Axis securing seemingly public web services

Hi,
There may be an obvious answer to this question, but I've done some searching and come up blank so far.
I am wondering if you can restrict which domains are allowed to access the web services on your Axis web application (I am running Axis on Tomcat).
It is my understanding that anyone who knows the address of a servlet that generates a WSDL file will be able to consume this service. I want to be able to prevent this and only allow my own domain access to the web service.
Any advice would be most appreciated.
:|

use HTTP basic authentication? In addition if you don't want the public internet to access it, hide it behind a firewall.
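
One way to apply the advice in the reply above on Tomcat, shown as an added example that is not part of the original thread: container-managed HTTP Basic authentication over TLS for the Axis service URLs, plus an address filter in front of the application. The URL patterns assume the default Axis 1.x servlet mappings; the role name `ws-client`, the realm name and the `192.0.2.x` address range are placeholders to replace with your own values.

```xml
<!-- Fragment 1: WEB-INF/web.xml of the Axis web application (added example).
     No <http-method> element is listed, so the constraint covers every
     method, including the GET requests that return ?wsdl documents. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Axis services</web-resource-name>
    <!-- Assumed default Axis 1.x mappings; match them to your own web.xml -->
    <url-pattern>/services/*</url-pattern>
    <url-pattern>/servlet/AxisServlet</url-pattern>
    <url-pattern>*.jws</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Placeholder role; the user must hold it in the Tomcat realm -->
    <role-name>ws-client</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Basic credentials are only base64-encoded, so require HTTPS -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Axis web services</realm-name>
</login-config>

<security-role>
  <role-name>ws-client</role-name>
</security-role>

<!-- Fragment 2: META-INF/context.xml of the same application (added example).
     RemoteAddrValve rejects requests whose client address does not match
     the regular expression. 192.0.2.x is a documentation range used here
     as a placeholder for your own network. -->
<Context>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1|::1|0:0:0:0:0:0:0:1|192\.0\.2\.\d+"/>
</Context>
```

The valve filters on the client IP address that Tomcat sees, not on a domain name, so behind a reverse proxy or load balancer it sees that device's address unless the original client address is restored first. It complements authentication and a network firewall and does not replace either.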

Similar Messages

  • Adding security to a web service then generating a proxy [SOLVED]

    Hi
    I generated a web service based on a very simple java program. I have deployed it to a local oc4j install and successfully called it from a proxy generated from jdev. I am using 10.1.3.3.0.
    I added security to the web service and regenerated the proxy. I wanted to see the difference in the SOAP messages sent to the web service. However the proxy does not seem to have changed to take account of the new security settings on the web service.
    The security options I set were:
    On main security dialog: Ticked the port and "Text Password"
    On Authentication: Ticked "Expect Username to Authenticate"
    "Password Required"
    Password Type = "Plain Text"
    "Nonce Required in Token"
    "Creation Time Required in Token"
    I have 2 questions:
    1. How do I get the proxy to send SOAP messages that contain the security headers required to run the web service. Here is the main method from my proxy. I thought adding setUsername and setPassword would be the solution
        public static void main(String[] args) {
            try {
                gpn3.Getphonenum3SoapHttpPortClient myPort = new gpn3.Getphonenum3SoapHttpPortClient();
                System.out.println("calling " + myPort.getEndpoint());
                // Add your own code here
                myPort.setUsername("oc4jadmin");
                myPort.setPassword("welcome");
                myPort.getNum("Lisa");
            } catch (Exception ex) {
                ex.printStackTrace();
            }
        }
    2. When the web service receives a user name and password what does it check them against? I assume the oc4jadmin user will be allowed access but how do I set up other users?
    many thanks
    paul schweiger

    I have figured this out now
    1. I needed to set the same security settings in my proxy as I did for my web service. I had assumed that the proxy would generate the necessary security settings from the web service.
    2. For some reason my web service application is using the system level jazn-data xml file
    oc4j_extended_101330/j2ee/home/config/system-jazn-data.xml
    This does include the oc4jadmin user and I am now able to use that account to call the web service. I also managed to add another user and use that account to call the web service successfully.
    Thanks for the help
    paul

  • Problems invoking a secure 8.1 web service from a 6.1 client

    I'm trying to invoke a secure 8.1 web service from a 6.1 client application and keep getting rejected with the following message:
    Security Violation: User: '<anonymous>' has insufficient permission to access EJB:
    In the 6.1 client, I've established a WebServiceProxy and set the userName and password to the proper values, but I can't seem to get past the security.
    Is there something special I need to do on either the 8.1 securing side or on the 6.1 accessing side to make this work?
    Any help would be GREATLY appreciated.

    Hi Paul,
    This sounds familiar, but I cannot at the moment locate a reference to
    the issue. I would encourage you to seek the help of our super support
    team [1].
    Regards,
    Bruce
    [1]
    http://support.bea.com
    Paul Merrigan wrote:
    > I'm trying to invoke a secure 8.1 web service from a 6.1 client application and keep getting rejected with the following message:
    > Security Violation: User: '<anonymous>' has insufficient permission to access EJB:
    > In the 6.1 client, I've established a WebServiceProxy and set the userName and password to the proper values, but I can't seem to get past the security.
    > Is there something special I need to do on either the 8.1 securing side or on the 6.1 accessing side to make this work?
    > Any help would be GREATLY appreciated.

  • Error While Consuming Public Web Service through Stand Alone Proxy

    Hi,
    I am getting the below error when I am consuming a public web service through Stand Alone Proxy.
    java.rmi.RemoteException: Service call exception; nested exception is:
         com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (407) Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.  ).
         at com.mindtree.examples.GlobalWeatherSoapStub.getCitiesByCountry(GlobalWeatherSoapStub.java:159)
         at com.mindtree.examples.GlobalWeatherSoapStub.getCitiesByCountry(GlobalWeatherSoapStub.java:168)
         at com.mindtree.examples.WebServiceClient.main(WebServiceClient.java:18)
    Caused by: com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (407) Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.  ).
         at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.MimeHttpBinding.handleResponseMessage(MimeHttpBinding.java:903)
         at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.MimeHttpBinding.call(MimeHttpBinding.java:1346)
         at com.mindtree.examples.GlobalWeatherSoapStub.getCitiesByCountry(GlobalWeatherSoapStub.java:152)
         ... 2 more
    Regards,
    Venkatesh

    Hi,
    I am still facing the same issue.
    Regards,
    Venkatesh

  • WebServiceException When invoking secured ADF-BC web services on WebSphere

    We built web services using ADF 11.1.1.7 RC1, and deployed to WebSphere ND 7.0.0.23
    The web services are secured using OWSM policy:
    @SecurityPolicy( { "oracle/wss11_saml_or_username_token_with_message_protection_service_policy" })
    And we have a client java program which invokes the web services as follows:
    MTOMFeature mtom = new MTOMFeature();
    SecurityPolicyFeature sec_policy = new SecurityPolicyFeature("oracle/wss11_saml_token_with_message_protection_client_policy");
    if (lCMAMService == null) {
        generateFCMWebserviceUrl();
        URL url = new URL(fcmUrl);
        LCMAMService_Service lCMAMService_Service = null;
        try {
            lCMAMService_Service = new LCMAMService_Service(url);
        } catch (WebServiceException wse) {
            // Fall back to the physical URL if the first URL fails
            generateFCMWebserviceUrl(true);
            URL physicalURL = new URL(fcmUrl);
            lCMAMService_Service = new LCMAMService_Service(physicalURL);
        }
        lCMAMService = lCMAMService_Service.getLCMAMServiceSoapHttpPort(mtom, sec_policy);
    }
    Everything works fine in WebLogic. However, when running on WebSphere ND 7.0.0.23, the following exception was thrown:
    javax.xml.ws.WebServiceException: Invalid or unsupported WebServiceFeature feature http://www.w3.org/ns/ws-policy
         at org.apache.axis2.jaxws.ExceptionFactory.createWebServiceException(ExceptionFactory.java:173)
         at org.apache.axis2.jaxws.ExceptionFactory.makeWebServiceException(ExceptionFactory.java:70)
         at org.apache.axis2.jaxws.ExceptionFactory.makeWebServiceException(ExceptionFactory.java:118)
         at org.apache.axis2.jaxws.feature.ClientFramework.addFeature(ClientFramework.java:56)
         at org.apache.axis2.jaxws.binding.BindingImpl.setFeatures(BindingImpl.java:138)
         at org.apache.axis2.jaxws.BindingProvider.initialize(BindingProvider.java:167)
         at org.apache.axis2.jaxws.BindingProvider.<init>(BindingProvider.java:73)
         at org.apache.axis2.jaxws.client.proxy.JAXWSProxyHandler.<init>(JAXWSProxyHandler.java:123)
         at org.apache.axis2.jaxws.client.proxy.JAXWSProxyHandler.<init>(JAXWSProxyHandler.java:114)
         at org.apache.axis2.jaxws.spi.ServiceDelegate.getPort(ServiceDelegate.java:615)
         at javax.xml.ws.Service.getPort(Service.java:133)
         at oracle.apps.epm.fcc.lcm.proxy.LCMAMService_Service.getLCMAMServiceSoapHttpPort(LCMAMService_Service.java:59)
         at oracle.apps.epm.fcc.lcm.common.FCMExportImportHandler.instantiateFCMService(FCMExportImportHandler.java:703)
    It seems that in WebSphere, the security policy is not supported. Any idea what needs to be changed for the client code to work in WebSphere?
    Thanks.

    Hi,
    as you are from Oracle, can you reach out to internal forums and mailing lists? JDeveloper 11.1.1.7 RC1 is not available outside of Oracle and therefore should not have questions posted on this public forum.
    Frank

  • How to secure a J2SE Web Service

    Hi,
    I have created a J2SE Web Service using JAX-WS and I now wish to secure it but I can't seem to work out how to do it in an automated manner.
    I have used the simple Java-First method, writing an annotated java class and then running wsgen to generate the WSDL and required artifacts.
    WSIT seems to be the solution, placing a WSIT config file in a META-INF directory on the classpath. However, in the examples that I have there seems to be a huge amount of overlap between the WSDL and the WSIT config file. Moreover, the content of the WSIT config seems to be dependent on the contents of the WSDL. This means that should I update the implementation class I would have to manually update the WSIT config (unlike the WSDL which would be autogenerated from the Java class).
    Ideally I would like to create two files:
    - myserviceImpl.java
    - wsit-config.xml (using the correct naming convention)
    Then run WSGEN and, hey presto, a full WSDL is generated complete with security policy information. However, it seems that this is not the way it works.
    I'd be grateful for any advice you can give on how to automate this process. My current idea is to generate the WSDL and then use an XSLT step in the build process to drag the WSIT config into the WSDL.
    I'd also be interested in hearing how other people have created secure J2SE web services.
    I am using Eclipse (not NetBeans) and Maven.
    Thanks

    > I am using Eclipse (not NetBeans) and Maven.
    I hate doing this, but have you tried NetBeans? Metro has really tight integration with it and pretty much can do what you want. However, making a programmer change IDE is like suggesting someone to try another religion.

  • How to use Axis to access a web service through Authentication  proxy

    Using Axis to access an internet web service succeeds, but accessing a web service through an authenticating proxy fails. Other Java classes connect through a proxy to the internet, which works very well.
    Please help me, thank you!
    import org.apache.axis.client.Call;
    import org.apache.axis.client.Service;
    import javax.xml.namespace.QName;
    // This is the code that fails to access the web service
    public class TestClient {
       public static void main(String [] args) {
           try {
                System.getProperties().setProperty("http.proxySet", "true");
                System.getProperties().setProperty("http.proxyHost","proxy.com");
                System.getProperties().setProperty("http.proxyPort", "8080");
                System.getProperties().setProperty("http.proxyUser", "username");
                System.getProperties().setProperty("http.proxyPassword","password");
               String endpoint =
                        "http://nagoya.apache.org:5049/axis/services/echo";
               Service  service = new Service();
               Call     call    = (Call) service.createCall();
               call.setTargetEndpointAddress( new java.net.URL(endpoint) );
               call.setOperationName(new QName("http://soapinterop.org/", "echoString") );
               String ret = (String) call.invoke( new Object[] { "Hello!" } );
               System.out.println("Sent 'Hello!', got '" + ret + "'");
           } catch (Exception e) {
               System.err.println(e.toString());
           }
       }
    }
    I get an "(407)Proxy authorization required" error?

    I am also looking for a solution. Does anyone know how to do this through code instead of JVM settings?
    Thanks in advance!

  • Security for a web service

    Hi everyone,
    Scenario :
    I want to secure a web service with SSL.
    I want to call this web service with Java standalone class (not servlet, JSP,...).
    Here is what I've done :
    1) I created a web service with "Secure SOAP" option.
    2) I created a Standalone Proxy.
    3) I created a Java Standalone client and tried to call the web service.
    Here is the code :
         public static void main(String[] args) {
              try {
                   Hello1WebServiceImpl service = new Hello1WebServiceImpl();
                   Hello1WebServiceViDocument port = (Hello1WebServiceViDocument)service.getLogicalPort();
                   System.out.println(port.sayHello1());
              } catch (Exception e) {
                   e.printStackTrace();
              }
         }
    Here is the exception :
    java.rmi.RemoteException: Service call exception; nested exception is:
         java.net.ConnectException: Connection timed out: connect
         at com.proxy.Config1BindingStub.sayHello1(Config1BindingStub.java:80)
         at com.proxy.Config1BindingStub.sayHello1(Config1BindingStub.java:88)
         at SampleComponent.main(SampleComponent.java:23)
    Caused by: java.net.ConnectException: Connection timed out: connect
         at java.net.PlainSocketImpl.socketConnect(Native Method)
         at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:305)
         at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:171)
         at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:158)
         at java.net.Socket.connect(Socket.java:452)
         at java.net.Socket.connect(Socket.java:402)
         at java.net.Socket.<init>(Socket.java:309)
         at java.net.Socket.<init>(Socket.java:124)
         at iaik.security.ssl.SSLSocket.<init>(Unknown Source)
         at com.sap.engine.services.webservices.jaxm.soap.SSLUtilImpl.createSSLSocket(SSLUtilImpl.java:43)
         at com.sap.engine.services.webservices.jaxm.soap.HTTPSocket.initStreamsFromSocket(HTTPSocket.java:500)
         at com.sap.engine.services.webservices.jaxm.soap.HTTPSocket.initializeStreams(HTTPSocket.java:422)
         at com.sap.engine.services.webservices.jaxm.soap.HTTPSocket.getOutputStream(HTTPSocket.java:384)
         at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.HTTPTransport.getRequestStream(HTTPTransport.java:337)
         at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.MimeHttpBinding.outputMessage(MimeHttpBinding.java:433)
         at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.MimeHttpBinding.call(MimeHttpBinding.java:1117)
         at com.proxy.Config1BindingStub.sayHello1(Config1BindingStub.java:73)
         ... 2 more
    Can someone please tell me the steps I must follow ?
    Thanks in advance.
    Message was edited by: David Fryda

    I've run into similar problems using normal SSL over HTTP, and the issues were with my environment configuration ... yours may be with something totally different ... but I fixed my problems by adding the following code before creating the connection.
    // Remove every registered security provider
    java.security.Provider provider[] =
      java.security.Security.getProviders();
    for (int i = 0; i < provider.length; i++) {
      java.security.Security.removeProvider(
        provider[i].getName());
    }
    // Re-register the Sun SSL provider and the base Sun provider
    java.security.Security.insertProviderAt(
    new com.sun.net.ssl.internal.ssl.Provider(), 2);
    java.security.Security.insertProviderAt(
    new sun.security.provider.Sun(), 1);
    // Use the Sun protocol handler package for https URLs
    System.setProperty(
    "java.protocol.handler.pkgs",
    "com.sun.net.ssl.internal.www.protocol");
    You can also accomplish this by modifying the java.security file found in the \jre\lib\security directory.
    Also, because this is a standalone app, be sure to have all the necessary jar files in your classpath ... you can accomplish this by using the -classpath option when calling your program or by moving the files into your \bin\lib\ext directory.

  • ATG - Axis integration for existing web services

    Hello,
    I am currently using the web services as defined in the ATG2007.1/DPS/WebServices/userprofilingWebServices.ear
    I have a need to extend this to do pre-processing before hitting the getProfileId and my understanding is that I need
    to use a Handler to do so. But when I try to modify the web service by trying to point to my own Handler in the
    webservices.xml file with:
    <handler>
    <handler-name>com.mycompany.security.RemoteIPHandler</handler-name>
    <handler-class>com.mycompany.security.RemoteIPHandler</handler-class>
    </handler>
    this handler doesn't seem to be registered (the change is in the JBoss 4.0.5)
    and is never called. Does anyone have experience trying to use a Handler for
    the out-of-box user profile web services? Am I even modifying the correct file/layer?
    Any help would be appreciated.
    Thanks,
    Doug

    If you have SOA Suite licenses, then you can use OSB. OSB provides support for REST.
    cheers
    James

  • Security issue with Web Services on Oracle SOA suite? (Serious?)

    Hi,
    I have recently installed and set up the SOA 10.1.3 on my local machine.
    I created a simple test web service and deployed - worked ok.
    I then added simple plain text security to the service, and again opened it up for testing using the test service function.
    Initially, it returns with the expected message 'missing soap header security'.
    However if you refresh the page / or test the service again, it is then invoked - seemingly bypassing the security !!!
    Oddly the 3rd attempt then shows the security message again, and it seems to alternate between allowing access to the service and imposing the security?!?!
    Has anyone else experienced this?
    Is it a bug? (If so, it's a pretty nasty one that could quite possibly catch a lot of people out!)

    I have now created an independent client in Java to call the WS.
    The security is still bypassed on every other call?!?!
    I have this over HTTPS also, and was hoping this would provide an adequate means of securing my web services.
    How is everyone else securing web services that are exposed to general consumers? Maybe I should find a new approach!

  • LDAP security provider and web service authentication

    Background: we are currently developing web services to our existing weblogic application. Our users can configure user/password authentication in one of three ways: database, LDAP, or SSO. Setting SSO aside, we need to implement the same authentication for database and LDAP that we use in our existing logon servlet in our web services. In our servlet we detect which they are configured for and, if database, authenticate the encrypted password to a database table we have for user id/password. If LDAP we use weblogic.servlet.security.ServletAuthentication and the weak() method to authenticate.
    We've to use SOAP headers to communicate username/password from the client to the web service. We want to code a SOAP message handler to grab the username/password and do the authentication there. We've successfully put something together that handles the database authentication no problem and are now struggling with how to handle the LDAP authentication. We distribute a LDAP security provider we've coded for LDAP authentication. I guess what I am looking for is an equivalent functionality provided with weblogic.servlet.security.ServletAuthentication. Note that I realize the weblogic.servlet.security package has been deprecated starting with Weblogic 9.0 but cannot find what functionality replaces it. Any help there would be appreciated as well.
    Note that I am fairly new to web service development (about 10 months now) and definitely new to web service security and Weblogic security. I tried digging into the volumes of documentation out there regarding these two topics but am simply having a difficult time sorting it all out and figuring out how to do what I want to do.
    Thanks in advance!
    Julia

    Hi,
    Add Provider (LDAP Credentials) in Admin console Security Realm --> defaultrealm --> Providers. Configuring LDAP in Admin Console will enable Admin Server to connect to LDAP. All the LDAP preconfigured Users/Groups will be available in the Users and Groups tab of Security Realms > defaultrealm > Users and Groups. Add Roles using Security Realms > defaultrealm > Roles and Policies > Global Roles > Roles. Add Role Conditions to the role by specifying users/groups configured in LDAP. If your web service runs with SSL, annotate the web service file something like this below.
    @RolesAllowed({
        @SecurityRole(role="test")
    })
    @Policy(
        uri="policy:Wssp1.2-2007-Https-UsernameToken-Plain.xml",
        attachToWsdl=true)
    Here the role is the preconfigured role in Admin Console. Add the following tag in the soapenv:Header.
    <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken>
    <wsse:Username>test</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
    </wsse:UsernameToken>
    </wsse:Security>
    </soapenv:Header>

  • Question: Securing Communications in Web Services: A Tutorial

    Hi all,
    I have been following this tutorial:
    http://developers.sun.com/prodtech/identserver/reference/techart/secure-ws.html
    And it was a pissed-off experience. I have only spent 5 mins on it and I am already stuck.
    Anyway, when I try to deploy the StockServer project, I get the following error:
    am-init:
    am-deploy:
    /home/bwoo/Creator/Projects/webservicessecurity/samples/StockServer/nbproject/am-deploy.xml:46: Could not create task or type of type: amdeploy.
    Ant could not find the task or a class this task relies upon.
    This is common and has a number of causes; the usual
    solutions are to read the manual pages then download and
    install needed JAR files, or fix the build file:
    - You have misspelt 'amdeploy'.
    Fix: check your spelling.
    - The task needs an external JAR file to execute
    and this is not found at the right place in the classpath.
    Fix: check the documentation for dependencies.
    Fix: declare the task.
    - The task is an Ant optional task and the JAR file and/or libraries
    implementing the functionality were not found at the time you
    yourself built your installation of Ant from the Ant sources.
    Fix: Look in the ANT_HOME/lib for the 'ant-' JAR corresponding to the
    task and make sure it contains more than merely a META-INF/MANIFEST.MF.
    If all it contains is the manifest, then rebuild Ant with the needed
    libraries present in ${ant.home}/lib/optional/ , or alternatively,
    download a pre-built release version from apache.org
    - The build file was written for a later version of Ant
    Fix: upgrade to at least the latest release version of Ant
    - The task is not an Ant core or optional task
    and needs to be declared using <taskdef>.
    - You are attempting to use a task defined using
    <presetdef> or <macrodef> but have spelt wrong or not
    defined it at the point of use
    Remember that for JAR files to be visible to Ant tasks implemented
    in ANT_HOME/lib, the files must be in the same directory or on the
    classpath
    Please neither file bug reports on this problem, nor email the
    Ant mailing lists, until all of these causes have been explored,
    as this is not an Ant bug.
    BUILD FAILED (total time: 5 seconds)
    Have any of you had the same problem? I know there is a similar tutorial on NetBeans website but it's even more poorly written.

    No, I have not really worked on it these last days...
    I wonder why there are so few answers to this post. Would we be the only two people who want to do this (be able to access OCS from a web app, reusing the SSO session)?
    My main problem, for these web services, is to pass a password. As we do actually, we should keep a password in clear text in the User session... and I'm not fond of this.

  • Securing SOA 11g Web Services with OWSM AD authentication

    I have SOA 11g with Weblogic 10.3.5 installed and running a Web Service and a Client I want to protect with Active Directory auth and perhaps some other access rules. As I read, I can use OWSM policies to do that. Most guides I found concern OWSM 10g.
    How can I make WL use AD authentication? Do I have to use Access Manager?

    I finally figured it out. The nullpointer exception is related to the SAML assertion. The SAML assertion in my requests is signed with an embedded signature, and this seems to be not supported with the used OWSM policy. Without the signature the exception is gone.
    Marian

  • Testing Security policy attached web service

    Hi,
    I am facing a scenario where I need to test our web service (which has a security policy annotation) in the same way the (external) customer would, i.e. with the security policy attached. So is there any way to test this scenario?
    Though there are some SSSP envts to enable this security policy for the SOAP requests, we want to test in all envts irrespective of Oracle infrastructure (as the customer does).
    Thanks,
    Praveen S K

    We do most of our external testing of this type using soapUI. This allows us to sign/encrypt messages or provide a username/token. This also allows the creation of repeatable test suites with validations built into them.
    Thanks,
    Adam DesJardin

  • Public Web services

    I'm working on a Web Services client application which invokes Web Services methods through a proxy server.
    I'm looking for sites where sample web services are available to test my proxy server access.
    I appreciate some help.
    Regards.

    use HTTP basic authentication? In addition if you don't want the public internet to access it, hide it behind a firewall.
