Sample 200: Engaging WS-Security on Proxy Services

<definitions xmlns="http://ws.apache.org/ns/synapse">
    <localEntry key="sec_policy" src="file:repository/conf/sample/resources/policy/policy_3.xml"/>
    <proxy name="StockQuoteProxy">
        <target>
            <inSequence>
                <send>
                    <endpoint>
                        <address uri="http://localhost:9000/services/SimpleStockQuoteService"/>
                    </endpoint>
                </send>
            </inSequence>
            <outSequence>
                <send/>
            </outSequence>
        </target>
        <publishWSDL uri="file:repository/conf/sample/resources/proxy/sample_proxy_1.wsdl"/>
        <enableSec/>
        <policy key="sec_policy"/>
    </proxy>
</definitions>

Objective

Demonstrates how to secure a proxy service using the WS-Security and WS-Policy standards.

Pre-requisites

  • Download and install the Java Cryptography Extension (JCE) unlimited strength policy files for your JDK
  • Deploy the SimpleStockQuoteService in the sample Axis2 server and start Axis2
  • Start Synapse using the configuration numbered 200 (repository/conf/sample/synapse_sample_200.xml)
    Unix/Linux: sh synapse.sh -sample 200
    Windows: synapse.bat -sample 200

Executing the Client

The proxy service expects to receive a signed and encrypted message, as specified by the security policy. See the Apache Rampart and Axis2 documentation for the format of the policy file. The 'enableSec' element specifies that Apache Rampart should be engaged on this proxy service. Hence, any request message that Rampart rejects because it does not conform to the specified policy never reaches the 'inSequence' to be processed. To execute the client, send a stock quote request to the proxy service, signing and encrypting the request by specifying the client-side security policy as follows:

ant stockquote -Dtrpurl=http://localhost:8280/services/StockQuoteProxy -Dpolicy=./../../repository/conf/sample/resources/policy/client_policy_3.xml

By following the debug logs or the TCPMon output, you can see that the request received by the proxy service is signed and encrypted. Also, looking up the WSDL of the proxy service by requesting the URL http://localhost:8280/services/StockQuoteProxy?wsdl reveals that the security policy is attached to the provided base WSDL. When the message is sent to the backend service, you can verify that the security headers have been removed. The response received from Axis2 does not use WS-Security, but the response forwarded back to the client is signed and encrypted, as the client expects.
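To make the TCPMon check above repeatable, here is an added example (not part of the Synapse sample, Rampart or Axis2) that reports which WS-Security features a captured SOAP envelope carries, so the client-to-proxy leg can be confirmed as signed and encrypted and the proxy-to-backend leg as stripped of its security header. The two envelopes at the bottom are constructed stand-ins for captured messages.

```python
# Added example (not part of the Synapse sample, Rampart or Axis2): report which
# WS-Security features a captured SOAP envelope carries, so the two legs of
# Sample 200 can be checked: client -> proxy (signed + encrypted) and
# proxy -> backend (security header removed). Namespaces are the WSS 1.0 ones.
import xml.etree.ElementTree as ET

SOAP_NS = ("http://schemas.xmlsoap.org/soap/envelope/",      # SOAP 1.1
           "http://www.w3.org/2003/05/soap-envelope")        # SOAP 1.2
WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
XENC = "{http://www.w3.org/2001/04/xmlenc#}"


def inspect_ws_security(envelope_xml: str) -> dict:
    """Return flags for security header, timestamp, signature and encryption."""
    root = ET.fromstring(envelope_xml)
    ns = next((n for n in SOAP_NS if root.tag == "{%s}Envelope" % n), None)
    if ns is None:
        raise ValueError("not a SOAP 1.1/1.2 envelope")
    header = root.find("{%s}Header" % ns)
    body = root.find("{%s}Body" % ns)
    sec = header.find(WSSE + "Security") if header is not None else None
    # Encryption shows up as EncryptedKey in the header and EncryptedData in the body.
    enc_key = sec is not None and sec.find(XENC + "EncryptedKey") is not None
    enc_body = body is not None and body.find(XENC + "EncryptedData") is not None
    return {
        "security_header": sec is not None,
        "timestamp": sec is not None and sec.find(WSU + "Timestamp") is not None,
        "signed": sec is not None and sec.find(DS + "Signature") is not None,
        "encrypted": bool(enc_key or enc_body),
    }


# Constructed envelopes standing in for the two legs seen in TCPMon.
CLIENT_TO_PROXY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <soapenv:Header><wsse:Security soapenv:mustUnderstand="1">
    <wsu:Timestamp><wsu:Created>2000-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>
    <xenc:EncryptedKey/><ds:Signature/>
  </wsse:Security></soapenv:Header>
  <soapenv:Body><xenc:EncryptedData/></soapenv:Body>
</soapenv:Envelope>"""
PROXY_TO_BACKEND = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header/>
  <soapenv:Body><getQuote xmlns="http://services.samples"><symbol>IBM</symbol></getQuote></soapenv:Body>
</soapenv:Envelope>"""
```

Paste a real envelope captured from TCPMon in place of either constant; a backend leg that still reports `security_header` True means the proxy is forwarding the client's WS-Security header instead of terminating it.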
