58.9 Configuring the Login Module to Secure Web Service Access

The Web Service provider can use any of several mechanisms to intercept the incoming SOAP message and enforce security on the web service invocation. This section describes doing so with a SOAP handler that extracts the OAM SSO token from the message and validates it through the Access Manager JAAS-compliant Login Module.

This task involves both the server-side and client-side configuration as documented in the following sections.

58.9.1 Configuring the Server to Secure Web Services Access

Configuring the Server to Secure Web Services Access involves copying Agent registration artifacts, and adding the Access Manager JAAS-compliant Login Module for Web Service security to the JBoss Server login-configuration file.

Note:

You can use either the agent configured in previous steps or a new agent. To use a new agent you must copy ObAccessClient.xml from the /agent directory on the JBoss host to another directory on this host.

No specific details are provided for configuring or deploying a Web Service because any of several frameworks can be used to create one. The provider of the Web Services deployed on the JBoss Container should in general adhere to the following guidelines:

  • Include functionality that looks for the specific headers injected by the client in order to retrieve the OAM SSO token.

  • Use the OAM JAAS Login Module to validate the OAM SSO token.

  • If any EJB Session Beans are exposed as Web Services, the JBoss-specific JAAS Login Module, ClientLoginModule, must be used to propagate the OAM token to the EJB container.

Use the following procedure to configure the server to secure Web Services access.

  1. Copy ObAccessClient.xml as follows (one or the other):
    • Existing Agent: From its location on the JBoss host to another directory on the Agent host.

    • New Agent: From $MW_HOME/middleware/user_projects/domains/base_domain/output/agent_name to another directory on the Agent host.

  2. Register the SOAP Handler with the Web Service (ideally using the .wsdd file).

    The .wsdd file is generated when the WS stubs are created (and is located inside the application's WEB-INF folder).

  3. Edit the JBoss Server login-configuration file to add an entry for the Access Manager JAAS-compliant Login Module for Web Service security, as follows. In this example, configPath is the directory into which ObAccessClient.xml was copied in step 1, and the name of the application-policy (here WSRealm) is the name the Web Service's SOAP handler passes to the JAAS LoginContext:

    JBoss_install_dir\server\default\conf\login-config.xml

    <application-policy name="WSRealm">
      <authentication>
        <login-module code="oracle.security.am.agent.common.jaas.login.OAMLoginModule"
          flag="required">
          <module-option name="loginType">tokenBased</module-option>
          <module-option name="configPath">D:/agentconfig</module-option>
          <module-option name="rolesParam">OAM_GROUPS</module-option>
          <module-option name="publicAuthnResourceName">/Authen/Basic</module-option>
          <module-option name="publicAuthzResourceName">/Authen/SSOToken</module-option>
        </login-module>
      </authentication>
    </application-policy>
    
  4. Save the JBoss Server login configuration file.
  5. Deploy the application.
  6. Start JBoss using the following command:
    JBoss_install_dir\bin\run -b 0.0.0.0

    The -b 0.0.0.0 option binds JBoss to all network interfaces so that the service is reachable by host name rather than only as localhost; restrict the bind address to the intended interface on a production host. See Configuring JBoss Server to Access a Host Name (not localhost).

  7. Proceed to Configuring the Client to Secure Web Services Access
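The following is an added example of the server-side SOAP handler referred to in step 2 and in the guidelines above; it is not code from the Oracle documentation or from the JBoss Agent. It uses the standard JAX-WS SOAPHandler API (with an Axis-based service registered through a .wsdd file, the same logic would live in an Axis handler). It assumes, because the page does not specify them, that the client sends the token as the text of an <OAMSSOToken> element in the namespace urn:example:oam, that the OAMLoginModule configured with loginType=tokenBased receives the token through a standard JAAS PasswordCallback (check the login module's documentation for the callback it actually expects), and that the resulting Subject is handed to the endpoint under the made-up context key oam.subject.

```java
// Added example, not part of the Oracle documentation or the JBoss Agent.
// Server-side JAX-WS handler: pull the OAM SSO token out of the SOAP header and
// validate it by logging in to the "WSRealm" JAAS policy from login-config.xml.
import java.util.Collections;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPHeader;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;

public class OamTokenServerHandler implements SOAPHandler<SOAPMessageContext> {

    // Assumed header element; must match what the client injects.
    static final String TOKEN_NS = "urn:example:oam";
    static final QName TOKEN_ELEMENT = new QName(TOKEN_NS, "OAMSSOToken");
    // Must match the application-policy name in login-config.xml.
    static final String JAAS_POLICY = "WSRealm";
    // Assumed context key under which the endpoint can read the authenticated Subject.
    static final String SUBJECT_KEY = "oam.subject";

    @Override
    public boolean handleMessage(SOAPMessageContext ctx) {
        boolean outbound = (Boolean) ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
        if (outbound) {
            return true;                       // only inbound requests carry a token to check
        }
        try {
            String token = extractToken(ctx.getMessage().getSOAPHeader());
            if (token == null || token.isEmpty()) {
                // A RuntimeException from a handler aborts processing and returns a SOAP fault.
                throw new SecurityException("missing OAM SSO token header");
            }
            LoginContext lc = new LoginContext(JAAS_POLICY, new TokenCallbackHandler(token));
            lc.login();                        // OAMLoginModule validates the token with OAM
            ctx.put(SUBJECT_KEY, lc.getSubject());
            ctx.setScope(SUBJECT_KEY, MessageContext.Scope.APPLICATION);
            return true;
        } catch (SOAPException | LoginException e) {
            // Fail closed; do not echo the token or OAM internals back to the caller.
            throw new SecurityException("OAM SSO token validation failed", e);
        }
    }

    // Returns the trimmed token text, or null when the header element is absent.
    static String extractToken(SOAPHeader header) {
        if (header == null) {
            return null;
        }
        Iterator<?> it = header.getChildElements(TOKEN_ELEMENT);
        if (!it.hasNext()) {
            return null;
        }
        return ((SOAPElement) it.next()).getTextContent().trim();
    }

    // Hands the token to the login module through standard JAAS callbacks
    // (assumption: tokenBased login reads the token from the PasswordCallback).
    static final class TokenCallbackHandler implements CallbackHandler {
        private final String token;

        TokenCallbackHandler(String token) {
            this.token = token;
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(token.toCharArray());
                } else if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName("");   // identity is carried by the token itself
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    // Declaring the header lets JAX-WS honour a client-side mustUnderstand on it.
    @Override public Set<QName> getHeaders() { return Collections.singleton(TOKEN_ELEMENT); }
    @Override public boolean handleFault(SOAPMessageContext ctx) { return true; }
    @Override public void close(MessageContext ctx) { }
}
```

The handler rejects any request without a valid token before the endpoint method runs, which is the property the login module configuration alone does not give you. If the endpoint goes on to call an EJB Session Bean, propagate the authenticated Subject with the JBoss ClientLoginModule as noted in the guidelines above.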

58.9.2 Configuring the Client to Secure Web Services Access

On the client you authenticate the user with the OAM Server to obtain an SSO token, and then create a security header element containing that token in the SOAP message.

This must happen before each Web Service method is invoked, so the code belongs in the client code path that invokes the Web Service.

To configure:

  1. On the WS-client: Perform user authentication with OAM Server and then create a security header element, containing the SSO token, for the SOAP message.
  2. Invoke the Web service, as usual.
  3. Proceed with "Configuring Logging for the JBoss Agent and Login Module".
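The following is an added example of the client-side step above; it is not code from the Oracle documentation or from the JBoss Agent. It assumes the SSO token has already been obtained by authenticating the user against the OAM Server (that call depends on the Access SDK in use and is not shown), that the service is called through a generated JAX-WS port, and that the server expects the token as the text of an <OAMSSOToken> element in the namespace urn:example:oam; both the element name and the namespace are assumptions that must match the server-side handler.

```java
// Added example, not part of the Oracle documentation or the JBoss Agent.
// Client-side JAX-WS handler: attach an already obtained OAM SSO token to the
// SOAP header of every outbound request.
import java.util.Collections;
import java.util.List;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPEnvelope;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPHeader;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.handler.Handler;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;

public class OamTokenClientHandler implements SOAPHandler<SOAPMessageContext> {

    // Assumed header element; must match what the server-side handler looks for.
    static final String TOKEN_NS = "urn:example:oam";
    static final QName TOKEN_ELEMENT = new QName(TOKEN_NS, "OAMSSOToken", "oam");

    private final String ssoToken;

    public OamTokenClientHandler(String ssoToken) {
        if (ssoToken == null || ssoToken.isEmpty()) {
            throw new IllegalArgumentException(
                "authenticate with the OAM Server and obtain an SSO token before invoking the service");
        }
        this.ssoToken = ssoToken;
    }

    @Override
    public boolean handleMessage(SOAPMessageContext ctx) {
        boolean outbound = (Boolean) ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
        if (!outbound) {
            return true;                        // responses are left untouched
        }
        try {
            SOAPEnvelope env = ctx.getMessage().getSOAPPart().getEnvelope();
            SOAPHeader header = env.getHeader();
            if (header == null) {
                header = env.addHeader();       // messages without a Header get one
            }
            SOAPElement tokenEl = header.addChildElement(TOKEN_ELEMENT);
            tokenEl.addTextNode(ssoToken);
            ctx.getMessage().saveChanges();
            return true;
        } catch (SOAPException e) {
            throw new RuntimeException("could not attach OAM SSO token to the request", e);
        }
    }

    // Install the handler on a generated JAX-WS port proxy. `port` is the object
    // returned by the generated Service class; `ssoToken` comes from OAM authentication.
    public static void install(Object port, String ssoToken) {
        BindingProvider bp = (BindingProvider) port;
        List<Handler> chain = bp.getBinding().getHandlerChain();   // returns a copy
        chain.add(new OamTokenClientHandler(ssoToken));
        bp.getBinding().setHandlerChain(chain);                    // so it must be set back
    }

    @Override public Set<QName> getHeaders() { return Collections.emptySet(); }
    @Override public boolean handleFault(SOAPMessageContext ctx) { return true; }
    @Override public void close(MessageContext ctx) { }
}
```

Call OamTokenClientHandler.install(port, token) once after creating the port and then invoke the service methods as usual; every request then carries the token. The SSO token is a bearer credential, so the endpoint address on the port must use HTTPS, otherwise anyone on the path can replay it against the service.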