ant script Archive

Securing WebServices using Username / Password mechanism

Security is an important aspect of your application design. When the web services are deployed and accessed, you might like to restrict its accesses to particular set of users/ groups or any users of a particular role. Hence we specify the policies for the application  webservice in this case at the transport level.

WebServices can be secured using the below mechanisms:

Transport-level security secures the connection between the client application and WebLogic Server with Secure Sockets Layer (SSL). SSL provides secure connections by allowing two applications connecting over a network to authenticate the other’s identity and by encrypting the data exchanged between the applications. Authentication allows a server, and optionally a client, to verify the identity of the application on the other end of a network connection. A client certificate (two-way SSL) can be used to authenticate the user.

Encryption makes data transmitted over the network intelligible only to the intended recipient.

Transport-level security includes HTTP BASIC authentication as well as SSL.

Message-Level Security refers to securing some or all of the message content, which relies on the WS-Security specification. WS-Security provides support for encrypting and/or signing part or all of a message. It also provides authentication using token-based credentials. In addition to WS-Security, WebLogic Server also supports the WS-SecureConversation standard to enable a secure session to be established between two trusted parties to facilitate the exchange of multiple messages in a stateful and secure manner.

Access control security answers the question “who can do what?” First you specify the security roles that are allowed to access a Web Service; a security role is a privilege granted to users or groups based on specific conditions. Then, when a client application attempts to invoke a Web Service operation, the client authenticates itself to WebLogic Server, and if the client has the authorization, it is allowed to continue with the invocation. Access control security secures only WebLogic Server resources. That is, if you configureonly access control security, the connection between the client application and WebLogic Server is not secure and the SOAP message is in plain text

 

The below post describes a demonstration of simple username/password-based authentication for webservices.

Pre-requisites :

1: WebService  deployed.

You can refer the below posts to create a sample WebService and a Java stand alone client to access the same.

http://weblogic-wonders.com/weblogic/2011/05/20/webservice-by-bottom-up-approach-using-ant-script/

http://weblogic-wonders.com/weblogic/2011/05/23/creating-stand-alone-webservice-client-from-wsdl/

 

Please follow the steps below:

1. Defining security poilicies:

Define the  policies to the WebService from the console:-

Go to Deployments –> WebService application deployed –> Security –> Policies. From the predicate list select a User / Group/ Role who can access the WebService.

Click save to create the security policy for the WebService.

2: Test the setup:

If you access the WebService without proper credentials, then you would experience the below error.

Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Access denied to operation sayHelloWorld

at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:188)

at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:116)

at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)

at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)

at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)

at $Proxy29.sayHelloWorld(Unknown Source)

at com.test.webservice.client.Main.main(Main.java:17)

Caused by: javax.xml.ws.soap.SOAPFaultException: Access denied to operation sayHelloWorld

at weblogic.wsee.jaxws.security.AuthorizationTube.processRequest(AuthorizationTube.java:189)

In the java client, specify the user credentials to access the WebService as below.

Map<String, Object> rc = ((BindingProvider)port).getRequestContext();

rc.put(BindingProvider.USERNAME_PROPERTY, "weblogic");

rc.put(BindingProvider.PASSWORD_PROPERTY, "weblogic");

The JAX-WS BindingProvider class contains username and password properties that we set to specifythe user’s credentials. The underlying web service stub takes care of base 64 encoding these credentials and including them in the HTTP headers of the SOAP request.

A typical java standalone client would look like below.

 

import com.test.webservice.client.*;

import java.util.Map;

import javax.xml.ws.BindingProvider;

public class Main {

public static void main(String[] args) {

com.test.webservice.client.HelloWorldService service = new com.test.webservice.client.HelloWorldService();

com.test.webservice.client.HelloWorldPortType port = service.getHelloWorldPortTypePort();

Map<String, Object> rc = ((BindingProvider)port).getRequestContext();

rc.put(BindingProvider.USERNAME_PROPERTY, "weblogic");

rc.put(BindingProvider.PASSWORD_PROPERTY, "weblogic");

String result=port.sayHelloWorld(" Anandraj ");

System.out.println("********* RESULT from WebService ***********");
System.out.println(result);

System.out.println("********************************************");
}

}

 

Compile and execute the java client, then you would be able to invoke the secured WebService successfully.

You can refer the below link for securing the WebService using the Basic Authentication:

http://weblogic-wonders.com/weblogic/2010/01/04/securing-webservices-using-basic-authentication-on-weblogic-server/

For further reading :

http://download.oracle.com/docs/cd/E12840_01/wls/docs103/webserv_sec/message.html

Regards,

Wonders Team. 🙂

 

 

Creating stand alone WebService Client from WSDL

The below post provides an implementation of a Java stand alone client for a sample Java WebService.  All you need to know is the URL to its public contract file, or WSDL.

Per-Requisites:

A WSDL file, describing the WebService deployed on the Server.

You can refer the below link to create a WebService in WebLogic.

http://weblogic-wonders.com/weblogic/2011/05/19/webservices-in-weblogic/

Please follow the below steps to generate a standalone WebService client  using ant script.

1.  Setting up the Environment:

Open a command prompt and set the classpath by running the setDomainEnv.sh under the domain directory.

2. Create Ant Script:

Create a standard ant script with the clientgen ant task.

The clientgen WebLogic Web Service Ant task to generate the artifacts that your client application needs to invoke the Web Service operation. These artifacts include:

  • The Java class for the Service interface implementation for the particular Web Service you want to invoke.
  • JAXB data binding artifacts.
  • The Java class for any user-defined XML Schema data types included in the WSDL file.

A definition of clientgen is as below.

<taskdef name=”clientgen”
classname=”weblogic.wsee.tools.anttasks.ClientGenTask” />

A sample snippet of clientgen ant task would like below.

<clientgen

type="JAXWS"

wsdl="http://${wls.hostname}:${wls.port}/HelloWorldImpl/HelloWorldService?WSDL"

destDir="${clientclass-dir}"

packageName="com.test.webservice.client"/>

The clientgen Ant task uses the WSDL of the deployed HelloWorldService Web Service to generate the necessary artifacts and puts them into the output/clientclassdirectory, using the specified package name.

A complete ant task looks like below.

************************************************

 

<project name="webservices-simple_client" default="all">

<!-- set global properties for this build -->

<property name="wls.hostname" value="localhost" />

<property name="wls.port" value="7001" />

<property name="example-output" value="output" />

<property name="clientclass-dir" value="${example-output}/clientclass" />

<path id="client.class.path">

<pathelement path="${clientclass-dir}"/>

<pathelement path="${java.class.path}"/>

</path>

<taskdef name="clientgen"

classname="weblogic.wsee.tools.anttasks.ClientGenTask" />

<target name="clean" >

<delete dir="${clientclass-dir}"/>

</target>

<target name="all" depends="clean,build-client,run" />

<target name="build-client">

<clientgen

type="JAXWS"

wsdl="http://${wls.hostname}:${wls.port}/HelloWorldImpl/HelloWorldService?WSDL"

destDir="${clientclass-dir}"

packageName="com.test.webservice.client"/>

<javac

srcdir="${clientclass-dir}" destdir="${clientclass-dir}"

includes="**/*.java"/>

<javac

srcdir="." destdir="${clientclass-dir}"

includes="com/test/webservice/client/*.java"/>

</target>

<target name="run" >

<java fork="true"

classname="com.test.webservice.client.Main"

failonerror="true" >

<classpath refid="client.class.path"/>

</java>

</target>

</project>

 

************************************************

4.  Create the client specific artifacts:

Create client specific artifacts by running the below ant command

ant build-client

This would generate the client specific files under the output/clientclasses folder.

5. Create a Java client:

Create a java standalone client to access the WebService deployed using the client artifacts generated by the clientgen utility.

A sample client would look like below.

*****************************************************************

 

package com.test.webservice.client;

import com.test.webservice.client.*;

public class Main {

public static void main(String[] args) {

com.test.webservice.client.HelloWorldService service = new com.test.webservice.client.HelloWorldService();

com.test.webservice.client.HelloWorldPortType port = service.getHelloWorldPortTypePort();

String result=port.sayHelloWorld(" Anandraj ");

System.out.println("***RESULT from WebService ***");

System.out.println(result);

System.out.println("***************************");

}

}

 

*****************************************************************

6. Compile and execute the java client and you can see that it is displaying the response from the WebService.

javac -d . Main.java

java com.test.webservice.client.Main

For further reading:

http://download.oracle.com/docs/cd/E13222_01/wls/docs103/webserv/use_cases.html#wp244847

Downloads :

SourceFiles

 

Cheers,

Wonders Team.