8 Replies. Latest reply: Nov 19, 2012 9:37 AM by 3728

Secure a JWS JAX-RPC Web Service

3728 Newbie
I have a Web Service that is created using a JWS file.
I am using Username Token authentication to access the web service.
In the JWS file, I accomplish this with:
@Policies( { @Policy(uri = "../usernametokenpolicy.xml") } )

where the usernametokenpolicy.xml file contains:
<?xml version="1.0"?>
<wsp:Policy
     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
     xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512"
     >
     <sp:SupportingTokens>
          <wsp:Policy>
               <sp:UsernameToken
                    sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient">
                    <wsp:Policy>
                         <sp:WssUsernameToken10/>
                    </wsp:Policy>
               </sp:UsernameToken>
          </wsp:Policy>
     </sp:SupportingTokens>
</wsp:Policy>

That works, but any user can authenticate to the web service. To limit access to the web service to a single intended user I have tried:
@RolesAllowed( {
    @SecurityRole(role = "XXXWSUser", mapToPrincipals = { "username" })
} )

but I can still use the web service with other users.
How can I limit access to a web service to a single user?

Thank you.
S

Edited by: loopy1 on Nov 19, 2012 5:08 AM
  • 1. Re: Secure a JWS JAX-RPC Web Service
    user696 Explorer
    @RolesAllowed ( {
    @SecurityRole (role="XXXWSUser")
    } )

    1.) Create a role 'XXXWSUser' inside WebLogic using the Administration Console (http://docs.oracle.com/cd/E15051_01/wls/docs103/ConsoleHelp/taskhelp/security/ManageSecurityRoles.html).
    2.) assign only 'username' to that role.
    3.) when deploying the application make sure you select "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console."

    This should work

    Regards,
    Sunil P
  • 2. Re: Secure a JWS JAX-RPC Web Service
    3728 Newbie
    Thank you, but I followed your directions, and it does NOT work.

    I can still use the web service as another user (the admin user 'weblogic'), even though the 'weblogic' does not have the "XXXWSUser" role in the Admin console.
    Has this method worked for you to limit web service access to a single user?

    Thank you.
    S
  • 3. Re: Secure a JWS JAX-RPC Web Service
    user696 Explorer
    Can you just try removing the policy file and using only RolesAllowed, and see what the behavior is?

    Regards,
    Sunil P
  • 4. Re: Secure a JWS JAX-RPC Web Service
    3728 Newbie
    when I remove the policies line:
    //@Policies( { @Policy(uri = "../usernametokenpolicy.xml") } )

    with my Java command line client I get the following error:
    SOAPException: faultCode=env:Client.Authentication; msg=Authentication Required!

    In SoapUI I get:
    MustUnderstand header not processed

    even though I am sending the correct username and password in the SOAP header.
    Without the policies line, how would the weblogic server know to use the Username Token authentication policy?

    Has this method worked for you to limit web service access to a single user?

    Thanks.
    S

    Edited by: loopy1 on Nov 19, 2012 7:26 AM
  • 5. Re: Secure a JWS JAX-RPC Web Service
    user696 Explorer
    You should not add them as username/password in the SOAP headers.
    Try adding the basic authentication username and password instead.

    Regards,
    Sunil P
  • 6. Re: Secure a JWS JAX-RPC Web Service
    3728 Newbie
    Sorry, I am confused by your last suggestion.
    I am sending this type of SOAP message to the server:
    <soapenv:Envelope xmlns:driv="http://xxx/xxx" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
        <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <wsse:UsernameToken wsu:Id="UsernameToken-6">
            <wsse:Username>username</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
            <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">ZigzbarEGh8MZsWLgwDP9g==</wsse:Nonce>
            <wsu:Created>2012-11-19T15:25:38.601Z</wsu:Created>
          </wsse:UsernameToken>
        </wsse:Security>
      </soapenv:Header>
      <soapenv:Body>
        <driv:getData>
          <driv:id>5656566</driv:id>
        </driv:getData>
      </soapenv:Body>
    </soapenv:Envelope>

    what would it look like using the 'Basic Authentication' you suggest?

    Also, please answer my question, Has your suggested method worked for you to limit web service access to a single user?
    Thank you.
  • 7. Re: Secure a JWS JAX-RPC Web Service
    user696 Explorer
    Yes, it worked for me, in the past when working with a customer.
    When you use basic authentication you will no longer have WS-Security headers. You will have a basic authentication header inside the HTTP headers, which will be used by WebLogic to verify the details.

    If you want to use a WS-Security username token to restrict access to one user, I do not have any solution for you at this point; it might require some time and debugging. If you have Oracle support, please open an SR. I can have a look into it and debug further for a solution.

    Regards,
    Sunil P
  • 8. Re: Secure a JWS JAX-RPC Web Service
    3728 Newbie
    Thank you for trying to help. I am sad to report that the method you suggested does NOT work.
    To be clear my JWS file now has (policies commented out, and a role that exists in weblogic):
    //@Policies( { @Policy(uri = "../usernametokenpolicy.xml") } )

    // set up the access for one user only
    @RolesAllowed ( {
    @SecurityRole (role="xxxWSUser")
    } )

    I was able to get it working with the HTTP Authorization header using SoapUI, but the web service also provides the same response when I remove the HTTP Authorization header - so authorization is not actually occurring (anyone can use the web service without the appropriate header).

    I look forward to any other advice or ideas from someone that has got this working in the past. I will contact Oracle Support and open a SR.
    Thanks again.
    S
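The thread never reaches a working configuration, so the following is an added example (written for this page, not code from the thread or from WebLogic) of the three checks the posts circle around: verifying a WS-Security UsernameToken like the one in reply 6, then comparing the authenticated principal against the single permitted user the original question asks for, and the HTTP Basic variant from replies 5 and 7. It also encodes the failure loopy1 found in reply 8: a request with no credentials at all must be refused, never served. The credential store, the permitted user name `username`, the 5-minute freshness window and the in-memory nonce cache are assumptions for the example; on WebLogic the security realm and the `XXXWSUser` role would supply the users and the allow-list. The example sends and requires `PasswordDigest` rather than the `PasswordText` used in the thread's message, so the password itself never travels in the envelope.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

# Namespace and Type URIs from the WS-Security 1.0 UsernameToken profile (the same ones as in the thread).
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
CREATED_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"

# Constructed credential store and the one permitted principal (assumptions for this example;
# on WebLogic the realm and the XXXWSUser role would supply these).
USERS = {"username": "password", "weblogic": "welcome1"}
ALLOWED_USER = "username"
_seen_nonces = set()  # replay cache; a real service would expire entries after the skew window


class AuthError(Exception):
    """Any authentication or authorization failure; the service maps it to a SOAP fault."""


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)), per the UsernameToken profile."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def build_envelope(username, password, body_xml, nonce=None, created=None):
    """Client side: wrap body_xml in an Envelope carrying a PasswordDigest UsernameToken."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(CREATED_FMT)
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP}"><soapenv:Header>'
        f'<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f'<wsse:UsernameToken wsu:Id="UsernameToken-1">'
        f'<wsse:Username>{escape(username)}</wsse:Username>'
        f'<wsse:Password Type="{PASSWORD_DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{B64}">{base64.b64encode(nonce).decode()}</wsse:Nonce>'
        f'<wsu:Created>{created}</wsu:Created>'
        f'</wsse:UsernameToken></wsse:Security></soapenv:Header>'
        f'<soapenv:Body>{body_xml}</soapenv:Body></soapenv:Envelope>'
    )


def authenticate(envelope_xml, users=USERS, max_skew=timedelta(minutes=5), now=None):
    """Server side: verify the UsernameToken and return the authenticated username."""
    root = ET.fromstring(envelope_xml)
    token = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        # No credentials at all is a hard failure, never a fall-through to anonymous service.
        raise AuthError("Authentication Required!")
    username = token.findtext(f"{{{WSSE}}}Username")
    pw = token.find(f"{{{WSSE}}}Password")
    nonce = token.findtext(f"{{{WSSE}}}Nonce")
    created = token.findtext(f"{{{WSU}}}Created")
    if pw is None or nonce is None or created is None or username not in users:
        raise AuthError("Authentication failed")
    if pw.get("Type") != PASSWORD_DIGEST:
        # PasswordText (what the thread's SoapUI message carries) would expose the password in transit.
        raise AuthError("PasswordText not accepted; send PasswordDigest")
    now = now or datetime.now(timezone.utc)
    created_at = datetime.strptime(created, CREATED_FMT).replace(tzinfo=timezone.utc)
    if abs(now - created_at) > max_skew or nonce in _seen_nonces:
        raise AuthError("Stale or replayed token")
    expected = password_digest(base64.b64decode(nonce), created, users[username])
    if not hmac.compare_digest(expected.encode(), (pw.text or "").encode()):
        raise AuthError("Authentication failed")
    _seen_nonces.add(nonce)
    return username


def authorize(username, allowed=ALLOWED_USER):
    """The single-user rule from the original question: compare the authenticated principal, not the header."""
    if username != allowed:
        raise AuthError(f"user {username!r} authenticated but is not permitted")
    return username


def authenticate_basic(http_headers, users=USERS):
    """The HTTP Basic alternative from replies 5 and 7: a missing or bad Authorization header must fail."""
    value = http_headers.get("Authorization", "")
    if not value.startswith("Basic "):
        raise AuthError("Authentication Required!")
    user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    if user not in users or not hmac.compare_digest(users[user].encode(), password.encode()):
        raise AuthError("Authentication failed")
    return user


def handle_get_data(envelope_xml, **kw):
    """Service entry point: authenticate, then authorize, then do the work."""
    user = authorize(authenticate(envelope_xml, **kw))
    return f"getData served for {user}"
```

The point of keeping `authenticate` and `authorize` separate is the symptom in reply 2: a valid `weblogic` login is an authentication success and must still be an authorization failure. Whatever container mechanism ends up doing the authentication, a negative test that sends the request once with the other user and once with no credentials at all is the check that proves the restriction is actually enforced.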
