Spring WS - Part 5

Spring WS provides an easy integration with various WS-Security features with the help of interceptors like Wss4jSecurityInterceptor, XwsjSecurityInterceptor.

We are going to explore here very basic feature of WS-SECURITY i.e. implementing Security using with UserNameTokenAuthentication
We are going to use Wss4jSecurityInterceptor as it is very easy to configure.

We are going to use configure two interceptors:
1) One for the Server End.
2) Other for the Client End.
 For Server End The configuration for Wss4jSecurityInterceptor is as follows:

@Bean
 public Wss4jSecurityInterceptor wss4jSecurityInterceptor()
 {
  /**
   * The SecurementActions for UsernameToken is commented, as the
   * UsernameToken is to be added by the client, the server-side
   * interceptor would only validate that.
   * 
   */

  Wss4jSecurityInterceptor wss4jSecurityInterceptor = new Wss4jSecurityInterceptor();
  wss4jSecurityInterceptor.setValidationActions("UsernameToken");
  //wss4jSecurityInterceptor.setSecurementActions("UsernameToken");
  wss4jSecurityInterceptor.setSecurementUsername("Ernie");
  wss4jSecurityInterceptor.setSecurementPassword("Bert");
  wss4jSecurityInterceptor.setSecurementPasswordType("PasswordText");
  wss4jSecurityInterceptor.setValidationCallbackHandler(callbackHandler());
  return wss4jSecurityInterceptor;
 }
It is added to the list of server side interceptors as:
interceptors.add(wss4jSecurityInterceptor());
For Client End 
@Bean
 public Wss4jSecurityInterceptor wss4jSecurityInterceptorClient()
 {

  /* Please note If ValidationActions needs to be mentioned
   * then Validdation CallBack Handler must be there
   */ 


  Wss4jSecurityInterceptor wss4jSecurityInterceptor = new Wss4jSecurityInterceptor();
  //wss4jSecurityInterceptor.setValidationActions("UsernameToken");
  wss4jSecurityInterceptor.setSecurementActions("UsernameToken");
  wss4jSecurityInterceptor.setSecurementUsername("Ernie");
  wss4jSecurityInterceptor.setSecurementPassword("Bert");
  wss4jSecurityInterceptor.setSecurementPasswordType("PasswordText");
  //wss4jSecurityInterceptor.setValidationCallbackHandler(callbackHandler());
  return wss4jSecurityInterceptor;
 }
It is added to the WebServiceTemplate configuration , as when the client invokes the Web Service using this template then, the UserNameToken is added to the request SOAPi Message and thus available to the server side for Validation, with the help of Validation CallBackHandler.

So at the Client side, the interceptor could be added as:

webServiceTemplate.setInterceptors(new ClientInterceptor[]{wss4jSecurityInterceptorClient()});
The Callback Handler can be configured as: 

/**
  * Validation CallBack Handler for UserNameToken Authentication
  * 
  */

 @Bean
 public SimplePasswordValidationCallbackHandler callbackHandler()
 {
  SimplePasswordValidationCallbackHandler simplePasswordValidationCallbackHandler = new SimplePasswordValidationCallbackHandler();
  Map userMap = new HashMap();
  userMap.put("admin", "secret");
  userMap.put("user", "pass");
  userMap.put("Ernie","Bert");
  simplePasswordValidationCallbackHandler.setUsersMap(userMap);
  return simplePasswordValidationCallbackHandler;
 }
Here we have used an in-memory implementation i.e. A map for the list of valid UserName & Password Configuration for simplicity. Here we can provide the implementation according to our need. The CallBackHandler implementation used here is SimplePasswordValidationCallbackHandler If we have Spring Security in our application we can also use SpringSecurityPasswordValidationCallbackHandler. Here the Username and Password are being set from UserDetailsService of Spring Security. So awesome right??..

This is in short about WS-Security.

The client that we have used in the whole application is Spring Controller configured in the same application.
 
@Controller
public class TestController {

 static Logger log = LoggerFactory.getLogger(TestController.class);

 @Autowired
 WebServiceTemplate webServiceTemplate;

 String data;
 
 @PostConstruct
 public void PostConstrut()
 {
  Assert.notNull(webServiceTemplate, "WebServiceTemplate Must not be null");
 }
 
 
 @RequestMapping(value="/testWSService", method=RequestMethod.GET)
 public ModelAndView testWebService(ModelMap model)
 {
  log.debug(" ***** In testWebService() method, Testing Services with Web Service Template ***** ");
  GetCountryRequest getCountryRequest = new ObjectFactory().createGetCountryRequest();
  getCountryRequest.setName("OK");
  FileDataSource fileDataSource = new FileDataSource("/path/to/File/TobeUploaded");
  DataHandler dataHandler = new DataHandler(fileDataSource);
  getCountryRequest.setFile(dataHandler);
  webServiceTemplate.marshalSendAndReceive(getCountryRequest);
  ModelAndView modelAndView = new ModelAndView();
  return modelAndView;
 }
}
The WebServiceTemplate that we have used here is he bean configured in the Configuration. This is used to invoke the Web Service and the rest is just normal bean setting. The Marshalling and Unmarshalling of the parameters are being taked case by the Spring WS.

So this in short about what I explored about Spring Web-Services. I find it really great.

Any Views and Suggestions are always welcome. Please share and untill next time Keep coding and keep sharing..... :-)

Comments

Post a Comment

Popular posts from this blog

Use of @Configurable annotation.

Not, all types(beans) used in a Spring Based Application are Spring managed. Sometimes, we need to inject some dependency into some Types which are not Spring Managed. The most common example being, injection of Service or DAO layer within the Entity class. Now the instances of Entity classes are being created using the new operator, i.e. they are not Spring Managed. Now we want to inject the corresponding Service or DAO Type which is Spring Managed within these Entity Types, and these can be performed with the help of @Configurable . It is the Aspects, which performs all the underlying engineering and ,makes this thing possible. Let's see an example. @Configurable public class Person { @Autowired ResourceBundleThemeSource themeSource; private String firstName; private String lastName; private int age; private Address address; @CustomDateFormat Date birthDate; MultipartFile profile; public String getFirstName() { return firstName; } public voi
Read more

Spring WS - Part 4

Another interesting and essential feature is the attachment part. Now I found two things out here. The attachment can be inline within the SOAP message body (suitable as long as the attachment size is not too long) or we can enable MTOM feature within the marshaller and leverage the MTOM-XOP feature. For the attachment to be inline with the SOAP message body, no actual configuration are required, everything is being taken care by the Spring WS framework, except the following: &ltxs:element name="getCountryRequest"&gt &ltxs:complexType&gt &ltxs:sequence&gt &ltxs:element name="name" type="xs:string"/&gt &ltxs:element name="file" type="xs:base64Binary" xmime:expectedContentTypes="application/octet-stream"&gt&lt/xs:element&gt &lt/xs:sequence&gt &lt/xs:complexType&gt &lt/xs:e
Read more