Defining the Axis2 Security Configuration

While the necessary configuration will depend on which security features you choose to use, the overall set of activities will be similar regardless. On the client side you can define the security configuration via a client Axis2 descriptor file (axis2.xml), a Rampart policy file, or programmatically (deprecated). On the server side you can define the security configuration via the service descriptor file (services.xml) or via a Rampart policy embedded in the service WSDL.

The following examples show the client configuration in the context of a client Axis2 descriptor file and a Rampart policy file, and the server configuration in the context of the service descriptor file.

Client configuration:

Figure 1. Sample Client Descriptor Settings (Fragment)
<axisconfig name="AxisJava2.0">
  <module ref="rampart" />

   <parameter name="InflowSecurity">
     <action>
       <items>Signature Encrypt</items>
       <signaturePropFile>
         client-crypto.properties
       </signaturePropFile>
       <passwordCallbackClass>
         webservice.ClientPWCallback
       </passwordCallbackClass>
       <signatureKeyIdentifier>
         DirectReference
       </signatureKeyIdentifier>
     </action>
   </parameter>

   <parameter name="OutflowSecurity">
     <action>
       <items>Signature Encrypt</items>

       <encryptionUser>admin</encryptionUser>
       <user>tester</user>

       <passwordCallbackClass>
         webservice.ClientPWCallback
       </passwordCallbackClass>

       <signaturePropFile>
         client-crypto.properties
       </signaturePropFile>
       <signatureKeyIdentifier>
         DirectReference
       </signatureKeyIdentifier>

       <encryptionParts>
         {Element}{http://www.curamsoftware.com}Credentials
       </encryptionParts>

     </action>
   </parameter>
...

Server configuration:

Figure 2. Sample Server Security Settings (services.xml Fragment)
<serviceGroup>
  <service name="SignedAndEncrypted">

    ...

    <module ref="rampart" />

    <parameter name="InflowSecurity">
      <action>
        <items>Signature Encrypt</items>
        <passwordCallbackClass>
          webservice.ServerPWCallback
        </passwordCallbackClass>
        <encryptionUser>admin</encryptionUser>
        <user>tester</user>
        <signaturePropFile>
          server-crypto.properties
        </signaturePropFile>
        <signatureKeyIdentifier>
          DirectReference
        </signatureKeyIdentifier>
      </action>
    </parameter>

    <parameter name="OutflowSecurity">
      <action>
        <items>Signature Encrypt</items>
        <encryptionUser>admin</encryptionUser>
        <user>tester</user>
        <passwordCallbackClass>
          webservice.ServerPWCallback
        </passwordCallbackClass>
        <signaturePropFile>
          server-crypto.properties
        </signaturePropFile>
        <signatureKeyIdentifier>
          DirectReference
        </signatureKeyIdentifier>
      </action>
    </parameter>

    ...

  </service>
</serviceGroup>
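Both figures name a password callback class (webservice.ClientPWCallback on the client, webservice.ServerPWCallback on the server). The following is an added example of such a class, not code from the original page: it answers Rampart's request for the private-key password of the alias it is working with (the `<user>` alias when signing on the outflow side, the alias of the key needed to decrypt on the inflow side), reading the password from environment variables whose naming convention is an assumption, so that no password has to be written into the descriptor.

```java
package webservice;

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class ClientPWCallback implements CallbackHandler {

  public void handle(Callback[] callbacks)
      throws IOException, UnsupportedCallbackException {
    for (Callback cb : callbacks) {
      if (!(cb instanceof WSPasswordCallback)) {
        throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is supported");
      }
      WSPasswordCallback pwcb = (WSPasswordCallback) cb;
      // Rampart passes the keystore alias it needs a password for: the <user> alias
      // (e.g. "tester") when signing, the decryption key's alias when decrypting.
      String alias = pwcb.getIdentifier();
      switch (pwcb.getUsage()) {
        case WSPasswordCallback.SIGNATURE:
        case WSPasswordCallback.DECRYPT:
          pwcb.setPassword(fromEnvironment("WS_KEY_PASSWORD_" + alias.toUpperCase()));
          break;
        case WSPasswordCallback.USERNAME_TOKEN:
          pwcb.setPassword(fromEnvironment("WS_USER_PASSWORD_" + alias.toUpperCase()));
          break;
        default:
          throw new UnsupportedCallbackException(cb,
              "unsupported password usage " + pwcb.getUsage());
      }
    }
  }

  // Assumed convention: key passwords come from the environment so they do not have to
  // appear in axis2.xml, services.xml or the Rampart policy file.
  private static String fromEnvironment(String name) throws IOException {
    String value = System.getenv(name);
    if (value == null || value.length() == 0) {
      throw new IOException("no password configured in environment variable " + name);
    }
    return value;
  }
}
```

The same class, with the alias names of the server keystore, serves as webservice.ServerPWCallback for the services.xml configuration in Figure 2.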

All Rampart clients must specify a configuration context that, at a minimum, identifies the location of the Rampart module and any other modules. The following example illustrates this and includes a client Axis2 descriptor file. Later code examples will use this same structure, assuming it is located in the C:\Axis2\client directory.

Figure 3. Axis2 Client File System Structure
modules/
  addressing-1.3.mar
  rahas-1.5.mar
  rampart-1.5.mar
conf/
  client-axis2.xml
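As an added example that is not part of the original page, the following client creates that configuration context from the C:\Axis2\client layout above, engages the rampart module and attaches a Rampart policy file to the request; the service endpoint URL, the WS-Addressing action, the conf\policy.xml location and the request payload are assumptions.

```java
import java.io.FileInputStream;
import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.OMNamespace;
import org.apache.axiom.om.impl.builder.StAXOMBuilder;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.neethi.Policy;
import org.apache.neethi.PolicyEngine;
import org.apache.rampart.RampartMessageData;

public class SignedAndEncryptedClient {
  public static void main(String[] args) throws Exception {
    // Layout from Figure 3: modules/ and conf/client-axis2.xml under the client home
    String clientHome = "C:\\Axis2\\client";
    ConfigurationContext ctx =
        ConfigurationContextFactory.createConfigurationContextFromFileSystem(
            clientHome, clientHome + "\\conf\\client-axis2.xml");

    ServiceClient client = new ServiceClient(ctx, null);
    client.engageModule("addressing");   // addressing-1.3.mar from modules/
    client.engageModule("rampart");      // rampart-1.5.mar from modules/

    Options options = new Options();
    options.setTo(new EndpointReference(          // assumed service endpoint
        "http://localhost:8080/axis2/services/SignedAndEncrypted"));
    options.setAction("urn:echo");               // assumed WS-Addressing action

    // Load the Rampart policy (Figure 4 is a fragment of it; the path is an assumption)
    StAXOMBuilder builder = new StAXOMBuilder(
        new FileInputStream(clientHome + "\\conf\\policy.xml"));
    Policy policy = PolicyEngine.getPolicy(builder.getDocumentElement());
    options.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);
    client.setOptions(options);

    // Constructed request body; Credentials is the element Figure 1 names in encryptionParts
    OMFactory fac = OMAbstractFactory.getOMFactory();
    OMNamespace ns = fac.createOMNamespace("http://www.curamsoftware.com", "cs");
    OMElement payload = fac.createOMElement("Credentials", ns);
    payload.setText("constructed sample content");

    OMElement response = client.sendReceive(payload);
    System.out.println(response);
  }
}
```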

The equivalent specification to the parameters shown above, expressed via a Rampart policy file, would be as follows:

Figure 4. Sample Rampart Policy (policy.xml Fragment)

...
<ramp:RampartConfig
  xmlns:ramp="http://ws.apache.org/rampart/policy">
  <ramp:user>beantester</ramp:user>
  <ramp:encryptionUser>curam</ramp:encryptionUser>
  <ramp:passwordCallbackClass>
    webservice.ClientPWCallback
  </ramp:passwordCallbackClass>

  <ramp:signatureCrypto>
    <ramp:crypto
      provider="org.apache.ws.security.components.crypto.Merlin">
      <ramp:property
        name="org.apache.ws.security.crypto.merlin.keystore.type">
        JKS
      </ramp:property>
      <ramp:property
        name="org.apache.ws.security.crypto.merlin.file">
        client.keystore
      </ramp:property>
      <ramp:property
        name=
        "org.apache.ws.security.crypto.merlin.keystore.password">
        password
      </ramp:property>
    </ramp:crypto>
  </ramp:signatureCrypto>
  <ramp:encryptionCrypto>
    <ramp:crypto
      provider="org.apache.ws.security.components.crypto.Merlin">
      <ramp:property
        name="org.apache.ws.security.crypto.merlin.keystore.type">
        JKS
      </ramp:property>
      <ramp:property
        name="org.apache.ws.security.crypto.merlin.file">
        client.keystore
      </ramp:property>
      <ramp:property
        name=
        "org.apache.ws.security.crypto.merlin.keystore.password">
        password
      </ramp:property>
    </ramp:crypto>
  </ramp:encryptionCrypto>
</ramp:RampartConfig>
...