Monthly Archive: June 2014

Recommended Best Practices for Securing WebLogic Server.

Disable SSL V2, Weak Ciphers, and Null Encryptions

You can use the following JVM options to disable the null (unencrypted) cipher suites, so that a client can no longer negotiate an SSL session that authenticates the server but does not encrypt the traffic:

-Dweblogic.security.SSL.allowUnencryptedNullCipher=false
-Dweblogic.security.disableNullCipher=true

Note that these two flags only deal with null ciphers. Weak-but-non-null suites (export-grade, RC4, single DES) have to be excluded through the cipher suite list described below. The steps to disable SSL V2 follow later in this post.

Use Secure Cookies to Prevent Session Stealing

Please refer to this article: link. In short, set cookie-secure (and cookie-http-only) to true in the session-descriptor of weblogic.xml, so the JSESSIONID cookie is only ever sent over HTTPS and cannot be read by script running in the page.

Configure WebLogic Server to use a Specific Cipher Suite or a List of Ciphers

Please refer to this article: link

-Dweblogic.security.SSL.Ciphersuites=TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5

Treat the value above only as the syntax of the option. Both suites listed are RC4-based, which is now considered weak, and the second one additionally relies on HMAC-MD5. Put only the AES-based suites supported by your JDK and WebLogic release in this list, and verify afterwards with a TLS scanner that the server no longer offers RC4, export-grade or null suites.

Restrict the SSL Protocol Versions Allowed by WebLogic Server

Please refer to this article: link. With JSSE enabled (10.3.6 and later), -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 (or TLSv1.1 where older clients must still connect) sets the floor for the handshake; on the older Certicom stack, -Dweblogic.security.SSL.protocolVersion=TLS1 stops the server from accepting SSLv2 and SSLv3 handshakes.

You should also allow only the HTTP methods the application actually needs (typically GET and POST) on its resources. The other methods can be restricted through a security-constraint in web.xml. Be careful how you write that constraint: a constraint that lists GET and POST as its http-method elements protects only those two methods and leaves every other verb (HEAD, PUT, DELETE, TRACE, OPTIONS, or a made-up one) unconstrained, which is the classic verb-tampering bypass.

Refer to this article.
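The following web.xml is an added example (not from the original post) showing the wrong and the right way to express "GET and POST only" for the whole application. It assumes a Servlet 3.0 web.xml (WebLogic 12c); the url-pattern and the role name are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original post. Assumes a Servlet 3.0
     container (WebLogic 12c); url-pattern and role-name are placeholders. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- WRONG (kept here only for comparison): this constraint applies to GET
       and POST alone. HEAD, PUT, DELETE, TRACE, OPTIONS and arbitrary verbs
       such as FOO remain unconstrained and reach the servlet unauthenticated.
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>app</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>
  -->

  <!-- RIGHT: deny every method except GET and POST. http-method-omission
       makes the constraint cover all methods other than the ones listed,
       including unknown verbs, and an empty auth-constraint means that no
       role at all may access the resource. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>deny-unused-methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
      <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- The methods that remain allowed must still travel over HTTPS. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>https-only</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
```

After deploying, check the result from outside rather than trusting the descriptor: a request such as curl -k -i -X TRACE https://host:7002/app/ (and one with an invented verb like FOO) must come back with 403, while GET and POST still work. On WebLogic 10.3.x, whose Servlet 2.5 web.xml has no http-method-omission, the best you can do in the descriptor is to list the unwanted methods explicitly with an empty auth-constraint, knowing that unlisted verbs still pass; block those at the front-end proxy. Servlet 3.1 (WebLogic 12.2.1) adds deny-uncovered-http-methods for the same purpose.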

Using RolesAllowed and SecurityRole annotations to secure Webservices on Weblogic

1) Write a JWS that uses the RolesAllowed and SecurityRole annotations

package examples.webservices.security_jws;

import weblogic.jws.WLHttpTransport;
import javax.jws.WebService;
import javax.jws.WebMethod;
import javax.jws.soap.SOAPBinding;

import weblogic.jws.security.RolesAllowed;
import weblogic.jws.security.SecurityRole;

@WebService(name="SecureHelloWorldPortType", 
            serviceName="SecureHelloWorldService", 
            targetNamespace="http://www.bea.com")

@SOAPBinding(style=SOAPBinding.Style.DOCUMENT, 
             use=SOAPBinding.Use.LITERAL,
             parameterStyle=SOAPBinding.ParameterStyle.WRAPPED)

@WLHttpTransport(contextPath="SecureHelloWorldService", 
                 serviceUri="SecureHelloWorldService",
                 portName="SecureHelloWorldServicePort")

// Class-level annotation: every operation of this JWS requires the caller
// to be authenticated and mapped to the "testrole" role.
@RolesAllowed({
    @SecurityRole(role="testrole")
})

public class SecureHelloWorldImpl {

  @WebMethod()
  public String sayHello(String s) {
    return "Hello " + s;  
  }
}

2) While deploying the EAR, select the Custom Roles security model, so that the role used by the annotation can be mapped to users in the console.

[Screenshot: Custom Roles security model selected during deployment]

3) Go to myrealm > Realm Roles > Global Roles > Edit Global Roles, create a new role named testrole, and add an existing user (or a group) to the role.

[Screenshot: the testrole global role with a user added]

4) You can invoke the web service from SoapUI by setting Username and Password in the request properties; SoapUI sends them as an HTTP Basic Authorization header. Since Basic credentials are only Base64-encoded, expose the service over HTTPS only (the WLHttpTransport annotation gives no transport protection by itself). A user who authenticates but is not in testrole is rejected before sayHello runs.

[Screenshot: SoapUI request properties with Username and Password set]
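The same call from a stand-alone Java client, as an added example that is not part of the original post: it uses the JAX-WS Dispatch API, so no clientgen stubs are needed, and supplies the credentials through the standard BindingProvider properties. The endpoint URL, user name and password are assumptions passed on the command line; the namespace, service and port names are taken from the annotations on SecureHelloWorldImpl above.

```java
import javax.xml.namespace.QName;
import javax.xml.soap.MessageFactory;
import javax.xml.soap.SOAPBody;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPEnvelope;
import javax.xml.soap.SOAPMessage;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.Dispatch;
import javax.xml.ws.Service;
import javax.xml.ws.WebServiceException;
import javax.xml.ws.soap.SOAPBinding;
import javax.xml.ws.soap.SOAPFaultException;

/**
 * Added example (not from the original post). Calls the RolesAllowed-protected
 * SecureHelloWorldImpl with HTTP Basic credentials through the JAX-WS Dispatch
 * API. Compiles with JDK 8 alone, where javax.xml.ws is part of the JDK.
 */
public class SecureHelloWorldClient {

    // Namespace, service and port names come from the @WebService and
    // @WLHttpTransport annotations on SecureHelloWorldImpl.
    private static final String NS = "http://www.bea.com";
    private static final QName SERVICE = new QName(NS, "SecureHelloWorldService");
    private static final QName PORT = new QName(NS, "SecureHelloWorldServicePort");

    /** Invokes sayHello(name) as the given user and returns the text of the response body. */
    public static String sayHello(String endpoint, String user, String password, String name)
            throws Exception {
        Service service = Service.create(SERVICE);
        service.addPort(PORT, SOAPBinding.SOAP11HTTP_BINDING, endpoint);
        Dispatch<SOAPMessage> dispatch =
                service.createDispatch(PORT, SOAPMessage.class, Service.Mode.MESSAGE);

        // JAX-WS sends these as an HTTP "Authorization: Basic ..." header. WebLogic
        // authenticates the user against the realm, then enforces the testrole
        // membership demanded by @RolesAllowed before the method body runs.
        dispatch.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, user);
        dispatch.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, password);

        // Document/literal wrapped request, the same shape SoapUI builds from the WSDL:
        // <bea:sayHello xmlns:bea="http://www.bea.com"><bea:s>name</bea:s></bea:sayHello>
        SOAPMessage request = MessageFactory.newInstance().createMessage();
        SOAPEnvelope env = request.getSOAPPart().getEnvelope();
        SOAPBody body = env.getBody();
        SOAPElement op = body.addChildElement(env.createName("sayHello", "bea", NS));
        op.addChildElement(env.createName("s", "bea", NS)).addTextNode(name);
        request.saveChanges();

        SOAPMessage response = dispatch.invoke(request);
        return response.getSOAPBody().getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: SecureHelloWorldClient <endpoint-url> <user> <password> <name>");
            System.exit(2);
        }
        // Assumed endpoint shape, built from the @WLHttpTransport values:
        // https://host:7002/SecureHelloWorldService/SecureHelloWorldService
        try {
            System.out.println(sayHello(args[0], args[1], args[2], args[3]));
        } catch (SOAPFaultException e) {
            // The request reached the service but was refused, e.g. the user
            // authenticated successfully but is not mapped to testrole.
            System.err.println("SOAP fault: " + e.getFault().getFaultString());
        } catch (WebServiceException e) {
            // Transport-level failure, e.g. HTTP 401 for wrong credentials or an
            // untrusted server certificate on the HTTPS connection.
            System.err.println("Call failed: " + e.getMessage());
        }
    }
}
```

Compile with javac on JDK 8 and run it against the HTTPS port. When the server still uses the demo identity certificate, point the client at the demo trust store for the test only (-Djavax.net.ssl.trustStore=$WL_HOME/server/lib/DemoTrust.jks -Djavax.net.ssl.trustStorePassword=DemoTrustKeyStorePassPhrase); never ship that trust store with a real client. Run the call three times, with a testrole member, with a valid user outside the role, and with a wrong password, and confirm that only the first one returns "Hello ...".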

How to load webservices security policy from classpath

1) Add the following Java option to the server start arguments (JAVA_OPTIONS in setDomainEnv.sh, or the Server Start tab in the console). It is a system property, not a classpath entry:

-Dweblogic.wsee.policy.LoadFromClassPathEnabled=true

2) Write a simple policy. The file below has the shape of WebLogic's stock Encrypt.xml: it encrypts the SOAP body with 3DES-CBC and wraps the per-message key with RSA PKCS#1 v1.5 (rsa-1_5). Treat it as a syntax example rather than a recommendation: RSA-1.5 key transport in XML Encryption is exposed to Bleichenbacher-style padding-oracle attacks and unauthenticated CBC ciphertext is malleable, so for anything beyond a test prefer rsa-oaep-mgf1p with an AES suite and pair the Confidentiality assertion with an Integrity assertion.

Encrypt.xml

 

<?xml version="1.0"?>
<wsp:Policy
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:wssp="http://www.bea.com/wls90/security/policy"
  >
  <wssp:Confidentiality>
    <wssp:KeyWrappingAlgorithm URI="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    <wssp:Target>
      <wssp:EncryptionAlgorithm 
         URI="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <wssp:MessageParts 
         Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
         wsp:Body()
      </wssp:MessageParts>
    </wssp:Target>
    <wssp:KeyInfo/>
  </wssp:Confidentiality>
</wsp:Policy>

3) Write a JWS that uses this Policy

SecureHelloWorldImpl.java

 

package examples.webservices.security_jws;

import weblogic.jws.WLHttpTransport;
import weblogic.jws.Policies;
import weblogic.jws.Policy;
import javax.jws.WebService;
import javax.jws.WebMethod;
import javax.jws.soap.SOAPBinding;

@WebService(name="SecureHelloWorldPortType", 
            serviceName="SecureHelloWorldService", 
            targetNamespace="http://www.bea.com")

@SOAPBinding(style=SOAPBinding.Style.DOCUMENT, 
             use=SOAPBinding.Use.LITERAL,
             parameterStyle=SOAPBinding.ParameterStyle.WRAPPED)

@WLHttpTransport(contextPath="SecureHelloWorldService", 
                 serviceUri="SecureHelloWorldService",
                 portName="SecureHelloWorldServicePort")

// direction=inbound: only the request has to satisfy Encrypt.xml; the
// response goes back in clear. Use Policy.Direction.both when the response
// carries sensitive data as well.
@Policies({
    @Policy(uri="Encrypt.xml", direction=Policy.Direction.inbound)
})

public class SecureHelloWorldImpl {

  @WebMethod()
  public String sayHello(String s) {
    return "Hello " + s;  
  }
}

4) Build the service.

5) By default the policy file is packaged in the WEB-INF/policies folder of the web application.

[Screenshot: WEB-INF/policies folder in the built WAR]

6) Create a jar containing the policy file:

WEB-INF\policies>jar -cvf policy.jar Encrypt.xml

7) Put policy.jar on the server classpath. You can keep it at any location and add the jar to the WebLogic Server classpath, or place it in the domain's lib folder. Whichever location you pick, make it writable only by the account that runs WebLogic: a policy loaded from the classpath is only as trustworthy as the directory it is loaded from, and replacing the Encrypt.xml inside a writable jar directory would silently change the message-level protection of every service that references it.

8) Remove the policies folder from WEB-INF.

9) Deploy the EAR.

10) Check the WSDL. The policy should appear there.

[Screenshot: WSDL with the wsp:Policy element attached to the binding]

11) Access the application from any client.

12) Your SOAP request should look like this: the body is encrypted with 3DES-CBC under a per-message key, and that key is wrapped with RSA-1.5 for the server certificate identified by issuer name and serial number in the header.

 

<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
   <env:Header>
      <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
         <ns1:EncryptedKey xmlns:ns1="http://www.w3.org/2001/04/xmlenc#" Id="hVJypuPV1a2vyBqJ">
            <ns1:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
            <ns2:KeyInfo xmlns:ns2="http://www.w3.org/2000/09/xmldsig#">
               <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="str_B42tel6VDu8at1J1">
                  <ns2:X509Data>
                     <ns2:X509IssuerSerial>
                        <ns2:X509IssuerName>CN=CertGenCAB,OU=FOR TESTING ONLY,O=MyOrganization,L=MyTown,ST=MyState,C=US</ns2:X509IssuerName>
                        <ns2:X509SerialNumber>94119899133620682327187254280110341585</ns2:X509SerialNumber>
                     </ns2:X509IssuerSerial>
                  </ns2:X509Data>
               </wsse:SecurityTokenReference>
            </ns2:KeyInfo>
            <ns1:CipherData>
               <ns1:CipherValue>SIa0pKmZU59OzQGjbYfk/+hbBoVvysjuWrOugwNelkSEW83ohLo/+QZGYqgnNgyo5xbqZp98sS5nPocf5pjuLA==</ns1:CipherValue>
            </ns1:CipherData>
            <ns1:ReferenceList>
               <ns1:DataReference URI="#BrYjknvNmVglOMV2" />
            </ns1:ReferenceList>
         </ns1:EncryptedKey>
      </wsse:Security>
   </env:Header>
   <env:Body>
      <ns1:EncryptedData xmlns:ns1="http://www.w3.org/2001/04/xmlenc#" Id="BrYjknvNmVglOMV2" Type="http://www.w3.org/2001/04/xmlenc#Content" MimeType="text/xml" Encoding="UTF-8">
         <ns1:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
         <ns1:CipherData>
            <ns1:CipherValue>oMNKOEIew22gfa7nx8nUEkYmu0Ksw+lrwxJUJyEfNxjYH0ugkZ8eJv3AAvz0HIv89HKc+ij3Og1o9ncFnFN0DD805ju441DUDBiRleOvy9E=</ns1:CipherValue>
         </ns1:CipherData>
      </ns1:EncryptedData>
   </env:Body>
</env:Envelope>
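For comparison, here is a hardened variant of the Encrypt.xml from step 2, as an added example rather than a file from the original post. The request above shows the rsa-1_5 and tripledes-cbc URIs of the original policy on the wire; this version swaps them for OAEP key transport and AES-256, and adds an Integrity assertion so the body and a timestamp are signed by the client as well. It assumes the server accepts the rsa-oaep-mgf1p and aes256-cbc URIs and the Integrity and MessageAge assertions of the same wssp dialect (check the WS-Policy reference for your release), and the 60-second message age is an arbitrary value.

```xml
<?xml version="1.0"?>
<!-- Added example, not the original post's Encrypt.xml. Assumes the wssp
     dialect of this server accepts the URIs and assertions used below. -->
<wsp:Policy
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:wssp="http://www.bea.com/wls90/security/policy">

  <!-- Sender authentication and replay detection: the client signs the
       body and a timestamp with its X.509 key. -->
  <wssp:Integrity>
    <wssp:SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <wssp:CanonicalizationAlgorithm URI="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
        wsp:Body()
      </wssp:MessageParts>
    </wssp:Target>
    <wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
        wsu:Timestamp()
      </wssp:MessageParts>
    </wssp:Target>
  </wssp:Integrity>

  <wssp:Confidentiality>
    <!-- RSA-OAEP instead of PKCS#1 v1.5 key transport -->
    <wssp:KeyWrappingAlgorithm URI="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    <wssp:Target>
      <!-- AES-256-CBC instead of 3DES-CBC -->
      <wssp:EncryptionAlgorithm URI="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
        wsp:Body()
      </wssp:MessageParts>
    </wssp:Target>
    <wssp:KeyInfo/>
  </wssp:Confidentiality>

  <!-- Reject messages whose timestamp is older than 60 seconds (assumed value). -->
  <wssp:MessageAge Age="60"/>
</wsp:Policy>
```

The key-transport and cipher changes are the essential part; the Integrity assertion adds sender authentication and, through the signed timestamp, replay detection. The 9.x wssp dialect only documents rsa-sha1 and sha1 for signatures; if your release supports WS-SecurityPolicy 1.2 policies, prefer one of those with a SHA-256 algorithm suite. After deploying, confirm in the WSDL that the new URIs replaced the old ones, and check that an unsigned or unencrypted request is rejected.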

Testing secure webservice on Weblogic using SOAP UI

Create the certificates and keystore for the client using keytool and store them at a known location. You can refer to our articles on SSL for details on how to create keystores. Once the client keystore is created, configure SoapUI as follows: add the keystore under the project's WS-Security Configurations, then create an Outgoing WS-Security Configuration with a Timestamp entry and a Signature entry that signs the Body and the Timestamp. Note that the certificate in the request below was issued by WebLogic's CertGen demo CA (CN=CertGenCAB, OU=FOR TESTING ONLY), whose private key ships with every WebLogic installation; it is fine for this test, but the demo CA must never be trusted by a production server.

[Screenshot: SoapUI keystore configuration for the client]

[Screenshot: Outgoing WS-Security configuration, Timestamp entry]

[Screenshot: Outgoing WS-Security configuration, Signature entry]

Once you have done the security configuration, you should be able to invoke your secure service. The request below is signed (rsa-sha1 over the body, the timestamp and the certificate token), not encrypted, so this test corresponds to a signing policy rather than the Encrypt.xml above.

[Screenshot: SoapUI request and response]

REQUEST

 

<soapenv:Envelope xmlns:bea="http://www.bea.com" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Header><wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-974A598A574C09B5B614031710223477" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">MIICYTCCAgugAwIBAgIQsAtcv4jhs9Rpsu6mxuT69jANBgkqhkiG9w0BAQQFADB5MQswCQYDVQQGEwJVUzEQMA4GA1UECBMHTXlTdGF0ZTEPMA0GA1UEBxMGTXlUb3duMRcwFQYDVQQKEw5NeU9yZ2FuaXphdGlvbjEZMBcGA1UECxMQRk9SIFRFU1RJTkcgT05MWTETMBEGA1UEAxMKQ2VydEdlbkNBQjAeFw0wNDEwMDMxNjIzNTdaFw0xOTEwMDQxNjIzNTdaMHYxCzAJBgNVBAYTAlVTMRAwDgYDVQQIFgdNeVN0YXRlMQ8wDQYDVQQHFgZNeVRvd24xFzAVBgNVBAoWDk15T3JnYW5pemF0aW9uMRkwFwYDVQQLFhBGT1IgVEVTVElORyBPTkxZMRAwDgYDVQQDFgd1c2VyX2QxMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbn/m11lE1LDIw/MybKhvDFT8RhVx+ImoV/l85J2BsWWFZAeaM2LPmC/vMcsnptR4XVEGLKtUz5KN8LD388DKkJKXpAwTPMkGtqzOLmNpL4ZKtMgCR0dVqxAqd+ZhuhBJsWPi2r6dnsSumzMNm8U1Rtn8Qve5s6GplPOVLAuD81QIDAQABoy4wLDAqBgNVHQ4EIwQhdGVzdF9jbGllbnRfMTIzNDU2Nzg5MF8wOTg3NjU0MzIxMA0GCSqGSIb3DQEBBAUAA0EAQrN57Of9U2JZOI82G02pYr3zMwvurz3SdsAOI/dh9ctmRMynVYi3vDC8xrZBeMN7+nPZwS+Tb67QA89RI+EdGQ==</wsse:BinarySecurityToken><ds:Signature Id="Signature-8" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-9">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>fSztcx6n1FRtd6IY01CVwaQQKBA=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#Timestamp-7">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>3OKIlCCMbaIigZvmwM3bB6mwQj0=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#CertId-974A598A574C09B5B614031710223477">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>+wobq47cIXzuDHyINGRQwnhI5Fg=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
ivZKz9J7MP15DmrEgZhqdnkrg09+toBNTtUDHBMf+J9wmJOiVRomM10jZ+6SeqIrLSeowbp6q3Ih
uGjkwGAfX6EapHbWNinTkzUCC+i3T9e3HiZdChiEf5f6/b3Lpk+ZaOTmk6IsdIW4gTaxBefY7d5l
xJOUe7p5yKOuzWcMEJk=
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-974A598A574C09B5B614031710223488">
<wsse:SecurityTokenReference wsu:Id="STRId-974A598A574C09B5B614031710223489" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:Reference URI="#CertId-974A598A574C09B5B614031710223477" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature><wsu:Timestamp wsu:Id="Timestamp-7" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsu:Created>2014-06-19T09:43:42.335Z</wsu:Created><wsu:Expires>2014-06-19T11:07:02.335Z</wsu:Expires></wsu:Timestamp></wsse:Security></soapenv:Header>
   <soapenv:Body wsu:Id="id-9" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <bea:sayHello>
         <bea:s>Faisal</bea:s>
      </bea:sayHello>
   </soapenv:Body>
</soapenv:Envelope>

RESPONSE (note the empty env:Header: the response is neither signed nor encrypted, which is what an inbound-only policy produces; use Policy.Direction.both if the response carries sensitive data)

 

<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
   <env:Header />
   <env:Body>
      <m:sayHelloResponse xmlns:m="http://www.bea.com">
         <m:return>Hello Faisal</m:return>
      </m:sayHelloResponse>
   </env:Body>
</env:Envelope>

Please feel free to comment if you need any additional details.

Cheers!
Wonders Team