Webservice Archive

Two way SSL Webservice on Weblogic Server

This article provides sample Webservice and Webservice Client for two way SSL. It also demonstrates the use of WLSSSLAdapter class to send certificates to the server.

1. Create a JWS with the following policy  : Wssp1.2-2007-Https-ClientCertReq.xml

 

package examples.webservices.security_jws;

import weblogic.jws.WLHttpTransport;
import weblogic.jws.Policies;
import weblogic.jws.Policy;
import javax.jws.WebService;
import javax.jws.WebMethod;
import javax.jws.soap.SOAPBinding;

@WebService(name="SecureHelloWorldPortType", 
            serviceName="SecureHelloWorldService", 
            targetNamespace="http://www.bea.com")

@SOAPBinding(style=SOAPBinding.Style.DOCUMENT, 
             use=SOAPBinding.Use.LITERAL,
             parameterStyle=SOAPBinding.ParameterStyle.WRAPPED)

@WLHttpTransport(contextPath="SecureHelloWorldService", 
                 serviceUri="SecureHelloWorldService",
		 portName="SecureHelloWorldServicePort")

@Policy(uri = "policy:Wssp1.2-2007-Https-ClientCertReq.xml")

public class SecureHelloWorldImpl {

  @WebMethod()
  public String sayHello(String s) {
    return "Hello " + s;  
  }
}

2. Build and Deploy the service on WebLogic Server

3. Deploy a war file with the following jsp in another server.

<html>
<head>
<title>WS Client App</title>
</head>
<body bgcolor="#cccccc">
<blockquote>
<h2>Protected Page</h2>
</blockquote>

<%@ page import="examples.webservices.security_jws.client.SecureHelloWorldService"%>
<%@ page import="examples.webservices.security_jws.client.SecureHelloWorldService_Impl"%>
<%@ page import="examples.webservices.security_jws.client.SecureHelloWorldPortType"%>

<%@ page import="javax.xml.rpc.Stub"%>
<%@ page import="weblogic.wsee.connection.transport.https.WlsSSLAdapter"%>
<%@ page import="weblogic.security.SSL.TrustManager"%>
<%@ page import="java.security.cert.X509Certificate"%>

<%
 try
 {
    String wsdl = "https://localhost:7002/SecureHelloWorldService/SecureHelloWorldService?WSDL";
    //SecureHelloWorldService service = new SecureHelloWorldService_Impl(wsdl);
    SecureHelloWorldService service = new SecureHelloWorldService_Impl();
    SecureHelloWorldPortType port = service.getSecureHelloWorldServicePort();

    WlsSSLAdapter adapter = new WlsSSLAdapter();
    adapter.setKeystore("C://WSSecurity//LABS//twoway_jws//identity.jks","mystorepass".toCharArray(), "JKS" );
    adapter.setClientCert("mykey","mykeypass".toCharArray());
    adapter.setTrustManager( new TrustManager(){
                 public boolean certificateCallback(X509Certificate[] chain, int validateErr){
                   return true;
                 }
           }); 

   weblogic.wsee.connection.transport.https.HttpsTransportInfo info = new  weblogic.wsee.connection.transport.https.HttpsTransportInfo(adapter);
   Stub stub = (Stub)port;
   stub._setProperty(Stub.ENDPOINT_ADDRESS_PROPERTY,"https://localhost:7002/SecureHelloWorldService/SecureHelloWorldService?WSDL");
   stub._setProperty("weblogic.wsee.client.ssladapter", adapter);

   out.println(port.sayHello("World"));
 } 
catch (Exception e)
{
out.println("File input error"+e);
}           

%>

</body>
</html>

4. Configure SSL on the server on which client app is deployed.

5. On the server on which the service is deployed , do the 2 way SSL configuration.

a) Go to Home >Summary of Servers > YourServer > SSL > Advanced >
Two Way Client Cert Behavior: Client Certs Requested and Enforced
Hostname Verification: None

b) Go to Home >Summary of Security Realms >myrealm >Providers >DefaultIdentityAsserter

Under Common

Chosen Select X509

Under Provider Specific

Trusted Client Principals: <CN of the client’s certificate>
Default User Name Mapper Attribute Type: CN
Use Default User Name Mapper: Checked

c) Create a user in the security realm with the CN value of the certificate.

6) Import the client’s public certificate in the trust store of the server.

Using RolesAllowed and SecurityRole annotations to secure Webservices on Weblogic

1. Write a JWS that uses the RolesAllowed and SecurityRole annotation

package examples.webservices.security_jws;

import weblogic.jws.WLHttpTransport;
import weblogic.jws.Policies;
import weblogic.jws.Policy;
import javax.jws.WebService;
import javax.jws.WebMethod;
import javax.jws.soap.SOAPBinding;

import weblogic.jws.security.RolesAllowed;
import weblogic.jws.security.SecurityRole;

@WebService(name="SecureHelloWorldPortType", 
            serviceName="SecureHelloWorldService", 
            targetNamespace="http://www.bea.com")

@SOAPBinding(style=SOAPBinding.Style.DOCUMENT, 
             use=SOAPBinding.Use.LITERAL,
             parameterStyle=SOAPBinding.ParameterStyle.WRAPPED)

@WLHttpTransport(contextPath="SecureHelloWorldService", 
                 serviceUri="SecureHelloWorldService",
		 portName="SecureHelloWorldServicePort")

@RolesAllowed (  { 
    @SecurityRole (role="testrole")
} ) 

public class SecureHelloWorldImpl {

  @WebMethod()
  public String sayHello(String s) {
    return "Hello " + s;  
  }
}

2) While deploying the EAR select custom roles

 

custom roles

3)

Go to myrealm> Realm Roles > Global Roles > Edit Globl Roles and create a new role
testrole and add an existing user to the role

custom roles

 

4) You can invoke the Webservice from SOAP UI by providing the username & password in the request properties.

 

SOAPUI

How to load webservices security policy from classpath

1) Add the following JAVA OPTION to the classpath

-Dweblogic.wsee.policy.LoadFromClassPathEnabled=true

2) Write a simple policy.

Encrypt.xml

 

<?xml version="1.0"?>
<wsp:Policy
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:wssp="http://www.bea.com/wls90/security/policy"
  >
  <wssp:Confidentiality>
    <wssp:KeyWrappingAlgorithm URI="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    <wssp:Target>
      <wssp:EncryptionAlgorithm 
         URI="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <wssp:MessageParts 
         Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
         wsp:Body()
      </wssp:MessageParts>
    </wssp:Target>
    <wssp:KeyInfo/>
  </wssp:Confidentiality>
</wsp:Policy>

3) Write a JWS that uses this Policy

SecureHelloWorldImpl.java

 

package examples.webservices.security_jws;

import weblogic.jws.WLHttpTransport;
import weblogic.jws.Policies;
import weblogic.jws.Policy;
import javax.jws.WebService;
import javax.jws.WebMethod;
import javax.jws.soap.SOAPBinding;

@WebService(name="SecureHelloWorldPortType", 
            serviceName="SecureHelloWorldService", 
            targetNamespace="http://www.bea.com")

@SOAPBinding(style=SOAPBinding.Style.DOCUMENT, 
             use=SOAPBinding.Use.LITERAL,
             parameterStyle=SOAPBinding.ParameterStyle.WRAPPED)

@WLHttpTransport(contextPath="SecureHelloWorldService", 
                 serviceUri="SecureHelloWorldService",
		 portName="SecureHelloWorldServicePort")

@Policies({
    @Policy(uri="Encrypt.xml",direction=Policy.Direction.inbound)
	})

public class SecureHelloWorldImpl {

  @WebMethod()
  public String sayHello(String s) {
    return "Hello " + s;  
  }
}

4. Build the service.

5. By default policies are placed under the policy folder in WEB-INF

policy-folder

 

6. Create a jar having the policy file

WEB-INF\policies>jar -cvf policy.jar Encrypt.xml

7. Keep policy.jar in the classpath of the server. You can keep it at any location and add the jar to Weblogic Server classpath.
You can also keep it in your domain lib folder.

8. Remove the policies folder from the WEB-INF

9. Deploy the ear.

10. Check the WSDL. The policy should appear there.

wsdl

 

9. Access the application from any client.

10. Your SOAP Request should look like this.

 

<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
   <env:Header>
      <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
         <ns1:EncryptedKey xmlns:ns1="http://www.w3.org/2001/04/xmlenc#" Id="hVJypuPV1a2vyBqJ">
            <ns1:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
            <ns2:KeyInfo xmlns:ns2="http://www.w3.org/2000/09/xmldsig#">
               <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="str_B42tel6VDu8at1J1">
                  <ns2:X509Data>
                     <ns2:X509IssuerSerial>
                        <ns2:X509IssuerName>CN=CertGenCAB,OU=FOR TESTING ONLY,O=MyOrganization,L=MyTown,ST=MyState,C=US</ns2:X509IssuerName>
                        <ns2:X509SerialNumber>94119899133620682327187254280110341585</ns2:X509SerialNumber>
                     </ns2:X509IssuerSerial>
                  </ns2:X509Data>
               </wsse:SecurityTokenReference>
            </ns2:KeyInfo>
            <ns1:CipherData>
               <ns1:CipherValue>SIa0pKmZU59OzQGjbYfk/+hbBoVvysjuWrOugwNelkSEW83ohLo/+QZGYqgnNgyo5xbqZp98sS5nPocf5pjuLA==</ns1:CipherValue>
            </ns1:CipherData>
            <ns1:ReferenceList>
               <ns1:DataReference URI="#BrYjknvNmVglOMV2" />
            </ns1:ReferenceList>
         </ns1:EncryptedKey>
      </wsse:Security>
   </env:Header>
   <env:Body>
      <ns1:EncryptedData xmlns:ns1="http://www.w3.org/2001/04/xmlenc#" Id="BrYjknvNmVglOMV2" Type="http://www.w3.org/2001/04/xmlenc#Content" MimeType="text/xml" Encoding="UTF-8">
         <ns1:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
         <ns1:CipherData>
            <ns1:CipherValue>oMNKOEIew22gfa7nx8nUEkYmu0Ksw+lrwxJUJyEfNxjYH0ugkZ8eJv3AAvz0HIv89HKc+ij3Og1o9ncFnFN0DD805ju441DUDBiRleOvy9E=</ns1:CipherValue>
         </ns1:CipherData>
      </ns1:EncryptedData>
   </env:Body>
</env:Envelope>