The WSIT Tutorial

Example: Transport Security (SSL)

This section describes the following tasks:

ProcedureTo Secure the Example Service Application (SSL)

The following example application starts with the example provided in Chapter 3, WSIT Example Using a Web Container and NetBeans IDE and demonstrates adding transport security to both the web service and to the web service client.

For this example, the security mechanism of Transport Security (SSL) is used to secure the application. To add security to the service part of the example, follow these steps.

  1. Create the CalculatorApplication example by following the steps described in the following sections of Chapter 3, WSIT Example Using a Web Container and NetBeans IDE:

    1. Creating a Web Service

    2. Skip the section on adding Reliable Messaging.

    3. Deploying and Testing a Web Service (first two steps only, do not run the project yet)

  2. Expand CalculatorApplication->Web Services, then right-click the node for the web service, CalculatorWS, and select Edit Web Service Attributes.

  3. Deselect Reliable Messaging if it is selected.

  4. Select Secure Service.

  5. From the drop-down list for Security Mechanism, select Transport Security (SSL).

  6. Click OK to close the WSIT Configuration dialog.

    A new file is added to the project. To view the WSIT configuration file, expand Web Pages->WEB-INF, then double-click the file

    Note –

    For Transport Security, the keystore and truststore files are configured outside of NetBeans IDE, in GlassFish. The keystore and truststore files for basic SSL come pre-configured with GlassFish, so there are no additional steps required for this configuration.

  7. To require the service to use the HTTPS protocol, you have to specify the security requirements in the service’s application deployment descriptor, which is web.xml for a web service implemented as a servlet.

    To specify the security information, follow these steps:

    1. From your web service application, expand Web Pages->WEB-INF.

    2. Double-click web.xml to open it in the editor.

    3. Select the Security tab.

    4. On the Security Constraints line, click Add Security Constraint.

    5. Under Web Resource Collection, click Add.

    6. Type a Name for the Resource, CalcWebResource. Type the URL Pattern to be protected, /*. Select which HTTP Methods to protect, for example, POST. Click OK to close this dialog.

    7. Check the Enable User Data Constraint box. Select CONFIDENTIAL as the Transport Guarantee to specify that the application uses SSL.

    8. Click the XML tab to view the resulting deployment descriptor additions.

  8. Right-click the CalculatorApplication node and select Run Project. If the server presents its certificate, s1as, accept this certificate. A browser will open and display the WSDL file for the application.

  9. Follow the steps to secure the client application as described in To Secure the Example Web Service Client Application (SSL).

ProcedureTo Secure the Example Web Service Client Application (SSL)

This section demonstrates adding security to the web service client that references the web service created in the previous section. This web service is secured using the security mechanism described in Transport Security (SSL).

To add security to the client that references this web service, complete the following steps.

  1. Create the client application by following the steps described in Creating a Client to Consume a WSIT-Enabled Web Service, with the exception that you need to specify the secure WSDL when creating the Web Service Client.

    To do this, create the client application up to the step where you create the Servlet (step 7 as of this writing) by following the steps described in Creating a Client to Consume a WSIT-Enabled Web Service, with the following exception.

    In the step where you are directed to cut and paste the URL of the web service that you want the client to consume into the WSDL URL field, type https://fully-qualified-hostname:8181/CalculatorApplication/CalculatorWSService?wsdl (changes indicated in bold) to indicate that this client should reference the web service using the secure port. The first time you access this service, accept the certificate (s1as) when you are prompted. This is the server certificate popping up to confirm its identity to the client.

    In some cases, you might get an error dialog telling you that the URL https://fully-qualified-hostname:8181/CalculatorApplication/CalculatorWSService?wsdl couldn’t be downloaded. However, this the correct URL, and it does load when you run the service. So, when this error occurs, repeat the steps that create the Web Service Client using the secure WSDL. The second time, the web service reference is created and you can continue creating the client.

    Note –

    If you prefer to use localhost in place of the fully-qualified hostname (FQHN) in this example, you must follow the steps in Transport Security (SSL) Workaround.

  2. Continue creating the client following the remainder of the instructions in Creating a Client to Consume a WSIT-Enabled Web Service.

    Note –

    Whenever you make changes on the service, refresh the client so that the client will pick up the change. To refresh the client, right-click the node for the Web Service Reference for the client, and select Refresh Client.

  3. Compile and run this application by right-clicking on the CalculatorWSServletClient node and selecting Run Project.