Sun GlassFish Enterprise Server 2.1 Developer's Guide

Application-Specific Message Protection

When the configuration provided by the Enterprise Server is insufficient for your security needs, and you want to override the default protection, you can apply application-specific message security to a web service.

Application-specific security is implemented by adding the message security binding to the web service endpoint, whether it is an EJB or servlet web service endpoint. Modify Sun-specific XML files to add the message binding information.

Message security can also be specified using a WSIT security policy in the WSDL file. For details, see the WSIT page at https://wsit.dev.java.net/.

For more information about message security providers, see Message Security Providers.

For more details on message security binding for EJB web services, servlet web services, and clients, see the XML file descriptions in Appendix A, Deployment Descriptor Files, in Sun GlassFish Enterprise Server 2.1 Application Deployment Guide.

This section contains the following topics:

Using a Signature to Enable Message Protection for All Methods

Configuring Message Protection for a Specific Method Based on Digital Signatures

Using a Signature to Enable Message Protection for All Methods

To enable message protection for all methods using digital signature, update the message-security-binding element for the EJB web service endpoint in the application’s sun-ejb-jar.xml file. In this file, add request-protection and response-protection elements, which are analogous to the request-policy and response-policy elements discussed in Chapter 10, Configuring Message Security, in Sun GlassFish Enterprise Server 2.1 Administration Guide. To apply the same protection mechanisms for all methods, leave the method-name element blank. Configuring Message Protection for a Specific Method Based on Digital Signatures discusses listing specific methods or using wildcard characters.

This section applies application-level message security to the sample application discussed in Understanding and Running the Sample Application, showing only the differences needed to protect web services with the various mechanisms.

Procedure: To Enable Message Protection for All Methods Using Digital Signature

  1. In a text editor, open the application’s sun-ejb-jar.xml file.

    For the xms example, this file is located in the directory app-dir/xms-ejb/src/conf, where app-dir is defined in To Set Up the Sample Application.

  2. Modify the sun-ejb-jar.xml file by adding the message-security-binding element as shown:

    <sun-ejb-jar>
      <enterprise-beans>
        <unique-id>1</unique-id>
        <ejb>
          <ejb-name>HelloWorld</ejb-name>
          <jndi-name>HelloWorld</jndi-name>
          <webservice-endpoint>
            <port-component-name>HelloIF</port-component-name>
            <endpoint-address-uri>service/HelloWorld</endpoint-address-uri>
            <message-security-binding auth-layer="SOAP">
              <message-security>
                <request-protection auth-source="content"/>
                <response-protection auth-source="content"/>
              </message-security>
            </message-security-binding>
          </webservice-endpoint>
        </ejb>
      </enterprise-beans>
    </sun-ejb-jar>

  3. Compile, deploy, and run the application as described in To Run the Sample Application.

Configuring Message Protection for a Specific Method Based on Digital Signatures

To enable message protection for a specific method, or for a set of methods that can be identified using a wildcard value, follow these steps. As in the example discussed in Using a Signature to Enable Message Protection for All Methods, to enable message protection for a specific method, update the message-security-binding element for the EJB web service endpoint in the application’s sun-ejb-jar.xml file. To this file, add request-protection and response-protection elements, which are analogous to the request-policy and response-policy elements discussed in Chapter 10, Configuring Message Security, in Sun GlassFish Enterprise Server 2.1 Administration Guide. The administration guide includes a table listing the set and order of security operations for different request and response policy configurations.

This section applies application-level message security to the sample application discussed in Understanding and Running the Sample Application, showing only the differences needed to protect web services with the various mechanisms.

Procedure: To Enable Message Protection for a Particular Method or Set of Methods Using Digital Signature

  1. In a text editor, open the application’s sun-ejb-jar.xml file.

    For the xms example, this file is located in the directory app-dir/xms-ejb/src/conf, where app-dir is defined in To Set Up the Sample Application.

  2. Modify the sun-ejb-jar.xml file by adding the message-security-binding element as shown:

    <sun-ejb-jar>
      <enterprise-beans>
        <unique-id>1</unique-id>
        <ejb>
          <ejb-name>HelloWorld</ejb-name>
          <jndi-name>HelloWorld</jndi-name>
          <webservice-endpoint>
            <port-component-name>HelloIF</port-component-name>
            <endpoint-address-uri>service/HelloWorld</endpoint-address-uri>
            <message-security-binding auth-layer="SOAP">
              <message-security>
                <message>
                  <java-method>
                    <method-name>ejbCreate</method-name>
                  </java-method>
                </message>
                <message>
                  <java-method>
                    <method-name>sayHello</method-name>
                  </java-method>
                </message>
                <request-protection auth-source="content"/>
                <response-protection auth-source="content"/>
              </message-security>
            </message-security-binding>
          </webservice-endpoint>
        </ejb>
      </enterprise-beans>
    </sun-ejb-jar>

  3. Compile, deploy, and run the application as described in To Run the Sample Application.
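To confirm that the binding added in either procedure above (all methods, or a named set of methods) actually covers the endpoints you intended before you deploy, the following script is an added example; it is not code from this guide or from GlassFish. It parses a sun-ejb-jar.xml descriptor with Python's standard xml.etree module and reports, for each webservice-endpoint, the auth-source of its request and response protection, the methods the binding covers (no message element, or a blank method-name, is reported as all methods; wildcard method names are passed through as written), and anything that is missing. The descriptor embedded in the script is constructed for the example, and its ejb names and the "(all methods)" marker are the script's own, not values from the guide.

```python
"""Audit message-security-binding settings in a sun-ejb-jar.xml descriptor.

Added example (not code from the GlassFish guide or server): for each
webservice-endpoint, report request/response protection and covered methods.
"""
import xml.etree.ElementTree as ET

# Constructed sample descriptor mirroring the guide's layout: one endpoint bound
# to a named method, one bound to all methods (blank method-name) but lacking
# response-protection, and one with no binding at all (server default applies).
SAMPLE_DESCRIPTOR = """<sun-ejb-jar>
  <enterprise-beans>
    <unique-id>1</unique-id>
    <ejb>
      <ejb-name>HelloWorld</ejb-name>
      <webservice-endpoint>
        <port-component-name>HelloIF</port-component-name>
        <message-security-binding auth-layer="SOAP">
          <message-security>
            <message><java-method><method-name>sayHello</method-name></java-method></message>
            <request-protection auth-source="content"/>
            <response-protection auth-source="content"/>
          </message-security>
        </message-security-binding>
      </webservice-endpoint>
    </ejb>
    <ejb>
      <ejb-name>Audit</ejb-name>
      <webservice-endpoint>
        <port-component-name>AuditIF</port-component-name>
        <message-security-binding auth-layer="SOAP">
          <message-security>
            <message><java-method><method-name></method-name></java-method></message>
            <request-protection auth-source="content"/>
          </message-security>
        </message-security-binding>
      </webservice-endpoint>
    </ejb>
    <ejb>
      <ejb-name>Legacy</ejb-name>
      <webservice-endpoint>
        <port-component-name>LegacyIF</port-component-name>
      </webservice-endpoint>
    </ejb>
  </enterprise-beans>
</sun-ejb-jar>
"""

ALL_METHODS = "(all methods)"  # marker used by this script, not a descriptor value


def audit_descriptor(xml_text):
    """Return one finding dict per webservice-endpoint, in document order."""
    root = ET.fromstring(xml_text)
    findings = []
    for ejb in root.iter("ejb"):
        for endpoint in ejb.findall("webservice-endpoint"):
            finding = {
                "ejb": ejb.findtext("ejb-name", default="?"),
                "port": endpoint.findtext("port-component-name", default="?"),
                "request": None,   # auth-source of request-protection, if present
                "response": None,  # auth-source of response-protection, if present
                "methods": [],
                "issues": [],
            }
            binding = endpoint.find("message-security-binding")
            if binding is None:
                finding["issues"].append("no message-security-binding (server default applies)")
            else:
                if binding.get("auth-layer") != "SOAP":
                    finding["issues"].append("auth-layer is not SOAP")
                for ms in binding.findall("message-security"):
                    # Named methods come from <message>/<java-method>/<method-name>;
                    # no <message> element, or a blank method-name, means every method.
                    names = [m.text.strip() for m in ms.iter("method-name")
                             if m.text and m.text.strip()]
                    finding["methods"].extend(names or [ALL_METHODS])
                    req = ms.find("request-protection")
                    resp = ms.find("response-protection")
                    finding["request"] = None if req is None else req.get("auth-source")
                    finding["response"] = None if resp is None else resp.get("auth-source")
                    if req is None:
                        finding["issues"].append("request-protection missing")
                    if resp is None:
                        finding["issues"].append("response-protection missing")
            findings.append(finding)
    return findings


def report(findings):
    """Print one line per endpoint; return True only if nothing was flagged."""
    clean = True
    for f in findings:
        status = "OK" if not f["issues"] else "; ".join(f["issues"])
        clean = clean and not f["issues"]
        print(f'{f["ejb"]}/{f["port"]}: request={f["request"]} response={f["response"]} '
              f'methods={f["methods"] or "-"} -> {status}')
    return clean


if __name__ == "__main__":
    report(audit_descriptor(SAMPLE_DESCRIPTOR))
```

Run it against the application's own sun-ejb-jar.xml by reading that file instead of SAMPLE_DESCRIPTOR; an endpoint with no binding is reported rather than silently inheriting the server default, and a binding that names methods is listed so a method left out of the message elements is visible at a glance.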