Security in Web services

I am new to web services so please pardon me if what I am asking is really dumb.....
I have created a simple PL/SQL web service using JDeveloper that I have published to an installation of 9iAS. My client is calling this URL directly passing the parameters in the URL and getting the SOAP message back. Everything works great.
Now I need to secure this somehow. This is an internal application, so I am not terribly concerned with security, but we do need something that will prevent somebody who stumbles across this URL to start using it.
I have read a lot of documentation on securing web services, but it all seems to be around creating clients, but I don't want a client, I just want to be able to call the URL directly from external systems programmatically.
One option is obviously to pass username / pw in as parameters and then validate this in PL/SQL, but this is obviously not very secure.
Another things I was thinking was to use the owa_util.get_cgi_env('REMOTE_ADDR') inside by PL?SQL function to get the IP Address of the client calling and then validate this to make sure this client is allowed to access the web service. This function returns ORA-06502. Does anybody know anything about how to get the IP address of the client calling? I know there are ways to limit access to certain IP addresses on the web server level, but this server is used for other things so I don’t want to do that.
Is there anything else I can do to secure a web service like this?
Any help is appreciated.

More reading and code sample (see end of this post) of what is coming and what is possible today:
http://www.oracle.com/oramag/oracle/02-jul/index.html?o42special_web.html
http://otn.oracle.com/oramag/webcolumns/2003/techarticles/smith_wss.html
This article from Vipin Samar gives the state of WS-Security pretty accurately:
http://otn.oracle.com/tech/webservices/standards/Samar_Security.htm
Accompanying paper:
http://otn.oracle.com/tech/webservices/pdf/33206.pdf
And, this code sample/tutorial illustrates SSL with Web services:
http://otn.oracle.com/sample_code/tutorials/wspki/toc.htm
Mike.

Similar Messages

Unable to call WSS (WS-Security) enabled Web Service using UTL_DBWS

We are attempting to call a WSS (WS-Security) enabled Web Service from PL/SQL using the UTL_DBWS package (see [http://download.oracle.com/docs/cd/B19306_01/appdev.102/b14258/u_dbws.htm#CHDIDGJH] ). We are doing this in similar fashion to [http://www.oracle-base.com/articles/10g/utl_dbws10g.php] with calls to utl_dbws.create_service, utl_dbws.create_call and utl_dbws.invoke.
Using this method we can successfully call an unsecured Web Service, but calls to WSS-enabled Web Services fail. We are currently using Oracle Database 10.2.0.3.
The failure we are getting is:
ORA-29532: Java call terminated by uncaught Java exception: javax.xml.rpc.soap.SOAPFaultException:
com.sun.xml.wss.XWSSecurityException: Message does not conform to configured
policy ( AuthenticationTokenPolicy(S) ): No Security Header found;nested
exception is com.sun.xml.wss.XWSSecurityException:
com.sun.xml.wss.XWSSecurityException: Message does not conform to configured
policy ( AuthenticationTokenPlicy(S) ): No Security Header found
Apparently UTL_DBWS does not support calling WSS enabled services, although this doesn't appear to be an officially recognised position. Does anyone know if Oracle are planning to support this soon (if ever)? Looking at Re: Calling WS from PL/SQL using WS-security suggests that support has been considered before, but not yet realised.
Thanks,
Tom

Having raised a Service Request with Oracle support on this, I got the following response from Oracle Development (On unpublished bug [8542959|https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=BUG&p_id=8542959]):
Development has confirmed that WS-Security is not supported through UTL_DBWS. They have also acknowledged that this is not documented and they will change the official Oracle documentation will reflect this fact. From what is being stated, it would appear that there is no plan to support the use of WS-Security through UTL_DBWS in any release in the near future.
So, in short, without developing your own home-grown SOAP request, there is no way to call a WSS enabled web service from within PL/SQL.
-Tom

Exception while accessing web service secure through web services Manager

Hi All,
I deployed sime Hello World web service on JWSDP1.6 and secure it through web service manager(gateway) using Certificate based security.But when I try to access this web service using JWSDP client,I got the following Error while monitoring the soap messages through TCP-Monitor:
/////////////////////////////////Request///////////////////////////////////////////////////////////////
POST /gateway/services/SID0003009 HTTP/1.1
Content-Type: text/xml; charset=utf-8
Accept: text/xml, text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 5631
SOAPAction: ""
User-Agent: Java/1.5.0_05
Host: ivy.cs.ucl.ac.uk:8082
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://hello.org/wsdl" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><env:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1"><xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">eN9famBBWzHNUIwWRhMPktcM+VQ=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>MHjtgA4wOtvI1B+SuRVEmD07yE+jl6axd4XbJ0nvQ3EzSuVVoST9vHzURh+B47yj41187s8T+yjt
Bmpk9OB278Jghonkacv6r+q+LVlxRrQDudNGir7plzFeM6bUadMxf+FLgn5O0a44vU/tvy6V9+zi
yqFdhTvS21No/aW62No=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#XWSSGID-1155126003241-1198323932"/></xenc:ReferenceList></xenc:EncryptedKey><wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="XWSSGID-11551260018331598979688">MIIC3TCCAkagAwIBAgIBATANBgkqhkiG9w0BAQQFADBJMQswCQYDVQQGEwJVUzEMMAoGA1UECBMD
U0NBMQwwCgYDVQQKEwNTVU4xHjAcBgNVBAMTFWNlcnRpZmljYXRlLWF1dGhvcml0eTAeFw0wNjAz
MTkxMzQ5MDJaFw0xNjAzMTYxMzQ5MDJaMEcxCzAJBgNVBAYTAlVTMQwwCgYDVQQIEwNTQ0ExDDAK
BgNVBAoTA1NVTjEcMBoGA1UEAxMTeHdzLXNlY3VyaXR5LWNsaWVudDCBnzANBgkqhkiG9w0BAQEF
AAOBjQAwgYkCgYEAzNDPKUz1MhUH1LsrLqXKxciOKSWeTrdoe/SVwe/4uy5eobAWSsSTposaOYFy
uxf3cGCCIs7u0jMAXLQ9jzobDbt9XQ4tXPoBzKKzS+yU6hDk2TcOCkioeT9A9db5LF8yevhwXKB4
AJ1Eh//Dp/djoonXCCxsxupQZp3ueRJrR98CAwEAAaOB1jCB0zAJBgNVHRMEAjAAMCwGCWCGSAGG
+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUECH05VC3/WGW
H4AGD6tnH0h+kFUweQYDVR0jBHIwcIAUdry1wGRZ2fyJSKisVSxpMEmIiaahTaRLMEkxCzAJBgNV
BAYTAlVTMQwwCgYDVQQIEwNTQ0ExDDAKBgNVBAoTA1NVTjEeMBwGA1UEAxMVY2VydGlmaWNhdGUt
YXV0aG9yaXR5ggkA4HaEvd6hq8YwDQYJKoZIhvcNAQEEBQADgYEA0RhOk67pCrO6MgZZGqrmAMW6
76fZowBxTKlFq88nrf8v1MUxV8H9wgbTDrwR0HtxY3TGpDFw2tNAww2pyDX/pQ2Wt46ichluGxjf
aEV53loKTOM7syAmlicWqViGzBfgzriIl918TzFaX9BD/Y55bKZQk057maBCSkUuFfF453s=</wsse:BinarySecurityToken><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse enc env ns0 xsd xsi"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#XWSSGID-1155126002593447652186"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>UJ1kuwI+WuF/RkrQpZrj1GvraLI=</ds:DigestValue></ds:Reference><ds:Reference URI="#XWSSGID-1155126002602761294100"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>sKG/z5OIGgqJ2nw7JtpXyJzr8pY=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>SBc65VTG1xpEkRUTz70H0fVGIgoBJ0QnNad0k07RMSfw4vG1WHJdt19R05pO2AvU5aoYuBSaguJe
ZGEjmWzw8mnSWKBi+zeDMeJiwgqwW6HHHX9P7JDslxuTIqoJIVUbSjUTSVz6ww8siIK65quXdkMT
ZzLfp7Cd0gBuA3EEZpg=</ds:SignatureValue><ds:KeyInfo><wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-11551260025411896275738">
<wsse:Reference URI="#XWSSGID-11551260018331598979688" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature><wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1155126002602761294100"><wsu:Created>2006-08-09T12:20:02Z</wsu:Created><wsu:Expires>2006-08-09T12:20:07Z</wsu:Expires></wsu:Timestamp></wsse:Security></env:Header><env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1155126002593447652186"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="XWSSGID-1155126003241-1198323932" Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><xenc:CipherData><xenc:CipherValue>XNqEzHNp47ILtOagAUNCXYkxOCWv4CjHqmZ7j6VKN/NO96ce4BsNSL6lKzqa9dPxHB1sTVGZQ8KA
COQ6DGwyWCP8ip+CU2hor3uUAml7nzHTx1LUw3Db+0p31VAT3EqKJA3aFy38GQrBTr9ojMOUA6tm
Cj71yucN3UCKRUl3RpE8qU68y7AwNxPsyAZeSa2AVm2cmWvSDZlxgMsx+JCEZaf3+D0o1zMp0Fxb
MSISPt/JrEolt1H5UM1AoFGU4QkckWrQNLPyEF9oxEgZ8oCE5U8v/YJwZIAHFrx67XfaLwQLjzXw
VPigsH9gLkfbP2BU8Vp31GsPwBZtUeNz9S35+CZPD7EiqoAB1QuAxZkJV7n00VChYH+scT64tNja
c81bcD8tf4sAr7toCMNDAU6+74+Qy0EyPqgwLtotDxErn4kF8e72cONMMQBQ91tQs+iI+D6C1I6+
f9UiSfgtm/MTuKQK1CRqarEtI9N6lpqVH8k7ulUwH/jFstihxmhMJ3aZY+qQgSwSs3pwSSim+e18
eR7dOEq4vG8ivKuGvTDO4sSV2RP/nL/3eXr0y7eM0kMFKwTUA4JqL4Y/l8Bo/rie/ZXkkbF6hwEu
dX1QmB0gf5k=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></env:Body></env:Envelope>
////////////////////////////////Response///////////////////////////////////////////////////////////////
HTTP/1.1 100 Continue
Server: Oracle Application Server Containers for J2EE 10g (10.1.2.0.0)
Date: Wed, 09 Aug 2006 12:28:47 GMT
HTTP/1.1 500 Internal Server Error
Date: Wed, 09 Aug 2006 12:28:47 GMT
Server: Oracle Application Server Containers for J2EE 10g (10.1.2.0.0)
Connection: Keep-Alive
Keep-Alive: timeout=15, max=100
Content-Type: text/xml
Transfer-Encoding: chunked
157
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode xmlns:p="http://schemas.oblix.com/ws/2003/08/Faults">c</faultcode><faultstring>Step execution failed with an exception</faultstring><detail></detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
0
So basically, what I am doing here as follows:
HelloClient(using JWSPD1.6)->gateway(web service manager for securing the web service using message level security through certificate )->helloservice(deployed using JWSDP1.6)
I would appreciate if someone could tell me the cause of this errror.Thanks.
Kashif

time to look into the gateway logs as stated by the fault ..
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode xmlns:p="http://schemas.oblix.com/ws/2003/08/Faults">c</faultcode><faultstring>Step execution failed with an exception</faultstring><detail></detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
looks like the cipher step might have failed

Security of Web Services, Agents and Sequantial Calling of Web Services

I want to ask about the secure invocation of web services and the role of agents.
Suppose that I have greet() web service:
public String greet() {
String S1=sayHello(); // A web service, actually its proxy
String S2=sayGoodMorning(); // A web service, actually its proxy
return S1+" "+S2;
It calls two other webservices and they return "HELLO" and "Good Morning". Also assume that I need to secure all my web services but I need these calls to work!
I put an agent in front of those two web services and require them to check a SAML token. I also attach an agent to greet() to authenticate the inbound and sign and add SAML token for outbound.
But I think these two calls fail because the SAML is not created on each call. (Is it?)
How can I make those two calls, secure each web service and at the same time keep the security code out of business code, in other words keep my web service security agnostic?
Thank you in advance.
Best Regards
Farbod

Any Comments on this?

Use of security in web service

Hi,
I have tried to use security from the example jaas-sample of jwsdp 1.5 .
I just want to secure my web service with a username/password.
When I called my service from the client...I see the xml flow :
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<env:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
<wsse:UsernameToken>
<wsse:Username>Ron</wsse:Username>
<wsse:Password>****</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">3k18Sv+DMhcO3aoq6YWLB4xa</wsse:Nonce>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2005-03-01T15:26:05Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</env:Header>
<env:Body>
<ns0:getInformations/>
</env:Body>
</env:Envelope>
it seems to be correct but I have an exception :
Thread : main at 01 mars 2005 16:10:06,593 ERROR Error occured during retrieving informations
java.rmi.ServerException: JAXRPCSERVLET28 : Informations sur le port manquant
at com.sun.xml.rpc.client.StreamingSender._raiseFault(StreamingSender.java:497)
at com.sun.xml.rpc.client.StreamingSender._send(StreamingSender.java:294)
It works when I not use the security option (in wscompile) ...
Have you any idea for a solution?

Hi,
I tried the xws-security samples and everything worked fine.
After editing the "java.security" according to the manual with:
security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
After that change and a restart of the application server I get the same error message.
I copied the jar file "bcprov-jdk14-127.jar" from bouncycastle to the jre/lib/ext folder.
I will check further.
br
Dieter

Secured Sybase Web Service with outside certificate authority

Hello,
I would like to use Secured Sybase Web Service with outside certificate authority, like Symantec. Could you let me know how I can create CSR for sending to Symantec? What other steps do I need to do?
Thanks,
Sudarat.

Hello Jason,
Thanks for your reply. The certificate authority require the CSR file before issue a signed certificate. If this is a signed certificate for IIS web server, I can create CSR from IIS. But I cannot use a signed certificate created from CSR of IIS with Sybase Web Service. The below steps are what I have tried.
1. I use CreateCert.exe with /r parameter to create CSR and private key.
2. I sent CSR to a certificate authority and they send back a signed certificate.
3. I have to combine a signed certificate from #2 with private key created from #1. Then use that file to specify with -xs{https …when starting the service.
Are the above steps what I have to do? If so, do I need to redistribute createcert.exe to my customers who want to use my application and how? Why I cannot use the signed certificate created from CSR of IIS?
Thanks,
Sudarat.

How to create secure EJB web service in Oc4J using JDeveloper?

We are going to develop a EJB web service running in OC4J using JDeveloper 10.1.3.3.
By using the JDeveloper feature, we can simply create the web service by using the "Web Service Endpoint Interface" in the session bean.
However, unlike the web service created from Java class, I can't find any option to change the security setting of this web service. We tried adding annotation like @DenyAll for testing, but there has no effect and related method can still be called without WS-Security header.
Now, we can only change the security setting via the web console after deployment (select the web service, then enable security in administration page, and then edit security configuration to change the inbound policies for authentication). It works in our local machine, but it may not work in the production environment as we cannot touch the em console.
May I know if there has any way to include the security setting inside the project?
Thanks in advance.

If I am not wrong, you might be probably talking about this :
http://docs.oracle.com/cd/B40099_02/books/EAI2/EAI2_WebServices33.html#wp179056
In order to implement the SOAP header, you would have to :
(1) Define SOAP header in the wsdl of the service.
(2) Add a new soap binding in the wsdl, which contains soap header and soap body.
I think, this should get you going..

Problem in invoking a secure weblogic web service from javaws client

Hi all,
the situation is this: there is a secure web service (Wssp1.2-2007-Wss1.1-X509-Basic256.xml policy) which is accessed by a stand-alone remote web service client (swing-enabled) which is initiated via java web start. You'll probably wondering why this is a special case. Let me elaborate...
The first step was to develop the service and the client. This wasn't much of a trouble, since the documentation was very good apart from creating a ClientBSTCredentialProvider object at the client side. The documentation should explicitly state that the sixth argument, that of the server certificate, is required! In any case, the first step was a success and the invocation was encrypted and signed at the message level.
The second step was to create a stand-alone remote client, without any local weblogic installation. That was a bit of a problem, since wlfullclient.jar or wseeclient.jar or weblogic.jar were not enough. I should note that the client was created via netbeans 7.0 and not with the help of weblogic clientgen. So, I had to make a verbose run from netbeans, in order to enumerate the jars which are accessed and gather them into the same directory. That was OK too. The standalone client works just fine.
The third step is to simply (not so simply...) make a java web start version of the client. Since the previous step was a success (having all necessary jars in the same directory) this one should not be a problem. Well... that turned out to be a huge issue. What I get back as the error message (shown in the java web start console) is this:
java.lang.InternalError: error initializing kernel caused by: java.lang.AssertionError: Duplicate initialization of WorkManager
     at weblogic.work.WorkManagerFactory.set(WorkManagerFactory.java:107)
     at weblogic.work.ExecuteQueueFactory.initialize(ExecuteQueueFactory.java:23)
     at weblogic.kernel.Kernel.initialize(Kernel.java:103)
     at weblogic.kernel.Kernel.ensureInitialized(Kernel.java:64)
     at weblogic.rjvm.wls.WLSRJVMEnvironment.ensureInitialized(WLSRJVMEnvironment.java:50)
     at weblogic.protocol.ProtocolManager$DefaultAdminProtocolMaker.<clinit>(ProtocolManager.java:53)
     at weblogic.protocol.ProtocolManager.getDefaultAdminProtocol(ProtocolManager.java:218)
     at weblogic.protocol.ProtocolHandlerAdmin.<clinit>(ProtocolHandlerAdmin.java:23)
     at weblogic.rjvm.wls.WLSRJVMEnvironment.registerRJVMProtocols(WLSRJVMEnvironment.java:120)
     at weblogic.rjvm.RJVMManager.ensureInitialized(RJVMManager.java:87)
     at weblogic.rjvm.RJVMManager.<clinit>(RJVMManager.java:46)
     at weblogic.rjvm.LocalRJVM.<init>(LocalRJVM.java:97)
     at weblogic.rjvm.LocalRJVM.<init>(LocalRJVM.java:28)
     at weblogic.rjvm.LocalRJVM$LocalRJVMMaker.<clinit>(LocalRJVM.java:31)
     at weblogic.rjvm.LocalRJVM.getLocalRJVM(LocalRJVM.java:72)
     at weblogic.xml.crypto.utils.DOMUtils.generateId(DOMUtils.java:403)
     at weblogic.xml.crypto.utils.DOMUtils.generateId(DOMUtils.java:395)
     at weblogic.xml.crypto.utils.DOMUtils.assignId(DOMUtils.java:374)
     at weblogic.xml.crypto.wss.SecurityBuilderImpl.assignUri(SecurityBuilderImpl.java:148)
     at weblogic.wsee.security.policy.SigningReferencesFactory.getSigningReferences(SigningReferencesFactory.java:100)
     at weblogic.wsee.security.wss.policy.wssp.SigningPolicyBlueprintImpl.addSignatureNodeListToReference(SigningPolicyBlueprintImpl.java:446)
     at weblogic.wsee.security.wss.policy.wssp.SigningPolicyBlueprintImpl.addSignatureNodeListToReference(SigningPolicyBlueprintImpl.java:335)
     at weblogic.wsee.security.wss.plan.SecurityMessageArchitect.resolveSignatureList(SecurityMessageArchitect.java:574)
     at weblogic.wsee.security.wss.plan.SecurityMessageArchitect.resolveSignatureList(SecurityMessageArchitect.java:428)
     at weblogic.wsee.security.wss.plan.SecurityMessageArchitect.constructMessage(SecurityMessageArchitect.java:304)
     at weblogic.wsee.security.wss.plan.SecurityMessageArchitect.buildWssMessage(SecurityMessageArchitect.java:138)
     at weblogic.wsee.security.wss.plan.SecurityMessageArchitect.buildWssMessage(SecurityMessageArchitect.java:121)
     at weblogic.wsee.security.wss.SecurityPolicyArchitect.processOutbound(SecurityPolicyArchitect.java:225)
     at weblogic.wsee.security.wss.SecurityPolicyArchitect.processMessagePolicy(SecurityPolicyArchitect.java:123)
     at weblogic.wsee.security.wss.SecurityPolicyConductor.processRequestOutbound(SecurityPolicyConductor.java:119)
     at weblogic.wsee.security.wss.SecurityPolicyConductor.processRequestOutbound(SecurityPolicyConductor.java:91)
     at weblogic.wsee.security.wssp.handlers.WssClientHandler.processOutbound(WssClientHandler.java:117)
     at weblogic.wsee.security.wssp.handlers.WssClientHandler.processRequest(WssClientHandler.java:69)
     at weblogic.wsee.security.wssp.handlers.WssHandler.handleRequest(WssHandler.java:112)
     at weblogic.wsee.jaxws.framework.jaxrpc.TubeFactory$JAXRPCTube.processRequest(TubeFactory.java:222)
     at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:866)
     at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:815)
     at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:778)
     at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:680)
     at com.sun.xml.ws.client.Stub.process(Stub.java:272)
     at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:153)
     at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:115)
     at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:95)
     at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:136)
     at $Proxy29.fetchCSD(Unknown Source)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:597)
     at weblogic.wsee.jaxws.spi.ClientInstanceInvocationHandler.invoke(ClientInstanceInvocationHandler.java:84)
     at $Proxy30.fetchCSD(Unknown Source)
     at exchangecsdclient.CSDExchangeClientImpl.fetchCSD(CSDExchangeClientImpl.java:151)
     at pdfutil.PDFUtilApp.initialize(PDFUtilApp.java:55)
     at org.jdesktop.application.Application$1.run(Application.java:170)
     at java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:209)
     at java.awt.EventQueue.dispatchEvent(EventQueue.java:597)
     at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:269)
     at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:184)
     at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:174)
     at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:169)
     at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:161)
     at java.awt.EventDispatchThread.run(EventDispatchThread.java:122)
     at weblogic.kernel.Kernel.ensureInitialized(Kernel.java:66)
     at weblogic.rjvm.wls.WLSRJVMEnvironment.ensureInitialized(WLSRJVMEnvironment.java:50)
     at weblogic.protocol.ProtocolManager$DefaultAdminProtocolMaker.<clinit>(ProtocolManager.java:53)
     at weblogic.protocol.ProtocolManager.getDefaultAdminProtocol(ProtocolManager.java:218)
     at weblogic.protocol.ProtocolHandlerAdmin.<clinit>(ProtocolHandlerAdmin.java:23)
     at weblogic.rjvm.wls.WLSRJVMEnvironment.registerRJVMProtocols(WLSRJVMEnvironment.java:120)
     at weblogic.rjvm.RJVMManager.ensureInitialized(RJVMManager.java:87)
     at weblogic.rjvm.RJVMManager.<clinit>(RJVMManager.java:46)
     at weblogic.rjvm.LocalRJVM.<init>(LocalRJVM.java:97)
     at weblogic.rjvm.LocalRJVM.<init>(LocalRJVM.java:28)
     at weblogic.rjvm.LocalRJVM$LocalRJVMMaker.<clinit>(LocalRJVM.java:31)
     at weblogic.rjvm.LocalRJVM.getLocalRJVM(LocalRJVM.java:72)
     at weblogic.xml.crypto.utils.DOMUtils.generateId(DOMUtils.java:403)
     at weblogic.xml.crypto.utils.DOMUtils.generateId(DOMUtils.java:395)
     at weblogic.xml.crypto.utils.DOMUtils.assignId(DOMUtils.java:374)
     at weblogic.xml.crypto.wss.SecurityBuilderImpl.assignUri(SecurityBuilderImpl.java:148)
     at weblogic.wsee.security.policy.SigningReferencesFactory.getSigningReferences(SigningReferencesFactory.java:100)
     at weblogic.wsee.security.wss.policy.wssp.SigningPolicyBlueprintImpl.addSignatureNodeListToReference(SigningPolicyBlueprintImpl.java:446)
     at weblogic.wsee.security.wss.policy.wssp.SigningPolicyBlueprintImpl.addSignatureNodeListToReference(SigningPolicyBlueprintImpl.java:335)
     at weblogic.wsee.security.wss.plan.SecurityMessageArchitect.resolveSignatureList(SecurityMessageArchitect.java:574)
     at weblogic.wsee.security.wss.plan.SecurityMessageArchitect.resolveSignatureList(SecurityMessageArchitect.java:428)
     at weblogic.wsee.security.wss.plan.SecurityMessageArchitect.constructMessage(SecurityMessageArchitect.java:304)
     at weblogic.wsee.security.wss.plan.SecurityMessageArchitect.buildWssMessage(SecurityMessageArchitect.java:138)
     at weblogic.wsee.security.wss.plan.SecurityMessageArchitect.buildWssMessage(SecurityMessageArchitect.java:121)
     at weblogic.wsee.security.wss.SecurityPolicyArchitect.processOutbound(SecurityPolicyArchitect.java:225)
     at weblogic.wsee.security.wss.SecurityPolicyArchitect.processMessagePolicy(SecurityPolicyArchitect.java:123)
     at weblogic.wsee.security.wss.SecurityPolicyConductor.processRequestOutbound(SecurityPolicyConductor.java:119)
     at weblogic.wsee.security.wss.SecurityPolicyConductor.processRequestOutbound(SecurityPolicyConductor.java:91)
     at weblogic.wsee.security.wssp.handlers.WssClientHandler.processOutbound(WssClientHandler.java:117)
     at weblogic.wsee.security.wssp.handlers.WssClientHandler.processRequest(WssClientHandler.java:69)
     at weblogic.wsee.security.wssp.handlers.WssHandler.handleRequest(WssHandler.java:112)
     at weblogic.wsee.jaxws.framework.jaxrpc.TubeFactory$JAXRPCTube.processRequest(TubeFactory.java:222)
     at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:866)
     at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:815)
     at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:778)
     at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:680)
     at com.sun.xml.ws.client.Stub.process(Stub.java:272)
     at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:153)
     at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:115)
     at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:95)
     at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:136)
     at $Proxy29.fetchCSD(Unknown Source)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:597)
     at weblogic.wsee.jaxws.spi.ClientInstanceInvocationHandler.invoke(ClientInstanceInvocationHandler.java:84)
     at $Proxy30.fetchCSD(Unknown Source)
     at exchangecsdclient.CSDExchangeClientImpl.fetchCSD(CSDExchangeClientImpl.java:151)
     at pdfutil.PDFUtilApp.initialize(PDFUtilApp.java:55)
     at org.jdesktop.application.Application$1.run(Application.java:170)
     at java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:209)
     at java.awt.EventQueue.dispatchEvent(EventQueue.java:597)
     at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:269)
     at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:184)
     at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:174)
     at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:169)
     at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:161)
     at java.awt.EventDispatchThread.run(EventDispatchThread.java:122)
The two invocations (one using java and the other using javaws) should obviously have not differences at all since all resources (jars) are the same.
I have tried all client jar combinations (with wlfullclient.jar, wseeclient.jar, weblogic.jar) and the result is the same. One additional piece of information is that when removing all security parameters (message level encryption and signing) from the web service the java web start client works just fine!!!
This is not an issue of additional jars that somehow mess with weblogic jars, since the same error occurs even in the basic hello world web service.
I wonder if someone has faced the same problem. I would really really appreciate any help. Thank you in advance and keep up the good work.
Cheers,
Paul.
Edited by: PaulP on Jan 11, 2012 5:31 AM

Hi Kal,
since we're currently evaluating the software and haven't acquired a license, we cannot contact support.
I only need to know if this is a solved bug or not. Does it have to do with the classloading process (I cannot think of anything else)?
Thank you again very very much!
Cheers,
Paul.

Error while executing Secure SOAP web service from Web Service Navigator

Hi All,
I have created a web service for a stateless session bean choosing option "Secure SOAP".
When I am testing it through web service navigator, it is showing following error:-
Security: Authentication expected but missing
And in response text it is showing following :-
HTTP/1.1 500 Internal Server Error
Connection: close
Server: SAP J2EE Engine/7.00
Content-Type: text/xml; charset=UTF-8
Date: Wed, 17 Dec 2008 05:42:10 GMT
Set-Cookie: <value is hidden>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >
<SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>Security: Authentication expected but missing</faultstring><detail><ns1:com.sap.engine.interfaces.webservices.runtime.ProtocolException xmlns:ns1='http://sap-j2ee-engine/error'>Security: Authentication expected but missing</ns1:com.sap.engine.interfaces.webservices.runtime.ProtocolException></detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
Can anybody help me with above thing?
And my second question : I have created web service with "Basic Auth SOAP" option. and while executing at web service navigator, its asking for username & password.
What role / right should be granted to this user so as to make him able to execute this web service? This user must be a UME user, correct?
Pls help me in resolving this.
Thanks and regards,
Amey Mogare

Hi Fazal,
I have read the thread, but my questions are still unanswered.
1. I know how to set username and password while using "Basic Auth SOAP" protocol. But my question in this case is what are the accesses user requires to be able to execute web service.
2. And about Secure SOAP, why is above mentioned error is appearing?
Thanks and regards,
Amey Mogare

How to call a secure external Web Service using Oracle BPEL and OWSM

Hi,
i have to invoke an external secure Web Service using SOA Suite 10.1.3.1, but i don´t know how to do this. Do i use OWSM gateway or Agent? how to configure the gateway or agent to pass the required security to the external secure web service.
thanks in advance
Dong

Are you getting any errors? What type of XAI Class are you using?
One thing I've noticed is that if you are making changes to the XAI Sender you will have to restart the environment before the changes can take effect.
Also, if you are using RTHTTPSNDR as XAI Class you may have to include the HTTP Method - Post in the context.
Hope this helps.
Regards,
Philip

WS-Security, WSE, Web Services, Authentication and Flex 2

Hey All,
I've been working hard on getting Flex to communicate with a
Microsoft .NET 2.0 Web Services project enabled with WSE 3.0
WS-Security. I can't seem to get the headers into the SOAP request
that I need.
For example, I can get a SOAP header into the message like
so:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="
http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="
http://www.w3.org/2001/XMLSchema"
xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Header>
<ns0:Security xmlns:ns0="
http://tempuri.org/">
<ns0:password>pass</ns0:password>
<ns0:username>DOMAIN\Administrator</ns0:username>
</ns0:Security>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<HelloWorld xmlns="
http://tempuri.org/" />
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
.. but, this isn't what my WSE, WS-Security enabled service
expects. Which is:
<soap:Envelope xmlns:soap="
http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="
http://www.w3.org/2001/XMLSchema"
xmlns:wsa="
http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:wsse="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
<wsa:Action>
http://tempuri.org/HelloWorld</wsa:Action>
<wsa:MessageID>urn:uuid:5be8b55a-df7b-4547-8def-76282fcd8b47</wsa:MessageID>
<wsa:ReplyTo>
<wsa:Address>
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:To>
http://localhost/CampaignMojoAPI.asmx</wsa:To>
<wsse:Security soap:mustUnderstand="1">
<wsu:Timestamp
wsu:Id="Timestamp-aab299a8-81e3-4d8a-bfa4-555f38978584">
<wsu:Created>2007-06-06T20:26:37Z</wsu:Created>
<wsu:Expires>2007-06-06T20:31:37Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="SecurityToken-b43668b1-51a3-4ba1-a90a-69eca3b98b66">
<wsse:Username>DOMAIN\Administrator</wsse:Username>
<wsse:Password Type="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#Passwor dText">pass</wsse:Password>
<wsse:Nonce>IK4ZemfS1pj3kpdYO5+FBg==</wsse:Nonce>
<wsu:Created>2007-06-06T20:26:37Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
<soap:Body>
<HelloWorld xmlns="
http://tempuri.org/" />
</soap:Body>
</soap:Envelope>
I've tried "addSimpleHeader" and "addHeader", but both seem
to inject nested xml elements. Can anyone help me shape this WS
call into the format I need it in? Would it be possible to call
this WS manually via a direct HTTP post from Flex 2?
Thanks!,
Sean

Yeah,
Hey guys - thanks for the responses. I looked into this and
it seems no one uses WS-Security from the browser. That's why even
Google's APIs use alternative key logins, etc. I read from one user
that in the next version of Microsoft's AJAX platform that they
might support it, but that's about it. For now, it looks like
there's not even an AJAX/Javascript way to do this. If we could do
it via Javascript, then we could use the FABridge. I don't think
Flex supports it. I've tried to manipulate the headers into place
via Flex classes and I don't think enough control is there to get
the output in the form that's needed.
I think it's possible to write it in Javascript. But right
now my time budget just doesn't allow for it. I already spent two
whole days re-writing how Flex makes Web Service calls so they're
synchronous with timeouts instead of this massive amount of
asynchronous code they want you to write, so no more
re-writing/extending of components for me for a while.
But if anyone wants to work together to support it via
AJAX/Javascript, I would invest money into developing it.
I would like a public WS-Security AJAX/Javascript framework
for making these calls via WS-Security so I can offer customers a
standard way of accessing/authenticating against our public API
set. It would also make it possible for Flex to access standard web
services with WS-Security enabled.
Let me know what you guys think, or if anyone else has any
good suggestions/software.
Thanks much,
S.

Using WS-Security with Web Service Controls in WLI 8.1 SP3

We have a process that calls a web service hosted on a .NET environment. The technique we have used is to generate a service control from the web service WSDL and call that control from a process. The web service is protected using a WS-Security usernameToken policy. The problem is that the .NET environment requires the wsse:Nonce and wsu:Created elements to be provided along with the token and I cannot see how I can specify this using a wsse policy file in WebLogic workshop. Does anyone have any advice for the best way to add this information to the security element in the SOAP header from within a WLI process? I've seen some example code for a java web service client, but that would not really fit with the control-based approach normally adopted in a WLI environment.

You won't be able to do this using the WSSE file.
An easy way to get around this is to use an XML Bean built from the WS-Security XML Schema. You'll have to read the WS-Security spec to determine how to create the nonce, but you'll be able to convert this XML Bean into the Element[] that the setOutputHeaders() method, which is on the service control you call the .NET Web Service with.
Regards,
Mike Wooten

Security with Web Service calling some EJBs

Hi everybody,
I have implemented some web services residing in a war file deployed on my Tomcat. The web services module is a client to some EJBs deployed on my JBoss. I need to log the user in my realm on each WS request and log the user out before the WS response.
I have implemented security on web applications with JBoss and used JAAS realms succesfully but what do I do in this case with Web Services? I mean the requests are stateless. If I use the org.jboss.security.ClientLoginModule
won't this override the credentials of another user who is already logged in the realm?
I have also implemented a standalone application which spawns a thread for each user request and I am wondering about the same thing. This application is a service listening for some kind of messages; on a message the application should log the user in the realm before calling an EJB and log the user after the request is completed. So it's more or less the same situation as above.
Is this possible? I mean logging many users in the same realm in one non-web application?
Any ideas?
Thank you in advance!!!
thoism

requests are stateless, just as are requests to webapps.
Which is hardly surprising as a web services stack is typically implemented as a web application.
If you could log in only a single user at the same time to an EJB application, it would be rather pointless to have the application as a distributed multiuser system :)
What you might check is whether you're allowed to log in the same user several times, if I remember correctly this can be limited in the EJB module deployment descriptors.

ADF Mobile - Securing REST Web Services

Hi,
I've developed some REST web services for my ADF Mobile app to use. They work fine but I'm having trouble securing them. According to the developer guide:
http://docs.oracle.com/cd/E35521_01/doc.111230/e24475/amxwebservices.htm#CHDGFCGD
10.5.2 How to Enable Access to REST-Based Web Services
Since only one security policy is supported for REST-based web services, ADF Mobile automatically adds oracle/wss_http_token_over_ssl_client_policy for REST web service over HTTPS, or oracle/wss_http_token_client_policy for REST web service over HTTP protocol to enable Oracle Web Services Manager (OWSM) Lite Mobile ADF Application Agent to inject a proper security header.
..so I'm trying to attach the policy oracle/wss_http_token_service_policy to the web service, but deploying it to Weblogic results in the below stack trace.
I'm trying to attach the policy in JDeveloper by selecting the service class in the java structure pane, then in the Property Inspector, using the "Web Services extension" section to select the policy.
I'm guessing I've missed a step, but can't find what. Or I'm doing completely the wrong thing. Either way, any help in resolving would be very much appreciated.
Rich.
weblogic.application.ModuleException: [HTTP:101216]Servlet: "CDRestServicePort" failed to preload on startup in Web application: "RestServices".
javax.xml.rpc.JAXRPCException: oracle.wsm.common.sdk.WSMException: WSM-07508 : Oracle WSM Agent initialization failed due to PolicySet validation errors: WSM-07617 Policy: oracle/wss_http_token_service_policy contains unsupported assertions.
, with PolicySet=PolicySet [timestamp=Mon Oct 21 13:53:23 BST 2013, subjectPattern=ResourcePattern [pattern=/DefaultDomain/DefaultServer/SOAPServices/WEBs/RestServices.war/WLSWEBSERVICEs/CDRestServiceService/PORTs/CDRestServicePort, subjectType=WLS_SERVICE, terms={PORT=CDRestServicePort, IMPLEMENTATION=WEB, SUBJECT_TYPE=WLS_SERVICE, SERVICE=CDRestServiceService, MODULE=RestServices.war, APPLICATION=SOAPServices, DOMAIN=DefaultDomain, SERVER=DefaultServer}], domainExpression=http://restws.westbourne/#wsdl.endpoint(CDRestServiceService/CDRestServicePort), polmap={oracle/wss_http_token_service_policy={Policy[wsp:http://schemas.xmlsoap.org/ws/2004/09/policy][oralgp:http://schemas.oracle.com/ws/2006/01/loggingpolicy][local-optimization:off][provides:{http://docs.oasis-open.org/ns/opencsa/sca/200903}authentication, {http://docs.oasis-open.org/ns/opencsa/sca/200903}clientAuthentication, {http://docs.oasis-open.org/ns/opencsa/sca/200903}clientAuthentication.transport][status:enabled][xmlns:http://schemas.xmlsoap.org/ws/2004/09/policy][wsu:http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd][Id:wss_http_token_service_policy][displayName:i18n:oracle.wsm.resources.policydescription.PolicyDescriptionBundle_oracle/wss_http_token_service_policy_PolyDispNameKey][orawsp:http://schemas.oracle.com/ws/2006/01/policy][orasp:http://schemas.oracle.com/ws/2006/01/securitypolicy][description:i18n:oracle.wsm.resources.policydescription.PolicyDescriptionBundle_oracle/wss_http_token_service_policy_PolyDescKey][attachTo:binding.server][Name:oracle/wss_http_token_service_policy][xsi:http://www.w3.org/2001/XMLSchema-instance][category:security][{LogAssertion[Logging][{AssertionBindings[{Config[name:Log Message1_properties][{PropertySet[name:standard-security-properties][{Property[type:string][contentType:optional][name:reference.priority]}]}]}]}][{MessageLog[ Request = all][ Response =all]}]}][{HttpSecurityScenario[http-security][Silent:true][name:Http Security][Enforced:true][category:security/authentication][{AssertionBindings[{Config[name:HttpConfig][configType:declarative][{PropertySet[name:standard-security-properties][{Property[type:string][contentType:constant][name:realm][Value:owsm]}][{Property[type:string][contentType:constant][name:role][Value:ultimateReceiver]}][{Property[type:string][contentType:optional][name:reference.priority]}]}]}]}]}][{LogAssertion[Logging][{AssertionBindings[{Config[name:Log Message2_properties][{PropertySet[name:standard-security-properties][{Property[type:string][contentType:optional][name:reference.priority]}]}]}]}][{MessageLog[ Request = all][ Response =all]}]}]}}}, constraintedDataMap={ConstraintGroup [terms=[], size=0, weight=0]=ConstraintedData [status=FAILURE, localoptimization=null, validationErrors=[Error Code:WSM-07617 Error Context:Policy], overrides=[], polRefs=[PolicyReference [policyURI=oracle/wss_http_token_service_policy, polRefQName={http://schemas.xmlsoap.org/ws/2004/09/policy}PolicyReference, version=-1, attributes={{http://schemas.oracle.com/ws/2006/01/policy}status=enabled, {http://schemas.oracle.com/ws/2006/01/policy}category=security}, overrideProps=null]]]}, locked=true]
at oracle.wsm.agent.handler.wls.WSMAgentHook.handleException(WSMAgentHook.java:462)
at oracle.wsm.agent.handler.wls.WSMAgentHook.init(WSMAgentHook.java:274)
at weblogic.wsee.jaxws.framework.jaxrpc.TubeFactory.newHandler(TubeFactory.java:108)
at weblogic.wsee.jaxws.framework.jaxrpc.TubeFactory.createServer(TubeFactory.java:81)
at weblogic.wsee.jaxws.WLSTubelineAssemblerFactory$TubelineAssemblerImpl.createServer(WLSTubelineAssemblerFactory.java:216)
at com.sun.xml.ws.server.WSEndpointImpl.<init>(WSEndpointImpl.java:213)
at weblogic.wsee.jaxws.WLSContainer$WLSEndpointFactory$WLSEndpointImpl.<init>(WLSContainer.java:623)

Hi,
so have you "Oracle Web Services Manager (OWSM) Lite Mobile ADF Application Agent" installed? Sounds this is a pre-requisite for this work
Frank

Mutual Certificate Security in Web Services

Hi all,
I need some help about mutual certificate in glassfish on netbeans 6.8. I already imported my self-signed-certificates for server and client in the truststore cacert.jks and created private keys for each of them in the keystore.jks. The next thing I did was to use the Security Mechanism: Mutual Certifacte Security to enable the usage of my self-signed-certificates.....So far so good...Here comes the problem: I looked into Wireshark and I saw the transaction of my selfsigned certifcates between client and server, but now I want to print out the extension(like uri=http://xxx) from the client-certificate on serverside.
This is my serverside source code :
package org.me.calculator;
import javax.jws.WebMethod;
import javax.jws.WebParam;
import javax.jws.WebService;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import javax.jws.WebMethod;
import javax.jws.WebParam;
import javax.jws.WebService;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.annotation.security.RolesAllowed;
import javax.servlet.http.*;
* @author User
@WebService()
public class CalculatorWS {
* Web service operation
@WebMethod(operationName = "add", action="add")
public int add(@WebParam(name = "i") int i, @WebParam(name = "j") int j) {
int k= i+j;
return k;
@WebMethod(operationName = "Extensionthrower", action="Extensionthrower")
@RolesAllowed("users")
public String Extensionthrower() {
HttpServletResponseWrapper response = null;
String clientcert = response.getResponse().toString();
if(clientcert.isEmpty()== false){
try{
InputStream inStream = new ByteArrayInputStream(clientcert.getBytes());
final CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
final X509Certificate cert = (X509Certificate) certificateFactory.generateCertificate(inStream);
java.util.Collection altNames = cert.getSubjectAlternativeNames();
if (altNames.size() > 1) {
throw new Exception("Unable to handle multiple SubjectAltName.");
java.util.List item = (java.util.List)altNames.iterator().next();
Integer type = (Integer)item.get(0);
Object value = item.get(1);
String result = null;
switch (type.intValue()) {
case 0: throw new Exception("SubjectAltName of type OtherName not supported.");
case 1: result = "rfc822Name=" + (String)value;
break;
case 2: result = "dNSName=" + (String)value;
break;
case 3: throw new Exception("SubjectAltName of type x400Address not supported.");
case 4: throw new Exception("SubjectAltName of type directoryName not supported.");
case 5: throw new Exception("SubjectAltName of type ediPartyName not supported.");
case 6: result = "uri=" + (String)value;
break;
case 7: result = "ipaddress=" + (String)value;
break;
default: throw new Exception("SubjectAltName of unknown type.");
return result;
}catch(Exception e){System.out.println(""+e);}
return null;
}When my clietn sends a request to the server, I get the following message:
Servlet ClientServlet at /SecureCalculatorClientApp
Successfully authenticated!
Result: 2 + 2 = 4. Extension: null .The right Extension it has to print out is i.e.: Extension: http://polizei
I just used the Debug mode and when it gets to line: "final X509Certificate cert = (X509Certificate) certificateFactory.generateCertificate(inStream);" it throws an Exception....Can anyone help me out? Is something with the input "inStream" wrong?
Many thanks in advance

Yes, the server has to load/receive the client cert and compare it with the certs in the truststore.
Every cert that you generate has to be imported in the truststore, and because every cert that you use has an
alias, it is easier to look for the right cert.
If I use @RolesAllowed("users") the credentials are stored in the sun-web.xml, like this:
<security-role-mapping>
<role-name>users</role-name>
<principal-name>CN=..., OU=......</principal-name>
</security-role-mapping>In the sun-web.xml you define the credentials, now you have to use them for authentication purpose and this is done in the web.xml.
Wishing best luck

Security in Web services

Similar Messages

Maybe you are looking for