Message-level security via JAX-WS on WebSphere Application Server V7: Integrated JEE Authorization
In Part 1, you learned how to use JAX-WS to provide message-level security on WebSphere Application Server V7, including how to encrypt and sign messages using a policy set and how to authenticate using the UsernameToken profile. In Part 2, you will learn how to use the UsernameToken passed in the SOAP header as the JEE principal, so that the service provider can perform programmatic authorization.
Introduction
Web Services Security (WS-Security) is an OASIS standard that describes how to implement message-level security for a Web service. Specifically, WS-Security describes how to provide confidentiality (through encryption), integrity (through digital signatures), and the propagation of security tokens (such as user names and passwords) for authentication within a SOAP message. However, WS-Security allows multiple security tokens to be sent in a single SOAP message, while a typical Java™ Platform, Enterprise Edition (JEE) Web service provider implementation performs its authorization check based on the principal derived from just one of those tokens. In this article, we describe how to configure WebSphere to select one security token from the SOAP message as the JEE principal, which can then be used to make authorization decisions.
Note that the JEE security model supports both declarative and programmatic authorization for Web containers and EJB containers. There are subtle differences between the Web container programmatic API (such as getUserPrincipal()) and the EJB container programmatic API (such as getCallerPrincipal()). This article, however, focuses on how to configure a Web service so that one of the tokens in the SOAP header is designated as the JEE principal. Once that principal is established, you can use the JEE security model and the WebSphere base security APIs as you normally would.
You can use the JEE security model declaratively or programmatically to implement authorization for servlets and EJBs. Given the intent of this article, we demonstrate a servlet-based Web service that uses the programmatic JEE API to obtain the principal. You can extend the sample to perform a programmatic authorization check in a servlet-based Web service provider using the JEE programmatic API, or to configure role-based JEE message-level security for an EJB. Declarative and programmatic JEE security for Web containers and EJB containers are described in other materials and are therefore not the focus of this article. Our goal is to show how message-level security tokens can be integrated with the JEE authorization framework on WebSphere Application Server.
Create a JAX-WS service provider
Use Rational Application Developer V7.5.2 to create a new dynamic Web project named HelloWorldProject.
Next, create a new Java class named HelloWorldProvider and copy the contents of Listing 1 into the new class.
Listing 1. HelloWorldProvider.java
package com.ibm.dwexample;

import javax.annotation.Resource;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;

@WebService
public class HelloWorldProvider {

    // The JAX-WS runtime injects the Web service context; the JEE principal
    // for the current request is available through it.
    @Resource
    WebServiceContext wsCtx;

    public String sayHello(String msg) {
        System.out.println("[provider] received " + msg);
        // Returns the principal only if a Caller is configured in the
        // provider bindings; otherwise the result is the unauthenticated principal.
        System.out.println("[provider] user = " + wsCtx.getUserPrincipal());
        return "Hello " + msg;
    }
}
The more interesting part of the HelloWorldProvider code is @Resource WebServiceContext. This line allows the JAX-WS runtime to inject the Web service context, which gives you access to the JEE principal. However, for the code to return the correct principal on the application server, you must configure the Caller in the service provider bindings; otherwise, the result might be "principal:/unauthenticated".
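The article's sample only prints the injected principal. The following variant, added here as an example rather than taken from the article, shows the programmatic authorization check that the introduction says you can build on top of it: it rejects the call when no authenticated caller was established from the SOAP token (the "unauthenticated" case described above) and then uses WebServiceContext.isUserInRole() to enforce a role. The class name SecuredHelloWorldProvider and the role name HelloWorldUser are assumptions; the role must be declared for the Web module and mapped to users or groups in the WebSphere security role mapping for isUserInRole() to return true.

```java
package com.ibm.dwexample;

import java.security.Principal;

import javax.annotation.Resource;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.WebServiceException;

/**
 * Added example (not part of the original article): a HelloWorld provider that
 * performs a programmatic JEE authorization check on the principal the JAX-WS
 * runtime injects through WebServiceContext.
 */
@WebService
public class SecuredHelloWorldProvider {

    // Assumed role name; declare it for the module and map it in WebSphere.
    static final String REQUIRED_ROLE = "HelloWorldUser";

    @Resource
    WebServiceContext wsCtx;

    public String sayHello(String msg) {
        checkAuthorized(wsCtx, REQUIRED_ROLE);
        return "Hello " + msg;
    }

    /**
     * Rejects the call unless a caller principal was established from the
     * SOAP security token (Caller configured in the provider binding) and
     * that principal holds the required role. Throwing WebServiceException
     * makes the JAX-WS runtime return a SOAP fault instead of the greeting.
     */
    static void checkAuthorized(WebServiceContext ctx, String role) {
        Principal caller = (ctx == null) ? null : ctx.getUserPrincipal();

        // No Caller configured, or no token in the request: the runtime
        // reports no principal or the unauthenticated principal shown in the
        // article ("principal:/unauthenticated"). Deny in either case.
        if (caller == null || caller.getName() == null
                || caller.getName().toUpperCase().contains("UNAUTHENTICATED")) {
            throw new WebServiceException("Access denied: no authenticated caller");
        }

        // Role check against the WebSphere security role mapping.
        if (!ctx.isUserInRole(role)) {
            throw new WebServiceException("Access denied: " + caller.getName()
                    + " is not in role " + role);
        }
    }
}
```

Keeping the check in a separate method makes it easy to reuse across operations and to unit test with a stubbed WebServiceContext. The string match on the principal name is a defensive addition based on the unauthenticated result the article describes; isUserInRole() alone already returns false for an unauthenticated caller, so the role check is the decision that matters.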
Right-click HelloWorldProject and select Run As => Run on Server. In the Publishing settings for WebSphere Application Server section, make sure Run server with resources is selected.
Select the WebSphere Application Server v7.0 server profile and click Finish.