In message security, the security information is inserted into the messages themselves, so it travels with each message through the networking layers and reaches the message destination.
This section describes the following topics:

- Actions of Request and Response Policy Configurations
- To configure other security facilities
- Security Enhancements to server.xml
- Security Enhancements to sun-web.xml
The following table shows each message protection policy configuration and the resulting message security operations performed by the WS-Security SOAP message security providers for that configuration.

Table 8–1 Message Protection Policy Configuration

| Message Protection Policy | Resulting WS-Security SOAP Message Protection Operation |
|---|---|
| auth-source="sender" | The message contains a wsse:Security header that contains a wsse:UsernameToken with password. |
| auth-source="content" | The content of the SOAP message body is signed. The message contains a wsse:Security header that contains the message body signature represented as a ds:Signature. |
| auth-source="sender" auth-recipient="before-content" OR auth-recipient="after-content" | The content of the SOAP message body is encrypted and replaced with the resulting xenc:EncryptedData. The message contains a wsse:Security header that contains a wsse:UsernameToken with password and an xenc:EncryptedKey. The xenc:EncryptedKey contains the key used to encrypt the SOAP message body. The key is encrypted in the public key of the recipient. |
| auth-source="content" auth-recipient="before-content" | The content of the SOAP message body is encrypted and replaced with the resulting xenc:EncryptedData. The xenc:EncryptedData is signed. The message contains a wsse:Security header that contains an xenc:EncryptedKey and a ds:Signature. The xenc:EncryptedKey contains the key used to encrypt the SOAP message body. The key is encrypted in the public key of the recipient. |
| auth-source="content" auth-recipient="after-content" | The content of the SOAP message body is signed, then encrypted, and then replaced with the resulting xenc:EncryptedData. The message contains a wsse:Security header that contains an xenc:EncryptedKey and a ds:Signature. The xenc:EncryptedKey contains the key used to encrypt the SOAP message body. The key is encrypted in the public key of the recipient. |
| auth-recipient="before-content" OR auth-recipient="after-content" | The content of the SOAP message body is encrypted and replaced with the resulting xenc:EncryptedData. The message contains a wsse:Security header that contains an xenc:EncryptedKey. The xenc:EncryptedKey contains the key used to encrypt the SOAP message body. The key is encrypted in the public key of the recipient. |
| No policy specified | No security operations are performed by the modules. |
The Web Server implements message security using message security providers integrated in its SOAP processing layer. The message security providers depend on other security facilities of Web Server.
- If using a username token, configure a user database, if necessary. When using a username and password token, an appropriate realm must be configured and an appropriate user database must be configured for that realm.
- Manage certificates and private keys, if necessary.

After configuring the Web Server facilities for use by message security providers as described in Managing Certificates in Sun Java System Web Server 7.0 Administrator’s Guide.
The server element in server.xml contains one or more soap-auth-provider elements, each of which contains the configuration of one SOAP message security provider. The server element also includes a default-soap-auth-provider-name that names the default SOAP message-level authentication provider.

See Chapter 3, Elements in server.xml, in Sun Java System Web Server 7.0 Administrator’s Configuration File Reference for more information.

Administration Command-Line Interface (CLI) support is provided to add, remove, and list soap-auth-provider elements in server.xml. The CLI also supports adding a default-soap-auth-provider-name to server.xml.
Security-related additions to sun-web.xml are described in detail in the following sections.
The syntax for the webservice-endpoint element is as follows:
```dtd
<!ELEMENT webservice-endpoint (port-component-name, endpoint-address-uri?,
    (login-config|message-security-binding)?, transport-guarantee?,
    service-qname?, tie-class?, servlet-impl-class?)>
```

Table 8–2 webservice-endpoint Element

| Element Name | Occurrences | Description | Type |
|---|---|---|---|
| port-component-name | 1 | Unique name of a Web Service within a module. This name should be the same as the endpoint name in sun-jaxws.xml. | PCDATA |
| endpoint-address-uri | 0 or 1 | Unused for Web Server | PCDATA |
| login-config | 0 or 1 | Unused for Web Server | |
| message-security-binding | 0 or 1 | Used to bind a Web Service endpoint or port to a specific security provider. This element can also be used to provide a definition of message security requirements to be enforced by the security provider. | See Table 8–3 message-security-binding |
| transport-guarantee | 0 or 1 | Unused for Web Server | PCDATA |
| service-qname | 0 or 1 | Unused for Web Server | |
| tie-class | 0 or 1 | Unused for Web Server | PCDATA |
| servlet-impl-class | 0 or 1 | Unused for Web Server | Class name |
The message-security-binding element is used to bind a web service endpoint or port to a specific security provider.
The syntax for this element is as follows:
```dtd
<!ELEMENT message-security-binding (message-security*)>
<!ATTLIST message-security-binding
    auth-layer  %message-layer; #REQUIRED
    provider-id CDATA           #IMPLIED>
```

Table 8–3 message-security-binding Element

| Element name | Occurrences | Description | Type |
|---|---|---|---|
| message-security | 0 or more | Specifies the message security requirements of request and response for the endpoint or port | See Table 8–5 |

Table 8–4 Attributes of the message-security-binding Element

| Attribute name | Description | Type | Default |
|---|---|---|---|
| auth-layer | Layer at which the security should be enforced | Entity message-layer | This attribute is required. |
| provider-id | Identifies the provider-config that should be used | CDATA | If a value is not specified, then the default provider is used. If no default provider exists at the layer, the authentication requirements defined in the message-security-binding are not enforced. |
The syntax for the message-security element is as follows:
```dtd
<!ELEMENT message-security (message+, request-protection?, response-protection?)>
```

Table 8–5 message-security Element

| Element name | Occurrences | Description | Type |
|---|---|---|---|
| message | 1 or more | Describes the methods or operations to which the security requirements apply | See Table 8–6 |
| request-protection | 0 or 1 | Describes the authentication requirements applicable to a request | See Table 8–7 |
| response-protection | 0 or 1 | Describes the authentication requirements applicable to a response | See Table 8–8 |
The syntax for the message element is as follows:

```dtd
<!ELEMENT message (java-method?|operation-name?)>
```

Table 8–6 message Element

| Element name | Occurrences | Description | Type |
|---|---|---|---|
| java-method | 0 or 1 | Java method on which the security should be enforced | See Table 8–9 |
| operation-name | 0 or 1 | WSDL name of an operation of the web service | PCDATA |
The syntax for the request-protection element is as follows:

```dtd
<!ELEMENT request-protection EMPTY>
<!ATTLIST request-protection
    auth-source    (sender|content)               #IMPLIED
    auth-recipient (before-content|after-content) #IMPLIED>
```

Table 8–7 request-protection Element

| Attribute name | Description | Value | Default |
|---|---|---|---|
| auth-source | Defines a requirement for message layer sender authentication (for example, username and password) or content authentication (for example, digital signature) | sender or content | Implied |
| auth-recipient | Defines a requirement for message layer authentication of the receiver of a message to its sender (for example, by XML encryption). A before-content attribute value indicates that recipient authentication occurs before any content authentication. | before-content or after-content | Implied |
The syntax for the response-protection element is as follows:

```dtd
<!ELEMENT response-protection EMPTY>
<!ATTLIST response-protection
    auth-source    (sender|content)               #IMPLIED
    auth-recipient (before-content|after-content) #IMPLIED>
```

Table 8–8 Attributes of the response-protection Element

| Attribute name | Description | Value | Default |
|---|---|---|---|
| auth-source | Defines a requirement for message layer sender authentication (for example, username and password) or content authentication (for example, digital signature) | sender or content | Implied |
| auth-recipient | Defines a requirement for message layer authentication of the receiver of a message to its sender (for example, by XML encryption). The before-content attribute value indicates that recipient authentication occurs before any content authentication with respect to the target of the containing auth-policy. | before-content or after-content | Implied |
The syntax for the java-method element is as follows:

```dtd
<!ELEMENT java-method (method-name, method-params?)>
```

Table 8–9 java-method Element

| Element name | Occurrences | Description | Value |
|---|---|---|---|
| method-name | 1 | Name of the service method | PCDATA |
| method-params | 0 or 1 | List of the fully qualified Java type names of the method parameters. | See Table 8–10 |
The syntax for the method-params element is as follows:

```dtd
<!ELEMENT method-params (method-param*)>
```

Table 8–10 Attributes of the method-params Element

| Element name | Occurrences | Description | Value |
|---|---|---|---|
| method-param | 0 or more | Fully qualified Java type name of a method parameter | PCDATA |
The message-layer entity defines the permitted value of the auth-layer attribute.

The syntax for the message-layer entity is:

```dtd
<!ENTITY % message-layer "(SOAP)">
```
The following sun-web.xml example shows how to use the server.xml message security provider named provider1 in a web application.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Copyright 2006-2007 Sun Microsystems, Inc. All rights reserved.
     Use is subject to license terms. -->
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 8.1 Servlet 2.4//EN"
    "http://www.sun.com/software/appserver/dtds/sun-web-app_2_4-1.dtd">
<sun-web-app>
  <context-root>/jaxws-fromwsdl-soap12</context-root>
  <servlet>
    <servlet-name>fromwsdl</servlet-name>
    <webservice-endpoint>
      <port-component-name>fromwsdl-soap12</port-component-name>
      <!-- provider-id is an attribute (Table 8-4) naming a soap-auth-provider in server.xml -->
      <message-security-binding auth-layer="SOAP" provider-id="provider1">
      </message-security-binding>
    </webservice-endpoint>
  </servlet>
</sun-web-app>
```

The port-component-name element should be the same as the name attribute of the endpoint element in sun-jaxws.xml. If the provider-id attribute is not specified in sun-web.xml, then the default-soap-auth-provider-name configured in server.xml is used as the provider.
Deploy the sample web application fromwsdl-soap12.war on to the Sun Java System Web Server 7.0.
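When reviewing a deployment descriptor it helps to see, per endpoint, what Table 8–1 actually commits the provider to doing. The following script is an added example, not code from the Sun Java System Web Server documentation or product: it parses the message-security-binding structure described in Tables 8–2 through 8–10 from a constructed sun-web.xml fragment (the provider id, context root and operation names are placeholders) and reports the resulting WS-Security request and response operations, flagging message-security blocks whose request carries no protection at all.

```python
"""Added example (not from the Sun Java System Web Server docs): map the
message-security-binding policy of each webservice-endpoint in sun-web.xml to
the WS-Security operations listed in Table 8-1."""
import xml.etree.ElementTree as ET

# Constructed sample sun-web.xml (assumed for this example only). Provider id,
# context root and operation names are placeholders, not real deployment values.
SAMPLE_SUN_WEB_XML = """\
<sun-web-app>
  <context-root>/jaxws-fromwsdl-soap12</context-root>
  <servlet>
    <servlet-name>fromwsdl</servlet-name>
    <webservice-endpoint>
      <port-component-name>fromwsdl-soap12</port-component-name>
      <message-security-binding auth-layer="SOAP" provider-id="provider1">
        <message-security>
          <message><operation-name>addNumbers</operation-name></message>
          <request-protection auth-source="content" auth-recipient="after-content"/>
          <response-protection auth-source="sender"/>
        </message-security>
        <message-security>
          <message>
            <java-method>
              <method-name>ping</method-name>
              <method-params><method-param>java.lang.String</method-param></method-params>
            </java-method>
          </message>
        </message-security>
      </message-security-binding>
    </webservice-endpoint>
  </servlet>
</sun-web-app>
"""

# Table 8-1, keyed on (auth-source, auth-recipient); None means the attribute is absent.
ENCRYPT_SENDER = ("body encrypted (xenc:EncryptedData); wsse:Security carries "
                  "wsse:UsernameToken with password and xenc:EncryptedKey")
ENCRYPT_ONLY = "body encrypted (xenc:EncryptedData); wsse:Security carries xenc:EncryptedKey"
POLICY_OPERATIONS = {
    ("sender", None): "wsse:Security carries wsse:UsernameToken with password",
    ("content", None): "body signed; wsse:Security carries ds:Signature",
    ("sender", "before-content"): ENCRYPT_SENDER,
    ("sender", "after-content"): ENCRYPT_SENDER,
    ("content", "before-content"): ("body encrypted, then xenc:EncryptedData signed; "
                                    "wsse:Security carries xenc:EncryptedKey and ds:Signature"),
    ("content", "after-content"): ("body signed, then encrypted; "
                                   "wsse:Security carries xenc:EncryptedKey and ds:Signature"),
    (None, "before-content"): ENCRYPT_ONLY,
    (None, "after-content"): ENCRYPT_ONLY,
    (None, None): "no security operations performed",
}


def describe_protection(elem):
    """Map a request-protection/response-protection element (or None) to its Table 8-1 row."""
    if elem is None:
        return POLICY_OPERATIONS[(None, None)]
    key = (elem.get("auth-source"), elem.get("auth-recipient"))
    if key not in POLICY_OPERATIONS:  # value outside the DTD's enumerations
        raise ValueError(f"{elem.tag}: unsupported attribute combination {key}")
    return POLICY_OPERATIONS[key]


def message_targets(ms):
    """Render the <message> children (Table 8-6) as readable target names."""
    targets = []
    for m in ms.findall("message"):
        op = m.findtext("operation-name")
        if op:
            targets.append(f"operation {op}")
            continue
        jm = m.find("java-method")
        if jm is not None:
            params = [p.text for p in jm.findall("method-params/method-param")]
            targets.append(f"method {jm.findtext('method-name')}({', '.join(params)})")
    return targets


def analyse(xml_text):
    """One report entry per message-security block; an endpoint with no binding gets one entry."""
    root = ET.fromstring(xml_text)
    report = []
    for ep in root.iter("webservice-endpoint"):
        name = ep.findtext("port-component-name")
        binding = ep.find("message-security-binding")
        if binding is None:
            report.append({"endpoint": name, "provider": None, "targets": [],
                           "request": POLICY_OPERATIONS[(None, None)],
                           "response": POLICY_OPERATIONS[(None, None)]})
            continue
        if binding.get("auth-layer") != "SOAP":  # the only value the message-layer entity allows
            raise ValueError(f"{name}: auth-layer must be SOAP")
        provider = binding.get("provider-id")  # None: default-soap-auth-provider-name applies
        for ms in binding.findall("message-security"):
            report.append({"endpoint": name, "provider": provider,
                           "targets": message_targets(ms),
                           "request": describe_protection(ms.find("request-protection")),
                           "response": describe_protection(ms.find("response-protection"))})
    return report


def unprotected(report):
    """Entries whose requests get no protection at all: the ones to re-check in a review."""
    return [r for r in report if r["request"] == POLICY_OPERATIONS[(None, None)]]


if __name__ == "__main__":
    for entry in analyse(SAMPLE_SUN_WEB_XML):
        print(entry["endpoint"], entry["provider"], entry["targets"])
        print("  request :", entry["request"])
        print("  response:", entry["response"])
```

Run against the sample, the addNumbers operation reports a signed-then-encrypted request and a UsernameToken response, while the ping method reports no operations, which is exactly the "No policy specified" row of Table 8–1 and the case a reviewer should confirm is intentional.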