This documentation is for WSO2 Enterprise Service Bus version 4.7.0.


Objective: Using WS-Security signing and encryption with proxy services through WS-Policy

```xml
<definitions xmlns="http://ws.apache.org/ns/synapse">
    <localEntry key="sec_policy" src="file:repository/samples/resources/policy/policy_3.xml"/>
    <proxy name="StockQuoteProxy">
        <target>
            <inSequence>
                <header name="wsse:Security" action="remove"
                        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
                <send>
                    <endpoint>
                        <address uri="http://localhost:9000/services/SimpleStockQuoteService"/>
                    </endpoint>
                </send>
            </inSequence>
            <outSequence>
                <send/>
            </outSequence>
        </target>
        <publishWSDL uri="file:repository/samples/resources/proxy/sample_proxy_1.wsdl"/>
        <policy key="sec_policy"/>
        <enableSec/>
    </proxy>
</definitions>
```

Prerequisites:
You may need to download and install the unlimited strength policy files for your JDK before using Apache Rampart (e.g. see http://java.sun.com/javase/downloads/index_jdk6.jsp)

  • Start the Synapse configuration numbered 200: i.e. wso2esb-samples.sh -sn 200
  • Start the Axis2 server and deploy the SimpleStockQuoteService if not already done.

The proxy service expects to receive a signed and encrypted message as specified by the security policy. See the Apache Rampart and Axis2 documentation for the format of the policy file. The 'enableSec' element specifies that Apache Rampart should be engaged on this proxy service, and the 'policy' element attaches the security policy loaded from the 'sec_policy' local entry. Hence, if Rampart rejects a request message that does not conform to the specified policy, that message never reaches the 'inSequence' to be processed. Since the proxy service forwards the received request to the simple stock quote service, which does not use WS-Security, we instruct the ESB to remove the wsse:Security header from the outgoing message. To execute the client, send a stock quote request to the proxy service, signing and encrypting the request by specifying the client-side security policy as follows:

```bash
ant stockquote -Dtrpurl=http://localhost:8280/services/StockQuoteProxy -Dpolicy=./../../repository/samples/resources/policy/client_policy_3.xml
```

By following the debug logs or the TCPMon output, you can see that the request received by the proxy service was signed and encrypted. Also, looking up the WSDL of the proxy service by requesting the URL http://localhost:8280/services/StockQuoteProxy?wsdl reveals the security policy attached to the supplied base WSDL. When the message is sent to the backend service, you can verify that the security headers were removed and that the response received from the backend does not use WS-Security, but that the response forwarded back to the client is signed and encrypted, as the client expects.
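As an added example, not part of the WSO2 sample or the ESB code base: a small Python script that classifies a constructed signed and encrypted SOAP request (the shape you would capture in TCPMon) and then performs the same wsse:Security removal that the proxy's inSequence applies. The namespaces are the standard OASIS and W3C ones from the configuration above; the message, its signature and cipher values are constructed placeholders.

```python
# Added example (not from the WSO2 sample): classify a SOAP request's WS-Security
# content and mirror the proxy's <header name="wsse:Security" action="remove"/>.
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XENC_NS = "http://www.w3.org/2001/04/xmlenc#"

# Constructed sample with the shape of a signed and encrypted request as it would
# appear in TCPMon; signature and cipher values are placeholders, not real ones.
SAMPLE_REQUEST = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE_NS}" soapenv:mustUnderstand="1">
      <xenc:EncryptedKey xmlns:xenc="{XENC_NS}"><xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey>
      <ds:Signature xmlns:ds="{DS_NS}"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <xenc:EncryptedData xmlns:xenc="{XENC_NS}"><xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>"""


def describe_security(envelope_xml):
    """Report whether an envelope carries a wsse:Security header, an XML-DSig
    signature inside that header, and an encrypted body (xenc:EncryptedData)."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP_NS}}}Header")
    sec = header.find(f"{{{WSSE_NS}}}Security") if header is not None else None
    return {
        "has_security_header": sec is not None,
        "signed": sec is not None and sec.find(f".//{{{DS_NS}}}Signature") is not None,
        "body_encrypted": root.find(f"{{{SOAP_NS}}}Body/{{{XENC_NS}}}EncryptedData") is not None,
    }


def strip_security_header(envelope_xml):
    """Remove every wsse:Security header, as the proxy's inSequence does before
    forwarding to a backend without WS-Security (which would otherwise fault on
    the mustUnderstand="1" header). This does not verify or decrypt anything."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP_NS}}}Header")
    removed = 0
    if header is not None:
        for sec in header.findall(f"{{{WSSE_NS}}}Security"):
            header.remove(sec)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed
```

After stripping, body_encrypted is still true: removing the header only discards the signature and key material, which is why the sample engages Rampart on the proxy (so the message is verified and decrypted first) instead of deleting the header blindly.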
