http://download.oracle.com/docs/cd/E13226_01/workshop/docs81/doc/en/core/index.html
you will learn that there are .WSSE files (http://en.wikipedia.org/wiki/Wsse) containing the security policies for a web service (WS).
You attach it to the WS with
@jws:ws-security-service
You might also need a WSSE file for callbacks (not needed if the service is synchronous).
This article, which goes over security, is also very interesting:
https://www6.software.ibm.com/developerworks/education/ws-understand-web-services4/section2.html
In a nutshell we need to:
- identify and authenticate the client (security token)
- ensure the integrity of the message (digital signature)
- prevent unauthorized parties from eavesdropping on our message (encryption)
It turns out that JPD files (WLI) cannot be secured:
http://download.oracle.com/docs/cd/E14981-01/wli/docs1031/bpguide/bpguideCreateApp.html
WS-Security policy (WSSE) files are not supported for business processes (JPDs). Therefore, the following annotations are not supported for JPD files: com.bea.wli.common.WSSecurityCallback and com.bea.wli.common.WSSecurityService.
If you want to use WS-Security, then you must front-end the JPD with a JWS. The client would invoke a JWS using WS-Security, then the JWS would locally invoke the JPD via a Process Control.
If you use the annotation com.bea.wli.common.WSSecurityService you might get an error:
Exception trying to load wsse policy definition error: The document is not a wsSecurityPolicy@http://www.bea.com/2003/03/wsse/config
More info on WS-SecurityPolicy http://en.wikipedia.org/wiki/WS-SecurityPolicy
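Sample empty policy file (the root element is the wsSecurityPolicy named in the error message above):
<wsSecurityPolicy
    xmlns="http://www.bea.com/2003/03/wsse/config"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
</wsSecurityPolicy>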
(see http://www.devarticles.com/c/a/Web-Graphic-Design/Working-with-Web-Services/7/ )
One can secure at web.xml level:
http://download-llnw.oracle.com/docs/cd/E13222_01/wls/docs81/webapp/web_xml.html#1017885
This is a sample security-constraint xml:
http://docs.sun.com/app/docs/doc/819-3669/bncbk?a=view
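As an added example (not from the original post or the linked documentation), this Python script audits the security-constraint entries of a web.xml against the needs listed above: client authentication (auth-constraint) and protection from eavesdropping (transport-guarantee). The descriptor is constructed, and the /secure/* path, the ws-client role and the FrontEndJws name are assumptions; web.xml protects the transport only and does not provide the message-level signature that WS-Security adds.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor; the /secure/* path and role name are assumptions.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>FrontEndJws</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>ws-client</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

# Same descriptor with both weak settings corrected.
HARDENED_WEB_XML = (SAMPLE_WEB_XML
                    .replace("<transport-guarantee>NONE", "<transport-guarantee>CONFIDENTIAL")
                    .replace("      <http-method>POST</http-method>\n", ""))


def audit_web_xml(xml_text):
    """Return sorted (url-pattern, finding) pairs for every security-constraint."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]   # drop namespaces used by newer descriptors
    findings = set()
    for sc in root.iter("security-constraint"):
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        issues = []
        if sc.find("auth-constraint") is None:
            issues.append("no-auth")        # client is never identified
        if guarantee != "CONFIDENTIAL":
            issues.append("cleartext")      # TLS not required, BASIC credentials exposed
        if sc.find("web-resource-collection/http-method") is not None:
            issues.append("method-gap")     # methods not listed are not covered
        for pattern in sc.iter("url-pattern"):
            findings.update(((pattern.text or "").strip(), i) for i in issues)
    return sorted(findings)


if __name__ == "__main__":
    for pattern, issue in audit_web_xml(SAMPLE_WEB_XML):
        print(f"{pattern}: {issue}")
    print("hardened findings:", audit_web_xml(HARDENED_WEB_XML))
```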