and Java DB was used for database access.
The components involved in this are depicted here. 
Configuring security using NetBeans was straightforward for almost all of the services and clients. The KeyStore and TrustStore part of the security configuration for the Warehouse A, B, C and Manufacturer A, B, C services and clients could not be expressed with the security policy assertions in the WSDL and wsit-client.xml, because the three instances of each service share the same base WSDL. Kumar Jayanti showed me the way out: the AliasSelector and CertSelector hooks.
An AliasSelector implementation was used to return the correct keystore alias depending on who the caller was. To determine the caller, a property was set on the client stub's BindingProvider request context as shown below.
    WarehouseShipmentsPortType warehouseAStub =
        warehouseAService.getWarehouseAPort();
    ((BindingProvider) warehouseAStub).getRequestContext().put(
        WSIConstants.CALLER,
        WSIConstants.CALLER_RETAILER);
In the AliasSelector:
    import java.util.Map;

    public class AliasSelector implements com.sun.xml.wss.AliasSelector {
        // Return the keystore alias whose key should sign the outgoing message,
        // chosen from the CALLER property placed on the request context.
        public String select(Map map) {
            if (map == null || map.isEmpty()) {
                return null;
            }
            // Compare constant-first so a missing CALLER property cannot cause a NullPointerException.
            if (WSIConstants.CALLER_RETAILER.equals(map.get(WSIConstants.CALLER))) {
                return "wsi-retailer-sign";
            }
            // The other callers are mapped to their own signing aliases in the same way.
            return null;
        }
    }
The CertSelector selected the certificate from the TrustStore based on the certificate CommonName and the CALLEE property which was set on the stub.
    WarehouseShipmentsPortType warehouseAStub =
        warehouseAService.getWarehouseAPort();
    ((BindingProvider) warehouseAStub).getRequestContext().put(
        BindingProvider.ENDPOINT_ADDRESS_PROPERTY,
        roles.get(ConfigurationEndpointRole.WAREHOUSE_A));
    ((BindingProvider) warehouseAStub).getRequestContext().put(
        WSIConstants.CALLEE,
        WSIConstants.WAREHOUSEA);
CertSelector implementation extract:
    import java.security.cert.Certificate;
    import java.security.cert.X509Certificate;
    import java.util.Map;

    public class CertSelector implements java.security.cert.CertSelector {
        private Map runtimeProperties;

        // WSIT hands the request context properties to the selector at runtime.
        public CertSelector(Map properties) {
            this.runtimeProperties = properties;
        }

        public CertSelector clone() {
            return new CertSelector(this.runtimeProperties);
        }

        // Accept the TrustStore certificate whose CommonName matches the CALLEE set on the stub.
        public boolean match(Certificate cert) {
            X509Certificate xcert = (X509Certificate) cert;
            if (((String) runtimeProperties.get(WSIConstants.CALLEE)).toLowerCase().indexOf("warehousea") != -1) {
                if (xcert.getSubjectX500Principal().getName().indexOf("CN=WarehouseA") != -1) {
                    return true;
                }
            }
            // The remaining Warehouse and Manufacturer endpoints are handled the same way.
            return false;
        }
    }
The wsit-client.xml will have the following configuration to point to the AliasSelector and CertSelector implementations.
    <wsp:Policy wsu:id="WarehouseSoapBindingPolicy">
      <wsp:ExactlyOne>
        <wsp:All>
          <sc1:KeyStore wspp:visibility="private" storepass="xxx" type="JKS"
                        location="/glassfish/domains/domain1/config/keystore.jks"
                        aliasselector="com.sun.wsi.scm.util.AliasSelector"/>
          <sc1:TrustStore wspp:visibility="private" storepass="xxx" type="JKS"
                          location="/glassfish/domains/domain1/config/cacerts.jks"
                          certselector="com.sun.wsi.scm.util.CertSelector"/>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>
You can use these Selector interfaces to implement any kind of certificate management solution specific to the deployment.
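As an added example that is not part of the original post or the sample application, here is a CertSelector that generalizes the extract above to all six Warehouse and Manufacturer endpoints and compares the parsed subject CN exactly instead of by substring; the property key stands in for WSIConstants.CALLEE, and the CALLEE values and CN spellings are assumptions.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
// Added example, not code from the post: one CertSelector covering all six back-end
// endpoints. The property key and CALLEE values are placeholders standing in for the
// post's WSIConstants; the CN spellings are assumed.
public class EndpointCertSelector implements java.security.cert.CertSelector {
    static final String CALLEE = "callee"; // placeholder for WSIConstants.CALLEE
    // Assumed lower-cased CALLEE value -> the exact CN the peer certificate must carry.
    private static final Map<String, String> CALLEE_TO_CN = new HashMap<String, String>();
    static {
        CALLEE_TO_CN.put("warehousea", "WarehouseA");
        CALLEE_TO_CN.put("warehouseb", "WarehouseB");
        CALLEE_TO_CN.put("warehousec", "WarehouseC");
        CALLEE_TO_CN.put("manufacturera", "ManufacturerA");
        CALLEE_TO_CN.put("manufacturerb", "ManufacturerB");
        CALLEE_TO_CN.put("manufacturerc", "ManufacturerC");
    }
    private final Map runtimeProperties;
    public EndpointCertSelector(Map properties) { this.runtimeProperties = properties; }

    public EndpointCertSelector clone() { return new EndpointCertSelector(runtimeProperties); }

    public boolean match(Certificate cert) {
        if (!(cert instanceof X509Certificate) || runtimeProperties == null) return false;
        Object callee = runtimeProperties.get(CALLEE);
        // No CALLEE on the stub: select nothing, never "any certificate in the store".
        if (callee == null) return false;
        String expectedCn = CALLEE_TO_CN.get(callee.toString().toLowerCase());
        return expectedCn != null && expectedCn.equals(subjectCn((X509Certificate) cert));
    }

    // Parse the subject DN and return the CN value. Comparing the whole RDN value avoids a
    // substring test like indexOf("CN=WarehouseA") also accepting CN=WarehouseABC.
    static String subjectCn(X509Certificate xcert) {
        try {
            for (Rdn rdn : new LdapName(xcert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
            }
        } catch (InvalidNameException e) {
            // Unparseable subject: treat as no match.
        }
        return null;
    }
}
```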
Refer to the articles, Ask the Experts sessions and blogs to stay informed on this and other topics in web services and security.
Technorati Tags: WSIT, GlassFish, Web Services, Java