Question

We have to transfer binary data using web service stack and in the process we have to sign web service requests/responses.

The main question is: what is the preferred way to do this?

Should we use MTOM and WS-Security? From issue CXF-1904 I have concluded that there are issues when one uses MTOM and WS-Security. CXF and Axis2 use WSS4J and it seems that WSS4J does not work well with digitally signed messages when you use MTOM.

What about other web service stacks?


Solution 4

From http://ws.apache.org/wss4j/attachments.html :

WSS4J 2.0.0 introduces support for signing and encrypting SOAP message attachments, via the SOAP with Attachments (SWA) Profile 1.1 specification. There is no support in WSS4J 1.6.x for signing or encrypting message attachments. Attachments can be signed and encrypted in WSS4J via either the "action"-based approach or via WS-SecurityPolicy, as covered in the sections below.

OTHER TIPS

CXF can do WS-Security related things along with MTOM, but the attachments do not end up signed or encrypted. The SOAP message itself is signed/encrypted, but the attachments are not due to restrictions in WSS4J. (If SpringWS uses WSS4J, it would have the same restrictions)

By default, for security reasons, when using the WSS4JOutInterceptor with CXF, we turn off MTOM to make sure they get inlined and then signed/encrypted. That's a security choice. The WSS4JOutInterceptor DOES have a flag (out.setAllowMTOM(true)) which would allow the MTOM to remain as attachments, but keep in mind, those attachments would not be "secured".
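The effect described in the answer above, as an added example that is not part of the original answers or of CXF/WSS4J: a signature over the SOAP Body digests only the `xop:Include` reference when MTOM is on, so a change to the attachment bytes leaves the digest unchanged, while an inlined base64 payload is covered. The `upload`/`data` element names, the content ID and the payload are constructed, and SHA-256 over Python's C14N 2.0 output stands in for the XML-DSig Reference digest.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
XOP = "http://www.w3.org/2004/08/xop/include"


def build_body(payload: bytes, mtom: bool):
    """Return (Body element, attachments dict) for a constructed upload request."""
    body = ET.Element(f"{{{SOAP}}}Body")
    data = ET.SubElement(ET.SubElement(body, "upload"), "data")
    attachments = {}
    if mtom:
        # MTOM/XOP: the bytes travel in a separate MIME part; the Body holds a reference.
        cid = "payload-1@example.invalid"  # constructed content ID
        ET.SubElement(data, f"{{{XOP}}}Include", href=f"cid:{cid}")
        attachments[cid] = payload
    else:
        # Inlined: the bytes are base64 text inside the Body itself.
        data.text = base64.b64encode(payload).decode("ascii")
    return body, attachments


def body_digest(body) -> str:
    """Digest of the canonicalised Body, i.e. what a Body-only signature covers."""
    c14n = ET.canonicalize(ET.tostring(body, encoding="unicode"))
    return hashlib.sha256(c14n.encode("utf-8")).hexdigest()


def modification_detected(mtom: bool) -> bool:
    """Digest the Body, change the binary payload, report whether the digest changes."""
    original = b"%PDF-1.7 constructed sample payload"
    body, attachments = build_body(original, mtom)
    signed = body_digest(body)
    modified = original.replace(b"sample", b"edited")
    if mtom:
        for cid in attachments:
            attachments[cid] = modified  # MIME part changed, Body untouched
    else:
        body.find("upload/data").text = base64.b64encode(modified).decode("ascii")
    return body_digest(body) != signed


if __name__ == "__main__":
    print("inlined payload, change detected:", modification_detected(mtom=False))
    print("MTOM attachment, change detected:", modification_detected(mtom=True))
```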

Simply send the data as a byte[]. If there is a large amount of data, then WCF does support MTOM.

Under no circumstances should you use WSE. WSE is based on top of ASMX web services. Microsoft has stated that ASMX technology is "legacy", and that they will not be fixing bugs in it. Even worse, WSE is quite obsolete, and has been replaced by WCF.

I would recommend the use of Spring-WS over the Apache CXF API, it's considerably lighter, better-documented and easier to use. However, Spring-WS is not JAX-WS compliant (this is no bad thing, in my opinion, but you may think differently).

Spring-WS is just a light, Spring-friendly wrapper around an underlying SOAP implementation, and should work on top of Sun JAX-WS or Apache CXF, although I'd recommend using Sun's implementation. It also has full MTOM and WS-Security support (via Apache WSS4J).

Licensed under: CC-BY-SA with attribution