Sample 100: Using WS-Security for Outgoing Messages

<definitions xmlns="http://ws.apache.org/ns/synapse">
    <localEntry key="sec_policy" src="file:repository/conf/sample/resources/policy/policy_3.xml"/>
    <sequence name="main">
        <in>
            <send>
                <endpoint name="secure">
                    <address uri="http://localhost:9000/services/SecureStockQuoteService">
                        <enableSec policy="sec_policy"/>
                    </address>
                </endpoint>
            </send>
        </in>
        <out>
            <send/>
        </out>
    </sequence>
</definitions>

Objective

Showcase the ability of Synapse to connect to secured endpoints using WS-Security standards

Pre-requisites

  • Download and install the Java Cryptography Extension (JCE) unlimited strength policy files for your JDK
  • Deploy the SecureStockQuoteService in the sample Axis2 server and start Axis2
  • Start Synapse using the configuration numbered 100 (repository/conf/sample/synapse_sample_100.xml)
    Unix/Linux: sh synapse.sh -sample 100
    Windows: synapse.bat -sample 100

Executing the Client

Use the stock quote client to send a request without WS-Security. Synapse is configured to apply WS-Security, as specified by the policy in 'policy_3.xml', to the outgoing messages for the SecureStockQuoteService endpoint. The debug log messages on Synapse show the encrypted message flowing to the service and the encrypted response being received by Synapse. The wsse:Security header is then removed from the decrypted response, which is delivered back to the client as expected. You may execute the client as follows:

ant stockquote -Dtrpurl=http://localhost:8280/

When TCPMon is placed between Synapse and the service, the message sent by Synapse to the secure service looks as follows.

POST http://localhost:9001/services/SecureStockQuoteService HTTP/1.1
Host: 127.0.0.1
SOAPAction: urn:getQuote
Content-Type: text/xml; charset=UTF-8
Transfer-Encoding: chunked
Connection: Keep-Alive
User-Agent: Synapse-HttpComponents-NIO

800
<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:wsa="http://www.w3.org/2005/08/addressing" ..>
    <soapenv:Header>
        <wsse:Security ..>
            <wsu:Timestamp ..>
                ...
            </wsu:Timestamp>
            <xenc:EncryptedKey ..>
                ...
            </xenc:EncryptedKey>
            <wsse:BinarySecurityToken ...>
                ...
            </wsse:BinarySecurityToken>
            <ds:Signature ..>
                <ds:SignedInfo>
                    ...
                </ds:SignedInfo>
                <ds:SignatureValue>
                    ...
                </ds:SignatureValue>
                <ds:KeyInfo Id="KeyId-29551621">
                    ...
                </ds:KeyInfo>
            </ds:Signature>
        </wsse:Security>
        <wsa:To>http://localhost:9001/services/SecureStockQuoteService</wsa:To>
        <wsa:MessageID>urn:uuid:1C4CE88B8A1A9C09D91177500753443</wsa:MessageID>
        <wsa:Action>urn:getQuote</wsa:Action>
    </soapenv:Header>
    <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-3789605">
        <xenc:EncryptedData Id="EncDataId-3789605" Type="http://www.w3.org/2001/04/xmlenc#Content">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
            <xenc:CipherData>
                <xenc:CipherValue>Layg0xQcnH....6UKm5nKU6Qqr</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </soapenv:Body>
</soapenv:Envelope>
0

Note the WS-Security headers and the encrypted payload added by Synapse.
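The following Python script is an added example, not part of the Synapse sample or its distribution. It audits a captured envelope for the protections visible above (wsu:Timestamp, xenc:EncryptedKey, ds:Signature, and a Body whose only child is xenc:EncryptedData), and mirrors the final step described in the text by stripping the wsse:Security header before a response is handed back to the client. The two envelopes embedded in it are constructed placeholders modelled on the capture, not real Synapse output; the SOAP 1.1 envelope namespace is assumed because the capture elides its declaration, and the other namespace URIs are the standard WS-Security, XML Signature and XML Encryption ones.

```python
"""Audit a captured SOAP envelope for WS-Security elements (added example)."""
import xml.etree.ElementTree as ET

# Standard namespace URIs: SOAP 1.1 (assumed), WS-Security 1.0, XML Signature, XML Encryption.
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep readable prefixes when re-serialising

# Constructed envelope modelled on the TCPMon capture; cipher/signature values are placeholders.
SECURED_ENVELOPE = b"""<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="Timestamp-1">
        <wsu:Created>2024-01-01T00:00:00Z</wsu:Created><wsu:Expires>2024-01-01T00:05:00Z</wsu:Expires>
      </wsu:Timestamp>
      <xenc:EncryptedKey Id="EncKeyId-1">
        <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey>
      <ds:Signature Id="Signature-1">
        <ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue><ds:KeyInfo Id="KeyId-1"/>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="Id-1">
    <xenc:EncryptedData Id="EncDataId-1" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>"""

# Constructed plain request, as the client sends it before Synapse applies enableSec.
PLAIN_ENVELOPE = b"""<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header/>
  <soapenv:Body>
    <q:getQuote xmlns:q="urn:example:stockquote"><q:symbol>IBM</q:symbol></q:getQuote>
  </soapenv:Body>
</soapenv:Envelope>"""


def audit_ws_security(envelope: bytes) -> dict:
    """Report which protections are visible in the envelope."""
    root = ET.fromstring(envelope)
    sec = root.find("soapenv:Header/wsse:Security", NS)
    body = root.find("soapenv:Body", NS)
    children = list(body) if body is not None else []
    enc = body.find("xenc:EncryptedData", NS) if body is not None else None
    method = enc.find("xenc:EncryptionMethod", NS) if enc is not None else None
    return {
        "security_header": sec is not None,
        "timestamp": sec is not None and sec.find("wsu:Timestamp", NS) is not None,
        "encrypted_key": sec is not None and sec.find("xenc:EncryptedKey", NS) is not None,
        "signature": sec is not None and sec.find("ds:Signature", NS) is not None,
        # Count the Body as encrypted only when EncryptedData is its sole child,
        # so a plaintext operation sitting beside it is not overlooked.
        "body_encrypted": enc is not None and len(children) == 1,
        "body_algorithm": method.get("Algorithm") if method is not None else None,
    }


def meets_policy(report: dict) -> bool:
    """True when every protection shown in the capture above is present."""
    return all(report[k] for k in ("timestamp", "encrypted_key", "signature", "body_encrypted"))


def strip_security_header(envelope: bytes) -> bytes:
    """Drop wsse:Security, as Synapse does before returning the decrypted response."""
    root = ET.fromstring(envelope)
    header = root.find("soapenv:Header", NS)
    if header is not None:
        for sec in header.findall("wsse:Security", NS):
            header.remove(sec)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


if __name__ == "__main__":
    for name, env in (("secured", SECURED_ENVELOPE), ("plain", PLAIN_ENVELOPE)):
        report = audit_ws_security(env)
        print(f"{name}: meets policy = {meets_policy(report)} {report}")
```

Run it against a message saved from TCPMon to confirm that the outbound request really carries all three protections; the plain client request fails the same check, which is what you expect to see on the Synapse-facing side of the exchange.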
