The Web Service Provider may provide for one of the various mechanisms to intercept and handle the incoming web service SOAP message in order to enforce security on the web service invocation.
This task involves both the server-side and client-side configuration as documented in the following sections.
Configuring the Server to Secure Web Services Access involves copying Agent registration artifacts, and adding the Access Manager JAAS-compliant Login Module for Web Service security to the JBoss Server login-configuration file.
You can use either the agent configured in previous steps or a new agent. To use a new agent you must copy the ObAccessClient.xml from the /agent directory on the JBoss host, to another directory on this host.
No specific details are provided for configuring or deploying a Web Service because any of several frameworks can be used to create a Web Service. The provider of the Web Services deployed on the JBoss Container should adhere to the following guidelines in general:
Include functionality to look for specific headers injected by the client order to retrieve the OAM SSO token.
Use the OAM JAAS Login Module to validate the OAM SSO token
If any EJB Session Beans are exposed as Web Services, the JBoss-specific JAAS Login Module
ClientLoginModule must be used to propagate the OAM token to the EJB container.
Use the following procedure to configure the server to secure Web Services access.
Existing Agent: From its location on the JBoss host to another directory on the Agent host.
New Agent: From $MW_HOME/middleware/user_projects/domains/base_domain/output/agent_name to another directory on the Agent host.
The .wsdd file is generated when the WS stubs are created (and is located inside the application's WEB-INF folder).
<application-policy name="WSRealm"> <authentication> <login-module code="oracle.security.am.agent.common.jaas.login.OAMLoginModule" flag="required"> <module-option name="loginType">tokenBased</module-option> <module-option name="configPath">D:/agentconfig</module-option> <module-option name="rolesParam">OAM_GROUPS</module-option> <module-option name="publicAuthnResourceName">/Authen/Basic</module-option> <module-option name="publicAuthzResourceName">/Authen/SSOToken</module-option> </login-module> </authentication> </application-policy>
JBoss_install_dir\bin\run –b 0.0.0.0
You can configure user authentication with the OAM Server and then create a security header element, containing the SSO token, for the SOAP message.
Ideally, this step is performed before invoking a Web Service method, which means that this code must be added in the client code while invoking the Web Service.