The following sections describe how to configure security for your Web Service:
Transport-level security refers to securing the connection between a client application and a Web Service with Secure Sockets Layer (SSL).
See Secure Sockets Layer (SSL) for general information about SSL and the implementations included in WebLogic Server.
To configure transport-level Web Services security:
1. Configure SSL for the core WebLogic Server security subsystem. You can configure one-way SSL, where WebLogic Server is required to present a certificate to the client application, or two-way SSL, where both the client application and WebLogic Server present certificates to each other. To configure two-way or one-way SSL for the core WebLogic Server security subsystem, see Configuring SSL.
2. Use the @weblogic.jws.security.UserDataConstraint annotation to require that the Web Service be invoked using the HTTPS transport. For details, see weblogic.jws.security.UserDataConstraint. See also Iterative Development of WebLogic Web Services.
3. Update the build.xml file that invokes the clientgen Ant task to use a static WSDL to generate the JAX-RPC stubs of the Web Service, rather than the dynamic deployed WSDL of the service. The reason clientgen cannot generate the stubs from the dynamic WSDL in this case is that when you specify the @UserDataConstraint annotation, all client applications are required to specify a truststore, including clientgen. However, there is currently no way for clientgen to specify a truststore, so the Ant task must generate its client components from a static WSDL that describes the Web Service in the same way as the dynamic WSDL.
4. Run the client application with the system properties that identify its truststore. If the client uses the WebLogic SSL implementation, specify:
-Djava.protocol.handler.pkgs=weblogic.net
-Dweblogic.security.SSL.trustedCAKeyStore=trustStore
where trustStore specifies the name of the client-side truststore that contains the list of trusted certificates (one of which should be the server’s certificate). To disable host name verification, also specify the following property:
-Dweblogic.security.SSL.ignoreHostnameVerification=true
If the client uses the Sun (JSSE) SSL implementation, specify:
-Djavax.net.ssl.trustStore=trustStore
where trustStore specifies the name of the client-side truststore that contains the list of trusted certificates (one of which should be the server’s certificate). To disable host name verification, also specify the following property:
-Dweblogic.wsee.client.ssl.stricthostchecking=false
See Configuring Two-Way SSL for a Client Application for details about two-way SSL.
If you configured two-way SSL for WebLogic Server, the client application must present a certificate to WebLogic Server, in addition to WebLogic Server presenting a certificate to the client application as required by one-way SSL. You must also follow these requirements:
1. Create the client keystore that holds the client’s private key and X.509 certificate. The SSL package of J2SE requires that the password of the client’s private key be the same as the password of the client’s keystore. For this reason, the client keystore can include only one private key and X.509 certificate pair. You can use the Cert Gen utility or Sun Microsystems’ keytool utility to perform this step. For development purposes, the keytool utility is the easiest way to get started. See Obtaining Private Keys and Digital Signatures.
2. Run the client application with the following system properties:
-Djavax.net.ssl.trustStore=trustStore
-Djavax.net.ssl.trustStorePassword=trustStorePassword
where trustStore specifies the name of the client-side truststore that contains the list of trusted certificates (one of which should be the server’s certificate) and trustStorePassword specifies the truststore’s password.
The preceding properties are in addition to the standard properties you must set to specify the client-side keystore:
-Djavax.net.ssl.keyStore=keyStore
-Djavax.net.ssl.keyStorePassword=keyStorePassword
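As an added example (not code from the WebLogic documentation or product), the following shows the service-side @UserDataConstraint annotation from the transport-level procedure together with a client-side preflight that checks the truststore, keystore and host name verification properties from the one-way and two-way client steps before the clientgen-generated stub is used. The package, class, context path and service names are assumptions chosen for the example.

```java
package examples.webservices.ssl;

import javax.jws.WebMethod;
import javax.jws.WebService;
import weblogic.jws.WLHttpTransport;
import weblogic.jws.security.UserDataConstraint;

// Service side: Transport.CONFIDENTIAL makes WebLogic Server reject any
// invocation that does not arrive over HTTPS. The package, names, context
// path and URI below are hypothetical values chosen for this example.
@WebService(name = "SecurePortType", serviceName = "SecureService")
@WLHttpTransport(contextPath = "secure", serviceUri = "SecureService", portName = "SecurePort")
@UserDataConstraint(transport = UserDataConstraint.Transport.CONFIDENTIAL)
public class SecureServiceImpl {
    @WebMethod
    public String echo(String message) {
        return message;
    }
}

// Client side: call check() before instantiating the clientgen stub so that an
// incomplete SSL setup fails with a clear message rather than a handshake error.
// Only the system properties named in the configuration steps are inspected.
class SslClientPreflight {
    static void check() {
        boolean weblogicSsl = "weblogic.net".equals(System.getProperty("java.protocol.handler.pkgs"));
        String trustStore = weblogicSsl
                ? System.getProperty("weblogic.security.SSL.trustedCAKeyStore")
                : System.getProperty("javax.net.ssl.trustStore");
        if (trustStore == null || trustStore.length() == 0) {
            throw new IllegalStateException(
                "no client truststore configured; the server certificate cannot be verified");
        }
        // Two-way SSL: JSSE cannot open the client keystore without its password.
        String keyStore = System.getProperty("javax.net.ssl.keyStore");
        if (keyStore != null && System.getProperty("javax.net.ssl.keyStorePassword") == null) {
            throw new IllegalStateException(
                "javax.net.ssl.keyStore is set but javax.net.ssl.keyStorePassword is missing");
        }
        // With host name verification off, any certificate the truststore trusts is
        // accepted for any host; that is acceptable only on a development machine.
        boolean hostCheckOff = Boolean.getBoolean("weblogic.security.SSL.ignoreHostnameVerification")
                || "false".equalsIgnoreCase(System.getProperty("weblogic.wsee.client.ssl.stricthostchecking"));
        if (hostCheckOff) {
            System.err.println("WARNING: host name verification is disabled for this client");
        }
    }
}
```

Deploy SecureServiceImpl through jwsc as usual and generate the stub from a static WSDL with clientgen; the preflight is plain Java and runs under either SSL implementation.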
The dev2dev CodeShare is a community of developers that share ideas, code and best practices related to BEA technologies. The site includes code examples for a variety of BEA technologies, including using SSL with Web Services.
To view and download the SSL Web Services code examples on the dev2dev site, go to the main Projects page and click on Web Services in the By Technology column.