This chapter contains the following sections:
In Axis 1.4 and WSS4J 1.5.8, you configure the security of inbound and outbound requests with the WSS4J handlers (WSDoAllSender and WSDoAllReceiver) and their parameters in the Axis deployment descriptor (.wsdd). For more information, see the Axis Deployment Tutorial at http://ws.apache.org/wss4j/axis.html.
In Oracle WSM 11g, you attach policies to Web service endpoints. Each policy consists of one or more assertions, defined at the domain-level, that define the security requirements. A set of predefined policies and assertions are provided out-of-the-box. For more details about the predefined policies, see "Predefined Policies" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services. For more information about configuring and attaching policies, see "Configuring Policies" and "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Table 7-1 summarizes the most common Axis and WSS4J interoperability scenarios based on the following security requirements: authentication, message protection, and transport. For each scenario it pairs the Oracle WSM 11g policy attached on one side with the WSS4J handler action list that must be configured on the other.
For more information about:

Configuring and attaching Oracle WSM 11g policies, see "Configuring Policies" and "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

Configuring and attaching policies on Axis and WSS4J, see the Axis Deployment Tutorial at http://ws.apache.org/wss4j/axis.html.
Table 7-1 Interoperability with Axis and WSS4J Security Environments

Interoperability Scenario | Client—>Web Service | Oracle WSM 11g Policies | Axis/WSS4J Policies (handler action) |
---|---|---|---|
Username token with message protection (WS-Security 1.0) | Axis/WSS4J—>Oracle WSM 11g | oracle/wss10_username_token_with_message_protection_service_policy | UsernameToken Timestamp Signature Encrypt |
Username token with message protection (WS-Security 1.0) | Oracle WSM 11g—>Axis/WSS4J | oracle/wss10_username_token_with_message_protection_client_policy | UsernameToken Timestamp Signature Encrypt |
SAML token with message protection (WS-Security 1.0) | Axis/WSS4J—>Oracle WSM 11g | oracle/wss10_saml_token_with_message_protection_service_policy | SAMLTokenUnsigned Timestamp Signature Encrypt |
SAML token with message protection (WS-Security 1.0) | Oracle WSM 11g—>Axis/WSS4J | oracle/wss10_saml_token_with_message_protection_client_policy | SAMLTokenUnsigned Timestamp Signature Encrypt |
Username token over SSL | Axis/WSS4J—>Oracle WSM 11g | oracle/wss_username_token_over_ssl_service_policy | UsernameToken Timestamp |
Username token over SSL | Oracle WSM 11g—>Axis/WSS4J | oracle/wss_username_token_over_ssl_client_policy | Timestamp UsernameToken |
SAML token (sender vouches) over SSL | Axis/WSS4J—>Oracle WSM 11g | oracle/wss_saml_token_over_ssl_service_policy | SAMLTokenUnsigned Timestamp |
SAML token (sender vouches) over SSL | Oracle WSM 11g—>Axis/WSS4J | oracle/wss_saml_token_over_ssl_client_policy | Timestamp SAMLTokenUnsigned |
Perform the following steps to create the handler and property files that are required in each of the Axis and WSS4J interoperability scenarios:
Create and compile a password callback class, PWCallback.java, that resolves the passwords for the username token and for the keystore aliases (the signing and decryption keys).
The deployment descriptors defined in the following sections contain username information, but not password information. As a best practice, do not store sensitive information such as passwords in clear text within the deployment descriptor. To obtain a password, the Axis handler calls the password callback class named in its passwordCallbackClass parameter. This mechanism is similar to JAAS. For more information, see the WSS4J documentation at http://ws.apache.org/wss4j.
Create the keystore properties file, crypto.properties, as shown below. Include this file in the classes directory, because the handlers load it from the classpath.

```properties
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=welcome1
org.apache.ws.security.crypto.merlin.file=default-keystore.jks
```

Note that this file holds the keystore password in clear text, so restrict read access to it to the account that runs Axis, and do not commit it with a production password.
Create the saml.properties file, required for SAML interoperability scenarios only, as shown below.

```properties
org.apache.ws.security.saml.issuerClass=org.apache.ws.security.saml.SAMLIssuerImpl
org.apache.ws.security.saml.issuer.cryptoProp.file=crypto.properties
org.apache.ws.security.saml.issuer.key.name=orakey
org.apache.ws.security.saml.issuer.key.password=orakey
org.apache.ws.security.saml.issuer=www.oracle.com
org.apache.ws.security.saml.subjectNameId.name=weblogic
org.apache.ws.security.saml.authenticationMethod=password
org.apache.ws.security.saml.confirmationMethod=senderVouches
```

The issuer key password is likewise in clear text here; protect the file as you protect crypto.properties. With confirmationMethod=senderVouches the assertion itself carries no proof of the subject's identity: the receiver trusts it only because the message carrying it is signed by a trusted sender, or because it arrives over an authenticated SSL connection. That is why Table 7-1 never lists SAMLTokenUnsigned on its own.
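The following is an added example of such a password callback class; it is not code from the Oracle guide or from WSS4J. It implements javax.security.auth.callback.CallbackHandler and answers each WSPasswordCallback according to its usage code, as documented for WSS4J 1.5.x (the misspelled getIdentifer() accessor is that version's API; check the names against the wss4j jar you deploy). The package name, the interop.secret.* system properties used as the secret source, and the sameSecret helper are assumptions of this example; substitute your own credential store.

```java
package com.example.interop; // assumed package; the descriptors on this page use their own class names

import java.io.IOException;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/**
 * Password callback for the WSS4J 1.5.x Axis handlers (WSDoAllSender / WSDoAllReceiver).
 * The class named in the "passwordCallbackClass" parameter is asked for every password the
 * handler needs, so no secret has to be written into the .wsdd descriptor. The reason for
 * each request is given by WSPasswordCallback.getUsage().
 */
public class PWCallback implements CallbackHandler {

    // Assumed secret source for this example: JVM system properties, read once at class load.
    // A real deployment would read a credential store or an access-restricted file instead.
    private static final Map<String, String> SECRETS = new HashMap<String, String>();
    static {
        String[] ids = {"weblogic", "orakey", "wss4j"};   // users and keystore aliases used on this page
        for (String id : ids) {
            SECRETS.put(id, System.getProperty("interop.secret." + id));
        }
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "unrecognized callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            String id = pc.getIdentifer();          // username or keystore alias (1.5.x spelling)
            String secret = SECRETS.get(id);
            switch (pc.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:   // token password: the sender inserts it, a
                                                          // receiver with PasswordDigest compares digests
                case WSPasswordCallback.SIGNATURE:        // private-key password of signatureUser
                case WSPasswordCallback.DECRYPT:          // private-key password of the decryption alias
                    if (secret == null) {
                        throw new IOException("no secret configured for " + id);
                    }
                    pc.setPassword(secret);
                    break;
                case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                    // Receiver with passwordType=PasswordText: WSS4J passes the cleartext password from
                    // the inbound token and expects the callback to reject it on mismatch.
                    if (secret == null || !sameSecret(secret, pc.getPassword())) {
                        throw new IOException("authentication failed for " + id);
                    }
                    break;
                default:
                    throw new UnsupportedCallbackException(cb, "unsupported usage " + pc.getUsage());
            }
        }
    }

    // Constant-time comparison, so a wrong password cannot be narrowed down by timing.
    private static boolean sameSecret(String expected, String presented) throws IOException {
        if (presented == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes("UTF-8"), presented.getBytes("UTF-8"));
    }
}
```

Compile the class onto the Axis classpath and reference it by its fully qualified name in the passwordCallbackClass parameter of each handler. Secrets are supplied at JVM start (for example -Dinterop.secret.orakey=...), so the descriptor and the class source stay free of passwords.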
The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:

"Username Token With Message Protection (WS-Security 1.0)—Axis and WSS4J Client —> Oracle WSM 11g Web Service"

"Username Token With Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> Axis and WSS4J Web Service"
Perform the steps described in the following table.
Table 7-2 Username Token With Message Protection (WS-Security 1.0)—Axis and WSS4J Client —> Oracle WSM 11g Web Service
Component | Steps |
---|---|
Web Service—Oracle WSM 11g | Perform the following steps: |
Web Service Client—Axis and WSS4J | Perform the following steps: |
The following shows an example of the client_deploy.wsdd deployment descriptor. In this example the same alias, orakey, serves as signatureUser and encryptionUser, so both sides share the key in default-keystore.jks; in a real deployment signatureUser names the client's own private key and encryptionUser names the service's certificate.
Example 7-1 client_deploy.wsdd Deployment Descriptor
```xml
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender"/>
  <globalConfiguration>
    <!-- wss10_username_token_with_message_protection -->
    <requestFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
        <parameter name="passwordCallbackClass"
                   value="com.oracle.xmlns.ConfigOverride_jws.CO_SOA.BPELProcess1.PWCallback"/>
        <parameter name="passwordType" value="PasswordText"/>
        <parameter name="user" value="weblogic"/>
        <parameter name="action" value="UsernameToken Timestamp Signature Encrypt"/>
        <parameter name="encryptionKeyTransportAlgorithm"
                   value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <parameter name="encryptionKeyIdentifier" value="DirectReference"/>
        <parameter name="encryptionPropFile" value="crypto.properties"/>
        <parameter name="encryptionUser" value="orakey"/>
        <parameter name="encryptionParts"
                   value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
        <parameter name="signatureUser" value="orakey"/>
        <parameter name="signaturePropFile" value="crypto.properties"/>
        <parameter name="signatureKeyIdentifier" value="DirectReference"/>
        <parameter name="signatureParts"
                   value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken;{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
      </handler>
    </requestFlow>
    <responseFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
        <parameter name="passwordCallbackClass"
                   value="com.oracle.xmlns.ConfigOverride_jws.CO_SOA.BPELProcess1.PWCallback"/>
        <parameter name="action" value="Timestamp Signature Encrypt"/>
        <parameter name="signaturePropFile" value="crypto.properties"/>
        <parameter name="decryptionPropFile" value="crypto.properties"/>
        <parameter name="enableSignatureConfirmation" value="false"/>
      </handler>
    </responseFlow>
  </globalConfiguration>
</deployment>
```

The UsernameToken is listed in both signatureParts and encryptionParts: with passwordType PasswordText the token carries the password in clear text, so it must be encrypted, and signing it binds it to the rest of the message. Keep the parts values on one line; whitespace inside a {Element}{namespace}LocalName entry changes the element name that WSS4J looks for.
Perform the steps described in the following table.
Table 7-3 Username Token With Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> Axis and WSS4J Web Service
Component | Steps |
---|---|
Web Service—Axis/WSS4J | Perform the following steps: |
Web Service Client—Oracle WSM 11g | Perform the following steps: |
The following shows an example of the server_deploy.wsdd deployment descriptor.
Example 7-2 server_deploy.wsdd Deployment Descriptor
```xml
<ns1:service name="HelloWorld" provider="java:RPC" style="wrapped" use="literal">
  <!-- wss10_username_token_with_message_protection -->
  <requestFlow>
    <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
      <parameter name="passwordCallbackClass" value="PWCallback1"/>
      <parameter name="user" value="wss4j"/>
      <parameter name="action" value="UsernameToken Timestamp Signature Encrypt"/>
      <parameter name="signaturePropFile" value="crypto.properties"/>
      <parameter name="decryptionPropFile" value="crypto.properties"/>
    </handler>
  </requestFlow>
  <responseFlow>
    <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
      <parameter name="passwordCallbackClass" value="PWCallback1"/>
      <parameter name="user" value="orakey"/>
      <parameter name="action" value="Timestamp Signature Encrypt"/>
      <parameter name="encryptionKeyTransportAlgorithm"
                 value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <parameter name="signaturePropFile" value="crypto.properties"/>
      <parameter name="signatureKeyIdentifier" value="DirectReference"/>
      <parameter name="signatureParts"
                 value="{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp"/>
      <parameter name="encryptionKeyIdentifier" value="DirectReference"/>
    </handler>
  </responseFlow>
</ns1:service>
```
The following sections describe how to implement SAML token with message protection that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:

"SAML Token With Message Protection (WS-Security 1.0)—Axis and WSS4J Client —> Oracle WSM 11g Web Service"

"SAML Token With Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> Axis and WSS4J Web Service"
Perform the steps described in the following table.
Table 7-4 SAML Token With Message Protection (WS-Security 1.0)—Axis and WSS4J Client —> Oracle WSM 11g Web Service
Component | Steps |
---|---|
Web Service—Oracle WSM 11g | Perform the following steps: |
Web Service Client—Axis and WSS4J | Perform the following steps: |
The following shows an example of the client_deploy.wsdd deployment descriptor.
Example 7-3 client_deploy.wsdd Deployment Descriptor
```xml
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender"/>
  <globalConfiguration>
    <!-- wss10_saml_token_with_message_protection -->
    <requestFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
        <parameter name="passwordCallbackClass"
                   value="com.oracle.xmlns.ConfigOverride_jws.CO_SOA.BPELProcess1.PWCallback"/>
        <parameter name="passwordType" value="PasswordText"/>
        <parameter name="user" value="weblogic"/>
        <parameter name="action" value="Timestamp Signature SAMLTokenSigned Encrypt"/>
        <parameter name="samlPropFile" value="saml.properties"/>
        <parameter name="encryptionKeyTransportAlgorithm"
                   value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <parameter name="encryptionKeyIdentifier" value="DirectReference"/>
        <parameter name="encryptionPropFile" value="crypto.properties"/>
        <parameter name="encryptionUser" value="orakey"/>
        <parameter name="encryptionParts" value="{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
        <parameter name="signatureUser" value="orakey"/>
        <parameter name="signaturePropFile" value="crypto.properties"/>
        <parameter name="signatureKeyIdentifier" value="DirectReference"/>
        <parameter name="signatureParts"
                   value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
      </handler>
    </requestFlow>
    <responseFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
        <parameter name="passwordCallbackClass"
                   value="com.oracle.xmlns.ConfigOverride_jws.CO_SOA.BPELProcess1.PWCallback"/>
        <parameter name="action" value="Timestamp Signature Encrypt"/>
        <parameter name="signaturePropFile" value="crypto.properties"/>
        <parameter name="decryptionPropFile" value="crypto.properties"/>
        <parameter name="enableSignatureConfirmation" value="false"/>
      </handler>
    </responseFlow>
  </globalConfiguration>
</deployment>
```

The SAML issuer settings (issuer key, subject name, sender-vouches confirmation) come from the file named in samlPropFile, so the assertion's subject is the weblogic user configured in saml.properties rather than the user parameter of the handler.
Perform the steps described in the following table.
Table 7-5 SAML Token With Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> Axis and WSS4J Web Service
Component | Steps |
---|---|
Web Service—Axis/WSS4J | Perform the following steps: |
Web Service Client—Oracle WSM 11g | Perform the following steps: |
The following shows an example of the server_deploy.wsdd deployment descriptor.
Example 7-4 server_deploy.wsdd Deployment Descriptor
```xml
<ns1:service name="HelloWorld" provider="java:RPC" style="wrapped" use="literal">
  <!-- wss10_saml_token_with_message_protection -->
  <requestFlow>
    <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
      <parameter name="passwordCallbackClass" value="PWCallback1"/>
      <parameter name="user" value="wss4j"/>
      <parameter name="action" value="SAMLTokenUnsigned Timestamp Signature Encrypt"/>
      <parameter name="signaturePropFile" value="crypto.properties"/>
      <parameter name="decryptionPropFile" value="crypto.properties"/>
    </handler>
  </requestFlow>
  <responseFlow>
    <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
      <parameter name="passwordCallbackClass" value="PWCallback1"/>
      <parameter name="user" value="orakey"/>
      <parameter name="action" value="Timestamp Signature Encrypt"/>
      <parameter name="encryptionKeyTransportAlgorithm"
                 value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <parameter name="signaturePropFile" value="crypto.properties"/>
      <parameter name="signatureKeyIdentifier" value="DirectReference"/>
      <parameter name="signatureParts"
                 value="{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp"/>
      <parameter name="encryptionKeyIdentifier" value="DirectReference"/>
    </handler>
  </responseFlow>
</ns1:service>
```
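Whether two descriptors such as Examples 7-1 and 7-2 (or 7-3 and 7-4) actually agree is easy to get wrong by hand, and Table 7-1 only lists the action strings. The following is an added example of a small consistency check; it is not part of the Oracle guide and not a WSS4J API. It reads the WSDoAllSender handler from a client descriptor and the WSDoAllReceiver handler from the matching server descriptor, compares their action lists as sets (the order of actions is not examined), and reports parts that the sender leaves unsigned or a cleartext UsernameToken that is not encrypted. The class name WsddActionCheck, the checks themselves and the embedded sample descriptors are this example's own; the sample is abbreviated from Examples 7-1 and 7-2 with Encrypt deliberately removed from the server side so that a finding is produced.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

/** Added example: cross-checks a WSDoAllSender handler against the WSDoAllReceiver that consumes its output. */
public class WsddActionCheck {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";

    /** Parameters (name to value) of the first handler in the named flow whose type ends with typeSuffix. */
    static Map<String, String> handlerParams(String wsdd, String flow, String typeSuffix) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(false);   // the server fragments on this page use an undeclared ns1: prefix
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);   // no DTDs, no XXE
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(wsdd)));
        NodeList flows = doc.getElementsByTagName(flow);
        for (int i = 0; i < flows.getLength(); i++) {
            NodeList handlers = ((Element) flows.item(i)).getElementsByTagName("handler");
            for (int j = 0; j < handlers.getLength(); j++) {
                Element h = (Element) handlers.item(j);
                if (!h.getAttribute("type").endsWith(typeSuffix)) continue;
                Map<String, String> params = new LinkedHashMap<String, String>();
                NodeList ps = h.getElementsByTagName("parameter");
                for (int k = 0; k < ps.getLength(); k++) {
                    Element p = (Element) ps.item(k);
                    params.put(p.getAttribute("name"), p.getAttribute("value"));
                }
                return params;
            }
        }
        throw new IllegalArgumentException("no " + typeSuffix + " handler inside <" + flow + ">");
    }

    /** The "action" parameter ("UsernameToken Timestamp Signature Encrypt") as a set of action names. */
    static Set<String> actions(Map<String, String> params) {
        String a = params.get("action");
        if (a == null || a.trim().length() == 0) return new LinkedHashSet<String>();
        return new LinkedHashSet<String>(Arrays.asList(a.trim().split("\\s+")));
    }

    /** Local names from a WSS4J parts spec: "{Element}{ns}Timestamp;{Content}{ns}Body" gives [Timestamp, Body]. */
    static Set<String> partNames(String spec) {
        Set<String> names = new LinkedHashSet<String>();
        if (spec == null) return names;
        for (String part : spec.split(";")) {
            String p = part.trim();
            names.add(p.substring(p.lastIndexOf('}') + 1).trim());
        }
        return names;
    }

    /** Findings for one direction: the sender handler and the receiver handler that processes its output. */
    static List<String> check(Map<String, String> sender, Map<String, String> receiver) {
        List<String> findings = new ArrayList<String>();
        Set<String> sent = actions(sender), expected = actions(receiver);
        if (!sent.equals(expected)) {
            findings.add("action mismatch: sender " + sent + ", receiver " + expected
                    + " (WSDoAllReceiver compares the actions it finds in the message with its own list)");
        }
        Set<String> signed = partNames(sender.get("signatureParts"));
        Set<String> encrypted = partNames(sender.get("encryptionParts"));
        if (sent.contains("Signature") && !signed.isEmpty()) {
            if (!signed.contains("Body")) findings.add("Signature does not cover the Body");
            if (sent.contains("Timestamp") && !signed.contains("Timestamp"))
                findings.add("Timestamp is sent but not signed, so the replay window is not integrity-protected");
        }
        if (sent.contains("UsernameToken") && "PasswordText".equals(sender.get("passwordType"))
                && !encrypted.contains("UsernameToken")) {
            findings.add("UsernameToken carries a cleartext password but is not in encryptionParts; "
                    + "acceptable only when the transport is SSL (the *_over_ssl policies)");
        }
        return findings;
    }

    // Constructed sample: request direction of Examples 7-1 and 7-2, abbreviated, with "Encrypt"
    // deliberately left out of the server action list so that the check reports it.
    static final String CLIENT = "<deployment xmlns=\"http://xml.apache.org/axis/wsdd/\"><globalConfiguration>"
            + "<requestFlow><handler type=\"java:org.apache.ws.axis.security.WSDoAllSender\">"
            + "<parameter name=\"passwordType\" value=\"PasswordText\"/>"
            + "<parameter name=\"action\" value=\"UsernameToken Timestamp Signature Encrypt\"/>"
            + "<parameter name=\"encryptionParts\" value=\"{Element}{" + WSSE + "}UsernameToken;{Content}{" + SOAP + "}Body\"/>"
            + "<parameter name=\"signatureParts\" value=\"{Element}{" + WSSE + "}UsernameToken;"
            + "{Element}{" + WSU + "}Timestamp;{Element}{" + SOAP + "}Body\"/>"
            + "</handler></requestFlow></globalConfiguration></deployment>";
    static final String SERVER = "<ns1:service name=\"HelloWorld\"><requestFlow>"
            + "<handler type=\"java:org.apache.ws.axis.security.WSDoAllReceiver\">"
            + "<parameter name=\"action\" value=\"UsernameToken Timestamp Signature\"/>"
            + "</handler></requestFlow></ns1:service>";

    public static void main(String[] args) throws Exception {
        List<String> findings = check(handlerParams(CLIENT, "requestFlow", "WSDoAllSender"),
                handlerParams(SERVER, "requestFlow", "WSDoAllReceiver"));
        for (String f : findings) System.out.println("FINDING: " + f);
        if (findings.isEmpty()) System.out.println("request direction consistent");
    }
}
```

Run against the embedded sample, main reports the single action mismatch; restoring Encrypt to the server's list makes the request direction consistent. To check the response direction, read the server's responseFlow WSDoAllSender and the client's responseFlow WSDoAllReceiver and pass them to check() in that order. A real run would read the two .wsdd files from disk instead of the embedded strings.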
The following sections describe how to implement username token over SSL, describing the following interoperability scenarios:
"Username Token Over SSL—Axis and WSS4J Client —> Oracle WSM 11g Web Service"
"Username Token Over SSL—Oracle WSM 11g Client —> Axis and WSS4J Web Service"
Perform the steps described in the following table.
Table 7-6 Username Token Over SSL—Axis and WSS4J Client —> Oracle WSM 11g Web Service
Component | Steps |
---|---|
Web Service—Oracle WSM 11g | Perform the following steps: |
Web Service Client—Axis and WSS4J | Perform the following steps: |
Perform the steps described in the following table.
Table 7-7 Username Token Over SSL—Oracle WSM 11g Client —> Axis and WSS4J Web Service
Component | Steps |
---|---|
Web Service—Axis/WSS4J | Perform the following steps: |
Web Service Client—Oracle WSM 11g | Perform the steps described in the following sections. |
The following sections describe how to implement SAML token (sender vouches) over SSL, describing the following interoperability scenarios:
"SAML Token (Sender Vouches) Over SSL—Axis and WSS4J Client —> Oracle WSM 11g Web Service"
"SAML Token (Sender Vouches) Over SSL—Oracle WSM 11g Client —> Axis and WSS4J Web Service"
Perform the steps described in the following table.
Table 7-8 SAML (Sender Vouches) Over SSL—Axis and WSS4J Client —> Oracle WSM 11g Web Service
Component | Steps |
---|---|
Web Service—Oracle WSM 11g | Perform the following steps: |
Web Service Client—Axis and WSS4J | Perform the following steps: |
Perform the steps described in the following table.
Table 7-9 SAML (Sender Vouches) Over SSL—Oracle WSM 11g Client —> Axis and WSS4J Web Service
Component | Steps |
---|---|
Web Service—Axis/WSS4J | Perform the following steps: |
Web Service Client—Oracle WSM 11g | Perform the steps described in the following sections. |