Welcome!

Cloud Security Authors: Yeshim Deniz, Pat Romanski, Elizabeth White, Zakia Bouachraoui, Liz McMillan

Related Topics: Weblogic, Cloud Security

Weblogic: Article

WebLogic Web Services Security

WebLogic Web Services Security

Security is a priority for most of our customers. As more and more customers adopt Web services, they find a need to understand how Web services can be secured and what authentication mechanism to use. In order to keep Web services open and support multiple client types, it's necessary to understand how to handle Web-services security.

This article takes a look under the hood of WebLogic Web services security. I'll explain how WebLogic Web services can be secured, how authentication works, and how to develop clients in various programming languages to authenticate against WebLogic Web services.

WebLogic Web Service Components
Web services hosted by WebLogic Server are implemented using standard J2EE components such as EJBs and JMS, and are packaged as standard J2EE enterprise applications. WebLogic Web services use Simple Object Access Protocol (SOAP) 1.1 as the message format and HTTP 1.1 as the connection protocol.

The Web services runtime component is a set of servlets and associated infrastructure needed to create a Web service. One element of the runtime is a set of servlets that handle SOAP requests from a client. These servlets are included in the WebLogic Server distribution. Another element of the runtime is an Ant task that generates and assembles all the components of a WebLogic Web service.

WebLogic Web services are packaged as standard J2EE Enterprise applications that consist of the following specific components:

  • A Web application that contains, at a minimum, a servlet that sends and receives SOAP messages to and from the client. It's automatically included as part of the Web services development process.
  • A stateless session EJB that implements an RPC-style Web service or a JMS listener (such as a message-driven bean) for a message-style Web service.

    In an RPC-style Web service, the stateless session EJBs might do all the actual work of the Web service, or they may parcel out the work to other EJBs. The implementer of the Web service decides which EJBs do the real work. In a message-style Web service, a J2EE object (typically a message-driven bean) gets the messages from the JMS destination and processes them.

    WebLogic Web services are packaged as Enterprise archive (.ear) files that contain the Web application's Web archive (.war) files and EJB archive (.jar) files.

    Securing WebLogic Web Services
    Since WebLogic Web services are packaged as standard J2EE Enterprise applications, access to a Web service may be secured by securing some or all of the following standard J2EE components that make up the Web service:

  • The SOAP servlets
  • The stateless session EJB upon which an RPC-style Web service is based

    Basic HTTP authentication or SSL can be used to authenticate a client that is attempting to access a WebLogic Web service. Because the preceding components are standard J2EE components, they may be secured using standard J2EE security procedures.

    Securing Message-Style Web Services
    A message-style Web service may be secured by securing the SOAP servlet that handles SOAP messages between the client and the service.

    When the Web service is assembled, either manually or by using the wsgen Ant task, you reference SOAP servlets in the web.xml file of the Web application. These servlets handle the SOAP messages passed between WebLogic Server and client applications. They are always deployed on WebLogic Server and are shared by all deployed WebLogic Web services.

    The particular SOAP servlet referenced by a Web service depends on its type (RPC-style or message-style). The following list describes each SOAP servlet:

  • weblogic.soap.server.servlet.DestinationSendAdapter: Handles SOAP messages in a message-style Web service that receives data from a client application and sends it to a JMS destination
  • weblogic.soap.server.servlet.QueueReceiveAdapter: Handles SOAP messages in a message-style Web service that sends data from a JMS Queue to a client application
  • weblogic.soap.server.servlet.TopicReceiveAdapter: Handles SOAP messages in a message-style Web service that sends data from a JMS Topic to a client application
  • weblogic.soap.server.servlet.StatelessBeanAdapter: Handles SOAP messages between an RPC-style Web service and a client application

    For example, in a message-style Web service in which client applications send data to a JMS destination, the SOAP servlet that handles the SOAP messages is weblogic.soap.server.servlet.DestinationSendAdapter. The wsgen Ant task used to assemble the Web service adds the elements shown in Listing 1 to the web.xml deployment descriptor of the Web application.

    To restrict access to the DestinationSendAdapter SOAP servlet, you first define a role that is mapped to one or more principals in a security realm, then specify that the security constraint applies to this SOAP servlet by adding the following url-pattern element inside the web-resources-collection element to the web.xml deployment descriptor of the Web application:

    <url-pattern>/sendMsg</url-pattern>

    Securing an RPC-Style Web Service
    You can restrict access to an RPC-style Web service by restricting access to the stateless session EJB that implements the Web service or the SOAP servlet.

    Listings 2 and 3 show how to set up the web.xml and weblogic.xml files to secure the SOAP servlets. Make sure that the WSDL file is still accessible by the clients. To ensure that, avoid using wild-card mapping; instead secure the SOAP servlet adapter path explicitly. The listings provide an example of how to secure the account manager proxy Web service. As you can see, the role is defined in web.xml and is associated to the group in the realm.

    Web Services Clients
    In order to understand how security for Web services clients is handled, it's necessary to understand how SOAP and HTTP authentication works.

    SOAP Authentication
    Web services use the SOAP protocol, a high-level messaging protocol implemented over some underlying transport mechanism. Web services security is still an emerging field and there are extensions emerging around the SOAP specification to support security features. Currently, SOAP uses the underlying transport protocol infrastructure for authentication. So WebLogic Server SOAP indirectly uses HTTP 1.1 authentication.

    HTTP Authentication
    The method for user authentication used with HTTP is quite simple. Since HTTP is a stateless protocol - that is, the server doesn't remember any information about a request once it has finished - the browser needs to resend the username and password on each request (see Figure 1).

    On the first access to an authenticated resource, the server will return a 401 status ("Unauthorized") and include a WWW-Authenticate response header, which will indicate the realm name and which authentication scheme to use. The browser should then ask the user to enter a username and password. It then requests the same resource again, this time including an authorization header that contains the scheme name ("Basic") and the username and password entered.

    The server checks the username and password, and if they are valid, returns the page. If the password is not valid for that user, or the user is not allowed access, the server returns a 401 status as before. The browser can then ask the user to retry the username and password.

    Assuming the username and password are valid, the user might next request a protected resource. In this case, the server would respond with a 401 status, and the browser could send the request again with the user and password details. This would be slow, however, so instead the browser sends the authorization header on subsequent requests. Refer to the W3C HTTP Working Group RFC 2617 (www.w3c.org/Protocols/Specs.html) for more details on HTTP authentication.

    Client Types
    Even though the previous section focused on browser clients, the protocol is the same for any type of client. Any client that needs to access secured Web services is expected to understand this HTTP authentication protocol and implement it in order to be authenticated. This section shows how authentication information can be passed from various types of clients.

    MS Visual Basic Clients
    Microsoft provides an HTTPConnector interface for the transport layer. It uses two properties, AuthUser and AuthPassword, to pass credentials. Listing 4 is an example of invoking a secured WebLogic Web service using Visual Basic and MS SOAP Toolkit 2.0.

    AuthUser and AuthPassword should not be confused with ProxyUser and ProxyPassword. They are used to provide the credentials for the proxy server, if there are any. This authentication works the same way, except that an error number 407 is returned instead of 401.

    Java Clients
    WebLogic Server provides Java client libraries to access secured resources. Usernames and credentials are passed using "java.naming.security.principal" and "java.naming.security.credentials". Listing 5 describes how a Java client would invoke a secured WebLogic Web service using WebServiceProxy.

    JAX-RPC Clients
    JAX-RPC (Java API for XML-based remote procedure calls) is a new standard released in June 2002 that defines APIs for invoking Web services. WebLogic Server 7.0 supports JAX-RPC. The JAX-RPC interfaces "Stub" and "Call" both support the properties "javax.xml.rpc.security.auth.username" and "javax.xml.rpc.security.auth.password" with which the authentication information may be passed. You can also use the static constants Stub.USERNAME_PROPERTY and Stub.PASSWORD_PROPERTY to set the security information before making a service call (see Listing 6). The username and password may also be passed while getting the port using get<web service>port().

    MS C++ Clients
    Similarly, you can write a C/C++ client using APIs provided by the vendor. The MS SOAP toolkit may be used to write C++ clients on a Windows platform. The username and password are passed using Connector Property. Following is an example that sets the username and password.

    Connector->Property["AuthUser"] = "<UserName>";
    Connector->Property["AuthPassword"] = "<Password>";

    Conclusion
    This article discussed authentication for WebLogic Web services and securing Web services components. As Web services are a natural choice for heterogeneous environments involving different technologies, it's necessary to understand how to access secured Web services using clients of various types.

  • More Stories By Anbarasu Krishnaswamy

    Anbarasu Krishnaswamy has over 15 years of IT industry experience, nine of which were with BEA. In his current role as the Enterprise Architect Lead, he leads the enterprise architecture and SOA practices for the central region professional services at BEA. As a SOA practitioner, he has helped several customers with SOA transformation and implementation. His experience also includes design and development of Java/J2EE applications, client/server computing, Web development, and enterprise application integration (EAI). Anbarasu holds a MBA from NIU and an MS in computer science and engineering.

    Comments (0)

    Share your thoughts on this story.

    Add your comment
    You must be signed in to add a comment. Sign-in | Register

    In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


    IoT & Smart Cities Stories
    René Bostic is the Technical VP of the IBM Cloud Unit in North America. Enjoying her career with IBM during the modern millennial technological era, she is an expert in cloud computing, DevOps and emerging cloud technologies such as Blockchain. Her strengths and core competencies include a proven record of accomplishments in consensus building at all levels to assess, plan, and implement enterprise and cloud computing solutions. René is a member of the Society of Women Engineers (SWE) and a m...
    Early Bird Registration Discount Expires on August 31, 2018 Conference Registration Link ▸ HERE. Pick from all 200 sessions in all 10 tracks, plus 22 Keynotes & General Sessions! Lunch is served two days. EXPIRES AUGUST 31, 2018. Ticket prices: ($1,295-Aug 31) ($1,495-Oct 31) ($1,995-Nov 12) ($2,500-Walk-in)
    Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
    Nicolas Fierro is CEO of MIMIR Blockchain Solutions. He is a programmer, technologist, and operations dev who has worked with Ethereum and blockchain since 2014. His knowledge in blockchain dates to when he performed dev ops services to the Ethereum Foundation as one the privileged few developers to work with the original core team in Switzerland.
    Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value. He has consulted with over 130 companies on innovating with new business models, product strategies and monetization. Chris has held management positions at HP and Symantec in addition to ...
    The challenges of aggregating data from consumer-oriented devices, such as wearable technologies and smart thermostats, are fairly well-understood. However, there are a new set of challenges for IoT devices that generate megabytes or gigabytes of data per second. Certainly, the infrastructure will have to change, as those volumes of data will likely overwhelm the available bandwidth for aggregating the data into a central repository. Ochandarena discusses a whole new way to think about your next...
    CloudEXPO | DevOpsSUMMIT | DXWorldEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
    Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more busine...
    All in Mobile is a place where we continually maximize their impact by fostering understanding, empathy, insights, creativity and joy. They believe that a truly useful and desirable mobile app doesn't need the brightest idea or the most advanced technology. A great product begins with understanding people. It's easy to think that customers will love your app, but can you justify it? They make sure your final app is something that users truly want and need. The only way to do this is by ...
    DXWorldEXPO LLC announced today that Big Data Federation to Exhibit at the 22nd International CloudEXPO, colocated with DevOpsSUMMIT and DXWorldEXPO, November 12-13, 2018 in New York City. Big Data Federation, Inc. develops and applies artificial intelligence to predict financial and economic events that matter. The company uncovers patterns and precise drivers of performance and outcomes with the aid of machine-learning algorithms, big data, and fundamental analysis. Their products are deployed...