Exit Print View

Sun GlassFish Enterprise Server v3 Administration Guide

  This Document Entire Library
Print View Previous Next

Document Information

Preface

1.  Overview of Enterprise Server Administration

Default Settings and Locations

Configuration Tasks

Administration Tools

Instructions for Administering Enterprise Server

Part I Runtime Administration

2.  General Administration

3.  Administering Domains

4.  Administering the Virtual Machine for the Java Platform

5.  Administering Thread Pools

6.  Administering Web Applications

7.  Administering the Logging Service

8.  Administering the Monitoring Service

9.  Administering Life Cycle Modules

10.  Extending Enterprise Server

Part II Security Administration

11.  Administering System Security

12.  Administering User Security

13.  Administering Message Security

About Message Security in Enterprise Server

Security Tokens and Security Mechanisms

Authentication Providers

Message Protection Policies

Application-Specific Web Services Security

Message Security Administration

Message Security Tasks

Message Security Roles

Sample Application for Web Services

Enabling Default Message Security Providers for Web Services

To Enable a Default Server Provider

To Enable a Default Client Provider

Configuring Message Protection Policies

Message Protection Policy Mapping

To Configure the Message Protection Policies for a Provider

Setting the Request and Response Policy for the Application Client Configuration

Administering Non-default Message Security Providers

To Create a Message Security Provider

To List Message Security Providers

To Update a Message Security Provider

To Delete a Message Security Provider

Enabling Message Security for Application Clients

Additional Information About Message Security

Part III Resources and Services Administration

14.  Administering Database Connectivity

15.  Administering EIS Connectivity

16.  Administering Internet Connectivity

17.  Administering the Object Request Broker (ORB)

18.  Administering the JavaMail Service

19.  Administering the Java Message Service (JMS)

20.  Administering the Java Naming and Directory Interface (JNDI) Service

21.  Administering Transactions

Part IV Appendixes

A.  Subcommands for the asadmin Utility

Index

Configuring Message Protection Policies

Message protection policies are defined for request message processing and response message processing. The policies are expressed in terms of requirements for source and/or recipient authentication. The providers apply specific message security mechanisms to cause the message protection policies to be realized in the context of SOAP web services messages.

The following topics are addressed here:

Message Protection Policy Mapping

The following table shows message protection policy configurations and the resulting message security operations performed by the WS-Security SOAP message security providers for that configuration.

Message Protection Policy Mapping to WS-Security SOAP Operations
Message Protection Policy
Resulting WS-Security SOAP message protection operations
auth-source="sender"
The message contains a wsse:Security header that contains a wsse:UsernameToken (with password).
auth-source="content"
The content of the SOAP message Body is signed. The message contains a wsse:Security header that contains the message Body signature represented as a ds:Signature.
auth-source="sender"

auth-recipient="before-content"

OR

auth-recipient="after-content"
The content of the SOAP message Body is encrypted and replaced with the resulting xend:EncryptedData. The message contains a wsse:Security header that contains a wsse:UsernameToken (with password) and an xenc:EncryptedKey. The xenc:EncryptedKey contains the key used to encrypt the SOAP message body. The key is encrypted in the public key of the recipient.
auth-source="content"

auth-recipient="before-content"
The content of the SOAP message Body is encrypted and replaced with the resulting xend:EncryptedData. The xenc:EncryptedData is signed. The message contains a wsse:Security header that contains an xenc:EncryptedKey and a ds:Signature. The xenc:EncryptedKey contains the key used to encrypt the SOAP message body. The key is encrypted in the public key of the recipient.
auth-source="content"

auth-recipient="after-content"
The content of the SOAP message Body is signed, then encrypted, and then replaced with the resulting xend:EncryptedData. The message contains a wsse:Security header that contains an xenc:EncryptedKey and a ds:Signature. The xenc:EncryptedKey contains the key used to encrypt the SOAP message body. The key is encrypted in the public key of the recipient.
auth-recipient="before-content"

OR

auth-recipient="after-content"
The content of the SOAP message Body is encrypted and replaced with the resulting xend:EncryptedData. The message contains a wsse:Security header that contains an xenc:EncryptedKey. The xenc:EncryptedKey contains the key used to encrypt the SOAP message body. The key is encrypted in the public key of the recipient.
No policy specified.
No security operations are performed by the modules.

To Configure the Message Protection Policies for a Provider

Typically, you would not reconfigure a provider. However, if needed for your situation, you can modify a provider's message protection policies by changing provider type, implementation class, and provider-specific configuration properties. To understand the results of different combinations, see Table 13-1.

Use the set(1) subcommand to set the response policy, then replace the word request in the following commands with the word response.

  1. Add a request policy to the client and set the authentication source by using the set(1) subcommand.

    For example:

    asadmin> set server-config.security-service.message-security-config.SOAP. provider-config.ClientProvider.request-policy.auth_source=[sender | content]

  2. Add a request policy to the server and set the authentication source by using the set subcommand.

    For example:

    asadmin> set server-config.security-service.message-security-config.SOAP. provider-config.ServerProvider.request-policy.auth_source=[sender | content]

  3. Add a request policy to the client and set the authentication recipient by using the set subcommand:

    For example:

    asadmin> set server-config.security-service.message-security-config.SOAP. provider-config.ClientProvider.request-policy.auth_recipient=[before-content | after-content]

  4. Add a request policy to the server and set the authentication recipient by using the set subcommand:

    For example:

    asadmin> set server-config.security-service.message-security-config.SOAP. provider-config.ServerProvider.request-policy.auth_recipient=[before-content | after-content]

Setting the Request and Response Policy for the Application Client Configuration

The request and response policies define the authentication policy requirements associated with request and response processing performed by the authentication provider. Policies are expressed in message sender order such that a requirement that encryption occur after content would mean that the message receiver would expect to decrypt the message before validating the signature.

To achieve message security, the request and response policies must be enabled on both the server and client. When configuring the policies on the client and server, make sure that the client policy matches the server policy for request/response protection at application-level message binding.

To set the request policy for the application client configuration, modify the Enterprise Server–specific configuration for the application client container as described in Enabling Message Security for Application Clients.

Message Security Policy Setting for Application Clients

In the application client configuration file, the request-policy and response-policy elements are used to set the request policy, as shown in the following code snippet. (Additional code in the snippet is provided as illustration and might differ slightly in your installation. Do not change the additional code.)

<client-container>
  <target-server name="your-host" address="your-host"
      port="your-port"/>
  <log-service file="" level="WARNING"/>
  <message-security-config auth-layer="SOAP"
      default-client-provider="ClientProvider">
    <provider-config
        class-name="com.sun.enterprise.security.jauth.ClientAuthModule"
        provider-id="ClientProvider" provider-type="client">
      <request-policy auth-source="sender | content"
        auth-recipient="after-content | before-content"/>
      <response-policy auth-source="sender | content"
        auth-recipient="after-content | before-content"/>
       <property name="security.config"
           value="as-install/lib/appclient/wss-client-config.xml"/>
    </provider-config>
  </message-security-config>
</client-container>

Valid values for auth-source include sender and content. Valid values for auth-recipient include before-content and after-content. A table describing the results of various combinations of these values can be found in Configuring Message Protection Policies.

To not specify a request or response policy, leave the element blank, for example:

<response-policy/>
Copyright © 2010, Oracle and/or its affiliates. All rights reserved. Legal Notices
Previous Next