Creating secure Web Service applications with Geronimo 2.2

With the application of WEB service more and more widely, how to ensure the security of access and transmission of services, has gradually aroused the attention of developers and users. Web Service Security can be considered in two ways: Access security and transport security. The former mainly means that only authorized users can access the application, while the latter focuses on how to ensure the privacy and integrity of messages during message transmission. This article describes how to develop and deploy secure Web Service applications in Apache Geronimo to ensure the security of information interactions, focusing on how to secure Web Service application access and transport based on the HTTP/HTTPS protocol.

Introduction to Web Service security

On the Java EE platform, there are two WEB Service application specifications for Jax-RPC and JAX-WS, but neither of them provides a detailed security detail. So how do you ensure that Web Service applications are secure? As is known to all, the server and client of WEB service applications use SOAP as an interaction protocol, and SOAP as an application-layer protocol can be transmitted based on a variety of other protocols, such as HTTP/HTTPS,FTP. In the practical application environment, the HTTP/HTTPS protocol is the most widely used. In fact, in the specification of soap and Web Service, soap based on Http/https is mainly described. Obviously, when we consider the security of Web Service, it is one of the natural choices to have security control over the transport protocol.

Web Service Provider in Apache Geronimo

Apache Geronimo integrates three popular Web Service engines, namely, Apache Axis, Apache Axis2 and Apache CXF. For Axis, by integrating its support for Jax-RPC specifications, the following two projects focus on providing support for the JAX-WS specification. Axis2 and CXF are enabled by default in the two release versions of Geronimo Geronimo-tomcat and Geronimo-jetty respectively. For both releases of Geronimo, users can switch to another WEB Service engine by installing a corresponding plug-in and making a simple configuration, please refer to the documentation for Geronimo, which is no longer described in this article. By default, the examples in this article are run on the Geronimo-tomcat release and use Axis2 as the Web Service engine and follow the JAX-WS specification.

A simple Web Service application

In this article, we take the application of an online bookstore as an example, which provides the function of reviewing books by book titles and providing services externally in the form of Web service. There is also a WEB client application to access the services provided by the online bookstore. As shown in Listing 1, the server side is a simple POJO class with the addition of a WebService identity. It provides a Querybyname method to retrieve a book object with the incoming name as a parameter, and eventually returns an array of books objects.

Listing 1. Online Bookstore service-side implementation

@WebService (name = "Bookstore", targetnamespace = "Http://geronimo.apache.org/bookstore")
public class Bookstoreimpl {

private list<book> books = new Linkedlist<book> ();

@PostConstruct
protected void Initialize () {
Books.add (new book ("1", "Thinking in Java", "Bruce"); br> Books.add (new book ("2", "is CE Bible", "is CE Team"));
}

Public book[] Querybyname (String name) {
if (name = = NULL | | name.length () = 0) {
R Eturn New Book[0]; 　　　　
}
List<book> foundbooklist = new arraylist<book> ();
　　　　　　for [book Book:books] {
if (Book.getname (). IndexOf (name)!=-1) {
Foundbooklist.add (book);
　　
}
Return Foundbooklist.toarray (new book[0]);
　　

@PreDestroy
protected void Destory () {
books.clear ();
}
}

Also, in the deployment file Web.xml, we publish the POJO class shown in Listing 1 as a Servlet, with a reference to listing 2 for specific configuration.

Listing 2. Web.xml Configuration Fragment

<servlet>
　<servlet-name>BookStore</servlet-name>
　　<servlet-class>
　　　　　　org.apache.geronimo.samples.securityWebService.BookStoreImpl
　</servlet-class>
　</servlet>
　<servlet-mapping>
　<servlet-name>BookStore</servlet-name>
　　<url-pattern>/bookstore</url-pattern>
　</servlet-mapping>

After the application shown above is deployed to Apache Geronimo, after the browser has entered Http://localhost:8080/SecurityWebServices/bookstore, as shown in picture 1, That means the application of the online bookstore has been successfully deployed.

Picture 1. Bookstoreimplservice access page