JAX WS SECURITY

Similar Messages

• JAX-RS security: exiting/applicable Oracle docs?

  Hi,
  I intend to create some RESTful APIs for a product using Jersey JAX-RS RI Version 1.9 deployed on Oracle WLS 11g (10.3.6) as described in Programming RESTful Web Services - 11g Release 1 (10.3.6) but there is no security documentation available for Oracle WLS 11g (10.3.6). But I've found some for Oracle WLS 12c (12.1.1) at web page  Securing RESTful Web Services - 12c Release 1 (12.1.1).
  My question is: are the security mechanisms described in Oracle WLS 12c (12.1.1) web page  Securing RESTful Web Services - 12c Release 1 (12.1.1) applicable also for Oracle WLS 11g (10.3.6)?
  Also where can I find potential issues around JAX-RS/security/Jersey context with Oracle weblogic server?
  Thanks in advance,
  Dim

  Hello,
  A couple of options:
  1. Create a Weblogic Web Service Project with 12c Runtime.
  a. File->New->Web Service Project
  b. Select your 12c runtime
  -You should have a project with the JAX-RS on the java build library path.
  2. Create a standard J2ee Project ie: Web Project
  a. Create A Dynamic Web Project
  b. Select your 12c runtime
  c. Rt Click the Project->Properties->Java Build Path->Libraries->Add External JARs, then navigate and select "WLS 12c Dir"\modules\com.sun.jersey.core_"version".jar
  This should allow the resolution of the javax.ws.rs.* annotations.
  Additionally, you may need to rt. click the Deployment Descriptor of your project and select Generate Deployment Descriptor Stub. Subsequently add the following:
  <servlet>
  <servlet-name>JAX-RS Application</servlet-name>
  <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
  <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
  <servlet-name>JAX-RS Application</servlet-name>
  <url-pattern>*</url-pattern>
  </servlet-mapping>

• Error from sample JAX-WS security from documentation: Failed to get token

  I am trying example 2-1 for the server and 2-3 for the client and i am using WLS 10.3.5:
  http://docs.oracle.com/cd/E21764_01/web.1111/e13713/message.htm#CDEBIJEJ
  i get some errors when trying to compile/generate the source listed, but i work around those.
  and i hardcode some values ( like username/password, keystore locations, etc).
  i can deploy the web service successfully and execute the client.
  I have some debugging turned on, so i see that the messages are being successfully encrypted and decrypted.
  However, i get an exception back from the server:
  [java] Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Failed to get token for tokenType: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
  [java]      at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:197)
  [java]      at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:122)
  [java]      at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:125)
  [java]      at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:95)
  [java]      at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:136)
  [java]      at $Proxy30.echo(Unknown Source)
  [java]      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  [java]      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  [java]      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  [java]      at java.lang.reflect.Method.invoke(Method.java:597)
  [java]      at weblogic.wsee.jaxws.spi.ClientInstanceInvocationHandler.invoke(ClientInstanceInvocationHandler.java:84)
  [java]      at $Proxy31.echo(Unknown Source)
  [java]      at wssp12.wss10.Test.main(Unknown Source)
  For the Service:
  I have used exactly the same policies from the example.
  i did have to comment out the @WLHTTPTransport clause ( the error gives me the impression it is no longer supported )
  For the client:
  The generated port no longer takes just string for the wsdl url, so i don't pass in a url at all. i let it use the URL from the client gen process. I also hard coded a username/password i created.
  any thoughts?
  These examples don't mention anything about Secure Token Server ( although, i see it mentioned later down the page after other examples ). Do these examples require an STS be configured? or is that unrelated to my exception?
  Thanks for the help!!!
  Follow up:
  i added the following ( which i think should take care of the STS part i was asking about):
  61 String sts="https://TESTUESR0:7002/UsernameTokenPlainX509SignAndEncrypt/simpleSecureService";
  62 requestContext.put(weblogic.wsee.jaxrpc.WLStub.WST_STS_ENDPOINT_ON_WSSC,sts);
  but this made no difference.
  Edited by: user733322 on Feb 17, 2012 7:38 AM

  DTC was running on remote computer. The problem was it was no longer accepting transactions from remote servers. This was in SSIS so I had to turn to "Transaction Supported" for all Data Flow Transactions.
  Greg Hanson

• Setting WS-Security Actor Element

  Hello,
  I am trying to write a client to a service secured with WS-Security. The service checks the Actor attribute in the SOAP header, and if that attribute is not found or is different from the set Actor, it ignores the message. So my question is how should this attribute be set? Is the best way to write a handler to add it to the &lt;wsse:Security&gt; element, or is there a way to set it up in the xml configuration? I think it would be really nice to have this in the JAX-RPC security wizard, or at least to be able to easily set it up in the config files.
  Thanks,
  KS

  Hi Srinivas,
  You can go for SOAP adapter for your requirement.
  To add......if u wantt to check out the details of SOAP adapter.......
  SOAP Adapter: SOAP Adapter converts the SOAP messages into SAP XI message format that is SOAP with header attachments. This in an area many needs to really concentrate as it is heart of the ESA literature going forward.
  Refer Testing XI exposed Web-Services:
  /people/siva.maranani/blog/2005/03/01/testing-xi-exposed-web-services
  and Invoking XI Webservices:
  /people/siva.maranani/blog/2005/09/03/invoke-webservices-using-sapxi
  RFC to WebService - A Complete Walkthrough - Part 1
  /people/shabarish.vijayakumar/blog/2006/03/23/rfc--xi--webservice--a-complete-walkthrough-part-1
  and RFC -> XI -> WebService - A Complete Walkthrough -Part 2.
  /people/shabarish.vijayakumar/blog/2006/03/28/rfc--xi--webservice--a-complete-walkthrough-part-2
  You can down load a sample SOAP Client tool from SAP SOAP Client Tool.
  https://www.sdn.sap.com/irj/sdn/downloads
  Please refer How to Set Up a Web Service-Related Scenario with SAP XI for delving more deep.
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/befdeb90-0201-0010-059b-f222711d10c0
  Reward points if this helps
  Regards
  Vani.

• Com.sun.xml.wss.configuration.SecurityConfigurationXmlReader exception

  Hi,
  Lately when I tried to run the 'simple' application specified in the JWSDP 1.5 tutorial (JAX-RPC security part), i got the following error:
  exception
  javax.servlet.ServletException: com.sun.xml.wss.configuration.SecurityConfigurationXmlReader.readJAXRPCSecurityConfigurationString(Ljava/lang/String;Z)Lcom/sun/xml/wss/configuration/JAXRPCSecurityConfiguration;
       org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:291)
       org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162)
  root cause
  java.lang.NoSuchMethodError: com.sun.xml.wss.configuration.SecurityConfigurationXmlReader.readJAXRPCSecurityConfigurationString(Ljava/lang/String;Z)Lcom/sun/xml/wss/configuration/JAXRPCSecurityConfiguration;
       com.sun.xml.rpc.security.SecurityPluginUtil.(SecurityPluginUtil.java:128)
       security.Security_Stub.(Security_Stub.java:40)
       security.SecurityService_Impl.getSecurityPort(SecurityService_Impl.java:59)
       securityclient.SecurityServlet.doGet(SecurityServlet.java:60)
       javax.servlet.http.HttpServlet.service(HttpServlet.java:747)
       javax.servlet.http.HttpServlet.service(HttpServlet.java:860)
       sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       java.lang.reflect.Method.invoke(Method.java:585)
       org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:246)
       java.security.AccessController.doPrivileged(Native Method)
       javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
       org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:273)
       org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162)
  Can anybody help me?

  Which appserver are you using?
  If you are using Sun's appserver, the version supported by JWSDP 1.5 is 8.0.0_01. Can you please make sure that this is the version of the appserver you are using.
  Also, here's the link to the download page of this version of the appserver:
  http://javashoplm.sun.com/ECom/docs/Welcome.jsp?StoreId=22&PartDetailId=sjsas_pe-8.0_01-oth-JPR&SiteId=JSC&TransactionId=noreg
  HTH,
  Vishal

• Simplifing WsSecurity to JaxWS metro Implementation

  I'm using JaxWs Metro project implementation and i'm using this tutorial to add Ws Security feature to my web services. http://java.globinch.com/enterprise-java/web-services/jax-ws/secure-usernametoken-java-web-services-using-metro-wsit/
  What i have understand is that to add a Ws Security to your web service.You must first generate manually the wsdl file then add WSIT configuration part to your web service then put that modified wsdl in your project and modify sun-jaxws.xml so that take care of your modified wsdl file(so that it will not generate a new one). I think it's extremley difficult to do all that for all my web services.In addition,i'm using eclipse so there is no generating tool(like netbeans). I want to know is there any simple solution ?

  On 9/10/2013 5:26 AM, Joseph Hwang wrote:
  > I am struggling with jbossws-cxf-4.2.0.Final ws-security implementation
  > with eclipse ide.
  > [snip]
  > I try to jbossws-cxf ws-security in eclipse ide.But there is no document
  > or reference site.
  > Pls, check this issue, https:/community.jboss.org/thread/232031
  > Your advice will be appreciated! Thanks in advance
  This would be more a topic to take up in the Eclipse web tools platform
  forum.

• Passing SAML Tokens to Webservice

  Hi All
  I have to create a webservice client which passes
  Username token, SAML1.1 , 2 , X509 Tokens.
  My experience runs low on webservices.
  Kindly point to some documents, which specifies
  the way to incorporate these token to the webservice call.
  Thanks in advance.
  Shaan

  One method to accomplish this is to leverage an STS to issue security tokens. These security tokens can then be placed into the WS-Security headers of the SOAP requests generated by your web service client. Ping Identity has a product called PingTrust. It is an STS that can issue SAML 1.x, SAML 2.0 and custom tokens, and validate SAML 1.x, SAML 2.0, UserName/Password, Kerberos, X.509 and custom tokens. The product includes SDK;s and JAX-RPC security interceptors that can be used by the application developer to integrate with PingTrust.

• WS security on webservices with JAX-WS Provider Interface

  Hi Experts:
  I have developed webservices with JAX-WS Provider Interface (WSProvider),it gives message level handling and also eliminates POJOs for user defined types; but how to add operation level Weblogic security policy on such services ?
  In my Weblogic console, I can see the endpoint of the service, and my services has at least 10 operations as defined in the WSDL, but I do not see operations details in the server console when I try to attach Weblogic security policy; so how do I add security rule to decide which operation is allowed by which user?
  am I missing something? or this is not possible ?  I am using WSProvider Interface and wondering is any issue because of that?  Or my operations should be visible regards of any JAX-WS standards implementation ?
  Thanks in advance!

  appaerently with the switch to the oc4j ws providers - a regression was introduced - bug 5665917 ... which is to be fixed for 10.1.3.3 ..
  pls contact oracle support to retrieve the patch ..
  /clemens

• Jax RPC and security

  Hello
  i have a little question about the jax rpc and security stuff
  i have a webservice running
  once over http://localhost:8080/appl/service
  and over ssl too http://localhost:8443/appl/service
  i am starting the server and then the client is generating static stubs over the ...8080/appl/ws/service?WSDL
  is it possible to let the client application generate the stubs over the https port?
  or do i have to secure the files on port 8080 via authentication then let the ClientDeveloper download the wsdl-files and let him then create the stubs with a local copy of the wsdls?
  Any sugestions?
  Thx for any Ideas
  Michael / Adraw

  Michael / Adraw,
  Sorry for piggybacking on your request but I see you have your web service running on over SSL. When I tried that with the jwsdp 1.3 I am unable to browse pages over SSL with netscape and I can not connect with a client web services application (written in java).
  Are you able to do this with jwsdp 1.3??
  Brian Mason
  [email protected]

• Ws security and jax-ws

  Hello.
  Does anybody knows, how can i implement ws security with jax-ws?
  I know i can do it with axis 2, but i dont know if i can do it only with jax-ws.
  Thanks in advance.

  WIS is not suppported on WLS JAX-WS. You'll need to use other authentication mechanisms such as http basic (which you tried already), or message-level security such as UNT, or SAML.
  Regards,
  Pyounguk

• Problems with JAX-WS when using security (e.g. username token profile)

  Hello,
  I am deploying a web service on weblogic 11g (10.3.1) with this policy:
  @Policy(uri = "policy:Wssp1.2-2007-Https-UsernameToken-Plain.xml",attachToWsdl=true)
  I have another web application as client which is using a JAX-WS SOAP handler to communicate with web service
  and everything works fine when my client is deployed on tomcat 6 (JRE 6) (anthentication goes through)
  The handleMessage() method of my handler is posted here :
       public boolean handleMessage(SOAPMessageContext context) {
       m_logger.debug("UserNameTokenHandler handleMessage() called");
       Boolean outboundProperty = (Boolean) context.get (MessageContext.MESSAGE_OUTBOUND_PROPERTY);
       SOAPMessage message =context.getMessage();
  if (outboundProperty.booleanValue()) {
       m_logger.debug("\n (client protocol handler) Outbound message:");
  try {
       SOAPEnvelope envelope = context.getMessage().getSOAPPart().getEnvelope();
       SOAPHeader header = envelope.getHeader();
       if (header == null ) {
            header = envelope.addHeader();
       SOAPElement security = header.addChildElement("Security", "wsse", WSSE_NAMESPACE);
       SOAPElement usernameToken = security.addChildElement("UsernameToken", "wsse");
       usernameToken.addAttribute(new QName("xmlns:wsu"), WSU_NAMESPACE);
       SOAPElement username = usernameToken.addChildElement("Username", "wsse");
       username.addTextNode(user);
       SOAPElement password = usernameToken.addChildElement("Password", "wsse");
       password.addTextNode(pass);
       } catch (Exception e) {
            m_logger.error("Failed to add username token profile security", e);
  } else {
       m_logger.debug("\n (client protocol handler) Inbound message:");
  return true;
  but when I deploy the same client on weblogic server it fails to communicate with my web service with this error:
  javax.xml.ws.soap.SOAPFaultException: Unable to add security token for identity, token uri =http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
  I noticed Weblogic has some packages to handle security like:
  weblogic.wsee.security.unt.ClientUNTCredentialProvider
  weblogic.xml.crypto.wss.provider.CredentialProvider
  weblogic.xml.crypto.wss.WSSecurityContext
  So I added another mechanism using weblogic package to add username password to SOAP header
  Map<String, Object> request = ((BindingProvider) proxy).getRequestContext();
            if (connectInfo.get("username") != null && connectInfo.get("password") != null) {
            List<CredentialProvider> credProviders = new ArrayList<CredentialProvider>();
            //client side UsernameToken credential provider
            CredentialProvider cp = new ClientUNTCredentialProvider((String)connectInfo.get("username"),
                      (String)connectInfo.get("password"));
            credProviders.add(cp);
            request.put(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, credProviders);      
  This seems to be ok but only for weblogic.
  I don't want to have one client for deploying on weblogic and another one for JAX-WS
  I suppose weblogic follows the standard and should support the original approach.
  Is this an incompatibly issue or am i missing something

  In one of WLP Pageflows, I invoke a SOA BPEL WebService that needs Security Header like the way you have. I have my own Handler class and I call the below private method in handleMessage(...) and so far it is working fine. Security Header is adding fine.
  One difference I could see in your method and my method is when we create SOAPElement for "Security" Tag, at the time of creation itself, I pass the third argument also that is the namespace. I remember vaguely, when I used code like yours, like first instantiate with only 2 args. Then set the namespace. It did not work. So I used the API, that takes the namespace as third argument.
  So try something like below. This is a working code snipped deployed on WLP 10.3 (WLP is on top of WLS 10.3).
  Thanks
  Ravi Jegga
       private void setSOAPSecurityHeader(SOAPEnvelope soapEnvelope) throws Exception {
            try {
                 //soapEnvelope.addNamespaceDeclaration("soap", "http://schemas.xmlsoap.org/soap/envelope/");
                 soapEnvelope.addNamespaceDeclaration("wsu", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
                 SOAPHeader header = soapEnvelope.addHeader();
                 String namespace = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
                 SOAPElement securityElement = header.addHeaderElement(soapEnvelope.createName("Security", "wsse", namespace));
                 securityElement.addNamespaceDeclaration("", namespace);
                 //securityElement.addNamespaceDeclaration("env", "http://schemas.xmlsoap.org/soap/envelope/");
                 SOAPElement usernameTokenElement = securityElement.addChildElement(soapEnvelope.createName("UsernameToken", "wsse", namespace));
                 usernameTokenElement.addNamespaceDeclaration("", namespace);
                 SOAPElement usernameElement = usernameTokenElement.addChildElement(soapEnvelope.createName("Username"));
                 SOAPElement passwordElement = usernameTokenElement.addChildElement(soapEnvelope.createName("Password"));
                 // For Testing Purposes only hardcoded this username and password values. Later on this may be set dynamically
                 usernameElement.setValue("xxxxxxx");
                 passwordElement.setValue("yyyyyyy");
                 //SOAPBody soapBody = soapEnvelope.getBody();
                 //SOAPHeader soapHeader = soapEnvelope.getHeader();
            } catch (Exception e) {
                 // Handle This error in the main method that is calling this private method. So just return the Exception as it is...
                 throw e;
       }

• JAX-WS web service client and Windows integrated Security authentication

  I am currently developing a JAX-WS web service client running on WebLogic 10.3.2.0. The client is connecting to exchange web service running on IIS.
  Everything works well when EWS is configured with Http basic authentication.
  The problems started when I changed the autentication method on EWS from Http basic authentication to Windows integrated Security authentication.
  The client is then unable to authenticate to the web service. Every request made to EWS returns with the message : Invalid HTTP server response [401] - Unauthorized.
  I tried using an authenticator like this one:
  static class RetrieveWSDLAuthenticator extends Authenticator
  private String username, password;
  public RetrieveWSDLAuthenticator(String user, String pass)
  username = user;
  password = pass;
  @Override
  protected PasswordAuthentication getPasswordAuthentication()
  return new PasswordAuthentication(username, password.toCharArray());
  and setting it as the default authenticator :
  Authenticator.setDefault(new MyAuthenticator("username", "password"));
  but the method getPasswordAuthentication() was not even called.
  Is there a way to make a JAX-WS client works with Windows integrated Security ?

  WIS is not suppported on WLS JAX-WS. You'll need to use other authentication mechanisms such as http basic (which you tried already), or message-level security such as UNT, or SAML.
  Regards,
  Pyounguk

• Implementing Security in web services developed using JAX WS approach

  Hi ,
  Our Organization has developed a Web service using JAX WS approach exposing EJB as EndPoint .This wsdl file URL is only used by third party companies that register with us (Means i want to say that this wsdl url is not world wide accessable).
  Now we need to implement security for this service , please tell me what is the appropiate for doing so ??
  Thank you in advance .
  Waiting for your valuable suggestions .
  Please help .

  You can implement message level security in many ways. Some of the ways are
  SAML
  Digital certificates etc
  You may have to work with your vendor specific API to achieve this. Take a look at one case study.
  http://www.ibm.com/developerworks/webservices/library/ws-security.html
  You will find lot of articles on google to implement message level security however my recommendation would be to get in touch with security expert.

• Secure the JAX-RPC United Loan Web Service with WS-Security source file not

  A download link 'http://www.oracle.com/technology/obe/obe1013jdev/secureunitedloan/SecureUnitedLoanSource.zip' referenced by 'http://www.oracle.com/technology/obe/obe1013jdev/secureunitedloan/SecureUnitedLoan.html' cannot be found.

  After some research I found that:
  1. on geronimo 2.1 you can only use basic authentication for webservices
  2. advanced security requires the use of axis2

• How to secure a J2SE Web Service

  Hi,
  I have created a J2SE Web Service using JAX-WS and I now wish to secure it but I can't seem to work out how to do it in an automated manner.
  I have used the simple Java-First method, writing an annotated java class and then running wsgen to generate the WSDL and required artifacts.
  WSIT seems to be the solution, placing a WSIT config file in a META-INF directory on the classpath. However, in the examples that I have there seems to be a huge amount of overlap between the WSDL and the WSIT config file. Moreover, the content of the WSIT config seems to be dependent on the contents of the WSDL. This means that should I update the implementation class I would have to manually update the WSIT config (unlike the WSDL which would be autogenerated from the Java class).
  Ideally I would like to create two files:
  - myserviceImpl.java
  - wsit-config.xml (using the correct naming convention)
  Then run WSGEN and, hey presto, a full WSDL is generated complete ith security policy information. However, it seems that this is not the way it works.
  I'd be grateful for any advice you can give on how to automate this process. My current idea is to generate the WSDL and then use an XSLT step in the build process to drag the WSIT config into the WSDL.
  I'd also be interested in hearing how other people have created secure J2SE web services.
  I am using Eclipse (not NetBeans) and Maven.
  Thanks

  I am using Eclipse (not NetBeans) and Maven.I hate doing this, but have you tried Netbeans? Metro has really tight integration with it and pretty much can do what you want. However, making a programmer change IDE is like suggesting someone to try another religion.