3. Administering Message Security
Configuring Message Protection Policies
Message protection policies are defined separately for request message processing and for response message processing. Each policy is expressed as a requirement for source authentication (auth_source) and/or recipient authentication (auth_recipient). The providers apply the corresponding message security mechanisms (tokens, signatures, encryption) to realize those policies on SOAP web services messages.
The following topics are addressed here: Message Protection Policy Mapping; To Configure the Message Protection Policies for a Provider; Setting the Request and Response Policy for the Application Client Configuration.
The following table shows message protection policy configurations and the resulting message security operations performed by the WS-Security SOAP message security providers for that configuration.
Table 3-1 Message Protection Policy Mapping to WS-Security SOAP Operations
Typically, you would not reconfigure a provider. However, if your situation requires it, you can modify a provider's message protection policies, its provider type, its implementation class, and its provider-specific configuration properties. To understand the results of the different policy combinations, see Table 3-1.
Use the set(1) subcommand to set the request policy. To set the response policy, replace the word request in the following commands with the word response. Note that the dotted property names use underscores (auth_source, auth_recipient), whereas the corresponding attributes in the XML configuration use hyphens (auth-source, auth-recipient).
To set the source authentication requirement for the client provider, for example:
asadmin> set server-config.security-service.message-security-config.SOAP.provider-config.ClientProvider.request-policy.auth_source=[sender | content]
To set the source authentication requirement for the server provider, for example:
asadmin> set server-config.security-service.message-security-config.SOAP.provider-config.ServerProvider.request-policy.auth_source=[sender | content]
To set the recipient authentication requirement for the client provider, for example:
asadmin> set server-config.security-service.message-security-config.SOAP.provider-config.ClientProvider.request-policy.auth_recipient=[before-content | after-content]
To set the recipient authentication requirement for the server provider, for example:
asadmin> set server-config.security-service.message-security-config.SOAP.provider-config.ServerProvider.request-policy.auth_recipient=[before-content | after-content]
The request and response policies define the authentication requirements that the authentication provider enforces during request and response processing. Policies are expressed in message sender order: auth_recipient=after-content means the sender authenticates the content (signs it) first and encrypts afterwards, so the message receiver decrypts the message before validating the signature; auth_recipient=before-content means the sender encrypts first and signs the encrypted result, so the receiver validates the signature before decrypting.
To achieve message security, the request and response policies must be enabled on both the server and the client. When configuring the policies, make sure that the client policy matches the server policy for request and response protection at the application-level message binding; a client and server that disagree on auth_source or auth_recipient will not be able to validate each other's messages.
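The sender-order rule and the client/server matching requirement above, as an added example that is not part of the GlassFish documentation or of its providers. The real providers emit WS-Security headers; here the signature is an HMAC-SHA256 and the encryption is a toy XOR keystream derived from SHA-256 (constructed for illustration, never a real cipher) so that the ordering is visible offline. The keys, the sample SOAP body and the function names are assumptions of this example.

```python
"""Added example (not GlassFish code): models the sender-order semantics of
auth-recipient.  Signature = HMAC-SHA256; encryption = toy XOR keystream
derived from SHA-256 (illustration only, never use as a cipher)."""
import hashlib
import hmac

# Constructed keys for the example; real providers use keys from the keystore.
SIG_KEY = b"constructed-signing-key"
ENC_KEY = b"constructed-encryption-key"


def _keystream(key, n):
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def toy_encrypt(data):
    """XOR with a keystream; symmetric, so the same call decrypts. Toy only."""
    return bytes(a ^ b for a, b in zip(data, _keystream(ENC_KEY, len(data))))


def sign(data):
    return hmac.new(SIG_KEY, data, hashlib.sha256).digest()


def protect(body, auth_recipient):
    """Sender side.  Returns (protected_body, signature).
    after-content : sign the plaintext, then encrypt it   (sign-then-encrypt)
    before-content: encrypt, then sign the ciphertext     (encrypt-then-sign)
    """
    if auth_recipient == "after-content":
        return toy_encrypt(body), sign(body)
    if auth_recipient == "before-content":
        ciphertext = toy_encrypt(body)
        return ciphertext, sign(ciphertext)
    raise ValueError("auth-recipient must be before-content or after-content")


def unprotect(protected, signature, auth_recipient):
    """Receiver side, undoing the sender's steps in reverse order.
    Returns the plaintext body or raises ValueError."""
    if auth_recipient == "after-content":
        body = toy_encrypt(protected)                        # decrypt first ...
        if not hmac.compare_digest(sign(body), signature):   # ... then verify
            raise ValueError("signature over plaintext does not verify")
        return body
    if auth_recipient == "before-content":
        if not hmac.compare_digest(sign(protected), signature):  # verify first
            raise ValueError("signature over ciphertext does not verify")
        return toy_encrypt(protected)                        # ... then decrypt
    raise ValueError("auth-recipient must be before-content or after-content")


def exchange(body, client_policy, server_policy, tamper=False):
    """One request: the client protects with its policy, the server unprotects
    with its own.  True if the server accepts, False if it rejects."""
    protected, signature = protect(body, client_policy)
    if tamper:  # flip one bit in transit
        protected = bytes([protected[0] ^ 0x01]) + protected[1:]
    try:
        return unprotect(protected, signature, server_policy) == body
    except ValueError:
        return False


if __name__ == "__main__":
    body = b"<getQuote>ACME</getQuote>"  # constructed SOAP body content
    for client, server in (("after-content", "after-content"),
                           ("after-content", "before-content")):
        print(client, "->", server, "accepted" if exchange(body, client, server) else "rejected")
```

A matching pair round-trips; a client on after-content talking to a server on before-content is rejected because the server verifies the signature over the ciphertext while the client signed the plaintext, and the reverse mismatch fails for the mirror-image reason. Any modification in transit is rejected under either ordering.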
To set the request policy for the application client configuration, modify the GlassFish Server–specific configuration for the application client container as described in Enabling Message Security for Application Clients.
Example 3-1 Message Security Policy Setting for Application Clients
In the application client configuration file, the request-policy and response-policy elements are used to set the request policy, as shown in the following code snippet. (Additional code in the snippet is provided as illustration and might differ slightly in your installation. Do not change the additional code.)
<client-container>
  <target-server name="your-host" address="your-host" port="your-port"/>
  <log-service file="" level="WARNING"/>
  <message-security-config auth-layer="SOAP" default-client-provider="ClientProvider">
    <provider-config class-name="com.sun.enterprise.security.jauth.ClientAuthModule" provider-id="ClientProvider" provider-type="client">
      <request-policy auth-source="sender | content" auth-recipient="after-content | before-content"/>
      <response-policy auth-source="sender | content" auth-recipient="after-content | before-content"/>
      <property name="security.config" value="as-install/lib/appclient/wss-client-config.xml"/>
    </provider-config>
  </message-security-config>
</client-container>
Valid values for auth-source are sender and content. Valid values for auth-recipient are before-content and after-content. A table describing the results of the various combinations of these values can be found in Configuring Message Protection Policies.
To specify no request or response policy, leave the element empty, for example:
<response-policy/>
An empty policy element means no message protection is applied in that direction, so the corresponding server-side policy must also be left unset for the client and server to match.
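The asadmin set commands from To Configure the Message Protection Policies for a Provider and the client/server matching requirement above, combined into one added example that is not part of the GlassFish documentation or code base. It reads the request and response policies of the application client container's provider-config, reads the server-side provider from a fragment laid out like the message-security-config in domain.xml, reports the phases where they differ, and builds the asadmin set commands that would align the ServerProvider with the client. Both XML fragments are constructed for the example, the server fragment's class-name is illustrative, and the function names are assumptions.

```python
"""Added example, not GlassFish code: compare client-container and server
message protection policies and emit the asadmin set commands to align them."""
import subprocess
import xml.etree.ElementTree as ET

# Allowed attribute values (auth-source / auth-recipient), as documented.
VALID = {"auth-source": {"sender", "content"},
         "auth-recipient": {"before-content", "after-content"}}

# Constructed client-container fragment (sun-acc.xml style).
CLIENT_XML = """<client-container>
  <message-security-config auth-layer="SOAP" default-client-provider="ClientProvider">
    <provider-config class-name="com.sun.enterprise.security.jauth.ClientAuthModule"
                     provider-id="ClientProvider" provider-type="client">
      <request-policy auth-source="content" auth-recipient="after-content"/>
      <response-policy/>
    </provider-config>
  </message-security-config>
</client-container>"""

# Constructed server fragment mirroring the domain.xml layout; class-name is illustrative.
SERVER_XML = """<security-service>
  <message-security-config auth-layer="SOAP" default-provider="ServerProvider">
    <provider-config class-name="example.ServerSecurityAuthModule"
                     provider-id="ServerProvider" provider-type="server">
      <request-policy auth-source="sender"/>
      <response-policy auth-source="content" auth-recipient="before-content"/>
    </provider-config>
  </message-security-config>
</security-service>"""


def read_policies(xml_text, provider_id):
    """Return {"request": {...}, "response": {...}} for one provider-config.
    An empty dict for a phase means the element was left blank (no policy)."""
    root = ET.fromstring(xml_text)
    for pc in root.iter("provider-config"):
        if pc.get("provider-id") == provider_id:
            break
    else:
        raise ValueError("no provider-config with provider-id=%r" % provider_id)
    policies = {}
    for phase in ("request", "response"):
        el = pc.find(phase + "-policy")
        attrs = dict(el.attrib) if el is not None else {}
        for name, value in attrs.items():
            if value not in VALID.get(name, set()):
                raise ValueError("bad %s-policy %s=%r" % (phase, name, value))
        policies[phase] = attrs
    return policies


def mismatches(client, server):
    """Phases in which the client and server policies differ."""
    return {phase: (client[phase], server[phase])
            for phase in ("request", "response") if client[phase] != server[phase]}


def asadmin_set_commands(policies, provider_id="ServerProvider", config="server-config"):
    """asadmin set commands for every attribute present in `policies`.  The
    dotted property names use underscores (auth_source) where the XML uses
    hyphens (auth-source).  A blank policy produces no command."""
    prefix = ("%s.security-service.message-security-config.SOAP.provider-config.%s"
              % (config, provider_id))
    cmds = []
    for phase in ("request", "response"):
        for name, value in sorted(policies[phase].items()):
            cmds.append("set %s.%s-policy.%s=%s"
                        % (prefix, phase, name.replace("-", "_"), value))
    return cmds


def apply_commands(cmds, dry_run=True):
    """Run the commands through asadmin; dry_run only prints them."""
    for cmd in cmds:
        if dry_run:
            print("asadmin " + cmd)
        else:
            subprocess.run(["asadmin"] + cmd.split(), check=True)


if __name__ == "__main__":
    client = read_policies(CLIENT_XML, "ClientProvider")
    server = read_policies(SERVER_XML, "ServerProvider")
    for phase, (c, s) in mismatches(client, server).items():
        print("%s policy differs: client=%s server=%s" % (phase, c, s))
    apply_commands(asadmin_set_commands(client))
```

Run with dry_run=True first and review the printed commands before letting the script call asadmin. A blank client policy (the empty response-policy above) is reported as a mismatch but produces no set command, since there is nothing to set; that side has to be cleared by hand on the server.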