
Before adding WS-Security to your web services, make sure you have:

  1. Access to a certificate authority (CA): either your own (using OpenSSL, for example) or an external one like CACert
  2. Access to keytool (usually through your Java SDK)

Securing a server

This is quite easy. First, create a keystore with a key pair. During that process you will be asked for passwords to protect your keystore and private key. Let's choose 'groovyws' for both of them. This can be done, for example, with:

Code Block
keytool -genkey -keyalg RSA -dname "C=FR, O=GroovyWS Inc, OU=GroovyWS Test Centre, CN=Server" -alias server \
-keystore Server.jks

Then you need to generate the Certificate Signing Request like this:

Code Block
keytool -certreq -alias server -file ServerCertificateRequest.pem -keystore Server.jks

You need to get the server certificate from your CA using the newly generated request. Let's assume you get back a file named ServerCertificate.pem. You need to import that certificate into your keystore. Usually this won't be possible unless your keystore contains the certificate of your CA. Let's add those two certificates:

Code Block
keytool -import -alias TheCA -file TheCACert.pem -keystore Server.jks

keytool -import -alias server -file ServerCertificate.pem -keystore Server.jks

You are now ready to start your server:

Code Block
        Map<String, String> mapServer = [

        server = new WSServer(myServiceUrl)

In the above example, client authentication is not required. If you turn the flag to true (or omit the line, since it is true by default), the client must trust the server; you therefore have to provide a keystore containing the server certificate.

Code Block
keytool -import -alias server -file ServerCertificate.pem -keystore TrustingTheServer.jks

Code Block
        Map<String, String> mapClient = [

        def proxy = new WSClient(myServiceUrl+"?wsdl", this.class.classLoader)

        assert proxy.add(2.0 as double, 5.0 as double) == 7.0
        assert proxy.square(4.0 as double) == 16.0

You may also set up more complex configurations where both the client and server need to trust each other ...
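The keystore steps above, run end to end as one script and then checked. This is an added example, not code from the original page or from GroovyWS; the throwaway OpenSSL test CA (TheCAKey.pem, "Test CA"), the `-storepass`/`-keypass` arguments and the helper functions `build_keystores`, `entry_type` and `chain_length` are assumptions made so it runs unattended.

```shell
#!/bin/sh
# Added example, not GroovyWS code. Assumptions: a throwaway OpenSSL CA stands in for your
# real CA; the demo password is passed on the command line (visible in the process list).
PASS=groovyws

# build_keystores DIR: run the whole procedure inside DIR, stopping at the first failure.
build_keystores() (
  mkdir -p "$1" && cd "$1" &&
  # Constructed test CA: self-signed certificate and its private key.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/C=FR/O=GroovyWS Inc/CN=Test CA" -keyout TheCAKey.pem -out TheCACert.pem &&
  # Server key pair, then the certificate signing request.
  keytool -genkey -keyalg RSA -keysize 2048 -alias server \
    -dname "C=FR, O=GroovyWS Inc, OU=GroovyWS Test Centre, CN=Server" \
    -keystore Server.jks -storepass "$PASS" -keypass "$PASS" &&
  keytool -certreq -alias server -file ServerCertificateRequest.pem \
    -keystore Server.jks -storepass "$PASS" &&
  # The CA signs the request (what an external CA would do for you).
  openssl x509 -req -in ServerCertificateRequest.pem -days 30 \
    -CA TheCACert.pem -CAkey TheCAKey.pem -CAcreateserial -out ServerCertificate.pem &&
  # CA certificate first, so keytool can chain the reply to a trusted issuer.
  keytool -import -noprompt -alias TheCA -file TheCACert.pem \
    -keystore Server.jks -storepass "$PASS" &&
  keytool -import -noprompt -alias server -file ServerCertificate.pem \
    -keystore Server.jks -storepass "$PASS" &&
  # Client truststore: the server certificate only, never a copy of Server.jks.
  keytool -import -noprompt -alias server -file ServerCertificate.pem \
    -keystore TrustingTheServer.jks -storepass "$PASS"
)

# entry_type STORE ALIAS: print the kind of entry stored under ALIAS.
entry_type() {
  out=$(keytool -J-Duser.language=en -list -keystore "$1" -storepass "$PASS" -alias "$2") || return 1
  case $out in
    *PrivateKeyEntry*) echo PrivateKeyEntry ;;
    *trustedCertEntry*) echo trustedCertEntry ;;
    *) echo unknown ;;
  esac
}

# chain_length STORE ALIAS: number of certificates attached to a key entry.
chain_length() {
  keytool -J-Duser.language=en -list -v -keystore "$1" -storepass "$PASS" -alias "$2" |
    sed -n 's/^Certificate chain length: //p'
}

if [ "${1:-}" = demo ]; then   # usage: sh keystores.sh demo
  d=$(mktemp -d) && build_keystores "$d" && entry_type "$d/Server.jks" server &&
    chain_length "$d/Server.jks" server && entry_type "$d/TrustingTheServer.jks" server
fi
```

A chain length of 2 on the server entry shows the CA reply replaced the self-signed certificate. The client store should report trustedCertEntry; a PrivateKeyEntry there would mean the server's private key was handed to clients.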