Sunday, September 21, 2008

Configuring CXF for Web Service Security using WSS4J

In case you directly want to see samples, you can go to Examples of WS-Security.....
You can read to below to understand bits, assuming you have a sample WS application using CXF. To secure that WS application you need to do following,

Create KeyStores and TrustStores
OpenSSL and Java SE 6 keytool creates X509v3 certificates, whereas Java SE 5 or earlier keytool creates X509v1 certificate. If you already have keystores and truststores and you are not sure about version of them, you can verify the version of your X509 certificate using this blog entry I blogged sometime back. Lets create new keystores and truststores with new X509 private and public key pair.
a) Creating Client Public and Private Key in Client keystore and Server Public and Private key in Server Keystore
keytool -genkey -alias clientX509v1 -keypass keypassword -storetype jks -storepass storepassword -validity 3650 -keyAlg RSA -keystore client-keystore.jks
keytool -genkey -alias serverX509v1 -keypass keypassword -storetype jks -storepass storepassword -validity 3650 -keyAlg RSA -keystore server-keystore.jks
b) Exporting clients public key to an external file and servers public key to an external file
keytool -export -alias clientX509v1 -file client-certfile.csr -keystore client-keystore.jks -storepass storepassword -keyAlg RSA
keytool -export -alias serverX509v1 -file server-certfile.csr -keystore server-keystore.jks -storepass storepassword -keyAlg RSA
c) Import the clients public certificate from the external file to server trust store and servers public certificate to the client trust store
keytool -import -noprompt -alias clientX509v1 -file client-certfile.csr -storepass storepassword -keystore server-truststore.jks -storetype JKS
keytool -import -noprompt -alias serverX509v1 -file server-certfile.csr -storepass storepassword -keystore client-truststore.jks -storetype JKS
Now we have required keystores and truststores with X509V1 certificates.

Configure CXF Bus:
Now we need to configure In and Out configuration of the server and client on CXF using spring. WSS4J provides security implementation for CXF, for security to be applied on XML content, CXF required SAAJ Interceptor which creates the SOAP document over which WSS4J works.

On Client

<bean class="org.apache.cxf.feature.LoggingFeature"/>

<bean class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor"/>
<ref bean="TimestampSignEncrypt_Request"/>

<ref bean="TimestampSignEncrypt_Response"/>
<bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/>


On Server


<bean class="org.apache.cxf.feature.LoggingFeature"/>

<bean class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor"/>
<ref bean="TimestampSignEncrypt_Response"/>

<ref bean="TimestampSignEncrypt_Request"/>
<bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/>


Above is the CXF Bus configuration on server and client to configure WSS4J, Log an SAAJ interceptors for both in and out configuration.

Provide Security Configuration
Now, we need to write Security configurations on server and client for in and out interceptors.
In this example, I have written all commonly used Actions; using Timestamp, Encrypting method argument, and sigining Timestamp and/or body. The order in which they are written is the order in which these actions are performed. Also, we need to configure user (signature) and encryption user accordingly on server and client. Also, crypto configurations needs to pass about keystore and truststore related information; by signaturePropFile and encryptionPropFile properties.

Below is the security related server side configuration configured in WSS4JInInterceptor and WSS4JOutInterceptor

For Server side outgoing response to Client

<bean class="" id="TimestampSignEncrypt_Response">

<entry key="action" value="Timestamp Signature Encrypt"/>
<entry key="user" value="service"/>
<entry key="signaturePropFile"
<entry key="encryptionPropFile"
<!--entry key="signatureKeyIdentifier" value="DirectReference"/-->
<!--entry key="encryptionKeyIdentifier" value="IssuerSerial" /-->
<entry key="passwordCallbackClass"
<entry key="signatureParts"
<entry key="encryptionParts"
<!--entry key="encryptionKeyTransportAlgorithm"
<!--entry key="encryptionSymAlgorithm"


For Server side incoming request from client

<bean class="" id="TimestampSignEncrypt_Request">

<entry key="action" value="Timestamp Signature Encrypt"/>
<entry key="signaturePropFile" value=""/>
<entry key="decryptionPropFile" value=""/>
<entry key="passwordCallbackClass"


Below is the client side security related configuration configured in WSS4JInInterceptor and WSS4JOutInterceptor

For Client side outgoing request to Server

<bean class="" id="TimestampSignEncrypt_Request">

<entry key="action" value="Timestamp Signature Encrypt"/>
<entry key="user" value="client"/>
<entry key="encryptionUser" value="service"/>
<entry key="signatureKeyIdentifier" value="DirectReference"/>
<entry key="signaturePropFile" value=""/>
<entry key="encryptionPropFile" value=""/>
<entry key="encryptionKeyIdentifier" value="IssuerSerial" />
<entry key="passwordCallbackClass"
<entry key="signatureParts"
<entry key="encryptionParts"
<!--entry key="encryptionKeyTransportAlgorithm"
<!--entry key="encryptionSymAlgorithm"


For Client Side Incoming Response from Server:

<bean class=""

<entry key="action" value="Timestamp Signature Encrypt"/>
<entry key="signaturePropFile" value=""/>

<entry key="decryptionPropFile" value=""/>
<entry key="passwordCallbackClass"


Contents of crypto configuration files:
You require to give information about the keystore or truststore containing X509 private or public key, keystore password and alias name for the public-private key pair.

For encryption , you require to configure public key of the receiver, hence client/server truststore contains public certificate of server/client alias which is serverx509v1/clientx509v1 respectively.

For Signature, you require to use the private key stored in client/server keystore and hence alias clientx509v1/serverx509v1 respectively.

Install Bouncy Castle Security Provider
Just check the lib folder of CXF binary distribution as in CXF 2.2 onwards, CXF is having bouncy castle jar, hence no requirement to download this jar if your CXF distribution already have one.

(or else) Download the latest Bouncy Castle provider (bcprov-jdkXX-xxx.jar) for your JDK, then put it in JAVA_HOME/jre/lib/ext.Edit JAVA_HOME/jre/lib/security/ Find the list of security providers:Add the Bouncy Castle provider to the list as,
security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider {assuming 9 entries are there}

Install JCE Unlimited Strength Jurisdiction Policy Files
Due to import control restrictions for some countries, the Java CryptographyExtension (JCE) policy files shipped with the J2SE DevelopmentKit and the J2SE Runtime Environment allow strong but limited cryptography to be used. These files are located at
An unlimited strength version of these files indicating no restrictions on cryptographic strengths is available on the JDK web site for those living in eligible countries.
Unlimited strength Jurisdiction Policy Files may be downloaded from the JavaSoft's web site.Here is the web address:
(At the end of the page under "Other Downloads" section).
Open the readme.txt and follow the instructions:Basically replace two existing jar for the two new ones((US_export_policy.jar and local_policy.jar )

Run your example by passing configuration files we just made

CXF can discover XML configuration files which you have written. For both web service clients and servers, the default location that CXF will look for a configuration for is "/cxf.xml" on the class path.Pass your server and client config files to the Java call to the server and client class as argument
If you wish to override this location, you can specify a command line property: -Dcxf.config.file=some_other_config.xml. This custom configuration file is also expected to be on the class path.
To use a url as the configuration location, specify as follows: -Dcxf.config.file.url=config_file_url

You may get an exception like below:

Caused by: exception decrypting data - dKeyException: Illegal key size at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.cryptData(Unknown Sou rce) at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.engineLoad(Unknown So urce) at at ... 38 more

Don't worry, you just require to put in unlimited strength JCE files in your jdk/jre. Read and follow steps in #Install JCE Unlimited Strength Jurisdiction Policy Files header just above. They will get resolved once you follow steps.

You may get Cannot recover key - It happens when your storepassword and keypassword are different. Though I think that is a valid case, but as a workaround you can make both passwords the same. Generate the keystores once again, export the certificates and import them into truststore once again. All commands except below two remains the same.

keytool -genkey -alias clientX509v1 -keypass storepassword -storetype jks -storepass storepassword -validity 3650 -keyAlg RSA -keystore client-keystore.jks
keytool -genkey -alias serverX509v1 -keypass storepassword -storetype jks -storepass storepassword -validity 3650 -keyAlg RSA -keystore server-keystore.jks

I hope now you would have seen secured in and out SOAP messages from client and server. :)
Do please let me know if you face some errors, exceptions and also your comments.

Wednesday, May 28, 2008

XML Schema Validation and importing different encoding schema

Following is a simple code which shows importing an different encoding xml schema into a different encoding xml schema. In the following example Book.xsd imports Age.xsd which has UTF-16 encoding. Following example also shows XML Schema Validation
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.SAXException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXParseException;
import javax.xml.parsers.ParserConfigurationException;
public class XMLValidationSample {
public static void main(String args[]) {
String book = "Book.xsd", first = "first.xsd", last = "last.xsd", age = "age.xsd";
String[] schemas = {book, first, last, age};
SAXParserFactory factory = SAXParserFactory.newInstance();
factory.setNamespaceAware( true);
factory.setValidating( true);
SAXParser parser = factory.newSAXParser();
parser.setProperty( "",
parser.setProperty( "",
XMLReader reader = parser.getXMLReader();
reader.parse( new InputSource( "Book.xml"));
}catch (SAXException e) {
Exception x = e.getException ();
((x == null) ? e : x).printStackTrace (); }
catch (IOException e) {
e.printStackTrace (); }
catch(ParserConfigurationException e){
e.printStackTrace (); }

<?xml version="1.0" encoding="UTF-8"?>
<my:book xmlns:my="" xmlns:xsi="" xsi:schemaLocation= " Book.xsd">






<?xml version="1.0" encoding="UTF-8" ?>
<xsd:schema xmlns:xsd="" targetNamespace="" xmlns="" xmlns:f="" xmlns:l="" xmlns:a="" elementFormDefault="unqualified">
<xsd:import namespace="" schemaLocation="first.xsd"/>

<xsd:import namespace="" schemaLocation="last.xsd"/>
<xsd:import namespace="" schemaLocation="age.xsd"/>
<xsd:element name="book">
<xsd:element name="person" type="persontype" maxOccurs="unbounded"/> </xsd:sequence>
<xsd:complexType name="persontype">
<xsd:element name="firstd" type="f:firstType"/>
<xsd:element name="lastd" type="l:lastType"/>
<xsd:element name="aged" type="a:ageType"/>


<?xml version="1.0" encoding="UTF-8" ?>
<xsd:schema xmlns:xsd="" targetNamespace="" xmlns="" elementFormDefault="unqualified">
<xsd:complexType name="firstType">
<xsd:element name ="first" type="xsd:string"/>


<?xml version="1.0" encoding="UTF-8" ?>
<xsd:schema xmlns:xsd="" targetNamespace="" xmlns="" elementFormDefault="unqualified">
<xsd:complexType name="lastType">
<xsd:element name ="last" type="xsd:string"/>


<?xml version="1.0" encoding="UTF-16" ?>
<xsd:schema xmlns:xsd="" targetNamespace="" xmlns="" elementFormDefault="unqualified">
<xsd:complexType name="ageType">
<xsd:element name ="age" type="xsd:string"/>

Wednesday, March 19, 2008

how to find out the version of X.509 certificate? (v1, v2 or v3)

At times, we require to find out the version of given X.509 certificate, whether it is v1, v2 or v3 type certificate. A key differentiator between version v1 and v3 is that v3 certificate have extensions, which v1 doesn't have. But, at times, it's difficult to know whether any extensions are there or not, or if information like Email Address are there, can you consider them as extension or not?

OpenSSL and Java SE 6 utility tool 'keytool' [1] from Sun Microsystem creates X509v3 certificates, whereas Java SE 5 or earlier keytool creates X509v1 certificate. Keytool can import and export v1, v2 and v3 certificates from keystores.

If you don't remember, or else you received certificates from some other source, then you can figure out using following,
Programming Approach: Use X509Certificate[2] interface to get access to extensions and version number.
try { // Load the keystore
File file = new File("mykeystore.jks");
FileInputStream is = new FileInputStream(file);
KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
// List the aliases
Enumeration enum = keystore.aliases();
for (; enum.hasMoreElements(); ) {
String alias = (String)enum.nextElement(); cert = keystore.getCertificate(alias);
if (cert instanceof X509Certificate) {
X509Certificate x509cert = (X509Certificate)cert;
// Get Version no {X509CertInfo class gives version num starting from zero, hence if you get '2', it 's actually X.509 v3 certificate}
// Get subject
Principal principal = x509cert.getSubjectDN();
String subjectDn = principal.getName();
// Get issuer
principal = x509cert.getIssuerDN();
String issuerDn = principal.getName();
} catch ( e) {
} catch (NoSuchAlgorithmException e) {
} catch (FileNotFoundException e) { // Keystore does not exist
} catch (KeyStoreException e) {
} catch (IOException e) {

Use OpenSSL: Download and install OpenSSL [3] pre built binaries for Windows.

  • Export the certificate to .CER format from the keytool -export command: keytool -export -alias myalias -file MYCERT.cer -keystore mykeystore -storepass mystorepassword
  • Convert CER format to PEM format using openssl command: x509 -inform der -in MYCERT.cer -out MYCERT.pem
  • Check the version using openssl command: x509 -in MYCERT.pem -inform PEM -text
You can see following information along with Validity, Subject, Subject Public Key Info and Certificate:
Version: 1 or 2 or 3
Serial Number: .....
Signature Algorithm: .....

Till now, you must have figured out what's the version of the X.509 certificate you are using. :)
