Web Service Authentication Question

Similar Messages

• Simple web service authentication question

  I'm using the application server included with Sun ONE Identity Server 6.1 (and Apache Axis) to deploy a very simple sample web service. Accessing it from a web browser works fine. (After entering the url to my service, I'm redirected to the authentication page. After authenticating, my service is executed as expected.)
  The problem comes when I attempt to execute this same web service from a Java application (using Apache Axis). I authenticate programmatically and have a valid SSOToken. How do I pass my authentication information along to the IS server when invoking the web service programmatically? Can I do this somehow with the SSOToken I have? Every time I invoke the service programmatically, a "(302)Moved Temporarily" HTML response is received.
  Thanks for your help.
  David

  This solved the problem for me (using Axis):
       call.setProperty(org.apache.axis.transport.http.HTTPConstants.HEADER_COOKIE,
                        "iPlanetDirectoryPro=" + token.getTokenID().toString());
       call.setMaintainSession(true);Hope this helps.

• SOAP Web Service Authentication configuration

  Hello,
  I've got a little problem with Web Service authentication configuration.
  I'm working on the SAP NetWeaver CE EHP1 7.11. I also have a XMII application deployed on the server and there are some SOAP Web Services(over XMII Transactions) that require basic authentication.
  I use all Web Services in the EJB layer. So, I've generated proxy using SAP NetWeaver as a Web Service Runtime for generation. And Iuse an injection mechanism to get a service implementation:
  @WebServiceRef(name="GetBatchListService")
  private XacuteWS batchListWS;
  In this case I could use Single Service Administration application in the NetWeaver Administrator@SOA Management@Application and Scenario Communication to configure basic authentication for EVERY Web Service. And this configuration disappears after every redeploy.
  The question is how and where could I configure authentication for all web services?
  I've read a lot of documentation, but, unfortunately, I haven't found needed one. I could see 2 direction of searching now, it might help:
  1) Destination: Configure HTTP Destination or Web Service Template Destination and use it in all Web Services proxies somehow.
  2) Find Configuration way: Create a configuration group or anything else to configure all services from one screen.
  Best Regards,
  Dmitry

  Dimtris,
  If your WSDL url is pointing to the URL of the Adapter Engine as shownin the Hot to Use the SOAP adapter there is no option. You cannot add it to the SOAP Url.
  But, if you change the SOAP Url to the Url shown in this blog by Stefan Grube then you can add the user id and pasword to the url by adding sap- user=userid and sap-password = password.
  The optin shown ion the blog by Grube can be used as long as you do not have to use SOAP attachments and in this  case you would not need both sender SOAP adapter and a sender agreement.
  /people/stefan.grube/blog/2006/09/21/using-the-soap-inbound-channel-of-the-integration-engine
  Regards
  Bhavesh
  Regards
  Bhavesh

• X.509 Web Service Authentication for ABAP AS Web Service Interaction

  We are trying to use X.509 web service authentication with SAP Web AS ABAP between 2 different SAP installations. Company 1 is trying to consume a web service set up by Company 2.
  Company 1 has installed Company 2's public key, generated the client proxy using Company 2's WSDL and created a corresponding lpconfig entry.
  Then company 2 has set up the profile parameter ICM/HTTPS/verify_client to accept certificates and imported Company 1's SLL client certificate and mapped the user in USREXTID.  Note that Company 1 uses self-signed certificates, so it does not have a root certificate, which is what the documentation says should be imported into the PSE instead of the SSL client certificate.
  When Company 1 tries the web service call, it receives a request to authenticate the web service from Company 2. (basic authentication logon screen, even though the web service configuration is set to X.509 Client Certificate.
  Should this work or is there a problem because Company 1 uses self-signed certificates or is there something else we are missing?

  >
  Connie Begovich wrote:
  > We are trying to use X.509 web service authentication with SAP Web AS ABAP between 2 different SAP installations. Company 1 is trying to consume a web service set up by Company 2.
  >
  > Company 1 has installed Company 2's public key, generated the client proxy using Company 2's WSDL and created a corresponding lpconfig entry.
  >
  > Then company 2 has set up the profile parameter ICM/HTTPS/verify_client to accept certificates and imported Company 1's SLL client certificate and mapped the user in USREXTID.  Note that Company 1 uses self-signed certificates, so it does not have a root certificate, which is what the documentation says should be imported into the PSE instead of the SSL client certificate.
  >
  > When Company 1 tries the web service call, it receives a request to authenticate the web service from Company 2. (basic authentication logon screen, even though the web service configuration is set to X.509 Client Certificate.
  >
  > Should this work or is there a problem because Company 1 uses self-signed certificates or is there something else we are missing?
  I think that the problem is in Service Authentication (in transaction sicf). You have to consume web-service, transmitting user-password for access.

• Web Service Security Question

  I have created a web service in the NetWeaver portal using a Portal Service.  I have marked the service as requiring basic http authentication.  However, when I call the web service from the Enterprise Portal Web Services Checker in NWDS it just let's me supply the params of the web service and no authentication.  Any ideas?
  I also noticed that my web service does not appear under the Web Services Container or Web Services Security section in Visual Administrator.  Anybody have any idea why this is?
  Thanks in advance.
  Curtis

  Hi Curtis,
  My guess is that since you are logged into the Portal while calling this web service, it will use the current session cookie to authenticate automatically. I'm not sure on the second question, tried a restart?
  Regards,
  Raj

• Web Services Authentication Error - AUTH_0005

  Authentication via the AuthenticationService is successful, returning a  valid Session ID.  Authentication via passing an AuthenticationToken in  the SOAP Header fails with an error of AUTH_0005 The user name header is  invalid ....
  We are calling newScale web  services from an external application.  Making a call to the  AuthenticationService using this SOAP request is successful:
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:aut="http://authentication.api.newscale.com">
      <soapenv:Header/>
      <soapenv:Body>
         <aut:authenticate>
            <aut:userName>username</aut:userName>
            <aut:password>password</aut:password>
         </aut:authenticate>
      </soapenv:Body>
  </soapenv:Envelope>
  The return data is:
  <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <soap:Header>
         <AuthenticationToken>
            <Username>username</Username>
            <SessionId>1FD9023262278342CACF63D0D6C5A8F2</SessionId>
         </AuthenticationToken>
      </soap:Header>
      <soap:Body>
         <ns1:authenticateResponse xmlns:ns1="http://authentication.api.newscale.com">
            <ns1:personInfo>
               <active xmlns="http://authentication.api.newscale.com">false</active>
               <email xmlns="http://authentication.api.newscale.com">[email protected]</email>
               <employeeCode xsi:nil="true" xmlns="http://authentication.api.newscale.com"/>
               <firstName xmlns="http://authentication.api.newscale.com">user</firstName>
               <homeOrganizationalUnitName xsi:nil="true" xmlns="http://authentication.api.newscale.com"/>
               <lastName xmlns="http://authentication.api.newscale.com">name</lastName>
               <localeName xsi:nil="true" xmlns="http://authentication.api.newscale.com"/>
               <login xmlns="http://authentication.api.newscale.com">username</login>
               <managerEmail xsi:nil="true" xmlns="http://authentication.api.newscale.com"/>
               <managerName xsi:nil="true" xmlns="http://authentication.api.newscale.com"/>
               <managerPhone xsi:nil="true" xmlns="http://authentication.api.newscale.com"/>
               <placeName xsi:nil="true" xmlns="http://authentication.api.newscale.com"/>
               <status xmlns="http://authentication.api.newscale.com">0</status>
               <timeZoneName xsi:nil="true" xmlns="http://authentication.api.newscale.com"/>
               <title xsi:nil="true" xmlns="http://authentication.api.newscale.com"/>
            </ns1:personInfo>
         </ns1:authenticateResponse>
      </soap:Body>
  </soap:Envelope>
  However,  when we pass credentials in an AuthenticationToken when accessing any  of the other services, we get an error.  For example:
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:req="http://requisition.api.newscale.com">
      <soapenv:Header>
         <req:AuthenticationToken>
            <req:Username>username</req:Username>
            <req:Password>password</req:Password>
         </req:AuthenticationToken>
      </soapenv:Header>
      <soapenv:Body>
         <req:getServiceDefinition>
            <req:initiatorLoginName>username</req:initiatorLoginName>
            <req:customerLoginName>username</req:customerLoginName>
            <req:serviceName>VMSpinup</req:serviceName>
         </req:getServiceDefinition>
      </soapenv:Body>
  </soapenv:Envelope>
  Yields this error:
  <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <soap:Body>
         <soap:Fault>
            <faultcode>soap:Server</faultcode>
            <faultstring>The user name header is invalid. It is  either not present or empty!. Please send a valid  header.</faultstring>
            <detail>
               <RequisitionFault xmlns="http://requisition.api.newscale.com">
                  <errorCode>AUTH_0005</errorCode>
                  <errorMessage>The user name header is invalid. It  is either not present or empty!. Please send a valid  header.</errorMessage>
               </RequisitionFault>
            </detail>
         </soap:Fault>
      </soap:Body>
  </soap:Envelope>
  Unfortunately,  I cannot find any details on the meaning of this error or what its  cause is.  There appears to be a valud SOAP header.  Is it talking about  the HTTP header instead?
  Thanks.

  I posted this same question here on the form, bottom line this does not work. You need to pass in the username and password each time
  https://supportforums.cisco.com/message/3492955#3492955

• Consuming Web Service | Authentication

  Hello Friends,
  I'm having some trouble configuring a Web Service regarding authentication.
  I created a remote function in SE80 and a web service with it, then I went to SOAMANAGER and configured the authentication section with the 'no authentication' option and added the user/pass in the 'ABAP Service User'.
  In SICF the service is active and seams OK(the user/pass is set), but every time I try to open the WSDL in the browser I get 'A username and password are being requested by SAP Web Application Server'...
  I tested the service with SOAPUI and it also requests the User/Pass for SAP, so it seams that the problem is to enter in SAP WAS and not to access the web service.
  Please advice.
  Thank you.
  PT

  Hello Paulot,
                       You are confused with the WSDL URL and the Webservice Binding URL.
  WSDL URL :
                    This gives the description about the Interface defination for that Webservice interface and it also contains the Binding url in the SOAP Address tag . This the the url , whick will be called on consuming the webservice from external interfaces.
  Binding URL:-
                  This is the URL , whick will be called on consuming the webservice from external interfaces.
  Let me know if you ahve any questions.

• WS-Security, WSE, Web Services, Authentication and Flex 2

  Hey All,
  I've been working hard on getting Flex to communicate with a
  Microsoft .NET 2.0 Web Services project enabled with WSE 3.0
  WS-Security. I can't seem to get the headers into the SOAP request
  that I need.
  For example, I can get a SOAP header into the message like
  so:
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="
  http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xsd="
  http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="
  http://www.w3.org/2001/XMLSchema-instance">
  <SOAP-ENV:Header>
  <ns0:Security xmlns:ns0="
  http://tempuri.org/">
  <ns0:password>pass</ns0:password>
  <ns0:username>DOMAIN\Administrator</ns0:username>
  </ns0:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
  <HelloWorld xmlns="
  http://tempuri.org/" />
  </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
  .. but, this isn't what my WSE, WS-Security enabled service
  expects. Which is:
  <soap:Envelope xmlns:soap="
  http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xsi="
  http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="
  http://www.w3.org/2001/XMLSchema"
  xmlns:wsa="
  http://schemas.xmlsoap.org/ws/2004/08/addressing"
  xmlns:wsse="
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soap:Header>
  <wsa:Action>
  http://tempuri.org/HelloWorld</wsa:Action>
  <wsa:MessageID>urn:uuid:5be8b55a-df7b-4547-8def-76282fcd8b47</wsa:MessageID>
  <wsa:ReplyTo>
  <wsa:Address>
  http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
  </wsa:ReplyTo>
  <wsa:To>
  http://localhost/CampaignMojoAPI.asmx</wsa:To>
  <wsse:Security soap:mustUnderstand="1">
  <wsu:Timestamp
  wsu:Id="Timestamp-aab299a8-81e3-4d8a-bfa4-555f38978584">
  <wsu:Created>2007-06-06T20:26:37Z</wsu:Created>
  <wsu:Expires>2007-06-06T20:31:37Z</wsu:Expires>
  </wsu:Timestamp>
  <wsse:UsernameToken xmlns:wsu="
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  wsu:Id="SecurityToken-b43668b1-51a3-4ba1-a90a-69eca3b98b66">
  <wsse:Username>DOMAIN\Administrator</wsse:Username>
  <wsse:Password Type="
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#Passwor dText">pass</wsse:Password>
  <wsse:Nonce>IK4ZemfS1pj3kpdYO5+FBg==</wsse:Nonce>
  <wsu:Created>2007-06-06T20:26:37Z</wsu:Created>
  </wsse:UsernameToken>
  </wsse:Security>
  </soap:Header>
  <soap:Body>
  <HelloWorld xmlns="
  http://tempuri.org/" />
  </soap:Body>
  </soap:Envelope>
  I've tried "addSimpleHeader" and "addHeader", but both seem
  to inject nested xml elements. Can anyone help me shape this WS
  call into the format I need it in? Would it be possible to call
  this WS manually via a direct HTTP post from Flex 2?
  Thanks!,
  Sean

  Yeah,
  Hey guys - thanks for the responses. I looked into this and
  it seems no one uses WS-Security from the browser. That's why even
  Google's APIs use alternative key logins, etc. I read from one user
  that in the next version of Microsoft's AJAX platform that they
  might support it, but that's about it. For now, it looks like
  there's not even an AJAX/Javascript way to do this. If we could do
  it via Javascript, then we could use the FABridge. I don't think
  Flex supports it. I've tried to manipulate the headers into place
  via Flex classes and I don't think enough control is there to get
  the output in the form that's needed.
  I think it's possible to write it in Javascript. But right
  now my time budget just doesn't allow for it. I already spent two
  whole days re-writing how Flex makes Web Service calls so they're
  synchronous with timeouts instead of this massive amount of
  asynchronous code they want you to write, so no more
  re-writing/extending of components for me for a while.
  But if anyone wants to work together to support it via
  AJAX/Javascript, I would invest money into developing it.
  I would like a public WS-Security AJAX/Javascript framework
  for making these calls via WS-Security so I can offer customers a
  standard way of accessing/authenticating against our public API
  set. It would also make it possible for Flex to access standard web
  services with WS-Security enabled.
  Let me know what you guys think, or if anyone else has any
  good suggestions/software.
  Thanks much,
  S.

• PL SQL Web Service Authentication through LDAP

  I have created one PL SQL Web Service and I would like to provide token security through LDAP.
  I have configured LDAP for deployed webservice in oracle IAS 10.1.3 Service.
  Problem Description: <?xml version="1.0" encoding="UTF-8"?>
  <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns0="http://dbconnection1/MobileWebService.wsdl/types/"><env:Body><env:Fault><faultcode>env:MustUnderstand</faultcode><faultstring>SOAP must understand error: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security</faultstring></env:Fault></env:Body></env:Envelope>
  I have provided LDAP authentication through oracle iAS Setup.
  Please help

  Hi I am looking out for a good friend of mine, Rajeev Dave from Vijaywada, if your the one, please email me [email protected]
  thanks,

• BPEL process Web Service Authentication

  Hi guys,
  I could use a web service based on BPEL process from local machine, but when I am calling the same service from one of the client machines i get following type of error
  WARNING: Unable to connect to URL: http://server1:7777/orabpel/default/SendTransfer/1.0 due to java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message send failed: server1:
  23:14:16 HTTP transport error: javax.xml.soap.SOAPException: java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message send failed
  any help is appreciated

  Hi,
  you may also want to post this question to the BPEL forum
  BPEL
  Frank

• How do I configure automatic web service authentication?

  Hi there,
  I am trying to implement a web service in my form that requires authentication.  When I enter the WSDL location in connection properties I am prompted with an 'Authentication Required' dialogue to which I enter User Name and Password which allows me to proceed to the 'Select an operation' section.  I select an operation and click Next and am presented with some authentication options (Requires HTTP/HTTPS Authentication , Requires Message-Level Authentication), but no matter what combination of these options I select I am still prompted for User Name and Password when I try to call the web service from the compiled PDF.
  The user will not have these credentials.  I need the form to include the credentials automatically when the service is called without user input.  How do I go about doing this?
  Many thanks,
  Kieran

  You will have to do this programmatically. If you look at the Acrobat Javascript reference it shows you how to use the SOAP object and how you can hard code the credentials for the WS call. Note that by hard coding this you are in essence breaking the security.
  Paul

• XI Web Service Authentication problem

  Hi,
  I have a XI Web Service that our third-party PeopleSoft client is trying to consume. I tested the Web Service and that works. I used SOAP client testing tool that I have which posts SOAp message to the web service URL. Before i use this tool using Internext Explorer, I attempt to connect to the Web Service URL (by putting the entire web service URL in the Address Bar), it prompts me for the user name & password and upon successful authentication, MessageServlet gives me a success message.Once authenticated, i am successfully able to post SOAP messages to the Web Service URL.
  I provided my PeopleSoft team with the WSDL document, they uploaded into their system, made some configs, and the SOAP message that they are generating is as below
  As you can see in the SOAp message, they are attempting to pass the user name and password in SOAP header and I understand XI ignores SOAP headers OR that is at least not the way to authenticate.
  Shouldn't they be able to somehow authenticate themselves against SOAP adapter using User name and password that we provided them with and the send SOAP messages?
  ********<soap:Envelope xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soap:Header>
  <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:UsernameToken><wsse:Username>user name</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password></wsse:UsernameToken></wsse:Security></soap:Header><soap:Body><MI_EMP_ADDR_CHG_OSSERVICE xmlns="https://pics.sco.ca.gov"><PERSON_ID>BB000001</PERSON_ID><START_DATE>20100501</START_DATE><ADDR_LINE1>100 MAIN ST</ADDR_LINE1><ADDR_LINE2/><CITY>CORONA</CITY><COUNTY>RIVERSIDE</COUNTY><STATE>CA</STATE><ZIP_CODE>91881</ZIP_CODE></MI_EMP_ADDR_CHG_OSSERVICE></soap:Body></soap:Envelope>
  I will appreciate any ideas.
  Thanks,
  Saurabh

  Indeed, they should take care of the authentication according to supported XI mechanisms, as explained here :
  http://help.sap.com/saphelp_nw04/helpdata/en/1f/7e2441509fa831e10000000a1550b0/content.htm
  There is also a note #891877 that explains security level settings for SOAP adapter
  Chris

• Web Services General Question

  Hi All,
  Does web services in Java mean to simply provide a SOAP container that wraps around an EJB (or even a web container)?
  If this is true, all of the work that's been done with the development of EJBs can be preserved, and other system will make calls to the SOAP container in order to get access to the web services provided.
  I'm trying to understand the big picture and slowly get into Web Services in Java.
  Thanks

  I don�t know if this answers your question, but I think that SOAP indeed can be used to expose existing EJB�s to non-Java-Systems.

• Web Service authentication by security role

  I define an web service with authentication by security role.
  I access web service via web dynpro model in EP7.
  It appear below error:
  <b>Exception on execution of web service with WSDL URL 'http://XXX:50000/XXX/Config1?wsdl ' with operation 'XXXXXXXX' in interface 'XXXVi_Document'</b>
  how should i do to solve this problem ?

  Hi WU,
              Use this code with ur webservice & check the error in log file.May be we will get some more info abt this.
  This code will be in execute method
  Request_XXX reqData = new Request_XXXdbModel);
  reqData.wdSetInvocationLogEnabled(true);
  in the catch block give this
  logger.traceThrowableT(
       Severity.ERROR,
       wdComponentAPI.getApplication().getDeployableObjectPart().getName(),
       ex);
       //if (logger.beDebug()) {
       logger.fatalT(requestModel.wdGetRequestLog());
       logger.fatalT(requestModel.wdGetResponseLog());
       logger.fatalT(requestModel.associatedModelClassInfo().getModelInfo().toString());
       logger.fatalT(requestModel.toString());
  request model is ue model & ex is the exception in catch block.
  execute the application after this change & check the server log.In case u r not able to find out the problem,send the stach trace.
  regards
  Sumit

• LDAP security provider and web service authentication

  Background: we are currently developing web services to our existing weblogic application. Our users can configure user/password authentication in one of three ways: database, LDAP, or SSO. Setting SSO aside, we need to implement the same authentication for database and LDAP that we use in our existing logon servlet in our web services. In our servlet we detect which they are configured for and, if database, authenticate the encrypted password to a database table we have for user id/password. If LDAP we use weblogic.servlet.security.ServletAuthentication and the weak() method to authenticate.
  We've to use SOAP headers to communicate username/password from the client to the web service. We want to code a SOAP message handler to grab the username/password and do the authentication there. We've successfully put something together that handles the database authentication no problem and are now struggling with how to handle the LDAP authentication. We distribute a LDAP security provider we've coded for LDAP authentication. I guess what I am looking for is an equivalent functionality provided with weblogic.servlet.security.ServletAuthentication. Note that I realize the weblogic.servlet.security package has been deprecated starting with Weblogic 9.0 but cannot find what functionality replaces it. Any help there would be appreciated as well.
  Note that I am fairly new to web service development (about 10 months now) and definitely new to web service security and Weblogic security. I tried digging into the volumes of documentation out there regarding these two topics but am simply having a difficult time sorting it all out and figuring out how to do what I want to do.
  Thanks in advance!
  Julia

  Hi,
  Add Provider (LDAP Credentials) in Admin console Security Realm --> defaultrealm -->Providers. Configuring Ldap in Admin Console will enable Admin Server to connect to LDAP. All the LDAP preconfigured Users/Groups will be available in Users and Groups Tab of Security Realms >defaultrealm >Users and Groups. Add Roles using Security Realms >defaultrealm > Roles and Policies > Global Roles > Roles. Add Role Conditions to the role by specifying users/groups configured in LDAP. If your webservice runs with SSL Anotate the Webservice file something like this below.
  @RolesAllowed({
  @SecurityRole(role="test")
  @Policy(
  uri="policy:Wssp1.2-2007-Https-UsernameToken-Plain.xml",
  attachToWsdl=true)
  Here the role is Preconfigired role in AdminConsole. Add the following tag in the soapenv:header.
  <soapenv:Header>
  <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:UsernameToken>
  <wsse:Username>test</wsse:Username>
  <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
  </wsse:UsernameToken>
  </wsse:Security>
  </soapenv:Header>