Protecting a Web service in XI 7.0

Similar Messages

• Password protecting a web service

  I have to develop a web service which will need to validate the client that is requesting the service. Should I include the user/password information in the SOAP payload or should they be better placed in the headers? If so, how could I achieve that with JDev 902/903 does the web service wizard will support something like this? Does any one has some sample code?
  Additionally, is there a way to encrypt both the user and password so they won't be transmited as plain text? Are there any samples doing something like this?
  Thanks,
  Fedro

  Jdev 902/903 does not directly support this. But you can pass a username and password pragmatically by modifying the generated proxy.
  You can send the user name and password not as part of SOAP message but as part of HTTP headers. On the server side you can set the basic security to protest the SOAP servlet end point using basic j2ee features.Look at the OC4J developer's guide.

• How to prevent downloading wsdl in weblogic web service client

  Hi,
  I get a problem regarding weblogic web service client. My working environment:
  weblogic server 8.1
  Windows XP SP2
  JDK 1.4
  I use the weblogic tool to generate the client jar file from the wsdl file.
       <target name="generate-client">
            <clientgen wsdl="ACCESS.wsdl"
                 packageName="xxxxxx.client"
                 clientJar="${client}/${AccessClient_jar_file}"
                 keepGenerated="true"
                 saveWSDL="true"
            />
            <javac srcdir="${source}"
            destdir="${client}"
            includes="**/AccessClient.java">
            <classpath>
            <pathelement path="${client}/${AccessClient_jar_file}"/>
            </classpath>
            </javac>
       </target>
  After that, I create a client java file to invoke the service deploy in the server.
  public static void main(String[] argv)
  throws Exception
       int transactionId = 100;
       int id = 1000;
  // Setup the global JAXM message factory
  System.setProperty("javax.xml.soap.MessageFactory", "weblogic.webservice.core.soap.MessageFactoryImpl");
  // Setup the global JAX-RPC service factory
  System.setProperty( "javax.xml.rpc.ServiceFactory", "weblogic.webservice.core.rpc.ServiceFactoryImpl");
  AccessServicePorts ws = new AccessServicePorts_Impl(argv[0]);
  AccessService port = ws.getAccessService();
  // Resource - create
  Resource resource = new Resource();
  resource.setRES_CD("Create ResCo");
  resource.setCODE_CODE("code_cod");
  resource.setRES_TYPE("Resource typ");
  resource.setCOMMON_FIELD(common);
  AccessDefaultResult resultItems = port.createResource(resource);
  System.out.println("createResource : " + resultItems);
  I find that this web service client always issue 2 http requests to invoke an web service method deployed in server.
  1st http reqeust:
  GET /AccessEpol/EpolServiceSoap?WSDL HTTP/1.1
  User-Agent: Java/1.4.2_08
  Host: 127.0.0.1:8001
  Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
  Connection: keep-alive
  the return result is the wsdl downloaded from the server.
  2nd http request is the real web service request.
  The question is how could I eliminate the 1st http request because it's really unnecessary. I use other web service client like Axis 1.x, Axis client never has the http request to download the wsdl from the server.
  I read through weblogic web service document. It do mentions that put saveWSDL="true" in the clientgen ant task. the default value for saveWSDL is true already. I did try saveWSDL="false" also. None of them can eliminate the 1st http request.
  appreciate for any answer my question?

  Hi David,
  thanks for the reply.
  More or less I agree some points you mentioned above.
  I did use Axis 1.x to test the inter-operability. The web service was developed in Weblogic 8.1 and is a part of an existing web application. It will be merged to existing application deployed in weblogic 8.1.
  I also program the web service client to test the web service.
  The implementation of the server and client will be handed over the project team and training for supporting or continuous development have to be conducted by me. So I don't like to use two types of technologies which will make thing complex.
  I found this issue when I tried to protected the web service endpoint, eg http://localhost:7001/epol/service, using the web application Basic mechanism. The wsdl URL http://localhost:7001/epol/service?WSDL is also protected in this case. Unfortunately the username/password pair is not sent to the server when the weblogic client download the WSDL from the server. In this case, the client failed and throw exception.

• LV2012 Web Services w/ NI Auth login not working w/ static files in Firefox 19

  Hi!
  I followed this procedure to password protect my web service and the static files. 
  http://digital.ni.com/public.nsf/allkb/DF41D5DA8EEB4840862577D90058C208
  When testing it out with my web service it seems to work fine on any web browser.  http://localhost:8080/add/add/1/2 first will present a login.  Once the user is logged in the page refreshes and the results of the operation are shown.  http://localhost:8080/logout works as well.
  I followed the procedure in the FAQ to include an index.html file.
  http://www.ni.com/white-paper/7747/en#toc15
  When I try to access the page (via http:localhost:8080/add/web/index.html) I'm greeted with the National Instruments login screen.  I enter my credentials and in Chrome and Internet Explorer the screen refreshes and I see my html file.  In Firefox it hangs for awhile on the authentication screen and then reloads back to the authenticaiton screen (as if the username and password did not take).
  Attached are my files.  If you want to try and recreate this please follow this procedure:
  * Unzip the attached project to a folder
  * Open the project in LabVIEW 2012
  * Check the properties of the web service to ensure that the build paths are correct
  * Follow the procedure above for setting up NI Auth on your web service and adding the "testpermission2" permission.  Be sure to remove "Everyone" from that "testpermission2" or you will never see a login prompt.
  * Build/Deploy the web service
  * open http://localhost:8080/logout to ensure that you are not currently authenticated
  * open http://localhost:8080/add/add/1/2 and login, observe behavior
  * open http://localhost:8080/add/web/index.html you should still be logged in so you will see the "Hello World!" just fine
  * open http://localhost:8080/logout to log back out
  * open http://localhost:8080/add/web/index.html and see if you are able to login.
  I've tried disabelling my plugins in Firefox and still have this problem.  I'm really scratching my head on how to overcome this other than throwing away NI Auth and use something else.  My web service is going to run off of a static front end driven by javascript and html.  So the access point will be the html file.  I need to have some username and password scheme worked out.  I also need to be able to see what user is currently logged in with my Web Service VIs (does anyone know if that is possible with NI Auth)? 
  The other BIG issue I have with NI Auth is that it requires Silverlight.  So much for mobile support, eh?  Anyone know of a good plug-and-play alternative so I don't have to reinvent the wheel?  I guess I could impliment some kind of token system on my web service side.
  In the meantime, getting NI Auth to properly work with Firefox would help.
  Thanks for your input,
  -Nic
  Attachments:
  Example Web Service.zip ‏15 KB

  Disclaimer: I in no way mean to bash NI and I have used NI Auth myself in the past
  If you are going to go to the trouble of abstracting NI Auth, I would recommend instead investing your time in your own authentication scheme (or implementing a standard scheme in LV).
  NI Auth is great and works for low security applications where you just don't want people fooling around with your application who shouldn't be.
  However, NI Auth is really not that secure.  If I remember correctly, the username is transmitted in plain text and I don't think the encryption algorithm is that sophisticated.  It is nice that it's already integrated into LV, but there really are very few features at this time.
  If you want something to be really secure, you need to take measures beyond what NI Auth provides and before you go to the work of building abstraction on top of a basic and somewhat shaky protocol, I'd seriously consider implementing a more stable base.
  <insert 2 cents complete>
  Chris
  Certified LabVIEW Architect
  Certified TestStand Architect

• Web services security

  I want a JAX-Ws web service deployed in weblogic that does userid/password authentication. It would be nice if Oracle could provide a good working example of this.
  I tried the following so far:
  1. I tried on the web service samples: under wlserver_10.3/samples/server/examples/src/examples/webservices/security_jws. I built and deployed the service successfully to WSL 10.3.0. I used the test Java client and it seems to work. Then I tried connecting to the web service using SOAP UI client. SOAP UI was able to call the web service operation without being prompted for id or password.
  2. I tried the steps under Security->Authentication->Basic Authentication section of this document:
  http://e-docs.bea.com/workshop/docs81/doc/en/core/. I setup a security-constraint (to protect the web service url context), login-config, security-role and then in weblogic.xml I mapped the role to the 'users' role in weblogic server. It does not work. SOAP UI was able to invoke the operation without being prompted.
  Another interesting thing I found was that on the client side if I use code like this:
  BindingProvider bindingProvider = (BindingProvider) port;
  Map<String, Object> reqContext = bindingProvider.getRequestContext();
  reqContext.put(BindingProvider.USERNAME_PROPERTY, "weblogic");
  reqContext.put(BindingProvider.PASSWORD_PROPERTY, "xxxxxx");
  and supply the wrong password, client connection fails. However if I take out both user name and password properties, the client connection works!!!
  Please provide good working example of some of these simple cases. May be on your new sample code website (www.samplecode.oracle.com). Thanks.

  One item 1 in my post above, I was wrong about SOAP UI when connecting to the example in wlserver_10.3/samples/server/examples/src/examples/webservices/security_jws folder. A client connection from SOAP UI is indeed refused by the server due to lack of security headers. So that's good.
  However, I changed the security_jws example ant build file and added the parameter type="JAXWS" to the jwsc task as well as clientgen task. I got the following error.
  BUILD FAILED
  C:\Oracle\Middleware\wlserver_10.3\samples\server\examples\src\examples\webservices\security_jws\build.xml:48: weblogic.
  wsee.tools.WsBuildException: JWS Validation failed: [The WebLogic Server 9.x-style policy is not supported in JAX-WS web
  services., The WebLogic Server 9.x-style policy is not supported in JAX-WS web services., The WebLogic Server 9.x-style
  policy is not supported in JAX-WS web services., The annotation weblogic.jws.WLHttpTransport is not allowed on examples
  .webservices.security_jws.SecureHelloWorldImpl because it is a JAX-WS type web service., The WebLogic Server 9.x-style p
  olicy is not supported in JAX-WS web services., The WebLogic Server 9.x-style policy is not supported in JAX-WS web serv
  ices., The WebLogic Server 9.x-style policy is not supported in JAX-WS web services., The annotation weblogic.jws.WLHttp
  Transport is not allowed on examples.webservices.security_jws.SecureHelloWorldImpl because it is a JAX-WS type web servi
  ce.]
  Total time: 2 seconds
  What is recommended way to do secure a jax-ws web service in Weblogic 10.3.0 or 10.3.1? Do these Weblogic versions support WSIT (https://wsit.dev.java.net/)? Please provide an example.

• Web service proxy on security issue

  Using jdeveloper 11g R1(11.1.1.2.0)+fusion middleware em :
  1.I protected a web service with wss policy of wss_user_name_token_service_policy then deployed to in independent WLS 10.3.2
  2.Created a web service proxy with wss policy of wss_user_name_token_client_policy with csf-key being 'demo' in a ADF web project,the proxy can be invoked by a JSF page.Then deployed this client web project in same WLS.
  3.Access the JSF page then get error:racle.wsm.common.sdk.WSMException: WSM-00015 : The user name is missing. I created the key of 'demo' with correct user name and password on EM under map of oralce.wsm.security, still throw such error.
  However, using the web service data control can works right:
  4.Created a web service data control with wss policy of wss_user_name_token_client_policy with csf-key 'being' demo2 and a wrong user name and password in the ADF web project. Then created another JSF page using the web service data control.
  5.Deployed the web project in WLS.
  6.Created the key of 'demo2' with correct user name and password in map of oracle.wsm.security on EM
  6.Access the JSF page that invokes the web service data control.
  It worked right. This is what I expected that user name and password of service client should not be specified in design time but after deployment. The client app will send correct SOAP request with auth head after creating its required key on EM.
  The question is why web service proxy can not work right even create its key on EM after deployment to WLS? Seems the policy in client does not take any effective when sending request.

  This depends on the webservice types:JAX-WS or RPC-WS.
  Also the jdeveoper need enhancement

• Ws-basic username inside pl/sql procedure published as web service

  I'm new to jdeveloper, but been working with Oracle for 13 years...
  We have used Jdevelper to expose a pl/sql procedure as a web service using the "Publish as web service..." wizard. We then used Web Services Manager in server agent mode to protect that web service using ws-basic header auth. OWSM does a lookup on the user supplied credentials against our active directory ldap server to determine if the user should be able to call the service. That all works, EXCEPT...
  The problem is that the stored procedure runs a query against data protected by virtual private database and extensive audit logs. We need access to the ws-basic credential from within oracle so that we can set the session context and pull the end-user's id for auditing purposes.
  Right now, all we know inside the stored procedure is the oracle username used to connect to the database. This is of course different from the one used to authenticate our user in the OWSM layer.
  The pl/sql procedure does not have a parameter to specify the user name, and even if it did, there is no way for us to verify that any user supplied parameter matches the credentials used in OWSM.
  So, I assume, I need to modify the code generated by the "Publish as web service" wizard and somehow pull the ws-basic credentials (just username) and push them into the Oracle session_context.
  Anyone have any sample code or advice on how to get access to ws-basic credentials or even any of the metadata on a certificate supplied to OWSM for authentication/authorization?

  I change p_action value ( before p_action => 'alta' ) now ( p_action => '"alta"' )
  res := Xxm_Web_Service_Client_Pkg.invoke(p_init_msg_list => FND_API.G_TRUE,
  p_url => 'http://198.137.253.178:7777/event/DefaultSystem/clienteService_RS',
  p_action => '"alta"',
  x_return_status => l_return_Status,
  x_msg_count => l_msg_count,
  x_msg_data => l_msg_data,
  x_req => req)
  And the invokation an ESB service from a PLSQL procedure began to work fine !!!
  Thanks for all answers
  Thans Peter !!!
  Claudio

• Calling a web service deployed in a SSO protected domain

  Hello,
  I want to write a web service based on a stateless session EJB and to deploy it as part of an application on an OC4J server. The application is protected by SSO.
  My question is: how should I write a client stub for that web service? How are the name and the password provided in the client stub in order to call web service (that will be also protected as part of the protected application)?
  Regards,
  Marinel

  Ditto. I get the feeling that no reply to your message must mean that OC4J doesn't support this.
  An even simpler scenario is getting an Applet client to connect to an EJB without having to provide the username and password from the Applet. Otherwise, we are forced to ask the user to login for every applet or we embed the user/pass in applet params. Both are unacceptable.
  Any ideas.

• Unable to invoke a protected web service from PL/Sql

  Hi All
  I am trying to invoke a protected web service from Plsql. But getting the below error.
  error message is ORA-31011: XML parsing failed
  ORA-19202: Error occurred in XML processing
  LPX-00104: Warning: element "html" is not declared in the DTD
  Error at line 2
  If i try to invoke the service after disabling the protection then i am able to call it and getting response. Pls let me know how to deal with this authentication issue.
  Below is the invoking code i am using.
  BEGIN
  generate_envelope(p_request, l_envelope);
  show_envelope(l_envelope);
  l_http_request := UTL_HTTP.begin_request(p_url, 'POST','HTTP/1.0');
  UTL_HTTP.set_header(l_http_request, 'Authorization', 'Basic Y29tcGxpYW5jZS5nZW46Y29tcGxpYW5jZQ11');
  UTL_HTTP.set_header(l_http_request, 'Content-Type', 'text/xml');
  UTL_HTTP.set_header(l_http_request, 'Content-Length', LENGTH(l_envelope));
  UTL_HTTP.set_header(l_http_request, 'SOAPAction', p_action);
  UTL_HTTP.write_text(l_http_request, l_envelope);
  l_http_response := UTL_HTTP.get_response(l_http_request);
  UTL_HTTP.read_text(l_http_response, l_envelope);
  UTL_HTTP.end_response(l_http_response);
  l_response.doc := XMLTYPE.createxml(l_envelope); -- Error Line
  l_response.envelope_tag := p_request.envelope_tag;
  l_response.doc := l_response.doc.extract('/'||l_response.envelope_tag||':Envelope/'||l_response.envelope_tag||':Body/child::node()',
  'xmlns:'||l_response.envelope_tag||'="http://schemas.xmlsoap.org/soap/envelope/"');
  show_envelope(l_response.doc.getstringval());
  check_fault(l_response);
  RETURN l_response;
  END;
  I tried invoking the service by passing username and password in LDE tool and captured the Request SOAP Message. I saw username/password encrypted to "Y29tcGxpYW5jZS5nZW46Y29tcGxpYW5jZQ11". Hence tried with that.
  I have also tried the below line for authentication but it is not working.
  utl_http.set_authentication(l_http_request, 'myusername', 'mypassword','Basic',false);
  Pls assist me in resolving this.
  Thanks,
  PKV

  One more update i tried printing l_http_response.status_code and got 302.
  Thanks,
  PKV

• Protecting a REST web service with Policy Agent

  I have deployed a REST web service in Glassfish using Jersey Annotations. A UI in the same Glassfish instance is protected by a policy agent that forces users through a login page. I would like to protect the REST web service with BASIC Authentication using the same policy agent. Is this possible? Is there supporting documentation?

  Hi Daniel,
  When you publish a message through Rest, hope your Restful service will receive/process the posted message?
  So
  YourBizTalk -->(Post Message to)-->RestFulService
  From the error message, "the published message could not be routed because no subscribers were found.", it seems like the this Restful service is a
  wrapper (or service interface) for BizTalk at client end( where message has been posted thru Rest) and actual posted message is “processed” by BizTalk and the error "" is from BizTalk "after" Rest. This message says the message you posted
  through rest is not found subscription at their end.
  So
  YourBizTalk -->(Post Message to)-->RestFulService -->Clients'BizTalk.
  Here problem is at Clients'BizTalk as shown where the posted message to their BizTalk is not processed because no subscription has been found.
  If this answers your question please mark it accordingly. If this post is helpful, please vote as helpful by clicking the upward arrow mark next to my reply.

• Blackberry Protect web service does NOT connect remote to my phone

  Can't find any similar problems on the net which is worrying...
  Bold 9700, regularly registered to BIS
  I installed Balckberry protect a few times hoping it would solve the problem
  Essentially It all works but when I connect via the web service, I cannot connect to my phone(I am emulating a lost phone scenario) I tried to block the phone remotely, play a sound, change the screen message...NOTHING works
  The backups are done regularly
  Can anyone help?

  I'd contact your service provider if the rebooting and resetting network settings did not work. A locked phone (locked to a specific network) will not allow you to connect to another provider's network. It is the phone itself that makes calls (which is why you can still make an emergency call from a phone with no sim card in it) and receives sms. The sim acts as an "enabler" so to speak.

• Web Services with a Site minder protected Environment

  Hi All,
  I am not sure this is the right group to post this, if not let me know what is the best group or forum to post this.
  I am having a problem with invocation of web services which are protected by a site minder SSO. I am trying to access them from the same site minder protected environment.
  But I am not able to invoke them.
  Please let me know what is the better way to invoke them and is there a way or not? In general if a web services is protected by any kind of SSO then how do we invoke the protected web service?
  Thanks
  Vasu

  If a webservice is protected by a SSO, I don't think you can bypass it without authentication. Coming to Site Minder it should expose the authentication functionality as another web service, so that you go through the SM service first and then to the original webservice. Given that we have been authenticated in the 1st call, SM should allow you in to the 2nd call.
  We also have SM in our environment and use one such authentication service for login.
  You can check with your SM team for this and accordingly proceed.
  Thanks,
  Patrick

• Protected methods in web services

  hello,
  I created the descriptor file for a web service that had a protected method in
  it and noticed the protected method showed up in the descriptor file! Should
  the "source2wsdd" task only output PUBLIC methods as service actions? Is there
  any way to specify methods to be 'ignored' when generating the web services descriptor
  file?
  here was the generated descriptor XML:
  <web-service name="BindingService"
  protocol="https"
  style="document"
  targetNamespace="http://www.foo.com/ws/BindingService/"
  portName="BindingServicePort"
  uri="/BindingService"
  portTypeName="BindingServicePort">
  <types>
  </types>
  <wsdd:type-mapping xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:wsdd="http://www.bea.com/servers/wls70">
  <wsdd:type-mapping-entry deserializer="weblogic.xml.schema.binding.internal.builtin.DocumentCodec"
  type="xsd:anyType"
  class-name="org.w3c.dom.Document"
  serializer="weblogic.xml.schema.binding.internal.builtin.DocumentCodec">
  </wsdd:type-mapping-entry>
  </wsdd:type-mapping>
  <components>
  <java-class name="BindingService"
  class-name="com.arrow.ws.vendor.BindingService">
  </java-class>
  </components>
  <operations>
  <operation name="getConfigName"
  component="BindingService"
  method="getConfigName()">
  <params>
  <return-param xmlns:typeNS="http://www.w3.org/2001/XMLSchema"
  location="body"
  type="typeNS:string"
  name="result"
  class-name="java.lang.String">
  </return-param>
  </params>
  </operation>
  </operations>
  </web-service>

  Checkout this example:
  http://www.manojc.com/?sample3
  public class HelloWorldService{
  * @wlws:exclude
  public void dontExpose(){
  Regards,
  -manoj
  http://manojc.com
  "Jacob Anderson" <[email protected]> wrote in message
  news:4036581e$[email protected]..
  >
  hello,
  I created the descriptor file for a web service that had a protectedmethod in
  it and noticed the protected method showed up in the descriptor file!Should
  the "source2wsdd" task only output PUBLIC methods as service actions? Isthere
  any way to specify methods to be 'ignored' when generating the webservices descriptor
  file?
  here was the generated descriptor XML:
  <web-service name="BindingService"
  protocol="https"
  style="document"
  targetNamespace="http://www.foo.com/ws/BindingService/"
  portName="BindingServicePort"
  uri="/BindingService"
  portTypeName="BindingServicePort">
  <types>
  </types>
  <wsdd:type-mappingxmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:wsdd="http://www.bea.com/servers/wls70">
  <wsdd:type-mapping-entrydeserializer="weblogic.xml.schema.binding.internal.builtin.DocumentCodec"
  type="xsd:anyType"
  class-name="org.w3c.dom.Document"
  serializer="weblogic.xml.schema.binding.internal.builtin.DocumentCodec">
  </wsdd:type-mapping-entry>
  </wsdd:type-mapping>
  <components>
  <java-class name="BindingService"
  class-name="com.arrow.ws.vendor.BindingService">
  </java-class>
  </components>
  <operations>
  <operation name="getConfigName"
  component="BindingService"
  method="getConfigName()">
  <params>
  <return-param xmlns:typeNS="http://www.w3.org/2001/XMLSchema"
  location="body"
  type="typeNS:string"
  name="result"
  class-name="java.lang.String">
  </return-param>
  </params>
  </operation>
  </operations>
  </web-service>

• How-to access username and password protected Java EE Web services from ADF

  The title of this post is exactly the same as this article by Frank Nimphius:
  http://www.oracle.com/technology/products/jdev/howtos/1013/protectedws/access_protected_web_services_from_adf.htm
  The article addresses the problem of securing web services using usernames and passwords, when those web services are accessed through a proxy or a data control. In the examples, the user names and passwords are specified, whether in the code or the definition of data controls. (SKING/SKING).
  In a very common scenario, users login to reach a page, for example, A.jspx, which contains a button that calls a web service, for example displayDate. Suppose that user has logged in by username/pass of (AHUNOLD/AHUNOLD) and AHUNOLD has access to the service and the page. Is there any way to pass the logged in user name and password to the webservice ? Of course we can hard-code the username in the data control definition or proxy code, but this is just one of the thousands of users who have access to the service and the authentication is not dynamic this way.
  Hope my question is clear. Wishing you all a great Christmas.
  Farbod

  Hi Frank, and happy new year.
  Are you implying that it couldn't be done declaratively? What is your suggestion for this problem? You know the problem... As I described:
  - I need to secure my web services, so when exposed, no one from inside network or the internet, can access the web service without proper permission
  - The web services are shown as web controls on jspx pages. The user has logged in before reaching the page. It is irrelevant to ask him to enter user name and password again.
  - I have user names, passwords and roles in Oracle Internet Directory (Identity Management). It provides some APIs and I can retrieve the usernames and attempt logging in programmically. But how can I get username and password from the session in ADF application?
  I guess using SAML or certificate could be the solution, but I have a problem with SAML, described here:
  Re: Webservices Security, SAML, and Identity Management (OID)
  Best Regards,
  Farbod

• How to access password protected web service endpoint?

  Hello,
  I annotated an EJB as a web service end point with @WebService and @WebMethod, and put this end point into a security realm from sun-ejb-jar.xml.
  Then I use wsimport to generate the client source code and compiled them with my program. But when I call the web service, an exception was thrown with message body "The server sent HTTP status code 401: Unauthorized". It seems that username and password for the realm will be set somewhere.
  Could someone tell me where can I put the username and the password?
  Thank you very much.

  Also I don't understand how security works in cases where I do not have the password. Imagine that my client is inside a web application, and is authenticated by the application server (by some unknown mechanism, even could be sso). I have access to my Subject and all, but I don't know the password.
  How would I do to call another web application (or web service) in name of the callee. (that is, the user who called my web application)