Question: Securing Communications in Web Services: A Tutorial

Similar Messages

• Adding security to a web service then generating a proxy [SOLVED]

  Hi
  I generated a web service based on a very simple java program. I have deployed it to a local oc4j install and successfully called it from a proxy generated from jdev. I am using 10.1.3.3.0.
  I added security to the web service and regenerated the proxy. I wanted to see the difference in the SOAP messages sent to the web service. However the proxy does not seem to have changed to take account of the new security settings on the web service.
  The security options I set were:
  On main security dialog: Ticked the port and "Text Password"
  On Authentication: Ticked "Expect Username ti Authenticate"
  "Password Required"
  Password Type = "Plain Text"
  "Nonce Required in Token"
  "Creation Time Required in Token"
  I have 2 questions:
  1. How do I get the proxy to send SOAP messages that contain the security headers required to run the web service. Here is the main method from my proxy. I thought adding setUsername and setPassword would be the solution
      public static void main(String[] args) {
          try {
              gpn3.Getphonenum3SoapHttpPortClient myPort = new gpn3.Getphonenum3SoapHttpPortClient();
              System.out.println("calling " + myPort.getEndpoint());
              // Add your own code here
              myPort.setUsername("oc4jadmin");
              myPort.setPassword("welcome");           
              myPort.getNum("Lisa");
          } catch (Exception ex) {
              ex.printStackTrace();
  2. When the web service receives a user name and password what does it check them against? I assume the oc4jadmin user will be allowed access but how do I set up other users?
  many thanks
  paul schweiger
  Message was edited by:
  [email protected]

  I have figured this out now
  1. I needed to set the same security settings in my proxy as I did for my web service. I had assumed that the proxy would generate the necessary security settings from the web service.
  2. For some reason my web service application is using the system level jazn-data xml file
  oc4j_extended_101330/j2ee/home/config/system-jazn-data.xml
  This does include the oc4jadmin user and I am now able to use that account to call the web service. I also managed to add another user and use that account to call the web service successfully.
  Thanks for the help
  paul

• Problems invoking a secure 8.1 web service from a 6.1 client

  I'm trying to invoke a secure 8.1 web service from a 6.1 client application and keep getting rejected with the following message:
  Security Violation: User: '<anonymous>' has insufficient permission to access EJB:
  In the 6.1 client, I've established a WebServiceProxy and set the userName and password to the proper values, but I can't seem to get past the security.
  If there something special I need to do on either the 8.1 securing side or on the 6.1 accessing side to make this work?
  Any help would be GREATLY appreciated.

  Hi Paul,
  This sound familiar, but I cannot at the moment locate a reference to
  the issue. I would encourage you to seek the help of our super support
  team [1].
  Regards,
  Bruce
  [1]
  http://support.bea.com
  [email protected]
  Paul Merrigan wrote:
  >
  I'm trying to invoke a secure 8.1 web service from a 6.1 client application and keep getting rejected with the following message:
  Security Violation: User: '<anonymous>' has insufficient permission to access EJB:
  In the 6.1 client, I've established a WebServiceProxy and set the userName and password to the proper values, but I can't seem to get past the security.
  If there something special I need to do on either the 8.1 securing side or on the 6.1 accessing side to make this work?
  Any help would be GREATLY appreciated.

• Question about document/literal web service

  Hello every body.
  I have some question about document/literal web service.
  I’ve been working with Axis before.
  Axis has four valid signatures for your message-style service methods:
  public Element [] method(Element [] bodies);
  public SOAPBodyElement [] method (SOAPBodyElement [] bodies);
  public Document method(Document body);
  public void method(SOAPEnvelope req, SOAPEnvelope resp);
  The same I am trying to do with WebLogic API for webservices.
  But when I am trying to test web service (public Document method (Document body); )
  I have serialized exceptions for org.w3c.dom.Document.
  Do I have to write a custom class for org.w3c.dom.Document serialization?
  If yes can you give me some idea or example?
  The all idea behind this web service is. I have just one web service and mane classes for XML processing. Depends what xml document will be during runtime, web service will be using different class for xml processing. It works fine with Axis, but in case of WebLogic I have some problem.
  One more question… How I have to call this web service from java client?
  I have seen this example http://www.manojc.com/?sample31 ,
  but this web service looks like (Document helloDom()). I need to send Document.
  This example works for Dynamic Proxy, but does not work for static call.
  Any ideas?? Thank in advance.

  Hi,
  I am getting a similar issue. I created a Document-style/literal webservice and deployed on Weblogic 9.2 . Then I generated client stubs using clientgen. I get the following exception stack trace:
  java.rmi.RemoteException: web service invoke failed: javax.xml.soap.SOAPException:
  failed to serialize class java.lang.Objectweblogic.xml.schema.binding.SerializationException: type mapping lookup failure on
  class=class com.sun.org.apache.xerces.internal.dom.DeferredDocumentImpl TypeMapping=TYPEMAPPING SIZE=3
  ENTRY 1:
  class: java.lang.Object
  xsd_type: ['http://xmlns.ozarkexpress.com/business/sell']:stns:echoDocumentResponse
  ser: weblogic.xml.schema.binding.internal.builtin.XSDAnyCodec@1125127
  deser: weblogic.xml.schema.binding.internal.builtin.XSDAnyCodec@18dfef8
  ENTRY 2:
  class: java.lang.Object
  xsd_type: ['http://xmlns.ozarkexpress.com/business/sell']:stns:echoDocument
  ser: weblogic.xml.schema.binding.internal.builtin.XSDAnyCodec@15e83f9
  deser: weblogic.xml.schema.binding.internal.builtin.XSDAnyCodec@2a5330
  ENTRY 3:
  class: java.lang.Object
  xsd_type: ['http://www.w3.org/2001/XMLSchema']:xsd:anyType
  ser: weblogic.xml.schema.binding.internal.builtin.XSDAnyCodec@bb7465
  deser: weblogic.xml.schema.binding.internal.builtin.XSDAnyCodec@d6c16c

• WebServiceException When invoking secured ADF-BC web services on WebSphere

  We built web services using ADF 11.1.1.7 RC1, and deployed to WebSphere ND 7.0.0.23
  The web services are secured using OWSM policy:
  @SecurityPolicy( { "oracle/wss11_saml_or_username_token_with_message_protection_service_policy" })
  And we have a client java program which invokes the web services as follows:
  MTOMFeature mtom = new MTOMFeature();
  SecurityPolicyFeature sec_policy = new SecurityPolicyFeature("oracle/wss11_saml_token_with_message_protection_client_policy");
  if (lCMAMService == null) {
  generateFCMWebserviceUrl();
  URL url = new URL(fcmUrl);
  LCMAMService_Service lCMAMService_Service = null;
  try {
  lCMAMService_Service = new LCMAMService_Service(url);
  } catch (WebServiceException wse) {
  generateFCMWebserviceUrl(true);
  URL physicalURL = new URL(fcmUrl);
  lCMAMService_Service = new LCMAMService_Service(physicalURL);
  lCMAMService = lCMAMService_Service.getLCMAMServiceSoapHttpPort(mtom, sec_policy);
  Everything works fine in WebLogic. However, when running on WebSphere ND 7.0.0.23, the following exception were thrown:
  javax.xml.ws.WebServiceException: Invalid or unsupported WebServiceFeature feature http://www.w3.org/ns/ws-policy
       at org.apache.axis2.jaxws.ExceptionFactory.createWebServiceException(ExceptionFactory.java:173)
       at org.apache.axis2.jaxws.ExceptionFactory.makeWebServiceException(ExceptionFactory.java:70)
       at org.apache.axis2.jaxws.ExceptionFactory.makeWebServiceException(ExceptionFactory.java:118)
       at org.apache.axis2.jaxws.feature.ClientFramework.addFeature(ClientFramework.java:56)
       at org.apache.axis2.jaxws.binding.BindingImpl.setFeatures(BindingImpl.java:138)
       at org.apache.axis2.jaxws.BindingProvider.initialize(BindingProvider.java:167)
       at org.apache.axis2.jaxws.BindingProvider.<init>(BindingProvider.java:73)
       at org.apache.axis2.jaxws.client.proxy.JAXWSProxyHandler.<init>(JAXWSProxyHandler.java:123)
       at org.apache.axis2.jaxws.client.proxy.JAXWSProxyHandler.<init>(JAXWSProxyHandler.java:114)
       at org.apache.axis2.jaxws.spi.ServiceDelegate.getPort(ServiceDelegate.java:615)
       at javax.xml.ws.Service.getPort(Service.java:133)
       at oracle.apps.epm.fcc.lcm.proxy.LCMAMService_Service.getLCMAMServiceSoapHttpPort(LCMAMService_Service.java:59)
       at oracle.apps.epm.fcc.lcm.common.FCMExportImportHandler.instantiateFCMService(FCMExportImportHandler.java:703)
  It seems that in WebSphere, the security policy are not supported. Any idea what needs to be changed for the client code to work in WebSphere?
  Thanks.

  Hi,
  as you are from Oracle, can you reach out to internal forums and mailing lists? JDeveloper 11.1.1.7 RC1 is not available outside of Oracle and therefore should not have questions posted on this public forum.
  Frank

• Beginner's questions about WCF and web services

  For the purpose of this forum let me just say that I got my certs back in Dot Net 2.0.  I know how to write simple web services.  Now someone has dumped a huge package of code on my desk that (I think) contains a WCF project (without documentation
  of course).  Contains references to System.ServiceModel.
  So my questions...
  1.  What (if anything) is the difference between WCF and Web API?
  2.  If there is a difference,  how do you decide which one to use?
   3.  Assuming that this project on my desk is a WCF project, where can I find some hints on how to run it in VS2013 Community? 

  WEB API is restricted to ASP.NET and HTTP. 
  http://captechconsulting.com/blog/john-nein/aspnet-web-api-vs-windows-communication-foundation-wcf
  WCF uses more communication protocols than just HTTP, there are more ways to host a WCF service other than IIS, like a selfhosting exe type WCF server,   and WCF is a SOA solution.
  WCF is a more robust solution in a whole lot of ways is the bottom line.
  http://en.wikipedia.org/wiki/Service-oriented_architecture
  http://www.codeproject.com/Articles/515253/Service-Oriented-Architecture-and-WCF

• How to secure a J2SE Web Service

  Hi,
  I have created a J2SE Web Service using JAX-WS and I now wish to secure it but I can't seem to work out how to do it in an automated manner.
  I have used the simple Java-First method, writing an annotated java class and then running wsgen to generate the WSDL and required artifacts.
  WSIT seems to be the solution, placing a WSIT config file in a META-INF directory on the classpath. However, in the examples that I have there seems to be a huge amount of overlap between the WSDL and the WSIT config file. Moreover, the content of the WSIT config seems to be dependent on the contents of the WSDL. This means that should I update the implementation class I would have to manually update the WSIT config (unlike the WSDL which would be autogenerated from the Java class).
  Ideally I would like to create two files:
  - myserviceImpl.java
  - wsit-config.xml (using the correct naming convention)
  Then run WSGEN and, hey presto, a full WSDL is generated complete ith security policy information. However, it seems that this is not the way it works.
  I'd be grateful for any advice you can give on how to automate this process. My current idea is to generate the WSDL and then use an XSLT step in the build process to drag the WSIT config into the WSDL.
  I'd also be interested in hearing how other people have created secure J2SE web services.
  I am using Eclipse (not NetBeans) and Maven.
  Thanks

  I am using Eclipse (not NetBeans) and Maven.I hate doing this, but have you tried Netbeans? Metro has really tight integration with it and pretty much can do what you want. However, making a programmer change IDE is like suggesting someone to try another religion.

• Referencing WCF (Windows Communication Foundation) web services

  I am having some issues referencing a WCF based web service.
  Apex can consume the WSDL just fine, but when I attempt to use any of the methods I start running into errors.
  For example, there is a simple method that accepts a username and returns a facility ID. If I use the apex built-in web service test tool, I see the following request and response:
  <?xml version='1.0' encoding='UTF-8'?>
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  mlns:xsd="http://www.w3.org/2001/XMLSchema">
       <SOAP-ENV:Body><ns1:FetchRequest xmlns:ns1="http://microsoft.com/wsdl/types/"><ns1:UserName>TAUS461</ns1:UserName>
  /ns1:FetchRequest></SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
  <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>
  <faultcode xmlns:a="http://schemas.microsoft.com/net/2005/12/windowscommunicationfoundation/dispatcher">a:InternalServiceFault</faultcode><faultstring xml:lang="en-US">
  Procedure or function 'Prc_Fetch' expects parameter '@userName', which was not supplied.</faultstring><detail>
  <ExceptionDetail xmlns="http://schemas.datacontract.org/2004/07/System.ServiceModel"
  xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><HelpLink i:nil="true"/><InnerException i:nil="true"/>
  <Message>Procedure or function 'Prc_Fetch' expects parameter '@userName', which was not supplied.</Message><StackTrace>   at WA.Ecy.ADS.FS.Service.BusinessLogic.FacilitySiteBAO.Fetch(String userName) in
  C:\Projects\FS 2008\Development\Services\FS.Service\Source\Business Logic\FS.Service.BusinessLogic\FacilitySiteBAO.cs:line 418&#xD;
  at FS.Service.ServiceImplementation.FacilitySiteService.Fetch(FetchRequest request) in
  C:\Projects\FS 2008\Development\Services\FS.Service\Source\Service Interface\FS.Service.ServiceImplementation\GeneratedCodeFacilitySiteService.cs:line 1588&#xD;
     at SyncInvokeFetch(Object , Object[] , Object[] )&#xD;
     at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]&amp; outputs)&#xD;
     at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc&amp; rpc)&#xD;
     at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc&amp; rpc)&#xD;
     at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage4(MessageRpc&amp; rpc)&#xD;
     at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage3(MessageRpc&amp; rpc)&#xD;
     at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage2(MessageRpc&amp; rpc)&#xD;
     at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage1(MessageRpc&amp; rpc)&#xD;
     at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)</StackTrace><Type>System.Data.SqlClient.SqlException</Type></ExceptionDetail></detail></s:Fault></s:Body></s:Envelope>I get a similar error regardless of which method I attempt to call.
  So, I thought that I would try Jason Straub's [link FLEX_WS_API|http://jastraub.blogspot.com/2008/06/flexible-web-service-api.html] package. First I opened SOAPUI, pointed to the WSDL and generated a test request for the Fetch method. The request looked like this:
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn: WA.Ecy.ADS.FacilitySite.Services">
     <soapenv:Header/>
     <soapenv:Body>
        <urn:FetchRequest>
           <!--Optional:-->
           <urn:UserName>TAUS461</urn:UserName>
        </urn:FetchRequest>
     </soapenv:Body>
  </soapenv:Envelope>
  <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
     <s:Header>
        <ActivityId CorrelationId="dcdd3433-7f61-48f4-b3e3-c2a6647409d3" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel
  Diagnostics">2aeead53-c9df-41df-9a77-3798be030775</ActivityId>
     </s:Header>
     <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <FetchResponse xmlns="urn: WA.Ecy.ADS.FacilitySite.Services">
           <FacilitySiteId>99997167</FacilitySiteId>
        </FetchResponse>
     </s:Body>
  </s:Envelope>So far so good, SOAPUI can call and retrieve from this method. Now I put this into place with FLEX_WS_API
  declare
  l_env clob;
  l_url varchar2(1000) := 'http://ecydevws/FacilitySiteService/FacilitySiteService.svc'; -- dev web service URL
  l_response xmltype;
  p_username varchar2(30) := 'TAUS461';
  begin
       -- start creating the soap envelope
       l_env := '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn: WA.Ecy.ADS.FacilitySite.Services">
               <soapenv:Header/>
               <soapenv:Body>
                  <urn:FetchRequest>
                  <urn:UserName>'||p_username||'</urn:UserName>
                  </urn:FetchRequest>
               </soapenv:Body>
            </soapenv:Envelope>';
       -- get the response
       l_response := flex_ws_api.make_request (
            p_url => l_url,
            p_action => 'http://WA.Ecy.ADS.FacilitySite.Services/Fetch',
            p_version => '1.1',
            p_envelope => l_env);
  -- for testing, put the respone into a table
  insert into ws_results values (l_response);
  end;Doing this,my response becomes
  <s:Envelope xmlns:s=
  "http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault><faultcode xmlns:a="http://schemas.microsoft.com
  ws/2005/05/addressing/none">a:ActionNotSupported</faultcode>
  <faultstring xml:lang="en-US">
  The message with Action 'http://WA.Ecy.ADS.FacilitySite.Services/Fetch' cannot be processed at the receiver, due to a ContractFilter
  mismatch at the EndpointDispatcher. This may be because of either a contract mismatch (mismatched Actions between sender and receiver)
  or a binding/security mismatch between the sender and the receiver.  Check that sender and receiver have the same contract and the same
  binding (including security requirements, e.g. Message, Transport, None).</faultstring></s:Fault></s:Body></s:Envelope>So it appears to me that the WCF service is expecting something else in soap header, but I am confused on why the SOAPUI call works as is.
  Does anyone with WCF knowledge have any ideas of how to get this to work or if the problem is even with WCF?
  Thanks, Tony

  as of now only file with wsdl extention is supported,

• LDAP security provider and web service authentication

  Background: we are currently developing web services to our existing weblogic application. Our users can configure user/password authentication in one of three ways: database, LDAP, or SSO. Setting SSO aside, we need to implement the same authentication for database and LDAP that we use in our existing logon servlet in our web services. In our servlet we detect which they are configured for and, if database, authenticate the encrypted password to a database table we have for user id/password. If LDAP we use weblogic.servlet.security.ServletAuthentication and the weak() method to authenticate.
  We've to use SOAP headers to communicate username/password from the client to the web service. We want to code a SOAP message handler to grab the username/password and do the authentication there. We've successfully put something together that handles the database authentication no problem and are now struggling with how to handle the LDAP authentication. We distribute a LDAP security provider we've coded for LDAP authentication. I guess what I am looking for is an equivalent functionality provided with weblogic.servlet.security.ServletAuthentication. Note that I realize the weblogic.servlet.security package has been deprecated starting with Weblogic 9.0 but cannot find what functionality replaces it. Any help there would be appreciated as well.
  Note that I am fairly new to web service development (about 10 months now) and definitely new to web service security and Weblogic security. I tried digging into the volumes of documentation out there regarding these two topics but am simply having a difficult time sorting it all out and figuring out how to do what I want to do.
  Thanks in advance!
  Julia

  Hi,
  Add Provider (LDAP Credentials) in Admin console Security Realm --> defaultrealm -->Providers. Configuring Ldap in Admin Console will enable Admin Server to connect to LDAP. All the LDAP preconfigured Users/Groups will be available in Users and Groups Tab of Security Realms >defaultrealm >Users and Groups. Add Roles using Security Realms >defaultrealm > Roles and Policies > Global Roles > Roles. Add Role Conditions to the role by specifying users/groups configured in LDAP. If your webservice runs with SSL Anotate the Webservice file something like this below.
  @RolesAllowed({
  @SecurityRole(role="test")
  @Policy(
  uri="policy:Wssp1.2-2007-Https-UsernameToken-Plain.xml",
  attachToWsdl=true)
  Here the role is Preconfigired role in AdminConsole. Add the following tag in the soapenv:header.
  <soapenv:Header>
  <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:UsernameToken>
  <wsse:Username>test</wsse:Username>
  <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
  </wsse:UsernameToken>
  </wsse:Security>
  </soapenv:Header>

• Security for a web service

  Hi everyone,
  Scenario :
  I want to securise a web service with SSL.
  I want to call this web service with Java standalone class (not servlet, JSP,...).
  Here is what I've done :
  1) I created a web service with "Secure SOAP" option.
  2) I created a <u>Standalone Proxy</u>.
  3) I created a Java Standalone client and tried to call the web service.
  Here is the code :
       public static void main(String[] args) {
            try {
            Hello1WebServiceImpl service = new Hello1WebServiceImpl();
            Hello1WebServiceViDocument port = (Hello1WebServiceViDocument)service.getLogicalPort();
            System.out.println(port.sayHello1());
            } catch (Exception e) {
                 e.printStackTrace();
  Here is the exception :
  java.rmi.RemoteException: Service call exception; nested exception is:
       java.net.ConnectException: Connection timed out: connect
       at com.proxy.Config1BindingStub.sayHello1(Config1BindingStub.java:80)
       at com.proxy.Config1BindingStub.sayHello1(Config1BindingStub.java:88)
       at SampleComponent.main(SampleComponent.java:23)
  Caused by: java.net.ConnectException: Connection timed out: connect
       at java.net.PlainSocketImpl.socketConnect(Native Method)
       at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:305)
       at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:171)
       at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:158)
       at java.net.Socket.connect(Socket.java:452)
       at java.net.Socket.connect(Socket.java:402)
       at java.net.Socket.<init>(Socket.java:309)
       at java.net.Socket.<init>(Socket.java:124)
       at iaik.security.ssl.SSLSocket.<init>(Unknown Source)
       at com.sap.engine.services.webservices.jaxm.soap.SSLUtilImpl.createSSLSocket(SSLUtilImpl.java:43)
       at com.sap.engine.services.webservices.jaxm.soap.HTTPSocket.initStreamsFromSocket(HTTPSocket.java:500)
       at com.sap.engine.services.webservices.jaxm.soap.HTTPSocket.initializeStreams(HTTPSocket.java:422)
       at com.sap.engine.services.webservices.jaxm.soap.HTTPSocket.getOutputStream(HTTPSocket.java:384)
       at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.HTTPTransport.getRequestStream(HTTPTransport.java:337)
       at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.MimeHttpBinding.outputMessage(MimeHttpBinding.java:433)
       at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.MimeHttpBinding.call(MimeHttpBinding.java:1117)
       at com.proxy.Config1BindingStub.sayHello1(Config1BindingStub.java:73)
       ... 2 more
  Can someone please tell me the steps I must follow ?
  Thanks in advance.
  Message was edited by: David Fryda

  Ive ran into similar proples using normal ssl over http and the issues were with my environmet configuration ... yours may be with somthing totally different... but i fixed my probs by adding the folling code before creating the connection. 
  java.security.Provider provider[] =
    java.security.Security.getProviders();
  for (int i = 0; i < provider.length; i++) {
    java.security.Security.removeProvider(
      provider<i>.getName());
  java.security.Security.insertProviderAt(
  new com.sun.net.ssl.internal.ssl.Provider(), 2);
  java.security.Security.insertProviderAt(
  new sun.security.provider.Sun(), 1);
  System.setProperty(
  "java.protocol.handler.pkgs",
  "com.sun.net.ssl.internal.www.protocol");
  you can also accomplish this by modifying the java.security file found in \jre\lib\security directory.
  Also because this is a stand alone app be sure to have all the necessary jar files in you classpath ... you can accomplish this by using the -classpath option when calling your program or by moving the files into you \bin\lib\ext directory;

• Basic questions about PL/SQL web services and datasource names

  Hi there,
  I successfully generated a web service for a PL/SQL packaged procedure in JDeveloper 11.1.1.3.0).
  In the web service base class the following code was generated:
  __dataSource = (javax.sql.DataSource) __initCtx.lookup("java:comp/env/jdbc/dbconnectionDS");However in the weblogic server the datasource name is jdbc/somethingelse so the deployment fails at first.
  What is the recommended procedure to solve this issue? The obvious solution is to manually edit the source -- that is what I did and it worked fine. However if I re-generate the web service I will lose my change. Is there a better way to do this?
  Another question -- in the generated web.xml file, there is a resource-ref for the datasource. I was hoping that changing the datasource name there would help but it didn't work. What is it used for in this context?
  Thanks
  Luis

  Hi Vishal,
  I did as you suggested but it didn't work... see below more details.
  Thanks
  Luis
  1 - I re-generated the web service from the PL/SQL package. The constructor in CFBTestWSBase class looks likes this:
  public CFBTestWSBase() throws SQLException
    {  try {
  javax.naming.InitialContext __initCtx = new javax.naming.InitialContext();
  __dataSource = (javax.sql.DataSource) __initCtx.lookup("java:comp/env/jdbc/custfeedbackDS");
  } catch (Exception __jndie) {
  throw new java.sql.SQLException("Error looking up <java:comp/env/jdbc/custfeedbackDS>: " + __jndie.getMessage());
  }2 - I added the following section to weblogic.xml:
    <resource-description>
      <res-ref-name>comp/env/jdbc/custfeedbackDS</res-ref-name>
      <jndi-name>jdbc/DataSource</jndi-name>
    </resource-description>3 - I got the following error when during deployment to weblogic server:
  [HTTP:101216]Servlet: "CFBTestWSPort" failed to preload on startup in Web application: "CustFeedbackTestWS.war".
  java.sql.SQLException: Error looking up <java:comp/env/jdbc/custfeedbackDS>: While trying to look up comp/env/jdbc/custfeedbackDS in /app/webapp/CustFeedbackTestWS.war/346617503.
  at cfbtestws.CFBTestWSBase.<init>(CFBTestWSBase.java:33)
  at cfbtestws.CFBTestWSUser.<init>(CFBTestWSUser.java:11)
  at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
  at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
  at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
  at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
  ...

• Axis securing seemingly public web services

  Hi,
  Their may be an obvious answer to this question, but I've done some searching and come up blank so far.
  I am wondering if you can restrict which domains are allowed to access the web services on your axis web application (I am running axis on tomcat).
  It is my understanding that anyone who know the address of a servlet that generates a WSDL file will be able to consume this service. I want to be able to prevent this and only allow my own domain access to web service.
  Any advice would be most appreciated.
  :|

  use HTTP basic authentication? In addition if you don't want the public internet to access it, hide it behind a firewall.

• Security issue with Web Services on Oracle SOA suite? (Serious?)

  Hi,
  I have recently installed and set up the SOA 10.1.3 on my local machine.
  I created a simple test web service and deployed - worked ok.
  I then added simple plain text security to the service, and again opened it up for testing using the test service function.
  Initially, it returns with the expected message 'missing soap header security'.
  However if you refresh the page / or test the service again, it is then invoked - seemingly bypassing the security !!!
  Oddly the 3rd attempt then shows the security message again, and it seems to alternate between allowing access to the service and imposing the security?!?!
  Has anyone else experience this ?
  Is it a bug ? (if so, its a pretty nasty one that could quite possibly catch alot of people out !)

  I have now created an independant client in Java to call the WS.
  The security is still bypassed on ever other call?!?!
  I have this over HTTPS also, and was hoping this would provide an adequate means of securing my web services.
  How is everyone else securing web services that are exposed to general consumers? Maybe i should find a new approach !

• Complete newbie question - Can BI consume web services?

  Post Author: Steve Lamont
  CA Forum: Data Integration
  I am working on a new client site working on integration between a whole slew of systems including CRM, billing, BI etc.  The client is architecting a SOA oriented approach to all integration where it make sense.  As part of the effort, a new BI database is being built and loaded via some ETL tool.  The primary interface to access this new BI data will be business objects (BO).  Now, in the current environments, there are multiple, disparate BI systems containing various data.  The BO knowledge person (and he is not a business object employee) on this site is claiming that to access these other BI databases, he wants to do it by sending out requests via service calls.  I fully understand that BO itself can be set up to be a service provider and provide services for other consumers to take advantage of, but how does BO itself consume services provided by other applications?
  Obviously I don't fully understand BO, but my initial inclination is that this approach is wrong.  If data is required from these other BI source, wouldn't they be configured as data sources within business objects?  This BO guy claims that calling web services is more efficient that direct peer-to-peer calls via the database drivers.
  Can any share some comments on this situation?

  Post Author: bhofmans
  CA Forum: Data Integration
  You posted your question to the wrong forum, please try to post it to one of the subforums in "Enterprise Reporting, Query & Analysis".
  This forum is about Data Integrator, Business Objects ETL tool.
  I'll try to answer your question anyway with my reporting background From what I know, YES we can consume web services in reports (Crystal reports), but for larger volumes of data a direct access to the database would be faster. A webservice approach might make sense if the webservice implements some business logic (semantic layer) which would be easier then to go directly to the tables.
  And just for the record : also Data Integrator can consumer web services...

• Question about Using PAPI Web Service in PowerBuilder 9

  Hi, all.
  I Have a simple question about using papiws in power builder 9.
  In pb9, I created a new Web Service Proxy Wizard and I input a url for papiws(ex. http://seraphpernote:7001/papiws/PapiWebService) and click next.
  But I couldn't get any Service List.
  In Eclipse, I used this url for using papiws well.
  Does anybody know about this case??
  help me plz.

  IIRC you must activate PAPI-WS for the engine. In Studio you do it by right-clicking on the project, then "engine preferences". In enterprise/standalone you must activate PAPI-WS in the Admin Center.