This documentation is for WSO2 Enterprise Service Bus version 4.9.0. View documentation for the latest release.


Introduction

This sample demonstrates how you can use WS-Security signing and encryption with proxy services through WS-Policy.

In this sample, the proxy service expects to receive a signed and encrypted message, as specified by the security policy in policy_3.xml. To understand the format of the policy file, see the Apache Rampart and Axis2 documentation. The enableSec element specifies that Apache Rampart should be engaged on this proxy service, and the policy element attaches the policy to it. Rampart processes the security header before the mediation sequences run, so any request that does not conform to the policy (for example, one that is unsigned, unencrypted, or whose signature fails to verify) is rejected with a fault and never reaches the inSequence. Since the proxy service forwards the received request to the SimpleStockQuoteService, which does not use WS-Security, the configuration instructs the ESB to remove the wsse:Security header from the outgoing message; otherwise the back-end service, which has no security handler, would receive a header it cannot process. Note that once the header is removed, the hop from the ESB to the back end carries a plaintext, unauthenticated message, so the ESB is the trust boundary that protects the back end.

Prerequisites

Building the sample

The XML configuration for this sample is as follows: 

<definitions xmlns="http://ws.apache.org/ns/synapse">
    <localEntry key="sec_policy" src="file:repository/samples/resources/policy/policy_3.xml"/>
    <proxy name="StockQuoteProxy">
        <target>
            <inSequence>
                <header name="wsse:Security" action="remove"
                        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
                <send>
                    <endpoint>
                        <address uri="http://localhost:9000/services/SimpleStockQuoteService"/>
                    </endpoint>
                </send>
            </inSequence>
            <outSequence>
                <send/>
            </outSequence>
        </target>
        <publishWSDL uri="file:repository/samples/resources/proxy/sample_proxy_1.wsdl"/>
        <policy key="sec_policy"/>
        <enableSec/>
    </proxy>
</definitions>

This configuration file, synapse_sample_200.xml, is available in the <ESB_HOME>/repository/samples directory.

To build the sample

  1. Start the ESB with the sample 200 configuration. For instructions on starting a sample ESB configuration, see Starting the ESB with a sample configuration.

    The operation log keeps running until the server starts, which usually takes several seconds. Wait until the server has fully booted up and displays a message similar to "WSO2 Carbon started in n seconds."

  2. Start the Axis2 server. For instructions on starting the Axis2 server, see Starting the Axis2 server.

  3. Deploy the back-end service  SimpleStockQuoteService. For instructions on deploying sample back-end services, see Deploying sample back-end services.

Note

When you run this sample, the BouncyCastle jar file used for encryption is not loaded by the Axis2 client. This is due to an issue with the axis2Client shipped with ESB 4.8.1. Therefore, before running the client, copy the bcprov-jdk15.jar file from the <ESB_HOME>/repository/axis2/client/lib directory to the <ESB_HOME>/repository/components/plugins directory.

Executing the sample

The sample client used here is the Stock Quote Client, which can operate in several modes. For further details on this sample client and its operation modes, see Stock Quote Client.

To execute the sample client

  • Run the following command from the <ESB_HOME>/samples/axis2Client directory. 

    ant stockquote -Dtrpurl=http://localhost:8280/services/StockQuoteProxy -Dpolicy=./../../repository/samples/resources/policy/client_policy_3.xml

    This sends a stock quote request to the proxy service. The -Dpolicy option points the client at the client-side security policy (client_policy_3.xml), so the request is signed and encrypted before it is sent.

Analyzing the output

By analyzing the debug log output or the TCPMon output, you will see that the request received by the proxy service is signed and encrypted.

You can look up the WSDL of the proxy service by requesting the URL http://localhost:8280/services/StockQuoteProxy?wsdl, in order to confirm that the security policy has been attached to the supplied base WSDL.

When the message is sent to the back-end service, you can verify that the security header was removed and that the response received from the back end does not use WS-Security, while the response forwarded back to the client is signed and encrypted, as the client's policy expects.
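The two checks described above (that the inbound request carries a signed and encrypted wsse:Security header, and that the header is gone on the hop to the back end) can be scripted against TCPMon captures. The following Python script is an added example for this page; it is not code from WSO2 ESB, Synapse or Rampart. It uses only the standard library, and the two envelopes it embeds are constructed placeholders that mimic the header layout of a sign-and-encrypt request (the base64 values are dummies, not real cryptographic output). The function names are the script's own. The structural check it performs is only the first half of what Rampart enforces: it does not verify signatures or decrypt anything.

```python
"""Structural checks for the WS-Security traffic in this sample.

Added example; not code from WSO2 ESB, Synapse or Rampart. It inspects SOAP
envelopes such as those TCPMon captures on the proxy's inbound and outbound
legs and mirrors the <header name="wsse:Security" action="remove"/> mediator.
Only the standard library is used. The embedded envelopes are constructed
placeholders: the base64 values are dummies, not real cryptographic output.
"""
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep the familiar prefixes when re-serialising

# Constructed stand-in for what the client sends under client_policy_3.xml:
# a signed Body that has then been encrypted, with mustUnderstand="1" on the header.
SIGNED_ENCRYPTED_REQUEST = """<soapenv:Envelope xmlns:soapenv="{soapenv}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" soapenv:mustUnderstand="1">
      <wsse:BinarySecurityToken wsu:Id="CertId-1">PLACEHOLDER</wsse:BinarySecurityToken>
      <xenc:EncryptedKey xmlns:xenc="{xenc}" Id="EncKeyId-1">
        <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
        <xenc:ReferenceList><xenc:DataReference URI="#EncDataId-1"/></xenc:ReferenceList>
      </xenc:EncryptedKey>
      <ds:Signature xmlns:ds="{ds}" Id="Signature-1">
        <ds:SignedInfo><ds:Reference URI="#Id-1"/></ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body xmlns:wsu="{wsu}" wsu:Id="Id-1">
    <xenc:EncryptedData xmlns:xenc="{xenc}" Id="EncDataId-1"
        Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>""".format(**NS)

# Constructed request from a client that ignores the policy (no security header at all).
PLAIN_REQUEST = """<soapenv:Envelope xmlns:soapenv="{soapenv}">
  <soapenv:Header/>
  <soapenv:Body>
    <m:getQuote xmlns:m="http://services.samples">
      <m:request><m:symbol>IBM</m:symbol></m:request>
    </m:getQuote>
  </soapenv:Body>
</soapenv:Envelope>""".format(**NS)


def inspect_envelope(envelope_xml):
    """Report which WS-Security features a captured envelope carries."""
    root = ET.fromstring(envelope_xml)
    header = root.find("soapenv:Header", NS)
    sec = header.find("wsse:Security", NS) if header is not None else None
    body = root.find("soapenv:Body", NS)
    must_understand_attr = "{%s}mustUnderstand" % NS["soapenv"]
    return {
        "security_header": sec is not None,
        "must_understand": sec is not None and sec.get(must_understand_attr) == "1",
        "signed": sec is not None and sec.find("ds:Signature", NS) is not None,
        "encrypted_body": body is not None and body.find("xenc:EncryptedData", NS) is not None,
    }


def conforms_to_sign_and_encrypt(info):
    """Structural half of the gate Rampart applies before the inSequence runs.

    Rampart additionally verifies the signature, decrypts the Body and checks
    the policy's token and algorithm requirements; none of that happens here.
    """
    return info["security_header"] and info["signed"] and info["encrypted_body"]


def remove_security_header(envelope_xml):
    """Mirror the <header name="wsse:Security" action="remove"/> mediator.

    In the ESB this runs after Rampart has already verified and decrypted the
    message. The back end has no security handler, so a Security header marked
    mustUnderstand="1" would be rejected by its SOAP stack if forwarded.
    """
    root = ET.fromstring(envelope_xml)
    header = root.find("soapenv:Header", NS)
    if header is not None:
        for sec in header.findall("wsse:Security", NS):
            header.remove(sec)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for label, env in (("client -> proxy", SIGNED_ENCRYPTED_REQUEST), ("unsecured", PLAIN_REQUEST)):
        info = inspect_envelope(env)
        print(label, info, "accepted" if conforms_to_sign_and_encrypt(info) else "REJECTED by policy")
    print("proxy -> back end has Security header:",
          inspect_envelope(remove_security_header(SIGNED_ENCRYPTED_REQUEST))["security_header"])
```

On the real outbound leg, Rampart has already decrypted the Body before the header mediator runs, so the request TCPMon shows on port 9000 has a plaintext getQuote body and no Security header; the script only mirrors the header removal, which is why its stripped placeholder still shows an EncryptedData body. Running the plain request through the check shows the kind of message that Rampart rejects before the inSequence ever sees it.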

