Webservice secure

I would like to secure my webservice just like cfc. If I go to
cfc it will ask me for userid and password. Can I do that for wsdl?
Thanks

You can try using the @common:security annotation:

/**
 * Users in the Administrators role may access any method in this web service.
 * @common:security roles-allowed="Administrators"
 */
public class HelloWorld implements com.bea.jws.WebService
{
    /**
     * Only users in the Managers (or Administrators) role may access this method
     * @common:operation
     * @common:security roles-allowed="Managers"
     */
    public String helloManagers()
    {
        return "Hello, Managers.";
    }

    /**
     * Only users in the Employees (or Administrators) role may access this method
     * @common:operation
     * @common:security roles-allowed="Employees"
     */
    public String helloEmployees()
    {
        return "Hello, Employees.";
    }
}

Thanks,
Sandeep

Similar Messages

  • BPEL to invoke a webservice secured by BASIC auth

    Hi
    I have been trying to write a simple BPEL process to invoke a remote webservice secured by basic authentication. I was able to build the BPEL process and then the composite application that I deployed successfully to glassfish, all within NetBeans IDE. As per the wiki notes: http://wiki.open-esb.java.net/Wiki.jsp?page=HTTPBasicAuthentication, I also added the Policy element to the wsdl for the service that I am trying to invoke as follows:
    <wsdl:service name="PMSDatabase">
            <wsdl:port name="PMSDatabaseSOAP11port_http" binding="ns2:PMSDatabaseSOAP11Binding">
                <soap:address location="http://namadgi:9999/MessageCentre/services/PMSDatabase"/>
            </wsdl:port>
            <wsdl:port name="PMSDatabaseSOAP12port_http" binding="ns2:PMSDatabaseSOAP12Binding">
                <soap12:address location="http://namadgi:9999/MessageCentre/services/PMSDatabase"/>
            </wsdl:port>
            <wsdl:port name="PMSDatabaseHttpport" binding="ns2:PMSDatabaseHttpBinding">
                <http:address location="http://namadgi:9999/MessageCentre/services/PMSDatabase"/>
                <wsp:PolicyReference URI="#HttpBasicAuthBindingBindingPolicy"/>
            </wsdl:port>
        </wsdl:service>
        <wsp:Policy wsu:Id="HttpBasicAuthBindingBindingRealmPolicy">
            <mysp:MustSupportBasicAuthentication on="true">
                <mysp:BasicAuthenticationDetail>
                   <mysp:WssTokenCompare/>
                </mysp:BasicAuthenticationDetail>
            </mysp:MustSupportBasicAuthentication>
            <mysp:UsernameToken mysp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
               <wsp:Policy>
                    <sp:WssUsernameToken10>mcs_user</sp:WssUsernameToken10>
                    <sp:WssPassword>${pass_token}</sp:WssPassword>
               </wsp:Policy>
          </mysp:UsernameToken>
        </wsp:Policy>
    When I try to run a testcase, the BPEL process fails during the invoke activity and I get the following error in the output:
    <detailText>BPCOR-6135:A fault was not handled in the process scope; Fault Name is {http://www.sun.com/wsbpel/2.0/process/executable/SUNExtension/ErrorHandling}systemFault; Fault Data is &lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;&lt;jbi:message xmlns:sxeh=&quot;http://www.sun.com/wsbpel/2.0/process/executable/SUNExtension/ErrorHandling&quot; type=&quot;sxeh:faultMessage&quot; version=&quot;1.0&quot; xmlns:jbi=&quot;http://java.sun.com/xml/ns/jbi/wsdl-11-wrapper&quot;&gt;&lt;jbi:part&gt;HTTPBC-E00753: HTTP POST request failed, portType {http://service.messagecentre.dha.gov.au}PMSDatabaseHttpport
        URL: http://namadgi:9999/MessageCentre/services/PMSDatabase/deletePMSVoidPeriod
        QUERY:
        PATH_INFO:
        Exception detail: request requires HTTP authentication: User mcs_user not found in directory.&lt;/jbi:part&gt;&lt;/jbi:message&gt;. Sending errors for the pending requests in the process scope before terminating the process instance
       Caused by: BPCOR-6131:An Error status was received while doing an invoke (partnerLink=PartnerLink1, portType={http://service.messagecentre.dha.gov.au}PMSDatabasePortType, operation=deletePMSVoidPeriod)
    BPCOR-6129:Line Number is 48
    BPCOR-6130:Activity Name is Invoke1
       Caused by: HTTPBC-E00753: HTTP POST request failed, portType {http://service.messagecentre.dha.gov.au}PMSDatabaseHttpport
        URL: http://namadgi:9999/MessageCentre/services/PMSDatabase/deletePMSVoidPeriod
        QUERY:
        PATH_INFO:
        Exception detail: request requires HTTP authentication: User mcs_user not found in directory.
       Caused by: request requires HTTP authentication: User mcs_user not found in directory.</detailText>
    Where else do I need to configure the BASIC auth details to get this to work?

    Please post your request to [email protected] for quick response.
    Error states "mcs_user" is invalid user. Please make sure that the user is valid.
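
A static check for the policy wiring discussed in the thread above, as an added example that is not part of the original posts: in the WSDL as posted, the port references `#HttpBasicAuthBindingBindingPolicy` while the policy is declared with `wsu:Id="HttpBasicAuthBindingBindingRealmPolicy"`, and the endpoint is plain `http://`. The sample WSDL, its names and the `mysp` namespace URI are constructed, and treating `${...}` as a deploy-time variable is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample (not the poster's file): PortA has a dangling reference,
# PortB sends Basic credentials over http, PortC is wired correctly.
SAMPLE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:mysp="urn:example:basic-auth-policy">
  <wsdl:service name="DemoService">
    <wsdl:port name="PortA" binding="DemoBinding">
      <http:address location="http://host.example:9999/svc"/>
      <wsp:PolicyReference URI="#BasicAuthBindingPolicy"/>
    </wsdl:port>
    <wsdl:port name="PortB" binding="DemoBinding">
      <http:address location="http://host.example:9999/svc"/>
      <wsp:PolicyReference URI="#BasicAuthRealmPolicy"/>
    </wsdl:port>
    <wsdl:port name="PortC" binding="DemoBinding">
      <http:address location="https://host.example:9443/svc"/>
      <wsp:PolicyReference URI="#BasicAuthRealmPolicy"/>
    </wsdl:port>
  </wsdl:service>
  <wsp:Policy wsu:Id="BasicAuthRealmPolicy">
    <mysp:MustSupportBasicAuthentication on="true"/>
    <mysp:UsernameToken>
      <wsp:Policy>
        <sp:WssUsernameToken10>svc_user</sp:WssUsernameToken10>
        <sp:WssPassword>${pass_token}</sp:WssPassword>
      </wsp:Policy>
    </mysp:UsernameToken>
  </wsp:Policy>
</wsdl:definitions>"""


def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1] if isinstance(name, str) else ""


def lint_wsdl(wsdl_text):
    """Return (where, finding, detail) tuples for policy wiring problems."""
    # WSDLs often come from another party: refuse DTDs so entity
    # expansion never reaches the parser.
    if "<!DOCTYPE" in wsdl_text:
        raise ValueError("DOCTYPE not allowed in WSDL input")
    root = ET.fromstring(wsdl_text)

    # Index every policy that carries an Id attribute (wsu:Id).
    policies = {}
    for el in root.iter():
        if local(el.tag) == "Policy":
            for attr, value in el.attrib.items():
                if local(attr) == "Id":
                    policies[value] = el

    findings = []
    for port in root.iter():
        if local(port.tag) != "port":
            continue
        name = port.get("name", "?")
        locations = [c.get("location", "") for c in port if local(c.tag) == "address"]
        for ref in (c for c in port if local(c.tag) == "PolicyReference"):
            uri = ref.get("URI", "")
            if not uri.startswith("#"):
                continue  # external policy document: out of scope here
            policy = policies.get(uri[1:])
            if policy is None:
                # The reference names no policy in this file, so nothing is applied.
                findings.append((name, "dangling-policy-reference", uri))
                continue
            wants_basic = any(
                local(e.tag) == "MustSupportBasicAuthentication"
                and e.get("on", "").lower() == "true"
                for e in policy.iter()
            )
            for loc in locations:
                # Basic auth is only base64-encoded, so it needs TLS underneath.
                if wants_basic and urlparse(loc).scheme.lower() != "https":
                    findings.append((name, "basic-auth-over-cleartext", loc))

    # Assumption: a value written as ${name} is substituted at deploy time;
    # anything else inside WssPassword is a secret stored in the WSDL itself.
    for policy_id, policy in policies.items():
        for e in policy.iter():
            text = (e.text or "").strip()
            if local(e.tag) == "WssPassword" and text:
                if not (text.startswith("${") and text.endswith("}")):
                    findings.append((policy_id, "literal-password", "<redacted>"))
    return findings


if __name__ == "__main__":
    for where, finding, detail in lint_wsdl(SAMPLE_WSDL):
        print(f"{where}: {finding}: {detail}")
```
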

  • Webservice - security error

    Hi All,
    We are receiving the security error provided below while invoking the LegalReportingUnitService -http://Host:Port/finLeLegalEntitiesModel/LegalReportingUnitService?WSDL using HTTP Analyzer (Jdeveloper) or SOAP UI.
    Also we find that the web service is having OWSM Policies - Directly Attached Policy - oracle/wss11_saml_or_username_token_with_message_protection_service_policy
    Please let us know what information has to be provided apart from username/password credentials to this webservice.
    a. Error message while invoking the web service using ext port & SSL url :
    https://xxxx-fin-ext.example.com:xxxxx/finLeLegalEntitiesModel/LegalReportingUnitService?WSDL
    Error Message: 401 Unauthorized.
    Log details:
    Response Header-----------------=_Part_9_498083750.1342417354448
    Content-Type: application/xop+xml;charset=UTF-8;type="text/xml"
    Content-Transfer-Encoding: 8bit
    Content-ID: <a1759cc915eb4db6ab48a1b97d3f1386>
    <?xml version="1.0" encoding="UTF-8" ?>
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ns2="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/types/" xmlns:ns3="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/"><env:Header><ns1:Security><ns1:UsernameToken><ns1:Username>Fusion</ns1:Username><ns1:Password>welcome</ns1:Password></ns1:UsernameToken></ns1:Security></env:Header><env:Body><ns2:createLegalReportingUnit><ns2:legalReportingUnit xmlns:ns2="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/types/"><ns3:PartyId xmlns:ns3="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/">300000002842377</ns3:PartyId><ns3:LegalEntityId xmlns:ns3="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/">300000002842369</ns3:LegalEntityId><ns3:GeographyId xmlns:ns3="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/">300000000225396</ns3:GeographyId><ns3:Name xmlns:ns3="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/">Test123</ns3:Name><ns3:MainEstablishmentFlag xmlns:ns3="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/">Y</ns3:MainEstablishmentFlag><ns3:MainEffectiveFrom xmlns:ns3="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/">2011-07-03+05:30</ns3:MainEffectiveFrom><ns3:MainEffectiveTo xmlns:ns3="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/">2012-07-16+05:30</ns3:MainEffectiveTo><ns3:EffectiveFrom xmlns:ns3="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/">2012-07-16+05:30</ns3:EffectiveFrom><ns3:EffectiveTo 
xmlns:ns3="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/">2012-07-16+05:30</ns3:EffectiveTo><ns3:ObjectVersionNumber xmlns:ns3="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/">1</ns3:ObjectVersionNumber><ns3:ActivityCode xmlns:ns3="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/"/><ns3:SubActivityCode xmlns:ns3="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/"/><ns3:TypeOfCompany xmlns:ns3="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/"/></ns2:legalReportingUnit></ns2:createLegalReportingUnit></env:Body></env:Envelope>
    ------=_Part_9_498083750.1342417354448--
    b. Error message while invoking this web service using int port –
    http://xxx-fin-int.example.com:xxxx/finLeLegalEntitiesModel/LegalReportingUnitService?WSDL
    Error Message: 500 Internal Server error.
    Log details:
    Response Header: ------=_Part_8_481967515.1342415673437
    Content-Type: application/xop+xml;charset=UTF-8;type="text/xml"
    Content-Transfer-Encoding: 8bit
    Content-ID: <f4ef59739fc64cacb9829403d3a171d5>
    <?xml version="1.0" encoding="UTF-8" ?>
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header/><env:Body><env:Fault xmlns:ns0="http://schemas.oracle.com/owsm/policy-enforcement-2007-06"><faultcode>ns0:GenericFault</faultcode><faultstring>GenericFault : generic error</faultstring><faultactor></faultactor></env:Fault></env:Body></env:Envelope>
    ------=_Part_8_481967515.1342415673437--
    Regards,
    Ramesh

    Hi, I am using Weblogic Oracle 12c and standalone server, no clusters. I have a webservice configured which is working from the Weblogic, using DemoTrust.jks. I just downloaded the SOAP-UI and am having issues with this. I set up the Auth tab to use Global HTTP Settings for the authorization type and added a keystore which is pointing to the DemoTrust.jks.
    When I run a test, I receive this error
    Tue Jul 31 09:40:38 PDT 2012:DEBUG:<< "<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header/><env:Body><env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><faultcode>wsse:InvalidSecurity</faultcode><faultstring>Error on verifying message against security policy Error code:1000</faultstring></env:Fault></env:Body></env:Envelope>"
    You wouldn't know what this is about, from what I am reading it seems I need to pass a policy to the server from the client but unsure what to configure.
    If you have any insight I would appreciate it.

  • Webservices Security in SOAP Receiver Adapter

    Hi All,
    I am configuring web services security settings in my File To Webservice scenario.
    The scenario is:
    File -asynch--XISynch-Webservice(X.509)
    The webservice is using X.509 certificates for security.
    I have configured SOAP receiver channel with webservices security settings and same with Receiver agreement.
    But when I run this scenario in the SOAP Receiver channel monitoring I get below error.
    Message processing failed. Cause: com.sap.aii.af.ra.ms.api.RecoverableException: java.security.PrivilegedActionException: com.sap.aii.af.security.impl.exception.MessageSecurityException: MessageSecurityException in Method: ApplyMessageLevelSecurity.run(). AccessControlException. Please check that your Code has the XiSecurityRuntimePermission.Context: com.sap.aii.af.security.impl.exception.MessageSecurityException: Exception in Method: apply( Message, CPALookupObject ). General exception, no further informations. Message: MessageSecurityContext in Method: apply( Message, CPALookupObject ). ApplyThread-Exception Message: ProcessException in Method: run(). Key: 0700; To-String: com.sap.aii.af.security.impl.exception.MessageSecurityException: ProcessException in Method: run(). Key: 0700. To-String: com.sap.aii.af.security.impl.exception.MessageSecurityException: MessageSecurityContext in Method: apply( Message, CPALookupObject ). ApplyThread-Exception Message: ProcessException in Method: run(). Key: 0700; To-String: com.sap.aii.af.security.impl.exception.MessageSecurityException: ProcessException in Method: run(). Key: 0700.
    Does anybody have idea about this error?
    Please help me to resolve this.
    Thanks,
    Shweta.

    Hi,
    I am doubtful if after adding all the security related settings you could be able to test it via RWB monitoring.
    It's better to test this kind of scenario with either real time application where all security certificates and settings will be in the right place.
    Thanks
    Swarup

  • BPEL to invoke Webservice secured with HTTP Basic authentication

    Hi All,
    I am trying to call a Synchronous BPEL process from BPEL by passing HTTP basic authentication. I have done the steps below to achieve this.
    1) Created Target Synchronous process ex : B
    2) Created Source Synchronous Process ex : A
    I am trying to call B(Target) from A(source).
    3) Open Composite.xml of A(Source)
    4) Right Click on External Reference B(Target) partner link and click Configure WS policies
    5) Under Security tab attach oracle/wss_username_token_client_policy
    6) Login to em/console
    7) Right click on A(Source) Composite and click Service/Reference Properties>>B(Target)
    8) Enter username and password under HTTP Basic Authentication.
    9) Test from em.console (when we are testing under security tab I have checked None radio button)
    So this is the Error message which is throwing.
    ==================================
    The selected operation process could not be invoked.
    An exception occured while invoking the webservice operation. Please see logs for more details.
    oracle.sysman.emSDK.webservices.wsdlapi.SoapTestException: SOAP must understand error:{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security, {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security.
    =======================================
    Please let me know if I am missing any steps.
    Thanks
    SSV

    Followed this post.......
    This is a very good question
    In 11g I have taken out the steps from my document which I created for one of our customers
    go to composite
    Right click on the external reference service and select “Configure WS policies” :done
    Under the security tab, click add button and select “oracle/ wss_username_token_client_policy :done
    6. Now Open the property Inspector window and click the add button under “Binding properties” tab. :done
    7. Include the “oracle.webservices.auth.username--> :done
    value-->password :done
    8. Include the “oracle.webservices.auth.password”-->name :done
    value-->password :done
    Thanks
    SSV

  • Transport Authentication (webservice security)

    HI,
    I want to provide security for my webservices, so
    I have chosen Transport Authentication, and I succeeded, but even I set the username and passwords in the visualadministrator>webservicesecurityservice>select webservice clientproxy-->Transportsecurity and set the authentication to Basic and enter the user name and password.
    My webservice is valid only for username:admin and password:admin. (I have entered different username and pwd at above step.)
    Even if I set the username and password in visualstudio I cannot use that username and password while running the webservice; whenever I give the username:admin and password:admin it is valid.
    How to set the new username and password? Can anybody help me about this transport authentication?
    Thanks and Regards
    Srinivas

  • Webservice + secured jms (Web Service over the JMS trans).

    Apologize since this post is in the webservice forum as well but since it is related to jms as well i put it here as well.
    I have a web service that is using JMS (@WLJmsTransport Web Service over the JMS transport)
    and everything seems to be ok but I do not know how to use this if the JMS is secured.
    By Adding security on JMS queue what other things i need to do in order for the webservice to access the queue ?
    (where i specify the credentials ?)
    @WebService(serviceName = "ASyncService", targetNamespace = "http://axyz.org/notification/v1", endpointInterface = "axyz.notification.ASyncPort")
    @WLJmsTransport(contextPath = "notify", serviceUri = "async_event", portName = "ASyncServicePort", queue = "events", connectionFactory = "cnfct_receiver")
    Thank you !

    The annotation you gave is for accessing the webservice but in this case it seems the webservice has to access a secured jms
    However having your response lead me to @RunAs which solved my problem.
    Very hard to find this information.
    Thank you very much for your answer !
    Nice blog as well !
    Edited by: user630775 on Jan 28, 2010 2:02 AM

  • REST Webservices security

    I am trying to set up the REST Webservices module, but I seem to be running into issues with security and authentication. I can get sessions from the client side properly, but I cannot call any methods on components.
    */atg/rest/security/restSecurityConfiguration.xml*
    <programlisting>
      <rest-security>
        <default-acl value="EVERYONE:read,write,execute"/>
          <resource component="/path/to/component/TestComponent" secure="false" requiresSessionConfirmation="false">
            <method name="getTestComponentName" secure="false">
              <acl value="EVERYONE:read,write,execute" />
            </method>
          </resource>
      </rest-security>
    </programlisting>
    TestComponent.java
    public class TestComponent {
      public String getTestComponentName() {
        return this.getClass().getCanonicalName();
      }
    }
    I have turned on the DEBUG level logging in ACC for the RestSecurityProcessor and this is what I see in my logs when I try to access my TestComponent (which is just testing to see if I have access to methods):
    INFO  [RestSecurityProcessor] DEBUG Received POST request for
    INFO  [RestSecurityProcessor] DEBUG Resource container is valid component. Returning true.
    INFO  [RestSecurityProcessor] DEBUG handlePostRequest: Handling component /path/to/component/TestComponent
    INFO  [RestSecurityProcessor] DEBUG getParentSecurityConfiguration: Looking for wild card ComponentSecurityConfiguration for component /path/to/component/TestComponent
    INFO  [RestSecurityProcessor] DEBUG getParentSecurityConfiguration: Looking for default ComponentSecurityConfiguration
    INFO  [RestSecurityProcessor] DEBUG handlePostRequest: Can't find ComponentSecurityConfiguration for component /path/to/component/TestComponent
    ERROR [RestSecurityServlet] Error code: 401
    Access to the requested resource is not allowed: /path/to/component/TestComponent
    atg.rest.RestException: Access to the requested resource is not allowed: /path/to/component/TestComponent
         at atg.rest.processor.RestSecurityProcessor.handlePostRequest(RestSecurityProcessor.java:315)
         at atg.rest.processor.RestSecurityProcessor.doRESTPost(RestSecurityProcessor.java:208)
         at atg.rest.servlet.RestPipelineServlet.serviceRESTRequest(RestPipelineServlet.java:406)
    *snip*
    Edited by: Gommy on Apr 8, 2013 6:19 AM - Fix typo in package path

    After finding a default restSecurityConfiguration.xml inside of REST/config.jar:/atg/rest/security/, I located a .dtd ( http://www.atg.com/dtds/rest/restSecurity_1.0.dtd ) to figure out what exactly ATG was expecting for a configuration.
    1. Turns out the <programlisting> tag isn't expected (error in the documentation for our version of ATG, apparently), <rest-security> is the top-level element for this configuration file. This was causing the file to not be parsed at all.
    2. requiresSessionConfirmation does not exist on the resource element.
    The TestComponent and its properties were correct. Just the restSecurityConfiguration.xml was incorrect due to very poor documentation, no full example to see what a correct file should look like, and lack of obvious schemas (i.e., no schemas or links to schemas are provided in any documentation) to validate against.

  • Webservice Security - With minimal changes

    Hi,
    Standalone java application (Customer) is invoking the JAX-WS webservice of provider (sitting on weblogic 12c). Now we need to implement Security for webservice call with very minimal changes at customer end. There is no issues for any change at Provider side as we are owning that. But the solution should have no or minimum changes at customer end.
    Can we achieve this with configuration at weblogic side without doing coding changes?
    Please provide information regarding this. Appreciate your quick help.
    Thanks in advance,
    Sri

    AFAIK, only manual changes available in DTS for its packages being binary objects.
    Arthur My Blog

  • Webservice security through SAML

    I am in need of securing an ejb webservice by using SAML Tokens. I am using weblogic 10.3
    I was looking at your company’s website for the same.
    It will be an immense help if you can please publish some straightforward steps for the same.

  • Webservice security page

    I created a webservice (by .Net) and it worked fine before.  When it starts, it pops out a login page (e.g. http://localhost/security/login.aspx?ReturnUrl=%2fWebApplication1%2fWebService1.asmx%3fWSDL&WSDL).  After I enter the user ID and password, it then opens the page I want (e.g. http://localhost/WebApplication1/WebService1.asmx?).  It works fine.
    Then, in Flex, I created a WebService in Flex (see below).  It worked fine before if there was no login page.  After having the login page, I don't know how to direct to the login page before opening the page I want.
    Anyone knows how to do it?  Thanks for help.
    <mx:WebService id="ws1" wsdl="http://localhost/WebApplication1/WebService1.asmx?WSDL" fault="fault(event)"
    >
    <mx:operation name="Search" resultFormat="object" result="Search(event)" />
    </mx:WebService>

  • Webservice Security API available?

    Hi all,
    I have to call a set of Webservices which use WS Security (XML Signatures). I know that this is supported via deployable Proxies along with server-side configuration profiles (handled by Visual Administrator). This way I can configure static profiles for my Webservice Proxies. So far, so good.
    But I have to use different X.509 Certificates for my Webservice Documents depending on the different customers the application works for.
    Is there an API to get and manipulate the wss config at runtime for a single proxy? E.g. change the signature file or change the associated profile to another profile?
    Can anybody help me?
    Regards
    Michael

    do shell script "sudo mdutil -i on /" with administrator privileges
    Never, ever, ever use 'sudo' within 'do shell script'.
    At one level, sudo expects to prompt the user for authentication. You can't do that within 'do shell script'.
    If you need elevated privileges that's what '... with administrator privileges' is for.
    All of your commands should work if you remove the 'sudo'.

  • Webservice security by IP

    Hello,
    I have Weblogic Express 8.1. I have a new webservice built and ready to deploy. However, I need to add security for it. I deploy all my applications in exploded EAR file format. This new webservice is part of the exploded EAR.
    I would like to secure the webservice by restricting access to it by IP or DNS address, but I can't have this restriction on the other applications in the EAR. How can I do this? If this is possible, I am open to any suggestions that will have a limited impact on the consumers of my service.
    Thanks,
    Jay

    Hi Jay,
    I have a similar task: to secure access to my WS on WL 8.1. However, I have no restrictions on IP or DNS. Your note has raised a question for me: why does anybody need to secure access to the WS in this way? Why not just challenge the Service requestor and deny the response? The only answer I have is a Denial Attack…
    What if you place the WS behind a firewall opened to certain client IPs/DNS names only? That is, delegate security protection to the infrastructure security. If your WS is internal to your company, I would go with a Service Proxy – the “bold” Web Service Provider which controls who is requesting the Service and delegates the job to the real Provider. In this case, the request for the service has to carry a requester identity you have to be able to recognize.
    I doubt I have answered your question, but I got really curious about the reasons you are looking for such a solution.
    Good luck,
    - Michael

  • Webservice security

    Hi All
    I want to provide security for my webservice, which is in WAS. In this process
    I am using username/password authentication to authenticate the user to access the webservice.
    But the issue is that the authentication is admin/admin by default. I want to change the default authentication for the webservice. I am trying to give the new authentication parameters in the Visual
    Administrator, but it is not working.
    Can anybody help me regarding this issue?
    Thanks and Regards
    Satyam

    Here are some resources:
    Oracle9iAS Documentation Library
    http://download-west.oracle.com/docs/cd/A97688_09/index.htm
    In particular, you might try:
    Services Guide
    http://download.oracle.com/docs/cd/A97688_09/generic.903/a97690/toc.htm
    JAAS Provider API Reference
    http://download.oracle.com/docs/cd/A97688_09/generic.903/q20221/index.html
    Also OTN's Web Services Center
    http://otn.oracle.com/tech/webservices/
    Tutorial: Security for Web Services
    http://otn.oracle.com/sample_code/tutorials/wspki/toc.htm
    And, although they cover 9.0.2, these docs might help:
    Oracle9i Application Server Security Guide
    http://otn.oracle.com/docs/products/ias/doc_library/90200doc_otn/core.902/a90146/toc.htm

  • Webservices security and authentication..?

    Hi Guys,
    Thanks for the previous help. Can anyone suggest a solution/mechanism to
    enforce security and authentication for published webservices?
    I have a situation where an external system (of a Business Partner) would
    like to request services of webservices deployed via SOAP XML messaging.
    How could I authenticate that the system requesting the service is our
    business partner's system?
    Any suggestions welcome,
    thanks
    RA

    You have two choices:
    1. Use HTTP simple (password based) authentication. This is
    usually called transportation level authentication.
    2. Use SOAP signature and time stamp (X509 Certificate based) authentication.
    This is called content level authentication.
    In both cases, you need to modify the SOAP client to put in the authentication information
    and add an interceptor on the server side to do the actual authentication before the SOAP router
    dispatches the calls to the service.
    Heyun Zheng
    Ramesh Ankam <[email protected]> wrote:
    Hi Guys,
    Thanks for the previous help. Can anyone suggest a solution/mechanism to
    enforce security and authentication for published webservices?
    I have a situation where an external system (of a Business Partner) would
    like to request services of webservices deployed via SOAP XML messaging.
    How could I authenticate that the system requesting the service is our
    business partner's system?
    Any suggestions welcome,
    thanks
    RA
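
Choice 1 from the answer above (HTTP Basic checked by a server-side interceptor before the SOAP router dispatches the call), as an added example that is not code from the thread. The credential store, the `soap_router` stand-in and all function names are hypothetical, and the TLS check is an added assumption, since Basic credentials are only base64-encoded on the wire.

```python
import base64
import binascii
import hashlib
import hmac

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

# Constructed sample store (hypothetical partner id and secret): id -> (salt, hash).
PARTNERS = {"partner-a": (b"constructed-salt", _kdf("constructed-secret", b"constructed-salt"))}

def authenticate(headers: dict):
    """Return the caller id for valid Basic credentials, otherwise None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    # Unknown users still cost one KDF run, so timing does not reveal valid ids.
    salt, expected = PARTNERS.get(user, (b"unknown-user-salt", b""))
    if hmac.compare_digest(_kdf(password, salt), expected):
        return user
    return None

def soap_router(body: str, caller: str):
    """Stand-in for the real SOAP dispatcher (hypothetical)."""
    return 200, {}, f"<dispatched caller='{caller}'/>"

def intercept(headers: dict, body: str, is_tls: bool):
    """Runs before the router; returns (status, response headers, body)."""
    if not is_tls:
        return 403, {}, "TLS required"
    caller = authenticate(headers)
    if caller is None:
        return 401, {"WWW-Authenticate": 'Basic realm="partner-ws"'}, ""
    return soap_router(body, caller)
```

The router only ever sees requests for which `authenticate` returned a caller id, so individual service methods need no credential handling of their own.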
