
Web services security: Encryption with Rampart


Some minor clarifications

Hello, Prabath!

First of all, thank you for your tutorial article!

I tried to follow all the steps exactly as described in your tutorial (the only difference being the value for the %AXIS2_HOME%).

I've encountered the following minor problems, which I'll enumerate here to make following the tutorial easier for somebody else. (I should also mention that I had never worked with the BouncyCastle JCE provider before.)

Places where more details should be useful:

1) From the provided link to the BouncyCastle site it's not very clear what exactly should be downloaded from there. There are 2 JCE provider jars per JDK version, but, as it's written there, the one with -ext- in the name should be ignored here (as it contains the proprietary algorithm IDEA). For Java 5, from what I've figured out, it should be the one with a name of the form bcprov-jdk15-%version%.jar (currently, the latest version is 1.40, so the file should be bcprov-jdk15-140.jar). This jar should be copied to both:

i) the %AXIS2_HOME%\lib ($AXIS2_HOME/lib) directory, and:

ii) somewhere in the runtime classpath, for example (maybe not the best example) in %JAVA_HOME%\jre\lib\ext\

Remark: it's not generally recommendable to put our jars in system-wide locations such as $JAVA_HOME/jre/lib/ext/ or $AXIS2_HOME/lib/, but given the nature of this library (a JCE provider), it deserves to be there (of course, only if we have write rights to the $JAVA_HOME directory).

2) The next thing to mention is that we have to add an entry in the java.security file (%JAVA_HOME%\jre\lib\security),

in the section "# List of providers and their preference orders (see above):", more precisely:

security.provider.N+1=org.bouncycastle.jce.provider.BouncyCastleProvider,

where N is the preference order of the last JCE provider mentioned there (by default, there are 6 in Java 5), so (in that case) we'll have to add the line:

security.provider.7=org.bouncycastle.jce.provider.BouncyCastleProvider

Not doing so will result in error messages like this:

org.apache.ws.security.WSSecurityException: WSHandler: Encryption: error during message processing org.apache.ws.security.WSSecurityException: An unsupported signature or encryption algorithm was used (unsupported key transport encryption algorithm: No such algorithm: http://www.w3.org/2001/04/xmlenc#rsa-1_5)

or, more detailed:

Exception in thread "main" org.apache.axis2.AxisFault: WSHandler: Encryption: error during message processing org.apache.ws.security.WSSecurityException: An unsupported signature or encryption algorithm was used (unsupported key transport encryption algorithm: No such algorithm: http://www.w3.org/2001/04/xmlenc#rsa-1_5)
    at org.apache.rampart.handler.WSDoAllSender.processMessage(WSDoAllSender.java:67)
    at org.apache.rampart.handler.WSDoAllHandler.invoke(WSDoAllHandler.java:72)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:317)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:264)
    at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:429)
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:401)
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:228)
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
    at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:548)
    at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:528)
    at org.apache.rampart.samples.sample05.Client.main(Client.java:45)
Caused by: org.apache.ws.security.WSSecurityException: WSHandler: Encryption: error during message processing org.apache.ws.security.WSSecurityException: An unsupported signature or encryption algorithm was used (unsupported key transport encryption algorithm: No such algorithm: http://www.w3.org/2001/04/xmlenc#rsa-1_5)
    at org.apache.ws.security.action.EncryptionAction.execute(EncryptionAction.java:65)
    at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:197)
    at org.apache.rampart.handler.WSDoAllSender.processBasic(WSDoAllSender.java:201)
    at org.apache.rampart.handler.WSDoAllSender.processMessage(WSDoAllSender.java:64)
    ... 10 more

3) We should overwrite the client Java keystore file [rampart-sample]\client\client.jks, which is already present in rampart-sample.zip, with the one built by us during the keystore setup (the tutorial path would be C:\keystores\client\client.jks).

Not doing so will result in error messages like this:

Exception in thread "main" org.apache.axis2.AxisFault: WSDoAllReceiver: security processing failed
    at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:512)
    at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:370)
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:416)
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:228)
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
    at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:548)
    at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:528)
    at org.apache.rampart.samples.sample05.Client.main(Client.java:45)

After those supplemental steps, everything should go smoothly, and we should see the result as:

<ns:echoResponse xmlns:ns="http://sample05.samples.rampart.apache.org"><ns:return>Hello world</ns:return></ns:echoResponse>

In conclusion, thanks again, Prabath, for your tutorial; it might help many of us who have to deal with WSS etc.

PS: Another suggestion might be to continue this tutorial with a .NET (or native Win32?) client that would consume such a secured service. It's a situation that is not very rarely encountered in practice -- Java EE on the server side, and .NET clients on the client side (and, who knows, maybe I can contribute myself to some parts of such a post).
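Added diagnostic for the two failure modes described in the comment above (this is an editor-added example, not code from the tutorial, the commenter, or the Rampart project): it prints the JCE providers in the preference order that java.security produced, reports whether BouncyCastle ("BC") is among them, tries to instantiate the RSA PKCS#1 v1.5 cipher that XML Encryption's rsa-1_5 key transport relies on, and lists the aliases in the keystore the client will use, so a stale client.jks is noticed before the first call. The class name, the keystore path/password arguments, and the assumption that the WSS4J release in use asks for either the standard transformation RSA/ECB/PKCS1Padding or the BC-specific RSA/NONE/PKCS1Padding from provider "BC" are mine; the exact name requested varies by WSS4J version.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Enumeration;
import javax.crypto.Cipher;

/** Editor-added setup check for the Rampart encryption sample; not part of the tutorial. */
public class RampartSetupCheck {

    /** Prints the providers in the order java.security registered them; true if BC is present. */
    static boolean bouncyCastleRegistered() {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println("security.provider." + (i + 1) + "=" + providers[i].getClass().getName());
        }
        return Security.getProvider("BC") != null;   // "BC" is BouncyCastleProvider's provider name
    }

    /** True if the transformation can be instantiated (from a named provider, or any if null). */
    static boolean cipherAvailable(String transformation, String providerName) {
        try {
            Cipher c = providerName == null ? Cipher.getInstance(transformation)
                                            : Cipher.getInstance(transformation, providerName);
            System.out.println(transformation + " served by provider " + c.getProvider().getName());
            return true;
        } catch (GeneralSecurityException e) {   // NoSuchAlgorithm / NoSuchPadding / NoSuchProvider
            System.out.println(transformation + " NOT available: " + e);
            return false;
        }
    }

    /** Loads the JKS and prints each alias with its entry type; returns the number of entries. */
    static int listKeystoreAliases(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(path);
        try { ks.load(in, password); } finally { in.close(); }
        int count = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); count++) {
            String alias = e.nextElement();
            System.out.println("alias " + alias + (ks.isKeyEntry(alias) ? " (private key)" : " (trusted cert)"));
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("BouncyCastle registered: " + bouncyCastleRegistered());
        cipherAvailable("RSA/ECB/PKCS1Padding", null);    // standard JCE name for rsa-1_5
        cipherAvailable("RSA/NONE/PKCS1Padding", "BC");   // BC-specific name some WSS4J versions request
        if (args.length == 2) {   // usage: java RampartSetupCheck C:\keystores\client\client.jks <password>
            System.out.println(listKeystoreAliases(args[0], args[1].toCharArray()) + " entries in " + args[0]);
        }
    }
}
```

Run it with the same JRE that runs the sample client: if the provider list printed here lacks org.bouncycastle.jce.provider.BouncyCastleProvider, the java.security edit from point 2) was made in a different JRE than the one on the path.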
