Thursday, February 11, 2021

SOAP web service with Spring Boot

This article will show you how to create a SOAP web service with Spring Boot. You can create a Spring project within minutes by using Spring Initializr. On the Spring Initializr landing page I chose the items below:

Project: Maven Project

Language: Java

Spring Boot: 2.4.1

Project Metadata

Group: com.soapservice

Artifact: soapservice

Name: soapservice

Description: Demo SOAP service with Spring Boot

Package name: com.soapservice.soapservice

Packaging: Jar

Java: 8

Dependencies: spring-boot-starter-web, spring-boot-starter-web-services


After choosing the above items, click the Generate button. It gives you a Spring Boot project skeleton as a zip archive. I imported this project into Eclipse as a Maven project. If after importing you see an error like "Project configuration is not up-to-date with pom.xml", select the project, right-click it and choose Maven -> Update Project.

Tuesday, February 9, 2021

X.509 Authentication in Spring Security

An X.509 certificate binds a public key to a subject name and carries a digital signature from a certificate authority (CA): the CA hashes the certificate body and signs that hash with its private key. During the TLS handshake the receiving side verifies that signature against the CA certificates in its trust store; with client authentication enabled, the server verifies the client's certificate in the same way before the HTTPS connection is established.

In this article we will see how to generate a CA certificate, a server certificate signed by it, and the key store and trust store Spring Boot needs to require client certificates.


Generating Server CA Certificate: 

Step 1: To sign the server-side and client-side certificates we first need a certificate authority. Open a command prompt and run the command below to generate a self-signed CA certificate:

openssl req -x509 -sha256 -days 3650 -newkey rsa:4096 -keyout serverCA.key -out serverCA.crt

After you run the above command it asks for a passphrase for the private key. For this article we will use changeit as the passphrase. It also asks for some additional information, which is optional. In this article we will provide only the Common Name (CN) as localhost. Giving the CA the same CN as the server works, but a distinct name (for example Demo Root CA) avoids ambiguity: a leaf certificate whose subject equals its issuer looks self-signed to some older TLS implementations, and it makes the CA easy to tell apart from the certificates it issues.

Step 2: Server-side certificate: Now run the command below to generate a private key and a certificate signing request (CSR):

openssl req -new -newkey rsa:4096 -keyout localhost.key -out localhost.csr

This step asks for similar information as step 1. We will only provide changeit as the passphrase and localhost as the CN.

Step 3: Before we proceed, we need to create a configuration file, localhost.ext. It stores the extensions added when the certificate is signed. The subjectAltName entry matters: modern clients (browsers since Chrome 58, and Java whenever a SAN is present) match the host name against the SAN list and not against the CN, so a certificate with CN=localhost but no SAN is rejected.

authorityKeyIdentifier=keyid,issuer

basicConstraints=CA:FALSE

subjectAltName = @alt_names

[alt_names]

DNS.1 = localhost

Step 4: At this stage we sign the request with the serverCA.crt certificate. To do this run the command below:

openssl x509 -req -CA serverCA.crt -CAkey serverCA.key -in localhost.csr -out localhost.crt -days 365 -CAcreateserial -extfile localhost.ext

It asks for the passphrase of serverCA.key, which is the same passphrase we used when creating the CA. It then writes localhost.crt, the server certificate signed by our own certificate authority, and serverCA.srl, the serial-number file created by -CAcreateserial. You can confirm the result with openssl verify against serverCA.crt before going on.

Step 5: Now we have to import the signed certificate and private key into the key store. Before importing into the key store we bundle the certificate and private key into a PKCS#12 archive. Run the command below for packing (the -name value becomes the alias that server.ssl.key-alias must match later):

openssl pkcs12 -export -out localhost.p12 -name "localhost" -inkey localhost.key -in localhost.crt

After executing the above command it generates localhost.p12, a bundle of the private key and the certificate. Now we import localhost.p12 and generate keystore.jks using keytool with the command below. Since Java 9 keytool defaults to PKCS12 and warns that JKS is a proprietary format; Spring Boot can also load the .p12 file directly if you set the key-store type to PKCS12, in which case this conversion is unnecessary:

keytool -importkeystore -srckeystore localhost.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS

Step 6: Import the server CA certificate into a Java trust store. This is the store the server checks client certificates against, so it must hold the CA that issues them. Run the command below:

keytool -importcert -trustcacerts -noprompt -alias ca -file serverCA.crt -keystore truststore.jks

The keytool -ext option belongs to the key- and certificate-generating commands (-genkeypair, -certreq, -gencert), not to an import, so it is left out here; the SAN entries already live in the server certificate via localhost.ext. The store password in this case is changeit.
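The six steps above as one non-interactive script (an added example, not from the original post). It follows the article's file names and the changeit passphrase; the CA Common Name Demo Root CA, the keyUsage and extendedKeyUsage lines and the IP.1 entry in the SAN list are additions of this example. It requires openssl (1.1.1 or 3.x); the keytool steps run only when a JDK is on the PATH, and it ends with the check the steps above leave out: that localhost.crt chains to serverCA.crt and carries the localhost SAN.

```shell
#!/bin/sh
# Added example: the article's six steps, run without prompts.
# Assumptions: CA CN "Demo Root CA"; passphrase "changeit" (override with PKI_PASS);
# output directory ./store (override with PKI_DIR); RSA 4096 (override with KEY_BITS).
set -eu

PASS="${PKI_PASS:-changeit}"   # the article uses changeit for every key and store

# make_demo_pki DIR [KEYBITS]
# Builds the CA, the server certificate, the PKCS#12 bundle and, if keytool exists,
# keystore.jks and truststore.jks inside DIR. Runs in a subshell so the caller's
# working directory is untouched. Exit status is that of the final chain verification.
make_demo_pki() (
    dir="$1"; bits="${2:-4096}"
    mkdir -p "$dir"
    cd "$dir"

    # Step 1: self-signed CA, ten-year validity, passphrase-protected key
    openssl req -x509 -sha256 -days 3650 -newkey "rsa:$bits" \
        -subj "/CN=Demo Root CA" -passout "pass:$PASS" \
        -keyout serverCA.key -out serverCA.crt

    # Step 2: server key plus certificate signing request for localhost
    openssl req -new -newkey "rsa:$bits" -subj "/CN=localhost" \
        -passout "pass:$PASS" -keyout localhost.key -out localhost.csr

    # Step 3: extensions for the leaf. Clients match the host name against the SAN,
    # so CN alone is not enough; keyUsage/extendedKeyUsage are example additions.
    cat > localhost.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=@alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF

    # Step 4: sign the CSR with the CA; -CAcreateserial writes serverCA.srl on first use
    openssl x509 -req -sha256 -days 365 -CAcreateserial \
        -CA serverCA.crt -CAkey serverCA.key -passin "pass:$PASS" \
        -in localhost.csr -out localhost.crt -extfile localhost.ext

    # Step 5: bundle key and certificate; -name is the alias server.ssl.key-alias refers to
    openssl pkcs12 -export -name localhost -inkey localhost.key -in localhost.crt \
        -passin "pass:$PASS" -passout "pass:$PASS" -out localhost.p12

    # Steps 5 and 6 with keytool, only when a JDK is available
    if command -v keytool >/dev/null 2>&1; then
        keytool -importkeystore -noprompt -srckeystore localhost.p12 -srcstoretype PKCS12 \
            -srcstorepass "$PASS" -destkeystore keystore.jks -deststoretype JKS -deststorepass "$PASS"
        keytool -importcert -noprompt -trustcacerts -alias ca -file serverCA.crt \
            -keystore truststore.jks -storepass "$PASS"
    fi

    # Check: the leaf carries the SAN clients will match, and chains to the CA
    openssl x509 -in localhost.crt -noout -text | grep -q 'DNS:localhost'
    openssl verify -CAfile serverCA.crt localhost.crt
)

make_demo_pki "${PKI_DIR:-./store}" "${KEY_BITS:-4096}"
```

Run it with sh; it prints "localhost.crt: OK" on success and stops at the first failing command otherwise. If a Java 8 keytool rejects the localhost.p12 written by OpenSSL 3, re-export it with the -legacy option of openssl pkcs12: OpenSSL 3 defaults to AES-256 with PBKDF2 for PKCS#12 bundles, which older keytool releases do not understand.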


Spring Security Configuration: 

Step 1: If you have completed the above steps, we are ready to implement authentication on the server side. Add the configuration below to application.properties. The ${PASSWORD} placeholder is resolved by Spring Boot from an environment variable or system property of that name, so the store password does not have to be committed with the source; the key-store and trust-store paths are resolved relative to the working directory the application is started from:

server.ssl.key-store=../store/keystore.jks

server.ssl.key-store-password=${PASSWORD}

server.ssl.key-alias=localhost

server.ssl.key-password=${PASSWORD}

server.ssl.trust-store=../store/truststore.jks

server.ssl.trust-store-password=${PASSWORD}

server.ssl.enabled=true

server.ssl.client-auth=need


Note: In this article we use changeit for every password field. With server.ssl.client-auth=need the embedded Tomcat rejects any TLS handshake that does not present a certificate chaining to a CA in truststore.jks, before the request reaches Spring Security; use want instead if the client certificate should be optional.
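The properties above make Tomcat verify the client certificate; what they do not show is the Spring Security side that turns the verified certificate into an authenticated principal. The configuration below is an added example (not code from the original post) for Spring Boot 2.4.1 / Spring Security 5.4 on Java 8, as chosen above. The package, the X509SecurityConfig class name, the allowed CNs client1 and client2, and the SOAP_CLIENT role are assumptions of this example.

```java
package com.soapservice.soapservice.config; // assumed package for this example

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * Maps the Common Name of the client certificate that Tomcat has already verified
 * (server.ssl.client-auth=need against truststore.jks) onto a Spring Security principal.
 * Tomcat proves possession of the private key; this class decides who that CN is allowed to be.
 */
@Configuration
@EnableWebSecurity
public class X509SecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumption: client certificates issued by serverCA with CN=client1 and CN=client2.
    private static final Set<String> ALLOWED_CLIENTS =
            new HashSet<>(Arrays.asList("client1", "client2"));

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // every request needs an authenticated principal; there is no login form
            .authorizeRequests(authz -> authz.anyRequest().authenticated())
            // extract the principal from the subject DN of the verified client certificate
            .x509(x509 -> x509
                .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
                .userDetailsService(clientCertificateUsers()))
            // certificate-authenticated SOAP clients hold no browser session, so CSRF tokens add nothing
            .csrf(csrf -> csrf.disable());
    }

    /**
     * Looks up the CN taken from the certificate. Only CNs in the allow-list get an account;
     * anything else, even if signed by our CA, is rejected with 403.
     */
    @Bean
    public UserDetailsService clientCertificateUsers() {
        return cn -> {
            if (!ALLOWED_CLIENTS.contains(cn)) {
                throw new UsernameNotFoundException("no account for certificate CN=" + cn);
            }
            // The password is never checked for X.509 pre-authentication; an empty value satisfies the builder.
            return User.withUsername(cn).password("").roles("SOAP_CLIENT").build();
        };
    }
}
```

With this in place, a client that presents no certificate is refused during the TLS handshake (client-auth=need), a client whose certificate was signed by serverCA but whose CN is not in the allow-list gets an HTTP 403, and client1 or client2 reach the SOAP endpoint with the SOAP_CLIENT role. Keep the allow-list and the trust store in sync: removing a CN here is not a substitute for revoking its certificate, since the handshake still succeeds.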