Oracle® Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server 11g Release 1 (10.3.6) Part Number E13713-06 |
|
|
PDF · Mobi · ePub |
The chapter describes how to configure access control security for your WebLogic Web service using Java API for XML-based RPC (JAX-RPC).
This chapter includes the following sections:
Access control security refers to configuring the Web service to control the users who are allowed to access it, and then coding your client application to authenticate itself, using HTTP/S or username tokens, to the Web service when the client invokes one of its operations.
You specify access control security for your Web service by using one or more of the following annotations in your JWS file:
weblogic.jws.security.RolesAllowed
weblogic.jws.security.SecurityRole
weblogic.jws.security.RolesReferenced
weblogic.jws.security.SecurityRoleRef
weblogic.jws.security.RunAs
Note:
The @weblogic.security.jws.SecurityRoles and @weblogic.security.jws.SecurityIdentity JWS annotations were deprecated as of WebLogic Server 9.1.The following procedure describes the high-level steps to use these annotations to enable access control security; later sections in the chapter describe the steps in more detail.
Note:
It is assumed in the following procedure that you have already created a JWS file that implements a WebLogic Web service and you want to update it with access control security.It is also assumed that you use Ant build scripts to iteratively develop your Web service and that you have a working build.xml file that you can update with new information.
Finally, it is assumed that you have a client application that invokes the non-secured Web service. If these assumptions are not true, see Getting Started With JAX-RPC Web Services for Oracle WebLogic Server.
Update your JWS file, adding the @weblogic.jws.security.RolesAllowed
, @weblogic.jws.security.SecurityRole
, @weblogic.jws.security.RolesReferenced
, or @weblogic.jws.security.SecurityRoleRef
annotations as needed at the appropriate level (class or operation).
See Updating the JWS File With the Security-Related Annotations.
Optionally specify that WebLogic Server internally run the Web service using a specific role, rather than the role assigned to the user who actually invokes the Web service, by adding the @weblogic.jws.security.RunAs
JWS annotation.
Optionally specify that your Web service can be, or is required to be, invoked using HTTPS by adding the @weblogic.jws.security.UserDataConstraint
JWS annotation.
See Configuring Transport-Level Security Via UserDataConstraint: Main Steps (JAX-RPC Only) for details. This section also discusses how to update your client application to use SSL.
Recompile and redeploy your Web service as part of the normal iterative development process.
See "Developing WebLogic Web Services" in Getting Started With WebLogic Web Services Using JAX-RPC.
Using the Administration Console, create valid WebLogic Server users, if they do not already exist. If the mapping of users to roles is external, also use the Administration Console to create the roles specified by the @SecurityRole
annotation and map the users to the roles.
Note:
The mapping of users to roles is defined externally if you do not specify the mapToPrincipals attribute of the @SecurityRole annotation in your JWS file to list all users who can invoke the Web service.See "Users, Groups, and Security Roles" in Securing WebLogic Resources Using Roles and Policies.
Update your client application to use the HttpTransportInfo
WebLogic API to specify the appropriate user and password when creating the Service
object.
See Setting the Username and Password When Creating the Service Object.
Update the clientgen
Ant task in your build.xml
file to specify the username and password of a valid WebLogic user (in the case where your Web service uses the @RolesAllowed
annotation) and the trust store that contains the list of trusted certificates, including WebLogic Server's (in the case you specify @UserDataConstraint
).
You do this by adding the standard Ant <sysproperty>
nested element to the clientgen
Ant task, and set the key
attribute to the required Java property, as shown in the following example.
Note:
The example hard-codes the username and password; prompting for both provides more security. You need the username and password for @RolesAllowed, and trustStore if SSL must be used.<clientgen wsdl="http://example.com/myapp/myservice.wsdl" destDir="/output/clientclasses" packageName="myapp.myservice.client" serviceName="StockQuoteService" > <sysproperty key="javax.net.ssl.trustStore" value="/keystores/DemoTrust.jks"/> <sysproperty key="weblogic.wsee.client.ssl.stricthostchecking" value="false"/> <sysproperty key="javax.xml.rpc.security.auth.username" value="juliet"/> <sysproperty key="javax.xml.rpc.security.auth.password" value="secret"/> </clientgen>
Regenerate client-side components and recompile client Java code as usual.
Use the WebLogic-specific @weblogic.jws.security.RolesAllowed
annotation in your JWS file to specify an array of @weblogic.jws.security.SecurityRoles
annotations that list the roles that are allowed to invoke the Web service. You can specify these two annotations at either the class- or method-level. When set at the class-level, the roles apply to all public operations. You can add additional roles to a particular operation by specifying the annotation at the method level.
The @SecurityRole
annotation has the following two attributes:
role
is the name of the role that is allowed to invoke the Web service.
mapToPrincipals
is the list of users that map to the role. If you specify one or more users with this attribute, you do not have to externally create the mapping between users and roles, typically using the Administration Console. However, the mapping specified with this attribute applies only within the context of the Web service.
The @RolesAllowed
annotation does not have any attributes.
You can also use the @weblogic.jws.security.RolesReferenced
annotation to specify an array of @weblogic.jws.security.SecurityRoleRef
annotations that list references to existing roles. For example, if the role manager
is already allowed to invoke the Web service, you can specify that the mgr
role be linked to the manager
role and any user mapped to mgr
is also able to invoke the Web service. You can specify these two annotations only at the class-level.
The @SecurityRoleRef
annotation has the following two attributes:
role
is the name of the role reference.
link
is the name of the already-specified role that is allowed to invoke the Web service. The value of this attribute corresponds to the value of the role
attribute of a @SecurityRole annotation
specified in the same JWS file.
The @RolesReferenced
annotation does not have any attributes.
The following example shows how to use the annotations described in this section in a JWS file, with the relevant sections shown in bold:
package examples.webservices.security_roles; import javax.jws.WebMethod; import javax.jws.WebService; // WebLogic JWS annotations import weblogic.jws.WLHttpTransport; import weblogic.jws.security.RolesAllowed; import weblogic.jws.security.RolesReferenced; import weblogic.jws.security.SecurityRole; import weblogic.jws.security.SecurityRoleRef; @WebService(name="SecurityRolesPortType", serviceName="SecurityRolesService", targetNamespace="http://example.org") @WLHttpTransport(contextPath="security", serviceUri="SecurityRolesService", portName="SecurityRolesPort") @RolesAllowed ( { @SecurityRole (role="manager", mapToPrincipals={ "juliet","amanda" }), @SecurityRole (role="vp") } ) @RolesReferenced ( @SecurityRoleRef (role="mgr", link="manager") ) /** * This JWS file forms the basis of simple Java-class implemented WebLogic * Web Service with a single operation: sayHello * */ public class SecurityRolesImpl { @WebMethod() public String sayHello(String message) { System.out.println("sayHello:" + message); return "Here is the message: '" + message + "'"; } }
The example shows how to specify that only the manager
, vp
, and mgr
roles are allowed to invoke the Web service. The mgr
role is actually a reference to the manager
role. The users juliet
and amanda
are mapped to the manager
role within the context of the Web service. Because no users are mapped to the vp
role, it is assumed that the mapping occurs externally, typically using the Administration Console to update the WebLogic Server security realm.
See "JWS Annotation Reference" in WebLogic Web Services Reference for reference information on these annotations.
Use the WebLogic-specific @weblogic.jws.security.RunAs
annotation in your JWS file to specify that the Web service is always run as a particular role. This means that regardless of the user who initially invokes the Web service (and the role to which the user is mapped), the service is internally executed as the specified role.
You can set the @RunAs
annotation only at the class-level. The annotation has the following attributes:
role
is the role which the Web service should run as.
mapToPrincipal
is the principal user that maps to the role.
The following example shows how to use the @RunAs
annotation in a JWS file, with the relevant sections shown in bold:
package examples.webservices.security_roles; import javax.jws.WebMethod; import javax.jws.WebService; // WebLogic JWS annotations import weblogic.jws.WLHttpTransport; import weblogic.jws.security.RunAs; @WebService(name="SecurityRunAsPortType", serviceName="SecurityRunAsService", targetNamespace="http://example.org") @WLHttpTransport(contextPath="security_runas", serviceUri="SecurityRunAsService", portName="SecurityRunAsPort") @RunAs (role="manager", mapToPrincipal="juliet") /** * This JWS file forms the basis of simple WebLogic * Web Service with a single operation: sayHello * */ public class SecurityRunAsImpl { @WebMethod() public String sayHello(String message) { System.out.println("sayHello:" + message); return "Here is the message: '" + message + "'"; } }
When you use the @RolesAllowed
JWS annotation to secure a Web service, only the specified roles are allowed to invoke the Web service operations. This means that you must specify the username and password of a user that maps to the role when creating the Service
object in your client application that invokes the protected Web service.
WebLogic Server provides the HttpTransportInfo
class for setting the username and password and passing it to the Service
constructor. The following example is based on the standard way to invoke a Web service from a standalone Java client (as described in Invoking Web Services in Getting Started With WebLogic Web Services Using JAX-RPC) but also shows how to use the HttpTransportInfo
class to set the username and password. The sections in bold are discussed after the example.
package examples.webservices.sec_wsdl.client; import weblogic.wsee.connection.transport.http.HttpTransportInfo; import java.rmi.RemoteException; import javax.xml.rpc.ServiceException; import javax.xml.rpc.Stub; /** * This is a simple standalone client application that invokes the * the <code>sayHello</code> operation of the SecWsdlService Web service. * * @author Copyright © 1996, 2008, Oracle and/or its affiliates. * All rights reserved. */ public class Main { public static void main(String[] args) throws ServiceException, RemoteException{ HttpTransportInfo info = new HttpTransportInfo(); info.setUsername("juliet".getBytes()); info.setPassword("secret".getBytes()); SecWsdlService service = new SecWsdlService_Impl(args[0] + "?WSDL", info); SecWsdlPortType port = service.getSecWsdlPort(); try { String result = null; result = port.sayHello("Hi there!"); System.out.println( "Got result: " + result ); } catch (RemoteException e) { throw e; } } }
The main points to note in the preceding example are as follows:
Import the HttpTransportInfo
class into your client application:
import weblogic.wsee.connection.transport.http.HttpTransportInfo;
Use the setXXX()
methods of the HttpTransportInfo
class to set the username and password:
HttpTransportInfo info = new HttpTransportInfo(); info.setUsername("juliet".getBytes()); info.setPassword("secret".getBytes());
In the example, it is assumed that the user juliet
with password secret
is a valid WebLogic Server user and has been mapped to the role specified in the @RolesAllowed
JWS annotation of the Web service.
If you are accessing a Web service using a proxy, the Java code would be similar to:
HttpTransportInfo info = new HttpTransportInfo(); Proxy p = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(proxyHost, Integer.parseInt(proxyPort))); info.setProxy(p); info.setProxyUsername(user.getBytes()); info.setProxyPassword(pass.getBytes());
Pass the info
object that contains the username and password to the Service
constructor as the second argument, in addition to the standard WSDL first argument:
SecWsdlService service = new SecWsdlService_Impl(args[0] + "?WSDL", info);
See "Invoking Web Services" in Getting Started With WebLogic Web Services Using JAX-RPC for general information about invoking a non-secured Web service.