Sample Code

Configuring the .NET Web Service

The first task is to set up the .NET Web service. Taking our stock-trading theme from previous chapters forward, this Web service will return a recommendation for the top stock of the day. To ensure that this information is accessed only by authenticated clients, the Web service will be protected by using WS-Security.

The Web service itself can be found in the C:\Interoperability\Samples\Advanced\WS-Security\Auth\dotNET\WebService directory. Navigate to this directory and build the sample code using the provided NAnt script by entering nant at the command prompt. As with the previous .NET Web service samples shown in this book, we need to create a virtual directory to host this Web service.

To do this, launch IIS from the Start\Program Files\Administrative Tools program group . Expand through to the Default Web Site option, right-click, and select New\Virtual Directory. For the virtual directory alias, type dotNETAuthWebService , as shown in Figure 13.4.

Figure 13.4: Creating the .NET WS-Security Authentication virtual directory.

Although this can be changed later, this exact name is important for the WS-Security authentication sample to run correctly. Click the Next button, and set the directory to C:\Interoperability\Samples\Advanced\WS-Security\Auth\dotNET\WebService , as shown in Figure 13.5.

Figure 13.5: Setting the path for the virtual directory.

Click the Next button, and accept the defaults for the remaining pages to complete the wizard. The secure .NET Web service is now set up. We can verify this by browsing to http://localhost/dotNETAuthWebService/StockService.asmx . If the Web service has been successfully deployed, the operations screen, as shown in Figure 13.6, will be displayed.

Figure 13.6: Validating the secure purchase recommendation operation.

As you can see, the StockService exposes a single method named GetSecurePurchaseRecommendation . Although we can see this method by using this interface, we cannot call it from the browser. If you try this, an exception will be thrown indicating that only SOAP requests are allowed to make such calls.

 System.ApplicationException: Only SOAP requests are permitted. 

If you get a Web page indicating that the page cannot be displayed (HTTP 500 ”Internal Server error) in Microsoft Internet Explorer, ensure that the Show Friendly HTTP Error Messages setting is disabled in the options within the browser itself, as shown in Figure 13.7.

Figure 13.7: Disabling the Show Friendly HTTP Error Messages setting in Internet Explorer.

The .NET Web service is now configured. Using GLUE, we will now configure the equivalent Web service in Java.

Configuring the Java Web Service

The Java Web service can be found in the C:\Interoperability\Samples\Advanced\WS-Security\Auth\Java\WebService directory. As with previous examples, publishing the Web service itself is performed by using the Ant script in this directory to build and run the sample. To do this, type start ant run at a command prompt in this directory.

Once published, the WSDL of the Web service is available at http://localhost:8004/JavaWSSWebService/StockService.wsdl . As can be seen in the WSDL document, the Web service exposes a method named GetSecureSaleRecommendation , the opposite of the one exposed by the .NET Web service.

Setting Up Certificates

The two Web services required for the sample are now set up. Before we can build and run the clients that are going to call these Web services, we must first create some X.509 certificates.

 makecert n "CN=Simon Guest, OU=Authors, O=Microsoft Press,  L=Redmond, ST=WA, C=US" ss my dotNETClient.cer 

 keytool keystore keystore.db genkey alias JavaClient keyalg rsa 

 Enter keystore password:  StrongPassword 

 What is your first and last name?   [Unknown]:  Simon Guest What is the name of your organizational unit?   [Unknown]:  Authors What is the name of your organization?   [Unknown]:  Microsoft Press What is the name of your City or Locality?   [Unknown]:  Redmond What is the name of your State or Province?   [Unknown]:  WA What is the two-letter country code for this unit? [Unknown]:  US 

 Is CN=Simon Guest, OU=Authors, O=Microsoft Press, L=Redmond, ST=WA, C=US correct?   [no]:  yes  Enter key password for <JavaClient>         (RETURN if same as keystore password): 

Running the .NET Client

Now that we have the two Web services configured and have created suitable X.509 test certificates, let's build and run the client code in the C:\Interoperability\Samples\Advanced\WS-Security\Auth\dotNET\Client directory. The first thing that the client requires is a certificate to use to sign the request. This is selected through a simple dialog box, shown in Figure 13.8, that lists all personal certificates in the Windows key store.

Figure 13.8: Selecting a certificate to sign the Web services request.

Select the certificate that was created in the previous section. Use the View Certificate option to verify the details of the certificate. Click OK to continue. The client will now display the details for the selected certificate (your details will vary depending on what you entered during the certificate creation earlier):

 Key Name : C=US, S=WA, L=Redmond, O=Microsoft Press, OU=Authors, CN=Simon Guest Key ID of Certificate selected : zVEz4a8D/vVPjnlOYCSPm1p+O8w= 

Using this certificate, the client now makes a request to both the .NET (WSE) and Java (GLUE) Web services, signing the requests as appropriate. The .NET (WSE) Web service returns a recommended stock:

 Calling the WSE Service... Secure stock recommendation from the WSE Service: Ticker: ASKI Name: Alpine Ski Price: 32.45 Previous: 32.09 Volume: 45 

The Java (GLUE) Web service returns a similar result:

 Calling the GLUE Service... Secure stock recommendation from the GLUE Service: Ticker: TRRE Name: Trey Research Price: 9.35 Previous: 9.48 Volume: 93 

Running the Java Client

The Java client makes the same authenticated calls to the .NET and Java Web services and works in much the same way. The client, located in the C:\Interoperability\Samples\Advanced\WS-Security\Auth\Java\Client directory, produces the following output after it is built and run:

 Calling the WSE Service... Secure stock recommendation from the WSE Service: Ticker: ASKI Name: Alpine Ski Price: 32.45 Previous: 32.09 Volume: 45 Calling the GLUE Service... Secure stock recommendation from the GLUE Service: Ticker: TRRE Name: Trey Research Price: 9.35 Previous: 9.48 Volume: 93 

Tracing the Output

So far we have seen how both the .NET and Java client can use WS-Security to make an authenticated call to either a .NET or Java Web service. On the surface, however, this isn't apparent because when simply running the examples, the calls to the two services look like any other calls. With the exception of the calls being prompted for a certificate in the .NET client sample, there is little to indicate that these calls are being authenticated.

To prove that they are, we can check under the covers of the two client calls and observe the request and responses in their native SOAP format. One of the easiest ways to see the underlying call is to enable logging on the Java client. To do this, edit the Client.java file in the C:\Interoperability\Samples\Advanced\WS-Security\Auth\Java\Client directory and uncomment the following line:

 electric.util.log.Log.startLogging("SOAP"); 

Rebuild and run the Java client. What you should now observe is that the SOAP messages sent to and from the Java client are now logged to the console.

The important element to observe in the call is the binary token itself. This is sent as part of the < wsse:Security > SOAP header:

 <wsse:Security      xmlns:wsse='http://schemas.xmlsoap.org/ws/2002/07/secext'>     <wsse:BinarySecurityToken ValueType='wsse:X509v3'          EncodingType='wsse:Base64Binary'          xmlns:wsu='http://schemas.xmlsoap.org/ws/2002/07/utility'          wsu:Id='electric-id-8575EC20-4536-59E5-2E49-41E5030EC2E6'> MIICTjCCAbcCBD6uq/owDQYJKoZIhvcNAQEEBQAwbjELMAkGA1UEBhMCVVMxCzAJBgNVB AgTAldBMRAwDgYDVQQHEwdSZWRtb25kMRgwFgYDVQQKEw9NaWNyb3NvZnQgUHJlc3MxED AOBgNVBAsTB0F1dGhvcnMxFDASBgNVBAMTC1NpbW9uIEd1ZXN0MB4XDTAzMDQyOTE2NDQ 0MloXDTAzMDcyODE2NDQ0MlowbjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYD VQQHEwdSZWRtb25kMRgwFgYDVQQKEw9NaWNyb3NvZnQgUHJlc3MxEDAOBgNVBAsTB0F1d GhvcnMxFDASBgNVBAMTC1NpbW9uIEd1ZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ KBgQChuZXZYPS+kVPsMc5Nl0x2TLrzede/ANP7KajAGC/lpYwRmaaBlzwQH1qC2wySi2g taQ9af781FsQjvjFPeTeUBfyDrUG93HLwr3NL/mEXt9YnlYJW6HcqkM1OpG8kgQm+4Bv9 K5PrZF/FI43Hnq02/re983HgGsUcC46P3QVceQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBA HV4frsL6n5CC3a9X1Wlbp7IgMskFYMuIsGAaPkQd6nGQYoLy+IuHuXdoewi4ujB1stVvH rnwPTr3gc1oNGtw6Pt2wg6M6sFJQte0NfKt5ZCKNyP85ORaIrzaRFDHgeOtmzsdJbQuPU +7C0ECKBKReEd6ZL0hFEv3aKcMu5imZRR </wsse:BinarySecurityToken> 

This is the binary representation of the public portion of the certificate itself (note that your version might differ from this). The actual signature of the Web service request comes slightly after this, in an element named < SignatureValue >:

 <ds:SignatureValue> YV9N+XtUJ4qRZseqK84KOSbiTotJqjtETXh7XOOadOzUk9Jl+WIPhUCKdTGPrlkdKr8jY XfXhyrn0CTAKw1Dz46ARJ2OdT/8TriW6yB3uduPPwtRK+LK6i1gKEOMGCC/bzfy33Kxiv rVDgMq4dVSWnDqivP0ZaILAKe2gZ04weE= </ds:SignatureValue> 

This element is a hashed value of the request itself, signed by the private key of the certificate. To compute whether the signature is valid, the service will use the public key to decrypt the hash value of the request, recalculate what should have been the hash value of the request, and compare the two. If they are the same, the signature and contents within are deemed valid.

In the response portion of the SOAP output, notice how the response does not contain any authentication ”we could certainly do this by applying the same principles and mechanisms for the Web service itself. Notice also that the data returned back to the client is sent in as clear text:

 <soap:Body      soap:encodingStyle='http://schemas.xmlsoap.org/soap/encoding/'     xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'>     <n:GetSecureSaleRecommendationResponse xmlns:n='x'>         <Result>             <Ticker>TRRE</Ticker>             <Name>Trey Research</Name>             <Price>9.35</Price>             <Previous>9.48</Previous>             <Volume>93</Volume>         </Result>     </n:GetSecureSaleRecommendationResponse> </soap:Body> 

As we've seen in these message outputs, signing the message does not perform any encryption of the message data itself ”it just acts as a mechanism to prove the details of the sender, which prevents spoofing. Both the request for data and the response are sent in plain XML. To ensure the privacy of this data, we need to use WS-Security to encrypt the message, a process we'll be looking at in the second half of this chapter.

Proving the Sample

We've seen in the previous section the type of SOAP headers that are created when using WS-Security on the client, but with this authentication example, how do we prove that the Web services cannot be called without the correct authentication mechanism? The easiest way to do this is to edit one of the clients and comment out the code that applies the WS-Security context. If we take the .NET client, for example, we can see how this is performed.

Navigate to the C:\Interoperability\Samples\Advanced\WS-Security\Auth\dotNET\Client directory, and edit the Client.cs file. Comment out the following lines in code:

 wpReqContext.Security.Tokens.Add(token); wpReqContext.Security.Elements.Add(new Signature(token)); 

Save the file, rebuild the sample, and rerun. Upon rerunning the sample, you will still get prompted for the X.509 certificate to use to sign the Web service request. Because these certificate details are not being added to the request (which is the result of them being commented out), you will see the following:

 Calling the WSE Service... Unhandled Exception: System.Web.Services.Protocols.SoapException: System.Web.Services.Protocols.SoapExceptio n:  The security information supplied was not valid.     at dotNETAuthWebService.StockService.         GetSecurePurchaseRecommendation()     at System.Web.Services.Protocols.SoapHttpClientProtocol.         ReadResponse(SoapClientMessage message, WebResponse response,             Stream responseStream, Boolean asyncCall)     at System.Web.Services.Protocols.SoapHttpClientProtocol.         Invoke(String methodName, Object[] parameters)     at WSEWebService.StockService.GetSecurePurchaseRecommendation()     at Client.Client.Main(String[] args) 

The preceding request was generated by the Web service itself. The Web service was expecting an authenticated request and instead received one that had not been signed. Logic within the Web service detected this, and the exception was thrown. This result can also be validated against the Java Web service by commenting out the relevant lines in the Java client.

How the Samples Work

The samples contain three key elements: the Web services containing the required configuration to allow WS-Security “style messages, the client files that contain the code for deciding which certificate to use, and the proxy files (which require some modification from their original state).

First, let's take a look at the .NET Web service. This can be found in the C:\Interoperability\Samples\Advanced\WS-Security\Auth\dotNET\WebService directory. The StockService.asmx.cs class file shows the WebMethod attribute for GetSecurePurchaseRecommendation :

 [WebMethod] public Stock GetSecurePurchaseRecommendation() {     SoapContext requestContext = HttpSoapContext.RequestContext;     if (requestContext == null)         throw new ApplicationException("Only SOAP requests are permitted.");     if (!IsValid(requestContext))         {             throw new SoapException("The security information supplied was not valid.",                 new System.Xml.XmlQualifiedName("Bad.Security",                  "http://www.microsoft.com/interoperability/"                 +"dotNETWSSWebService"));         }     return Recommendations.Recommendation; } 

Notice how the Web method first checks for a valid SoapContext (a class from the WSE libraries) before returning the recommendation. Although this is in code within this method, you could also imagine how this could be applied to an HttpModule (a class that intercepts incoming HTTP calls) such that it applies to all methods or a group of methods.

The IsValid method within the Web service uses the SoapContext to check for a valid signature. At this point, we allow any calls to come through that have been signed by a valid X.509 certificate:

 if (x509token != null) {     valid = true; } 

The Java Web service works in a slightly different way, but it follows the same principles. Just before the Web service is hosted, a new context is created to hold the WS-Security information. This context can be found in Server.java, located in the C:\Interoperability\Samples\Advanced\WS-Security\Auth\Java\WebService directory.

 WSSContext wss = new WSSContext(); ProxyContext proxyContext = new ProxyContext(); proxyContext.setWSSContext(wss); 

The WSSContext is configured by adding a new authenticator and signature guard.

 WSSSignature signatureSpec      = new WSSSignature(new ElementReference("/soap:Envelope/soap:Body")); wss.in.addAuthenticator(new X509NullAuthenticator()); wss.in.addGuard(new SignatureGuard(signatureSpec)); 

Notice how for the authenticator, an X509NullAuthenticator is used. This usage has an effect similar to the IsValid method in the .NET Web service in that this authenticator will allow any valid certificate to pass through. This approach is useful for demonstration purposes, but in production, the X509Authenticator class should be used. The X509Authenticator class relies on a preconfigured set of certificates that already exists in the key store. If an incoming request is signed by a certificate that is not in the key store, it is ultimately rejected.

Finally, the Web service is registered with the publish method.

 Registry.publish("StockService", new StockService(), proxyContext); 

This sample code sets up the Web services for both the .NET and Java Web service.

The client code follows a similar path, with additional instructions wrapping the existing calls to the Web services. First, references to the proxy files are created and two SoapContext objects are derived from each individual proxy. For the .NET client (Client.cs in the C:\Interoperability\Samples\Advanced\WS-Security\Auth\dotNET\Client directory), the code looks as follows:

 WSEWebService.StockService wp = new WSEWebService.StockService(); GLUEWebService.StockService gp = new GLUEWebService.StockService(); SoapContext wpReqContext = wp.RequestSoapContext; SoapContext gpReqContext = gp.RequestSoapContext; 

As the RequestSoapContext method is not normally exposed by a Web service proxy, we'll look shortly at the additional steps to create this in the proxy file.

The next step is to ask the user for a certificate. We do this by using the same function as shown in the WSE 1.0 Quickstart samples (which were included as part of the WSE installation earlier). Given the ID of a certificate, we could have also used the following code instead:

 X509SecurityToken token = GetSecurityToken(""); if (token == null)     throw new ApplicationException("No key provided for signature."); 

The GetSecurityToken method displays a small Windows Form that displays the list of certificates available in the Windows key store for the current user. When a certificate is selected, it's returned to the client as an X509SecurityToken .

The next step is to add this token to the Tokens and Elements class within the Security component of the SoapContext object. Doing this will both add the X.509 certificate details and cause the signature to be created that we observed earlier in the SOAP output. This is done for the call to both the .NET and Java Web services.

 wpReqContext.Security.Tokens.Add(token); wpReqContext.Security.Elements.Add(new Signature(token));    gpReqContext.Security.Tokens.Add(token); gpReqContext.Security.Elements.Add(new Signature(token)); 

Finally, the calls to the two Web services are made ”to the .NET Web service to get the recommendation for purchase, and to the Java Web service to get the recommendation for sale.

 WSEWebService.Stock stock = wp.GetSecurePurchaseRecommendation(); . . . GLUEWebService.Stock stock2 = gp.GetSecureSaleRecommendation(); 

As these clients are dealing with separate namespaces, we are using the Stock type from each (although technically, they relate to the same type).

Not surprisingly, the Java client works in a similar fashion, but it uses the appropriate calls from the GLUE libraries. The client (Client.java, which can be found in the C:\Interoperability\Samples\Advanced\WS-Security\Auth\Java\Client directory) starts by defining the URLs for both the .NET and Java Web services.

 String wseURL      = "http://localhost/dotNETWSSWebService/StockService.asmx?WSDL"; String glueURL      = "http://localhost:8004/JavaWSSWebService/StockService.wsdl"; 

In previous examples, we have used a helper class to bind to the Web service. In this client, however, we need to create a context that holds the WS- Security information. As this context is not supported by any helper methods, we'll perform the binding in the client itself. In a production system, you could imagine how we could also use the agent-service pattern that was first shown in Chapter 6 to abstract these types of calls to a different class.

After the context has been created, the certificate used to sign the requests is loaded from the key store. Unlike with the .NET client, we have chosen to hard-code the location of the key store in the client source itself. The aliases and passwords used in this code to access the key store should equate to the ones used when the store was created.

 ProxyContext proxyContext = new ProxyContext(); KeyStore keyStore = loadKeyStore("..\..\..\Certs\keystore.db",     "StrongPassword"); PrivateKey privateKey = (PrivateKey) keyStore.getKey("JavaClient",     "StrongPassword".toCharArray()); X509Certificate cert      = (X509Certificate) keyStore.getCertificate("JavaClient"); 

After the certificate has been loaded, the signature is created and added to the ProxyContext .

 WSSContext wss = new WSSContext(); proxyContext.setWSSContext(wss); WSSSignature signatureSpec = new WSSSignature(new ElementReference("soap:Envelope/soap:Body")); signatureSpec.setCertificate(cert); signatureSpec.setPrivateKey(privateKey); wss.out.addSignature(signatureSpec); 

Notice how in this code the setCertificate and addSignature methods correspond with Tokens.Add and Elements.Add in the .NET sample.

Finally, the binding for each Web service is created, and the relevant stock-recommendation call is made.

 WSEWebService.IStockServiceSoap wseService      = (WSEWebService.IStockServiceSoap)Registry.bind(wseURL,          WSEWebService.IStockServiceSoap.class,proxyContext); GLUEWebService.IStockService glueService      = (GLUEWebService.IStockService)Registry.bind(glueURL,         GLUEWebService.IStockService.class,proxyContext); WSEWebService.Stock stock      = wseService.GetSecurePurchaseRecommendation(); GLUEWebService.Stock stock2      = glueService.GetSecureSaleRecommendation(); 

The final piece for linking the client and Web service is the proxy file for each. Although the sample contains a proxy file that has been pregenerated, it's worth going through the steps required to create a proxy file to enable this authentication.

The proxy files for the .NET client can be found in the C:\Interoperability\Samples\Advanced\WS-Security\Auth\dotNET\Client directory. The two files are named WSEWebService.cs and GLUEWebService.cs. Both were generated with the WSDL.EXE tool that was used extensively throughout Chapter 6, but two slight modifications were made.

If you open one of these files, you'll notice that the StockService class inherits from WebServicesClientProtocol instead of System.Web.Services.Protocols.SoapHttpClientProtocol .

 public class StockService : WebServicesClientProtocol 

The WebServicesClientProtocol is actually part of the WSE libraries, and as a result, our second modification requires the library to be referenced within the class itself.

 using Microsoft.Web.Services; 

This inheritance allows the client to make the call to the RequestSoapContext method to add the X.509 token and sign the request. These modifications are required to use the WSE, and they can be made either by hand or with the WSE Settings Tool for Visual Studio .NET, which was mentioned earlier in this chapter.

For the Java client (Client.java in C:\Interoperability\Samples\Advanced\WS-Security\Auth\Java\Client), the proxy files for the two Web services are located in two subdirectories: GLUEWebService and WSEWebService. As the wsdl2java tool produces more than one file for each, this is a cleaner solution than having only one subdirectory. Although the proxy files do not need to be altered , the MAP files that are generated need to be placed in the same directory as the calling client. To enable this, the MAP files from the generated wsdl2java output were renamed to WSEWebService.map and GLUEWebService.map, respectively, and placed in the same directory as the client source. These MAP files differentiate among the Stock types exposed by each of the services.

Other Methods of Authentication

In this sample, we've seen how X.509 certificates were chosen to demonstrate authentication between the .NET and Java clients and Web services. Although the process is not shown in the sample code, in addition to authenticating with an X.509 certificate, both Microsoft WSE 1.0 and GLUE 4.0.1 support authentication with a Username/Password token or a binary security token. For more information, consult the product documentation for each.

Thinking About Authorization

This authentication sample using WS-Security has shown how either a .NET or Java Web service can be created to allow only authenticated requests from clients ”requests that in this instance were signed with an X.509 certificate. What the example doesn't show is any authorization of the request once it has been accepted.

In a production solution, you would likely encounter a need to restrict both incoming requests that are not signed and incoming requests that are signed by a certificate that is not recognized. Performing this level of authorization will require additional work by both the .NET and Java Web services.

For the .NET Web service, achieving this level of authorization might involve expanding the IsValid method so that it checks the details of the certificate, or it might involve matching up the public parts of the certificate to a certificate stored in an Active Directory. For the Java Web service, this might involve restricting the certificates to the ones stored in the key store (by using the X509Authenticator class) or by using something more customized, where parts of the certificate are matched against a Java Authentication and Authorization Service (JAAS) realm.

Configuring the .NET Web Service

As with the authentication example, to show the samples in action we need to create a virtual directory to host the .NET Web service. The sample code used for the Web service can be found in the C:\Interoperability\Samples\Advanced\WS-Security\Enc\dotNET\WebService directory. Use the accompanying nant script to build the sample code in this directory.

To create the virtual directory using IIS, right-click the Default Web Site icon within the administration tool and select New/Virtual Directory. For the alias of the Web service, use dotNETEncWebService .

Set the path of the files correctly ( C:\Interoperability\Samples\Advanced\WS-Security\Enc\dotNET\WebService ) in the next stage of the wizard.

Accept the remaining default settings to create the virtual directory. Again, the publishing of the Web service can be validated by browsing to http://localhost/dotNETEncWebService/StockService.asmx . The method signature for the GetSecurePurchaseRecommendation should now require a String to represent a credit card, as shown in Figure 13.9.

Figure 13.9: Validating the Web service with Internet Explorer.

The configuration of the .NET Web service is now complete.

Configuring the Java Web Service

The sample code for the Java Web service can be found in the C:\Interoperability\Samples\Advanced\WS-Security\Enc\Java\WebService directory. As with the previous authentication sample, build this code by using the supplied Ant script. The run target can be used with the Ant script to publish the Web service on http://localhost:8004/JavaWSSWebService/StockService.wsdl .

Both the .NET and Java Web services are published. Before we run the clients, let's first look at how the symmetric key is configured.

The Symmetric Key

You might recall that with the last authentication, sample certificates were created and used by both the .NET and Java clients to sign the Web service request. Although the WS-Security specification allows certificates for encrypting data, at the time of this writing, GLUE 4.0.1 doesn't support this. In this sample, we'll show how a symmetric key can be used instead. With symmetric-key cryptography, the same key is held by both the client and the service and is used to both encrypt and decrypt the data. In a production environment, symmetric keys are often distributed with the client and little additional setup is required. Additionally, the symmetric key can be negotiated at the time of connection. This is often referred to as a handshake .

The symmetric key that will be used in this sample is the same as the default key supplied with the Microsoft WSE 1.0 Quickstart samples, and it's currently hard-coded into each of the classes for the client.

Running the Java Client

We'll first run the Java client to show the details of the message that is constructed . The sample code for the Java client can be found in the C:\Interoperability\Samples\Advanced\WS-Security\Enc\Java\Client directory. Ensure that both the .NET and Java Web services are running by testing the URLs through Internet Explorer, and build and run the sample client code using the provided Ant script.

If the client code is successfully run, you should see the following output:

 Calling the WSE Service... Secure stock recommendation from the WSE Service: Ticker: ASKI Name: Alpine Ski Price: 32.45 Previous: 32.09 Volume: 45 Calling the GLUE Service... Secure stock recommendation from the GLUE Service: Ticker: TRRE Name: Trey Research Price: 9.35 Previous: 9.48 Volume: 93 

The client has successfully constructed the Web service request to both the .NET and Java Web services, and both requests contain the encrypted credit card information. If you look at the running Java Web service, you should see that the credit card detail was successfully sent to the method.

 Credit card details received: 1234 5678 9012 3456 (01/05) 

Looking back at the Java Client class, you'll notice that this number and expiration date are hard-coded for sample purposes.

Again, as with the authentication sample, it's reassuring to check that the underlying communication was in fact secure. To do this, we can enable SOAP logging on the Java client. Open the Client.java file, and locate and uncomment the following line of code:

 electric.util.log.Log.startLogging("SOAP"); 

Rebuild and rerun the Java client. The console window will now show the SOAP messages that are being sent to and received from the Web service.

Looking at the first message that was sent from the Java client to the .NET Web service, you can see that no credit card number was passed as part of the request. Instead, the SOAP message contains an element named EncryptedData .

 <n3:EncryptedData      xmlns:ds='http://www.w3.org/2000/09/xmldsig#'      Id='electric-id-59E66E3D-ED83-8900-135B-F534FF089EAB'>     <n3:EncryptionMethod          Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/>     <ds:KeyInfo>         <ds:KeyName>WSE Sample Symmetric Key</ds:KeyName>     </ds:KeyInfo>     <n3:CipherData>         <n3:CipherValue> AAAAAAAAAAAuIFS4iNzjpxPEihTVtlwbjL1QT5Ur/MdQGPutyfCwZ29YRk2GhpqKKsjsH 7c8j4KXCwa4P6gvIDzCyoOFXAegK9SwBU1FaG2UBW6OxceeUCjj06Y5Alw5IrIBU3phif BkXTcdsWHzxsZP9l38bcpHEpwY1/LhsU1iRG0k2WJ75HsuwZr4a+WJ3a/d2HjB9UMYf4N ONVzMt5xzhzmvu89QLkSUb0/gNZDwprVTnK10iJ9izn5k8MpvtQX774mx1YYDS+l+WXEh rMpfj5HHeV4z         </n3:CipherValue>     </n3:CipherData> </n3:EncryptedData> 

In this message, we can see three key bits of information. First, the EncryptionMethod element lists the algorithm that was used to encrypt the data. In this case, a Triple DES with CBC (Ciphertext Block Chaining) was used. The second element of interest is KeyName . This is a String field that is used to indicate to the Web service which key was used to encrypt the data. This allows both the client and Web service to distinguish between any number of keys shared between them. Finally, the CipherValue element contains the encrypted data itself.

When we look at the reply from the .NET Web service, we can see that the returned stock recommendation was not encrypted.

 <GetSecurePurchaseRecommendationResult>     <Ticker xmlns=     'http://www.microsoft.com/interoperability/dotNETEncWebService'>         ASKI</Ticker>     <Name xmlns=     'http://www.microsoft.com/interoperability/dotNETEncWebService'>         Alpine Ski</Name>     <Price xmlns=     'http://www.microsoft.com/interoperability/dotNETEncWebService'>         32.45</Price>     <Previous xmlns=     'http://www.microsoft.com/interoperability/dotNETEncWebService'>         32.09</Previous>     <Volume xmlns=     'http://www.microsoft.com/interoperability/dotNETEncWebService'>         45</Volume> <GetSecurePurchaseRecommendationResult> 

The preceding code shows us that the sample code encrypts the credit card details from the client to the Web service, but the response is sent in clear text. In the real world, you might be required to encrypt the data sent back to the client also. (Given that the information was paid for by a credit card, I would hope that it is worth encrypting!)

Encryption can certainly be applied to the response as well as to the request. The key observation here is that just because the request is encrypted it doesn't automatically mean the response is, too. This way of thinking is slightly different than in the HTTPS/SSL world, where once the secure link is established, both requests and responses are encrypted for the duration of the session.

Running the .NET Client

Before we look at how each client works, run the .NET client, the sample code for which can be found in the C:\Interoperability\Samples\Advanced\WS-Security\Enc\dotNET\Client directory. Use the accompanying NAnt script to build and run the sample code. You should see a result similar to that seen with the Java client.

How the Samples Work

First, each Web service must implement WS-Security. For the .NET Web service, this implementation is configured through the web.config file, which can be found in the directory of the Web service itself. Within the security elements of the web.config file is an entry that specifies the decryption provider:

 <decryptionKeyProvider      type="dotNETEncWebService.DecryptionKeyProvider,            dotNETEncWebService"/> 

As we can see, the provider refers to a class within the Web service itself. This class can be found in the StockService.asmx.cs file, and it overrides the DecryptionKeyProvider class method that specifies the key that will be used. As mentioned previously, this key is hard-coded in this class.

The Web method itself, GetSecurePurchaseRecommendation , does not need to make any calls to verify or decrypt the data. Verification is automatically handled by the WSE HttpHandler class.

 [WebMethod] public Stock GetSecurePurchaseRecommendation(String creditCardNo) {     SoapContext requestContext = HttpSoapContext.RequestContext;     if (requestContext == null)         throw new ApplicationException("Only SOAP requests are permitted.");     if (requestContext.Security.Elements.Count == 0)         throw new ApplicationException("No security information sent with request.");     return Recommendations.Recommendation; } 

Two checks, however, are made within this method to ensure that only SOAP requests are allowed and that some security elements were supplied with the call. These checks allow the sample to reject calls made by clients who have not encrypted the data in the request.

For the Java Web service, the WS-Security properties are configured in the Server.java class. As with the previous Java examples, you can move these settings into a configuration file. Within the Server class, the configuration is performed in three stages. First, a new BasicRealm is created, with a principal that includes an account with the username and password that match the symmetric-key settings.

 BasicRealm realm = new BasicRealm("test"); String userName = "WSE Sample Symmetric Key"; String password = "EE/uaFF5N3ZNJWUTR8DYe+OEbwaKQnso"; realm.addPrincipal(userName,password); 

You can find additional information on realms in the "Web Services Authentication and Authorization" section in Chapter 6. Next, a WS-Security “specific context is created. This context will be used to set the encryption properties for the hosted Web service.

 WSSContext wss = new WSSContext(); ServiceContext serviceContext = new ServiceContext(); serviceContext.setWSSContext(wss); 

Finally, a new class of type WSSEncryption is created and configured with the symmetric-key settings. A guard is used to set up the WS-Security context and prevent nonencrypted requests from calling the Web service. In GLUE, a guard performs a role similar to that of a filter (in the Java Servlet API) or HttpModule (in .NET). The EncryptionGuard method intercepts the message before it reaches the Web service method. If the request is not encrypted based on a preconfigured set of parameters, it is rejected.

 WSSEncryption encryptionSpec = new WSSEncryption(); ElementReference reference      = new ElementReference("soap:Envelope/soap:Body/*"); encryptionSpec.setReference(reference); encryptionSpec.setRealm(realm); wss.in.addGuard(new EncryptionGuard(encryptionSpec)); 

The .NET and Java clients work in a way similar to the authentication examples shown in the first section. For the .NET client, the proxy file to the Web service is created and adjusted to include the WSE 1.0 references. After the SOAP context has been derived from the proxy, the symmetric key is added as a new security element to the call.

 SoapContext wpReqContext = wp.RequestSoapContext; SoapContext gpReqContext = gp.RequestSoapContext; wpReqContext.Security.Elements.Add(new EncryptedData(key)); gpReqContext.Security.Elements.Add(new EncryptedData(key)); 

This key is obtained from GetEncryptionKey method in the client code. The data for the key is in the code for this sample and is used with the SymmetricEncryptionKey class to generate the symmetric key.

 SymmetricEncryptionKey key      = new SymmetricEncryptionKey(TripleDES.Create(), keyBytes); 

The fictitious credit card number is then created and passed to the GetSecurePurchaseRecommendation method.

 WSEWebService.Stock stock      = wp.GetSecurePurchaseRecommendation(creditCardNo); 

This method is used for both the .NET and Java Web services.

For the Java client, a similar approach is taken. A new WSSContext (WS- Security Context) is created for the call. The symmetric key is then added to the context with the following code:

 byte[] secretKeyBytes = Base64.fromBase64(symmetricKey);  encryptionSpec.setSecretKeyBytes(secretKeyBytes);  wss.out.addEncryption(encryptionSpec); 

After the Web service is bound, the client calls both the .NET and Java Web services.

 WSEWebService.Stock stock      = wseService.GetSecurePurchaseRecommendation(creditCardNo); GLUEWebService.Stock stock2      = gp.GetSecureSaleRecommendation(creditCardNo); 

For both clients, the recommendation returned by each of the Web services is displayed to the console.