Sun Java System Web Server 7.0 Developer's Guide to Java Web Applications

Configuring the Web Server for Message Security

This section describes the following topics:

Actions of Request and Response Policy Configurations

The following table shows message protection policy configuration and the resulting message security operations performed by the WS-Security SOAP message security providers for that configuration.

Table 8–1 Message Protection Policy Configuration

Message Protection Policy | Resulting WS-Security SOAP Message Protection Operation
--- | ---
auth-source="sender" | The message contains a wsse:Security header that contains a wsse:UsernameToken with password.
auth-source="content" | The content of the SOAP message body is signed. The message contains a wsse:Security header that contains the message body signature represented as a ds:Signature.
auth-source="sender" auth-recipient="before-content" OR auth-recipient="after-content" | The content of the SOAP message body is encrypted and replaced with the resulting xenc:EncryptedData. The message contains a wsse:Security header that contains a wsse:UsernameToken with password and an xenc:EncryptedKey. The xenc:EncryptedKey contains the key used to encrypt the SOAP message body. The key is encrypted in the public key of the recipient.
auth-source="content" auth-recipient="before-content" | The content of the SOAP message body is encrypted and replaced with the resulting xenc:EncryptedData. The xenc:EncryptedData is signed. The message contains a wsse:Security header that contains an xenc:EncryptedKey and a ds:Signature. The xenc:EncryptedKey contains the key used to encrypt the SOAP message body. The key is encrypted in the public key of the recipient.
auth-source="content" auth-recipient="after-content" | The content of the SOAP message body is signed, then encrypted, and then replaced with the resulting xenc:EncryptedData. The message contains a wsse:Security header that contains an xenc:EncryptedKey and a ds:Signature. The xenc:EncryptedKey contains the key used to encrypt the SOAP message body. The key is encrypted in the public key of the recipient.
auth-recipient="before-content" OR auth-recipient="after-content" | The content of the SOAP message body is encrypted and replaced with the resulting xenc:EncryptedData. The message contains a wsse:Security header that contains an xenc:EncryptedKey. The xenc:EncryptedKey contains the key used to encrypt the SOAP message body. The key is encrypted in the public key of the recipient.
No policy specified | No security operations are performed by the modules.

Procedure: To Configure Other Security Facilities

The Web Server implements message security using message security providers integrated in its SOAP processing layer. The message security providers depend on other security facilities of Web Server.

  1. If using a username token, configure a user database, if necessary.

    When using a username and password token, an appropriate realm must be configured and an appropriate user database must be configured for the realm.

  2. Manage certificates and private keys, if necessary.

    Configure the Web Server certificate and private-key facilities for use by the message security providers as described in Managing Certificates in Sun Java System Web Server 7.0 Administrator’s Guide.

Security Enhancements to server.xml

The server element in server.xml contains one or more soap-auth-provider elements, each of which contains a list of configured SOAP message security providers. The server element also includes a default-soap-auth-provider-name for the default SOAP message-level authentication provider.

See Chapter 3, Elements in server.xml, in Sun Java System Web Server 7.0 Administrator’s Configuration File Reference for more information.

Administration Command-Line Interface (CLI) support is provided to add, remove, and list the soap-auth-provider element in server.xml. The CLI also supports adding a default-soap-auth-provider-name to server.xml.

Security Enhancements to sun-web.xml

Security-related additions to sun-web.xml are described in detail in the following sections.

webservice-endpoint Element

The syntax for the webservice-endpoint element is as follows:

<!ELEMENT webservice-endpoint (port-component-name, endpoint-address-uri?,
(login-config|message-security-binding)?, transport-guarantee?,
service-qname?, tie-class?, servlet-impl-class?)>

Table 8–2 webservice-endpoint Element

Element Name | Occurrences | Description | Type
--- | --- | --- | ---
port-component-name | 1 | Unique name of a Web Service within a module. This name should be the same as the endpoint name in sun-jaxws.xml. | PCDATA
endpoint-address-uri | 0 or 1 | Unused for Web Server | PCDATA
login-config | 0 or 1 | Unused for Web Server | 
message-security-binding | 0 or 1 | Used to bind a Web Service endpoint or port to a specific security provider. This element can also be used to provide a definition of message security requirements to be enforced by the security provider. See Table 8–3. | message-security-binding
transport-guarantee | 0 or 1 | Unused for Web Server | PCDATA
service-qname | 0 or 1 | Unused for Web Server | 
tie-class | 0 or 1 | Unused for Web Server | PCDATA
servlet-impl-class | 0 or 1 | Unused for Web Server | Class name

message-security-binding Element

The message-security-binding element is used to bind a web service endpoint or port to a specific security provider.

The syntax for this element is as follows:

<!ELEMENT message-security-binding (message-security*)>
<!ATTLIST message-security-binding
auth-layer %message-layer; #REQUIRED
provider-id CDATA #IMPLIED >

Table 8–3 message-security-binding Element

Element name | Occurrences | Description | Type
--- | --- | --- | ---
message-security | 0 or more | Specifies the message security requirements of request and response for the endpoint or port | See Table 8–5

Table 8–4 Attributes of the message-security-binding Element

Attribute name | Description | Type | Default
--- | --- | --- | ---
auth-layer | Layer at which the security should be enforced | Entity message-layer | This attribute is required.
provider-id | Identifies the provider-config that should be used | CDATA | If a value is not specified, then the default provider is used. If no default provider exists at the layer, the authentication requirements defined in the message-security-binding are not enforced.

message-security Element

The syntax for the message-security element is as follows:

<!ELEMENT message-security (message+, request-protection?, response-protection?)>

Table 8–5 message-security Element

Element name | Occurrences | Description | Type
--- | --- | --- | ---
message | 1 or more | Describes the methods or operations to which the security requirements apply | Table 8–6
request-protection | 0 or 1 | Describes the authentication requirements applicable to a request | Table 8–7
response-protection | 0 or 1 | Describes the authentication requirements applicable to a response | Table 8–8

message Element

The syntax for the message element is as follows: <!ELEMENT message (java-method?|operation-name?)>

Table 8–6 message Element

Element name | Occurrences | Description | Type
--- | --- | --- | ---
java-method | 0 or 1 | Java methods on which the security should be enforced | Table 8–9
operation-name | 0 or 1 | WSDL name of an operation of the web service | PCDATA

Attributes of request-protection Element

The syntax for the request-protection element is as follows:

<!ELEMENT request-protection EMPTY>
<!ATTLIST request-protection
auth-source (sender|content) #IMPLIED
auth-recipient (before-content|after-content) #IMPLIED >

Table 8–7 request-protection Element

Attribute name | Description | Value | Default
--- | --- | --- | ---
auth-source | Defines a requirement for message layer sender authentication (for example, username and password) or content authentication (for example, digital signature) | sender or content | Implied
auth-recipient | Defines a requirement for message layer authentication of the receiver of a message to its sender, for example, by XML encryption. A before-content attribute value indicates that recipient authentication occurs before any content authentication. | before-content or after-content | Implied

response-protection Element

The syntax for the response-protection element is as follows:

<!ELEMENT response-protection EMPTY>
<!ATTLIST response-protection
auth-source (sender|content) #IMPLIED
auth-recipient (before-content|after-content) #IMPLIED >

Table 8–8 Attributes of the response-protection Element

Attribute name | Description | Value | Default
--- | --- | --- | ---
auth-source | Defines a requirement for message layer sender authentication (for example, username and password) or content authentication (for example, digital signature) | sender or content | Implied
auth-recipient | Defines a requirement for message layer authentication of the receiver of a message to its sender, for example, by XML encryption. The before-content attribute value indicates that recipient authentication occurs before any content authentication with respect to the target of the containing auth-policy. | before-content or after-content | Implied

java-method Element

The syntax for the java-method element is as follows:

<!ELEMENT java-method (method-name, method-params?)>

Table 8–9 java-method Element

Element name | Occurrences | Description | Value
--- | --- | --- | ---
method-name | 1 | Name of the service method | PCDATA
method-params | 0 or 1 | List of the fully qualified Java type names of the method parameters. | Table 8–10

method-params Element

The syntax for the method-params element is as follows:

<!ELEMENT method-params (method-param*)>

Table 8–10 Attributes of the method-params Element

Element name | Occurrences | Description | Value
--- | --- | --- | ---
method-param | 0 or more | Fully qualified Java type name of a method parameter | PCDATA
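Putting the elements above together, the following sun-web.xml fragment is an added example, not taken from the original guide: it binds one endpoint to a SOAP provider, requires signing followed by encryption on the sayHello(String) method, and requires only a username token on a second WSDL operation. The context root, endpoint name, provider ID, method and operation names are assumed placeholders; the sun-web-app root and context-root elements are assumed from the standard sun-web.xml layout.

```xml
<sun-web-app>
  <context-root>/hello</context-root>
  <webservice-endpoint>
    <!-- Placeholder; must equal the endpoint name declared in sun-jaxws.xml -->
    <port-component-name>HelloEndpoint</port-component-name>
    <!-- auth-layer is required and takes the message-layer entity value "SOAP".
         provider-id (placeholder) names a provider configured under a
         soap-auth-provider element in server.xml; if omitted, the default
         provider for the layer is used, and if there is none, nothing is enforced. -->
    <message-security-binding auth-layer="SOAP" provider-id="ServerProvider">
      <!-- Requirement 1: sayHello(java.lang.String).
           Table 8-1 row auth-source="content" auth-recipient="after-content":
           body signed, then encrypted, for both request and response. -->
      <message-security>
        <message>
          <java-method>
            <method-name>sayHello</method-name>
            <method-params>
              <method-param>java.lang.String</method-param>
            </method-params>
          </java-method>
        </message>
        <request-protection auth-source="content" auth-recipient="after-content"/>
        <response-protection auth-source="content" auth-recipient="after-content"/>
      </message-security>
      <!-- Requirement 2: WSDL operation getStatus (placeholder name).
           Table 8-1 row auth-source="sender": the request carries a
           wsse:UsernameToken with password. No response-protection element
           is given, so no security operations are applied to the response. -->
      <message-security>
        <message>
          <operation-name>getStatus</operation-name>
        </message>
        <request-protection auth-source="sender"/>
      </message-security>
    </message-security-binding>
  </webservice-endpoint>
</sun-web-app>
```

Because the second requirement uses a username token, step 1 of the procedure above applies: the realm and user database that the provider validates the token against must be configured.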

message-layer Entity

The message-layer entity defines the value of the auth-layer attribute.

The syntax for the message-layer entity is: <!ENTITY % message-layer "(SOAP)">