Sun Java System Application Server Enterprise Edition 8 2004Q4 XML and Web Services Security Guide 


Configuring The Application Server for Web Services Security

Message security enables a server to perform end-to-end authentication of web service invocations and responses at the message layer. The Application Server provides default SOAP message security providers, which are configurable. A message security configuration for a given message layer can contain several message security providers. The message security providers provide information such as the type of authentication that is required for the request and response messages. The types of authentication that are supported include the following:

Two message security providers are included with this release. The default message security configuration is configured for authentication for the SOAP layer. This default configuration includes a default ClientProvider and a default ServerProvider.

To enable Web services security, you must enable the providers as discussed in the following steps:

The policies for the Application Server and the application client must "match", meaning that they must be configured exactly the same.

Enable the Default Providers for the Application Server

After you enable the default providers for message security, you also need to enable the providers used by your clients, or the Application Server will reject your requests. Enabling the providers used by clients is discussed in Enable Default Client Provider in the Application Client.

To enable the default client and server providers for the Application Server, follow the steps in either Using the Admin Console or Using the asadmin tool.

Using the Admin Console

To enable the default client and server providers for the Application Server using the Admin Console, follow these steps:

  1. Start the Application Server.
  2. Start the Admin Console by entering the following URL in a browser window:
  3. In the Admin Console tree component, expand the Configurations node.
  4. Select the instance you want to configure:
    1. To configure a particular instance, select the instance’s config node. For example, for the default instance, server, select the server-config node.
    2. To configure the default settings for all instances, select the default-config node.
  5. Expand the Security node.
  6. Expand the Message Security node.
  7. Select the SOAP node.
  8. Select the Message Security tab for that node.
  9. On the Edit Message Security Configuration page, modify the following optional properties, as needed:
    • Default Provider – The identity of the server provider to be invoked for any application for which a specific server provider has not been bound. You would generally select the pre-defined ServerProvider for this field.
    • Default Client Provider – The identity of the client provider to be invoked for any application for which a specific client provider has not been bound. You would generally select the pre-defined ClientProvider for this field.
  10. Click Save.

Using the asadmin tool

To enable the default client and server providers in the Application Server using the asadmin tool, enter the following asadmin commands at a terminal window or command prompt. These commands assume that the install_dir/bin directory is in your path, or that these commands are run from the install_dir/bin directory.

To set the default server provider, enter this asadmin command:

asadmin set --user <admin-user> --port <admin-port> server-config.security-service.message-security-config.SOAP.default_provider=ServerProvider

To set the default client provider, enter this asadmin command:

asadmin set --user <admin-user> --port <admin-port> server-config.security-service.message-security-config.SOAP.default_client_provider=ClientProvider

Enable Default Client Provider in the Application Client

To enable message security for client applications, modify the file install_dir/domains/domain_dir/config/sun-acc.xml. This file contains the Sun Java System Application Server-specific configuration for the application client container.

To enable a default client provider in the application client, follow these steps:

  1. Stop the Application Server.
  2. In a text editor, open the Sun application client container descriptor, sun-acc.xml, which is located in the directory install_dir/domains/domain_dir/config/.
  3. Add the text in bold to the file to enable the default client provider in the application client. The other code is provided to show where the code to enable message security for client applications should be located. The code that is not in bold may differ slightly in your installation; do not change the text that is not in bold.
  4. <client-container>
       <target-server name="<your_host>" address="<your_host>" port="<your_port>"/>
       <log-service file="" level="WARNING"/>
       <message-security-config auth-layer="SOAP" default-client-provider="ClientProvider">
         <provider-config class-name="com.sun.xml.wss.provider.ClientSecurityAuthModule"
             provider-id="ClientProvider" provider-type="client">
           <request-policy auth-source="sender"/>
           <response-policy/>
           <property name="security.config" value="C:/Sun/AppServer/lib/appclient/wss-client-config.xml"/>
         </provider-config>
       </message-security-config>
     </client-container>

  5. Restart the Application Server.
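
The following check is an added example, not part of the original guide or of the Application Server: it parses a sun-acc.xml and reports whether the SOAP layer names a default client provider that resolves to a client-type provider-config with a policy set. The sample descriptor is constructed from the fragment above; the function name check_client_message_security and the host, port and path values are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample based on the sun-acc.xml fragment above; host, port and
# the security.config path are placeholder values, not from a real install.
SAMPLE_ACC = """<client-container>
  <target-server name="localhost" address="localhost" port="3700"/>
  <log-service file="" level="WARNING"/>
  <message-security-config auth-layer="SOAP" default-client-provider="ClientProvider">
    <provider-config class-name="com.sun.xml.wss.provider.ClientSecurityAuthModule"
                     provider-id="ClientProvider" provider-type="client">
      <request-policy auth-source="sender"/>
      <response-policy/>
      <property name="security.config" value="/path/to/wss-client-config.xml"/>
    </provider-config>
  </message-security-config>
</client-container>"""


def check_client_message_security(xml_text, layer="SOAP"):
    """Return a list of findings; an empty list means the default client
    provider for the layer is set and resolves to a usable provider-config."""
    root = ET.fromstring(xml_text)
    configs = [c for c in root.iter("message-security-config")
               if c.get("auth-layer") == layer]
    if not configs:
        return [f"no message-security-config for layer {layer}"]
    findings = []
    for cfg in configs:
        default_id = cfg.get("default-client-provider")
        if not default_id:
            findings.append("default-client-provider is not set")
            continue
        providers = {p.get("provider-id"): p for p in cfg.findall("provider-config")}
        prov = providers.get(default_id)
        if prov is None:
            findings.append(f"default-client-provider '{default_id}' has no provider-config")
            continue
        # Assumption: the descriptor also allows a combined "client-server" type.
        if prov.get("provider-type") not in ("client", "client-server"):
            findings.append(f"provider '{default_id}' is not a client provider")
        req, resp = prov.find("request-policy"), prov.find("response-policy")
        if (req is None or not req.attrib) and (resp is None or not resp.attrib):
            findings.append(f"provider '{default_id}' sets no request or response policy")
    return findings


if __name__ == "__main__":
    print(check_client_message_security(SAMPLE_ACC) or "default client provider enabled")
```

Running the same function against each client's sun-acc.xml after a configuration change shows which clients would send unsecured requests that the server then rejects.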




Copyright 2004 Sun Microsystems, Inc. All rights reserved.