Chapter 29. Securing Web Services for Remote Portlets

There are two main ways to secure the communication between a producer and a consumer:
  1. Securing the Transport Layer. This requires using SSL and an HTTPS endpoint. With this option, the communication between the consumer and producer is encrypted.
  2. Securing the Contents of the SOAP message. This option requires using WS-Security to protect parts of the SOAP message. With this option you can specify things like encryption, signing, timestamps, etc., as well as pass user credentials across to perform a login on the producer side. WS-Security is more powerful and has more options, but requires more complex configuration.
Depending on requirements, an HTTPS endpoint and/or WS-Security can be used.

29.1. Web Services for Remote Portlets over SSL with HTTP endpoints

It is possible to use WSRP over SSL for a secure exchange of data. The portal does not come configured for HTTPS connectors, so the producer's server must be configured for it. This is a global configuration change, and will affect more than the portal and WSRP. See the Red Hat JBoss Enterprise Application Platform 6 Administration and Configuration Guide for instructions on configuring HTTPS connectors for the server.
Once the producer is configured for HTTPS connections, modify the URL for the WSRP endpoint on the consumer to point to the new HTTPS-based URL. This requires either manually updating the value in the WSRP administration application, or specifying it in the wsrp-consumers-config.xml configuration file before the server is first started.

29.1.1. Configuration For Enabling SSL With WSRP

The following procedures are provided as an example of configuring HTTPS/SSL with WSRP.

Warning

These examples do not represent best practice for configuring HTTPS with the platform, and do things that should not be done on a production server (such as using self-signed certificates). See the JBoss Enterprise Application Platform 6 product documentation for detailed, best-practice configuration guidelines.

29.1.2. Configuring the Producer to Use HTTPS

Configure the producer's server to use HTTPS. This is handled in the same manner that you would configure any JBoss Enterprise Application server for HTTPS.
  1. Generate the keystore for the producer by executing the following command.
    keytool -genkey -alias tomcat -keyalg RSA -keystore producerhttps.keystore -dname "cn=localhost" -keypass changeme -storepass changeme
  2. Configure the server to add an HTTPS connector. This requires modifying the standalone/configuration/standalone.xml file to add the https connector and its ssl element shown below (the surrounding elements are already present in the file):
    <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
        <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
        <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
            <ssl certificate-key-file="/path/to/producerhttps.keystore" password="changeme"/>
        </connector>
        <virtual-server name="default-host" enable-welcome-root="true">
            <alias name="localhost"/>
            <alias name="example.com"/>
        </virtual-server>
        ...
  3. Start the server and verify that https://localhost:8443/portal is accessible. Note that since you are using a self-signed certificate, your browser will warn that the certificate cannot be trusted.

    Note

    In this example we access the portal using 'localhost', which is why the keytool command uses "cn=localhost". If you access the producer under a different host name or domain, adjust the CN accordingly.

29.1.3. Configuring the Consumer to Access the WSRP Endpoint over HTTPS

  1. Export the producer's public key from the producer's keystore:
    keytool -export -alias tomcat -file producerkey.rsa -keystore producerhttps.keystore -storepass changeme
  2. Import the producer's public key into a new keystore for the consumer:
    keytool -import -alias tomcat -file producerkey.rsa -keystore consumerhttps.keystore -storepass changeme -noprompt
  3. Edit the bin/standalone.conf file and add the following line at the end of the file:
    JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/path/to/consumerhttps.keystore -Djavax.net.ssl.trustStorePassword=changeme"
  4. Start the consumer, change the selfv2 producer URL to https://localhost:8443/wsrp-producer/v2/MarkupService?wsdl, and verify that the consumer can access the producer.

Note

It is possible to modify the wsrp-consumers-config.xml configuration file to change the URL instead of modifying it in the administration GUI.
It is possible to use WSRP over SSL for secure exchange of data. Configure your server appropriately as described in the HTTPS Configuration section of the Installation Guide.
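The following checks cover the two places this procedure goes wrong in practice: the producer's web subsystem connector from 29.1.2, and the host name in the consumer's producer URL against the CN the keytool command was run with (the "cn=localhost" note). This is an added example, not code from the product or its documentation; the XML sample is constructed from the chapter's standalone.xml snippet.

```python
"""Check the producer's HTTPS connector and the consumer's endpoint URL against the
settings this chapter describes.  Added example, not part of the product; the XML
sample is constructed from the chapter's standalone.xml snippet."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = "{urn:jboss:domain:web:1.1}"  # namespace declared on the chapter's <subsystem>

# Constructed sample: the chapter's connector configuration, closed off so it parses.
SAMPLE_SUBSYSTEM = """<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
  <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl certificate-key-file="/path/to/producerhttps.keystore" password="changeme"/>
  </connector>
</subsystem>"""

def lint_web_subsystem(xml_text):
    """Return findings for the web subsystem.  'ERROR' entries stop WSRP from being
    served over SSL at all; 'WARN' entries are the caveats the chapter itself raises."""
    root = ET.fromstring(xml_text)
    connectors = list(root.iter(NS + "connector"))
    findings = []
    https = [c for c in connectors if c.get("scheme") == "https"]
    if not https:
        return ['ERROR: no connector with scheme="https"; endpoint cannot be served over SSL']
    for conn in https:
        name = conn.get("name", "?")
        if conn.get("secure") != "true":
            findings.append(f"ERROR: connector '{name}' has scheme=https but secure is not true")
        ssl = conn.find(NS + "ssl")
        if ssl is None:
            findings.append(f"ERROR: connector '{name}' has no <ssl> element, so no keystore")
            continue
        if not ssl.get("certificate-key-file"):
            findings.append(f"ERROR: connector '{name}' <ssl> lacks certificate-key-file")
        if ssl.get("password") == "changeme":
            findings.append(f"WARN: connector '{name}' keeps the example keystore password")
    if any(c.get("scheme") == "http" for c in connectors):
        findings.append("WARN: plain http connector still enabled alongside https")
    return findings

def url_host_matches_cn(producer_url, cert_cn):
    """True when the host in the consumer's producer URL is the name the producer's
    certificate was issued for (the chapter's cn=localhost note).  A leading '*.' in
    the CN matches exactly one additional label."""
    host = (urlsplit(producer_url).hostname or "").lower()
    cn = cert_cn.lower()
    if cn.startswith("*."):
        return host.endswith(cn[1:]) and host.count(".") == cn.count(".")
    return host == cn
```

Run lint_web_subsystem over the <subsystem> element of your own standalone.xml; for the chapter's sample it reports only the two WARN items, both of which the Warning above already calls out as example-only settings.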

29.2. Web Services for Remote Portlets and Web Services Security

Portlets may present different data or options depending on the currently authenticated user. For remote portlets, this means the user credentials have to be propagated from the consumer to the producer in a safe and secure manner. The WSRP specification does not directly specify how this should be accomplished, but delegates this work to the existing WS-Security standards. The WS-Security standards can also be used to secure the SOAP message itself, for example by encrypting and signing the message.

Encryption is strongly recommended

Encrypt the credentials being sent between the consumer and producer, otherwise they will be sent in plain text and could easily be intercepted. Configure WS-Security to encrypt and sign the SOAP messages being sent, or secure the transport layer by using an HTTPS endpoint. Failure to encrypt either the SOAP message or the transport layer will result in the username and password being sent in plain text.

Web Container Compatibility

WSRP with WS-Security is only supported on the portal when running on JBoss Enterprise Application Platform 6.