Sun Java System Application Server Enterprise Edition 8 2004Q4 XML and Web Services Security Guide
Application-Specific Message Protection
When the Application Server provider configuration is insufficient for your security needs, and you want to override the default protection, you can apply application-specific message security to a Web service.
Application-specific security is implemented by adding the message security binding to the Web service endpoint, whether it is an EJB or servlet Web service endpoint. Modify Sun-specific XML files to add the message binding information.
For more details on message security binding for EJB Web services, servlet Web services, and clients, refer to the DTDs in the directory install_dir\lib\dtds.
This section contains the following topics:
- Using a Signature to Enable Message Protection for All Methods
- Using a Digital Signature to Enable Message Protection for a Specific Method
Using a Signature to Enable Message Protection for All Methods
To enable message protection for all methods using a digital signature, update the message-security-binding element for the EJB Web service endpoint in the application’s sun-ejb-jar.xml file. In this file, add request-protection and response-protection elements, which are analogous to the request-policy and response-policy elements in the server/client configuration. To apply the same protection mechanisms to all methods, leave the method-name element blank. The section Using a Digital Signature to Enable Message Protection for a Specific Method discusses listing specific methods or using wildcard characters.
This section uses the sample application discussed in Understanding and Running the Example Application to apply application-level message security in order to show only the differences necessary for protecting Web services using various mechanisms.
To enable message protection for all methods using a digital signature, covering both requests and responses, follow these steps.
- In a text editor, open the application’s sun-ejb-jar.xml file. For the xms example, this file is located in the directory install_dir\samples\webservices\security\ejb\apps\xms\xms-ejb\src\conf.
- Modify the sun-ejb-jar.xml file by adding the message-security-binding element (highlighted in bold in the original) inside the webservice-endpoint element:
<sun-ejb-jar>
  <enterprise-beans>
    <unique-id>1</unique-id>
    <ejb>
      <ejb-name>HelloWorld</ejb-name>
      <jndi-name>HelloWorld</jndi-name>
      <webservice-endpoint>
        <port-component-name>HelloIF</port-component-name>
        <endpoint-address-uri>service/HelloWorld</endpoint-address-uri>
        <message-security-binding auth-layer="SOAP">
          <message-security>
            <request-protection auth-source="content"/>
            <response-protection auth-source="content"/>
          </message-security>
        </message-security-binding>
      </webservice-endpoint>
    </ejb>
  </enterprise-beans>
</sun-ejb-jar>
- Compile, deploy, and run the application as described in Running the Sample Application.
Using a Digital Signature to Enable Message Protection for a Specific Method
To enable message protection for a specific method, or for a set of methods that can be identified using a wildcard value, follow these steps.
This section uses the sample application discussed in Understanding and Running the Example Application to apply application-level message security in order to show only the differences necessary for protecting Web services using various mechanisms.
To enable message protection for a particular method or set of methods using a digital signature, follow these steps.
- In a text editor, open the application’s sun-ejb-jar.xml file. For the xms example, this file is located in the directory install_dir\samples\webservices\security\ejb\apps\xms\xms-ejb\src\conf.
- Modify the sun-ejb-jar.xml file by adding the message-security-binding element (highlighted in bold in the original) inside the webservice-endpoint element; each message element names a method the protection applies to:
<sun-ejb-jar>
  <enterprise-beans>
    <unique-id>1</unique-id>
    <ejb>
      <ejb-name>HelloWorld</ejb-name>
      <jndi-name>HelloWorld</jndi-name>
      <webservice-endpoint>
        <port-component-name>HelloIF</port-component-name>
        <endpoint-address-uri>service/HelloWorld</endpoint-address-uri>
        <message-security-binding auth-layer="SOAP">
          <message-security>
            <message>
              <java-method>
                <method-name>ejbCreate</method-name>
              </java-method>
            </message>
            <message>
              <java-method>
                <method-name>sayHello</method-name>
              </java-method>
            </message>
            <request-protection auth-source="content"/>
            <response-protection auth-source="content"/>
          </message-security>
        </message-security-binding>
      </webservice-endpoint>
    </ejb>
  </enterprise-beans>
</sun-ejb-jar>
- Compile, deploy, and run the application as described in Running the Sample Application.
This example authenticates the source of the content of both the request and response messages for the named methods. In this release, client support for per-method policies is limited, because the client security runtime has no way to know which method it is invoking at the point where it must select the applicable policy. A bug has been filed for this.
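Because a missing request-protection or response-protection element silently leaves an endpoint (or a method) unsigned, it is worth checking deployment descriptors before deploying. The following script is an added example, not part of this guide or of the Application Server; it parses the message-security-binding structure shown in both procedures above and reports, per endpoint, which methods each policy covers (an empty method list means all methods) and which endpoints lack protection on both request and response. The sample descriptor is constructed for the demo.

```python
# Added example (not from the guide): audit sun-ejb-jar.xml for SOAP message
# protection. Walks webservice-endpoint -> message-security-binding ->
# message-security and reports what each policy covers.
import xml.etree.ElementTree as ET

# Constructed sample: one endpoint protected for a single method, one with
# no message-security-binding at all.
SAMPLE = """<sun-ejb-jar>
  <enterprise-beans>
    <ejb>
      <ejb-name>HelloWorld</ejb-name>
      <webservice-endpoint>
        <port-component-name>HelloIF</port-component-name>
        <message-security-binding auth-layer="SOAP">
          <message-security>
            <message><java-method><method-name>sayHello</method-name></java-method></message>
            <request-protection auth-source="content"/>
            <response-protection auth-source="content"/>
          </message-security>
        </message-security-binding>
      </webservice-endpoint>
    </ejb>
    <ejb>
      <ejb-name>Open</ejb-name>
      <webservice-endpoint>
        <port-component-name>OpenIF</port-component-name>
      </webservice-endpoint>
    </ejb>
  </enterprise-beans>
</sun-ejb-jar>"""


def audit(xml_text):
    """Map each endpoint's port-component-name to a list of policies.
    Each policy is (methods, request auth-source, response auth-source);
    an empty methods tuple means the policy applies to every method."""
    root = ET.fromstring(xml_text)
    report = {}
    for ep in root.iter("webservice-endpoint"):
        policies = []
        for ms in ep.iter("message-security"):
            # Blank method-name elements are treated as "all methods".
            methods = tuple(m.text.strip() for m in ms.iter("method-name")
                            if m.text and m.text.strip())
            req = ms.find("request-protection")
            resp = ms.find("response-protection")
            policies.append((methods,
                             None if req is None else req.get("auth-source"),
                             None if resp is None else resp.get("auth-source")))
        report[ep.findtext("port-component-name")] = policies
    return report


def unprotected(report):
    """Endpoints with no policy that protects both request and response."""
    return sorted(n for n, ps in report.items() if not any(r and s for _, r, s in ps))
```

Run it over a real descriptor with `audit(open("sun-ejb-jar.xml").read())`; any name returned by `unprotected` is an endpoint whose SOAP messages are not authenticated by this binding.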