JAX-WS and Secure Java Web Services using UsernameToken: WS-Security with Metro and WSIT Example
This tutorial focuses on creating a secure JAX-WS web service with the UsernameToken WS-Security profile by using Metro and WSIT. You will learn how to create, deploy and run a JAX-WS UsernameToken web service security example and a UsernameToken JAX-WS client. We will also create the service-side username and password validation handlers, and configure the client by providing a callback handler for the username and for the password to send the UsernameToken authentication data.
Metro web service stack
As we discussed earlier, Metro is the reference implementation of the JAXB 2.x and JAX-WS 2.x Java™ standards. Metro also has extensive support for the WS-* SOAP security extensions. The WS-* technologies are related to Web Service Security, Reliability, and Transactions. WSIT, or the Web Service Interoperability Technologies (also known as Project Tango), provides interoperability between Java Web Services and Microsoft’s WCF (Windows Communication Foundation).
Metro is bundled with Java SE 6 and above, as well as with application servers such as GlassFish, Oracle WebLogic, JBoss 5.x and above, Sun Java App Server, etc. It requires the newer 2.2.x version of JAX-WS, however. This is not provided by default in Java 6, and you’ll need to place the newer jaxws-api.jar in your JDK’s endorsed folder.
Metro implements and W3C Policy Standards. Read details to know more about the different specification versions implementation. The bootstrapping and configuration specifications deal with accessing web service URLs and WSDLs, and provide the information that is required to build web service clients. The Message Optimization specifications deal with optimized communication between two web service endpoints.
The WS-ReliableMessaging specifications deal with a system’s ability to deliver messages from point A to point B regardless of network errors, and the WS-Security specifications aim to secure communication between two web service endpoints.
In this tutorial, we develop a sample JAX-WS service and client application that include WS-Security with the UsernameToken profile.
UsernameToken WS-Security using Metro and WSIT: JAX-WS UsernameToken web service and client examples
Here we focus on a simple plain-text UsernameToken example using Metro. We will see more secure encrypted versions in the next tutorials. UsernameToken provides a standard way of representing a username and password pair with WS-Security. Note that the plain-text username and password is used in production only when it is combined with SSL or WS-Security encryption. That means Metro requires either transport-level encryption (SSL) or other message-level encryption to be in use while using this UsernameToken profile. The UsernameToken will be part of the SOAP header rather than the HTTP header.
Points to remember when using WS-Security with the UsernameToken profile.
- The custom extensions used to configure WSIT user information differ in the XML namespace on the client and server sides. For client the namespace is “ and for server the XML namespace is “
- The policy namespace refers
- The WS-Security/UsernameTokens can be configured either directly as part of the WSDL document using WS-SecurityPolicy assertions or using separate configuration files. The service-side configuration file is named “wsit-*.xml” and the client-side configuration file follows the “wsit-client.xml” naming convention.
- Metro provides two options for server-side authentication when the UsernameToken profile is used. It can be either container based or via a validation handler class.
- If it is container based, you need to configure the realm. For example, if you are using the Tomcat container, you can configure the tomcat-users.xml file to include the user credentials used to validate the tokens.
- You can also use validation handler classes as part of the application instead of relying on the default container realm based validation.
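A validation handler of the kind described in the last point, as an added example that is not the tutorial's own code. It assumes the Metro runtime jar is on the classpath; the class name SampleUsernameTokenValidator and the in-memory account are hypothetical and constructed for illustration.

```java
import com.sun.xml.wss.impl.callback.PasswordValidationCallback;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

// Hypothetical class name; compile against the Metro runtime jar.
public class SampleUsernameTokenValidator
        implements PasswordValidationCallback.PasswordValidator {

    // Constructed sample account, for illustration only. A real service would
    // look up a salted password hash in its user store instead.
    private static final Map<String, String> USERS;
    static {
        Map<String, String> m = new HashMap<String, String>();
        m.put("alice", "example-password");
        USERS = Collections.unmodifiableMap(m);
    }

    @Override
    public boolean validate(PasswordValidationCallback.Request request)
            throws PasswordValidationCallback.PasswordValidationException {
        // This validator handles only the plain-text UsernameToken form.
        if (!(request instanceof PasswordValidationCallback.PlainTextPasswordRequest)) {
            throw new PasswordValidationCallback.PasswordValidationException(
                    "Unsupported UsernameToken password type");
        }
        PasswordValidationCallback.PlainTextPasswordRequest plain =
                (PasswordValidationCallback.PlainTextPasswordRequest) request;
        String username = plain.getUsername();
        String supplied = plain.getPassword();
        if (username == null || supplied == null) {
            return false; // incomplete token: reject
        }
        String expected = USERS.get(username);
        // Unknown users are compared against a placeholder so that the
        // comparison runs whether or not the account exists.
        String reference = (expected != null) ? expected : "placeholder-value";
        boolean match = MessageDigest.isEqual(
                reference.getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
        // Authenticate only when the account exists and the password matches.
        return expected != null && match;
    }
}
```

Because the password arrives here in clear text, this handler is only appropriate behind the SSL or message-level encryption that the plain-text profile requires.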
To try the example below, you need an IDE such as Eclipse, JDK version 7, the Metro distribution and Tomcat server 6 or above. Metro requires the newer 2.2.x version of JAX-WS (jaxws-api.jar), which is available in Java 7. This is not provided by default in Java 6, and you’ll need to place the newer jaxws-api.jar in your JDK’s endorsed folder.
The WS-SecurityPolicy configuration is not very easy, and it is recommended to use an IDE such as NetBeans to create it. If you have NetBeans and GlassFish installed, JAX-WS web service development is pretty easy. You can read the to learn more. In this tutorial, I used Eclipse and Tomcat so that we can create the web service, client and configuration files manually without generating them, and deploy and test them on Tomcat.
Create the SEI and the JAX-WS Web Service Implementation class.
The SEI is created and annotated as a web service. It defines three methods: two that allow clients to upload and download images, and a simple greetCustomer method.