Given a scenario, implement J2EE based web service web-tier and/or EJB-tier basic security mechanisms, such as mutual authentication, SSL, and access control.

Given a scenario, implement J2EE based web service web-tier and/or EJB-tier basic security mechanisms, such as mutual authentication, SSL, and access control.
Prev	Chapter 8. Security	Next

JAX-RPC implementation has to support HTTP Basic authentication. JAX-RPC specifciation does not require JAX-RPC implementation to support certificate based mutual authentication using HTTP/S (HTTP over SSL).

HTTP Basic Authentication

Add the appropriate security elements to the web.xml deployment descriptor:


<?xml version="1.0"?>

<web-app version="2.4" ...>
	<display-name>Basic Authentication Security Example</display-name>

	<security-constraint>
		<web-resource-collection>
			<web-resource-name>SecureHello</web-resource-name>
			<url-pattern>/hello</url-pattern>
			<http-method>GET</http-method>
			<http-method>POST</http-method>
		</web-resource-collection>

		<auth-constraint>
			<role-name>admin</role-name>
		</auth-constraint>

		<user-data-constraint>
			<transport-guarantee>NONE</transport-guarantee>
		</user-data-constraint>
	</security-constraint>
	
	<login-config>
		<auth-method>BASIC</auth-method>
	</login-config>

	<security-role>
		<role-name>admin</role-name>
	</security-role>
</web-app>

Set security properties in the client code:

try {
	Stub stub = createProxy();
	stub._setProperty(javax.xml.rpc.Stub.USERNAME_PROPERTY, username);
	stub._setProperty(javax.xml.rpc.Stub.PASSWORD_PROPERTY, password);
	stub._setProperty(javax.xml.rpc.Stub.ENDPOINT_ADDRESS_PROPERTY, endpointAddress);
	
	HelloIF hello = (HelloIF)stub;	
	System.out.println(hello.sayHello(" Duke (secure)" ));
} catch (Exception ex) {
	ex.printStackTrace();
}

Mutual Authentication

Configure SSL connector

Add the appropriate security elements to the web.xml deployment descriptor:


<?xml version="1.0"?>
<web-app version="2.4" ...>
	<display-name>Secure Mutual Authentication Example</display-name>

	<security-constraint>
		<web-resource-collection>
			<web-resource-name>SecureHello</web-resource-name>
			<url-pattern>/hello</url-pattern>
			<http-method>GET</http-method>
			<http-method>POST</http-method>
		</web-resource-collection>
		
		<user-data-constraint>
			<transport-guarantee>CONFIDENTIAL</transport-guarantee>
		</user-data-constraint>
	</security-constraint>
	
	<login-config>
		<auth-method>CLIENT-CERT</auth-method>
	</login-config>
</web-app>

Set Security Properties in client code:

try {
	Stub stub = createProxy();
	System.setProperty("javax.net.ssl.keyStore", keyStore);
	System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);
	System.setProperty("javax.net.ssl.trustStore", trustStore);
	System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
	stub._setProperty(javax.xml.rpc.Stub.ENDPOINT_ADDRESS_PROPERTY,endpointAddress);

	HelloIF hello = (HelloIF)stub;
	System.out.println(hello.sayHello(" Duke! secure!"));
} catch (Exception ex) {
	ex.printStackTrace();
}

Prev	Up	Next
Identify the purpose and benefits of Web services security oriented initiatives and standards such as Username Token Profile, SAML, XACML, XKMS, WS-Security, and the Liberty Project.	Home	Describe factors that impact the security requirements of a Web service, such as the relationship between the client and service provider, the type of data being exchanged, the message format, and the transport mechanism.