Ws security with mule

WS Security in Mule By Anirban Sen Chowdhary


Page 2: Ws security with mule

Web Services Security (WS-Security, WSS) is an extension to SOAP that applies security to web services. If a web service is exposed to the external world, the data it carries is exposed to several potential security vulnerabilities. So, in order to protect our web service, we require Web Services Security.

Page 3: Ws security with mule

WS-Security describes 3 main mechanisms:
• How to sign SOAP messages to assure integrity. Signed messages also provide non-repudiation.
• How to encrypt SOAP messages to assure confidentiality.
• How to attach security tokens to ascertain the sender's identity.

Page 4: Ws security with mule

WS-Security incorporates security features in the header of a SOAP message. It works in the application layer.

In this example we will be implementing a simple username and password in the WS Security format.

Page 5: Ws security with mule

So, we will expose a SOAP web service that will implement WS Security :-

Page 6: Ws security with mule

To expose a web service with security in Mule we need Spring Security in our flow :-

<!-- Mule security manager delegating to the Spring authentication manager below -->
<mule-ss:security-manager>
    <mule-ss:delegate-security-provider name="memory-provider" delegate-ref="authenticationManager" />
</mule-ss:security-manager>

<spring:beans>
    <ss:authentication-manager alias="authenticationManager">
        <ss:authentication-provider>
            <!-- In-memory user store holding the single demo account -->
            <ss:user-service id="userService">
                <ss:user name="anirban" password="password" authorities="ROLE_ADMIN" />
            </ss:user-service>
        </ss:authentication-provider>
    </ss:authentication-manager>
</spring:beans>

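<!-- Inbound WS-Security: expect a UsernameToken and validate it through the Mule security manager -->
<cxf:ws-security name="inboundSecurityConfig">
    <cxf:mule-security-manager />
    <cxf:ws-config>
        <cxf:property key="action" value="UsernameToken" />
    </cxf:ws-config>
</cxf:ws-security>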

Page 7: Ws security with mule


And our Mule flow will be :-

<flow name="securedSoapService">
    <http:inbound-endpoint exchange-pattern="request-response" host="localhost" port="8090" path="designation" doc:name="HTTP">
        <cxf:jaxws-service serviceClass="com.getdesignation.test.services.schema.maindata.v1.GetDesignation">
            <cxf:ws-security ref="inboundSecurityConfig"/>
        </cxf:jaxws-service>
    </http:inbound-endpoint>
    <component class="com.getdesignation.test.services.schema.maindata.v1.Impl.GetDesignationImpl" />
</flow>

Page 8: Ws security with mule

Following will be our flow in graphical mode ready with security :-

Page 9: Ws security with mule

Now, we will be testing our secured web service in SoapUI.

You can see here, we are testing the service by giving the username and password in the header section of the SOAP request, and I am getting the response back from the service.
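As an added example (not part of the original slides and not Mule or CXF code), the following Python sketch shows what the UsernameToken header in such a request looks like on the wire and how a receiver checks it. It goes beyond the slide's test by also covering the PasswordDigest form from the WS-Security UsernameToken Profile 1.0; with PasswordText the password sits in clear text inside the header. The function names, the empty SOAP body, the nonce and the timestamp are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
USERS = {"anirban": "password"}  # the demo account from the user-service on this page

def digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()

def build_request(user, secret, ptype="PasswordText", nonce=b"", created=""):
    """Constructed SOAP 1.1 request (hypothetical helper); body left empty, values not escaped."""
    extra = ""
    if ptype == "PasswordDigest":
        extra = (f"<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>"
                 f"<wsu:Created>{created}</wsu:Created>")
    return (
        f'<soap:Envelope xmlns:soap="{NS["soap"]}" xmlns:wsse="{NS["wsse"]}" '
        f'xmlns:wsu="{NS["wsu"]}"><soap:Header><wsse:Security><wsse:UsernameToken>'
        f"<wsse:Username>{user}</wsse:Username>"
        f'<wsse:Password Type="{PROFILE}#{ptype}">{secret}</wsse:Password>{extra}'
        "</wsse:UsernameToken></wsse:Security></soap:Header><soap:Body/></soap:Envelope>"
    )

def authenticate(envelope: str):
    """Return the authenticated user name, or None if the token is missing or wrong."""
    token = ET.fromstring(envelope).find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if token is None:
        return None
    user = token.findtext("wsse:Username", "", NS)
    pw = token.find("wsse:Password", NS)
    known = USERS.get(user)
    if pw is None or known is None:
        return None
    expected = known  # PasswordText: the password itself travels in the message
    if pw.get("Type", "").endswith("#PasswordDigest"):
        nonce = base64.b64decode(token.findtext("wsse:Nonce", "", NS))
        expected = digest(nonce, token.findtext("wsu:Created", "", NS), known)
        # A real receiver would also reject reused nonces and stale Created values.
    ok = hmac.compare_digest((pw.text or "").encode(), expected.encode())
    return user if ok else None
```
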

Page 10: Ws security with mule

So, you can see WS-Security offers confidentiality and integrity protection from the creation of the message to its consumption. WS-Security offers more protection than HTTPS would, and SOAP offers a richer API than any other security. Thus we can say WS-Security has measures for authentication, integrity, confidentiality and non-repudiation.

Page 11: Ws security with mule

In my next slide I will bring some other techniques of implementing WS Security in Mule. Hope you have enjoyed this simpler version.

Page 12: Ws security with mule

Thank You