12.9. Example Applications

The following example applications demonstrate configuring web services and web service clients for different security mechanisms. If you are going to work through the examples sequentially, you must manually undo the changes to the service and then refresh the client in order for the client to receive the most recent version of the service's WSDL file, which contains the latest security configuration information.

12.9.1. Example: Username Authentication with Symmetric Key (UA)

The section describes the following tasks:

To Secure the Example Service Application (UA)

The following example application starts with the example provided in Developing with NetBeans and demonstrates adding security to both the web service and to the web service client.

For this example, the security mechanism of Username Authentication with Symmetric Key is used to secure the application. To add security to the service part of the example, follow these steps.

  1. Create the CalculatorApplication example by following the steps described in the following sections of Developing with NetBeans.
    1. Creating a Web Service
    2. Skip the section on adding Reliable Messaging.
    3. Deploying and Testing a Web Service (first two steps only, do not run the project yet)
  2. Expand CalculatorApplication | Web Services, then right-click the node for the web service (CalculatorWS) and select Edit Web Service Attributes.
  3. Deselect Reliable Messaging if it is selected.
  4. In the CalculatorWSPortBinding section, select Secure Service.
  5. From the drop-down list for Security Mechanism, select Username Authentication with Symmetric Key.
  6. Select Use Development Defaults to set up the keystore and truststore files, and to create a user for this application, if needed.
  7. Click OK to close the CalculatorWSService dialog.

    A new file is added to the project. To view the WSIT configuration file, expand Web Pages | WEB-INF, then double-click the file wsit-org.me.calculator.CalculatorWS.xml. This file contains the security elements within wsp:Policy tags.

    An example of this file can be viewed in the tutorial by clicking this link: Service-Side WSIT Configuration Files.

  8. Right-click the CalculatorApplication node and select Run. A browser will open and display the WSDL file for the application.
  9. Follow the steps to secure the client application as described in To Secure the Example Web Service Client Application (UA).

To Secure the Example Web Service Client Application (UA)

This section demonstrates adding security to the web service client that references the web service created in the previous section. This web service is secured using the security mechanism described in Username Authentication with Symmetric Key. When this security mechanism is used with a web service, the web service client must provide a username and password in addition to specifying the certificate of the server.

To add security to the client that references this web service, complete the following steps.

  1. Create the client application by following the steps described in Creating a Client to Consume a WSIT-Enabled Web Service.

    Whenever you make changes on the service, refresh the client so that the client will pick up the change. To refresh the client, right-click the node for the Web Service Reference for the client, and select Refresh Client.

  2. Expand the node for the web service client application, CalculatorWSServletClient.
  3. Expand the Web Service References node.
  4. Right-click CalculatorWSService and select Edit Web Service Attributes.
  5. In the Security section of the Quality of Service tab, select Use Development Defaults. Click OK to close.

    By default, the user name of wsitUser and the password of changeit will be entered in this section. If the example doesn't run, make sure that you have a user with this name and password set up in the file realm of the Application Server or GlassFish, as described in Adding Users to GlassFish.

  6. Optionally, in the tree, drill down from the project to Source Packages | META-INF. Double-click CalculatorWSService.xml, and verify that lines similar to the following are present:

        <wsp:All>
            <sc:TrustStore wspp:visibility="private"
                location="<GF_HOME>\glassfish\domains\domain1\config\cacerts.jks"
                storepass="changeit" peeralias="xws-security-server"/>
            <sc:CallbackHandlerConfiguration wspp:visibility="private">
                <sc:CallbackHandler default="wsitUser" name="usernameHandler"/>
                <sc:CallbackHandler default="changeit" name="passwordHandler"/>
            </sc:CallbackHandlerConfiguration>
        </wsp:All>

    By selecting Use Development Defaults when securing the service, these values are automatically generated for you.

    An example of this file can be viewed in the tutorial by clicking this link: Client-Side WSIT Configuration Files.

  7. Right-click the CalculatorWSServletClient node and select Run. The result of the add operation will display in a browser window.

12.9.2. Example: Username with Digest Passwords

This example is similar to Example: Username Authentication with Symmetric Key (UA) except that digest passwords (along with Created and Nonce) are used in UsernameToken, and UsernameToken is not encrypted in the message.

To Secure the Service Application, all the steps remain the same, except for step 6. For step 6, do the following:

  1. Click on Configure, select Support Hash Passwords. Click OK.
  2. Unselect Use Development Defaults, if already selected. Specify the KeyStore. Click on Validators, and specify the username validator.

    The Username Validator created should extend PasswordValidationCallback.WsitDigestPasswordValidator. Here is a sample UsernameValidator for Digest passwords.


        import com.sun.xml.wss.impl.callback.PasswordValidationCallback;

        // Supplies the plain-text password for the user named in the incoming
        // UsernameToken, so that WSIT can recompute the digest the client sent
        // (over the client's Nonce and Created values) and compare the two.
        public class SampleWsitDigestPasswordValidator extends
                PasswordValidationCallback.WsitDigestPasswordValidator {

            @Override
            public void setPassword(PasswordValidationCallback.Request request) {
                // Get this password from somewhere - for example a JDBC Realm
                String passwd = "abcd!1234";
                PasswordValidationCallback.DigestPasswordRequest req =
                        (PasswordValidationCallback.DigestPasswordRequest) request;
                req.setPassword(passwd);
            }
        }
    Digest passwords can be supported by any realm that stores plain-text passwords (not hashed ones), because the validator has to hand WSIT the plain password for the digest to be recomputed. Currently this is supported for the JDBC realm in GlassFish; alternatively, you can write your own custom realm.
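The digest mechanism this example enables, worked through as an added example that is not part of the guide, of Metro or of XWSS: the client computes the UsernameToken PasswordDigest as the WS-Security UsernameToken Profile defines it (Base64 of SHA-1 over the raw nonce bytes, the Created string and the password), and the server-side validator, playing the role of SampleWsitDigestPasswordValidator above, fetches the plain-text password from its realm and recomputes the same value before it accepts the token. That recomputation is why the realm must hold plain passwords. The realm dictionary, the five-minute freshness window and the in-memory nonce replay cache are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Freshness window for the Created timestamp; an assumption for this example,
# the real limit is whatever the server's WSIT configuration allows.
MAX_CLOCK_SKEW = timedelta(minutes=5)
TIMESTAMP_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)).

    nonce is the raw nonce (the Base64-decoded content of wsse:Nonce);
    created and password are the UTF-8 text of the respective elements."""
    digest = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_username_token(username: str, password: str, now: datetime = None, nonce: bytes = None) -> dict:
    """Client side: the four UsernameToken values sent on the wire when digest
    passwords are enabled. The plain password itself never leaves the client."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = (now or datetime.now(timezone.utc)).strftime(TIMESTAMP_FMT)
    return {
        "Username": username,
        "PasswordDigest": password_digest(nonce, created, password),
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
    }


class DigestPasswordValidator:
    """Server side: what a WsitDigestPasswordValidator enables WSIT to do.

    The validator looks up the user's plain-text password (here a dictionary
    standing in for a JDBC realm), recomputes the digest over the client's
    Nonce and Created values, and compares. A realm holding only hashed
    passwords cannot do this, which is the restriction the guide notes."""

    def __init__(self, realm: dict, max_skew: timedelta = MAX_CLOCK_SKEW):
        self.realm = realm            # username -> plain-text password
        self.max_skew = max_skew
        self.seen_nonces = set()      # replay cache; a real one would expire entries

    def validate(self, token: dict, now: datetime = None) -> bool:
        password = self.realm.get(token.get("Username"))
        if password is None:
            return False              # unknown user
        try:
            created_at = datetime.strptime(token["Created"], TIMESTAMP_FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError):
            return False              # malformed token (binascii.Error is a ValueError)
        now = now or datetime.now(timezone.utc)
        if abs(now - created_at) > self.max_skew:
            return False              # Created is outside the freshness window
        if token["Nonce"] in self.seen_nonces:
            return False              # nonce already accepted once: replay
        expected = password_digest(nonce, token["Created"], password)
        sent = str(token.get("PasswordDigest", "")).encode("utf-8")
        if not hmac.compare_digest(expected.encode("ascii"), sent):
            return False              # digest does not match the realm password
        self.seen_nonces.add(token["Nonce"])
        return True


def run_scenarios() -> tuple:
    """Fixed-clock walk-through: good token, replay, stale Created, wrong
    password, unknown user. Returns the validator's verdict for each."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    validator = DigestPasswordValidator({"wsitUser": "changeit"})  # constructed realm
    good = build_username_token("wsitUser", "changeit", now=now, nonce=b"0123456789abcdef")
    first = validator.validate(good, now=now)
    replayed = validator.validate(good, now=now)
    stale = validator.validate(
        build_username_token("wsitUser", "changeit", now=now, nonce=b"fedcba9876543210"),
        now=now + timedelta(minutes=10))
    wrong = validator.validate(build_username_token("wsitUser", "wrong", now=now), now=now)
    unknown = validator.validate(build_username_token("nobody", "changeit", now=now), now=now)
    return first, replayed, stale, wrong, unknown


if __name__ == "__main__":
    print(run_scenarios())  # (True, False, False, False, False)
```

The validator checks order, freshness and replay before it touches the password, so a replayed or stale token is rejected without revealing whether the digest was right; the nonce cache is what makes an intercepted digest unusable a second time, and it only works if Created is also bounded, otherwise the cache would have to grow forever.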

The steps for securing the client remain the same as in Example: Username Authentication with Symmetric Key (UA).

12.9.3. Example: Mutual Certificates Security (MCS)

The section describes the following tasks:

To Secure the Example Service Application (MCS)

The following example application starts with the example provided in Developing with NetBeans and demonstrates adding security to both the web service and to the web service client.

For this example, the security mechanism of Mutual Certificates Security is used to secure the application. To add security to the service part of the example, follow these steps.

  1. Create the CalculatorApplication example by following the steps described in the following sections of Developing with NetBeans.
    1. Creating a Web Service
    2. Skip the section on adding Reliable Messaging.
    3. Deploying and Testing a Web Service (first two steps only, do not run the project yet)
  2. Expand CalculatorApplication | Web Services, then right-click the node for the web service, CalculatorWS, and select Edit Web Service Attributes.
  3. Deselect Reliable Messaging if it is selected.
  4. Select Secure Service.
  5. From the drop-down list for Security Mechanism, select Mutual Certificates Security.
  6. Select Use Development Defaults.
  7. Click OK to close the dialog.

    A new file is added to the project. To view the WSIT configuration file, expand Web Pages | WEB-INF, then double-click the file wsit-org.me.calculator.CalculatorWS.xml. This file contains the security elements within wsp:Policy tags.

  8. Right-click the CalculatorApplication node and select Run.

    A browser will open and display the WSDL file for the application.

  9. Verify that the WSDL file contains the AsymmetricBinding element.
  10. Follow the steps to secure the client application as described in To Secure the Example Web Service Client Application (MCS).

To Secure the Example Web Service Client Application (MCS)

This section demonstrates adding security to the web service client that references the web service created in the previous section. This web service is secured using the security mechanism described in Mutual Certificates Security.

To add security to the client that references this web service, complete the following steps.

  1. Create the client application following the steps described in Creating a Client to Consume a WSIT-Enabled Web Service.

    Whenever you make changes on the service, refresh the client so that the client will pick up the change. To refresh the client, right-click the node for the Web Service Reference for the client, and select Refresh Client.

  2. Optionally, in the tree, drill down from the project to Source Packages | META-INF. Double-click CalculatorWSService.xml, click the Source tab, and look at the <wsp:All> section to see the WSIT configuration that has been added to this file.
  3. Compile and run this application by right-clicking the CalculatorWSServletClient node and selecting Run. The result of the add operation will display in a browser window.

12.9.4. Example: Transport Security (SSL)

This section describes the following tasks:

To Secure the Example Service Application (SSL)

The following example application starts with the example provided in Developing with NetBeans and demonstrates adding transport security to both the web service and to the web service client.

For this example, the security mechanism of Transport Security (SSL) is used to secure the application. To add security to the service part of the example, follow these steps.

  1. Create the CalculatorApplication example by following the steps described in the following sections of Developing with NetBeans:
    1. Creating a Web Service
    2. Skip the section on adding Reliable Messaging.
    3. Deploying and Testing a Web Service (first two steps only, do not run the project yet)
  2. Expand CalculatorApplication | Web Services, then right-click the node for the web service, CalculatorWS, and select Edit Web Service Attributes.
  3. Deselect Reliable Messaging if it is selected.
  4. Select Secure Service.
  5. From the drop-down list for Security Mechanism, select Transport Security (SSL).
  6. Select Use Development Defaults.
  7. Click OK to close the dialog.

    A new file is added to the project. To view the WSIT configuration file, expand Web Pages | WEB-INF, then double-click the file wsit-org.me.calculator.CalculatorWS.xml. This file contains the security elements within wsp:Policy tags.

  8. To require the service to use the HTTPS protocol, security requirements must be specified in the service's application deployment descriptor, which is web.xml for a web service implemented as a servlet. Selecting Use Development Defaults takes care of this task for you.

    To view or change the security information, follow these steps:

    1. From your web service application, expand Web Pages | WEB-INF.
    2. Double-click web.xml to open it in the editor.
    3. Select the Security tab.
    4. Expand the Security Constraint named SSL transport for CalculatorWSService.
    5. A Web Resource Collection named Secure Area contains the URL Pattern to be protected, /CalculatorWSService//*, and the HTTP method to be protected, POST.
    6. Unselect Enable Authentication Constraint if it is selected.
    7. The Enable User Data Constraint box is checked and CONFIDENTIAL is chosen as the Transport Guarantee to specify that the application uses SSL.
    8. Click the XML tab to view the resulting deployment descriptor additions.
  9. Right-click the CalculatorApplication node and select Run. If the server presents its certificate, s1as, accept this certificate. A browser will open and display the WSDL file for the application.
  10. Follow the steps to secure the client application as described in To Secure the Example Web Service Client Application (SSL).

To Secure the Example Web Service Client Application (SSL)

This section demonstrates adding security to the web service client that references the web service created in the previous section. This web service is secured using the security mechanism described in Transport Security (SSL).

To add security to the client that references this web service, complete the following steps.

  1. Create the client application by following the steps described in Creating a Client to Consume a WSIT-Enabled Web Service, with the exception that you need to specify the secure WSDL when creating the Web Service Client.

    To do this, create the client application up to the step where you create the Servlet (step 5 as of this writing) by following the steps described in Creating a Client to Consume a WSIT-Enabled Web Service, with the following exception.

    In the step where you are directed to cut and paste the URL of the web service that you want the client to consume into the WSDL URL field, type https://fully-qualified-hostname:8181/CalculatorApplication/CalculatorWSService?wsdl (the https scheme and the 8181 port are the changes from the non-secure URL) to indicate that this client should reference the web service using the secure port. The first time you access this service, accept the certificate (s1as) when you are prompted. This is the server certificate popping up to confirm its identity to the client.

    In some cases, you might get an error dialog telling you that the URL https://fully-qualified-hostname:8181/CalculatorApplication/CalculatorWSService?wsdl couldn't be downloaded. However, this is the correct URL, and it does load when you run the service. So, when this error occurs, repeat the steps that create the Web Service Client using the secure WSDL. The second time, the web service reference is created and you can continue creating the client.

    If you prefer to use localhost in place of the fully-qualified hostname (FQHN) in this example, you must follow the steps in Transport Security (SSL) Workaround.

  2. Continue creating the client following the remainder of the instructions in Creating a Client to Consume a WSIT-Enabled Web Service .

    If you have been working through this document by making the recommended changes and refreshing the existing client, note that for this example you must create a new client, because the secure WSDL has to be specified when the client is created in order to set the client up correctly.

    Whenever you make changes on the service, refresh the client so that the client will pick up the change. To refresh the client, right-click the node for the Web Service Reference for the client, and select Refresh Client.

  3. Compile and run this application by right-clicking on the CalculatorWSServletClient node and selecting Run. The result of the add operation will display in a browser window.

12.9.5. Example: SAML Authorization over SSL (SA)

This section describes the following tasks:

To Secure the Example Service Application (SA)

The following example application starts with the example provided in Developing with NetBeans and demonstrates adding security to both the web service and to the web service client.

For this example, the security mechanism of SAML Authorization over SSL is used to secure the application. The steps are similar to the ones described in Example: Username Authentication with Symmetric Key (UA), with the addition of the writing of a client-side SAML callback handler to populate the client's request with a SAML assertion.

To add security to the service part of the example, follow these steps.

  1. Create the CalculatorApplication example by following the steps described in the following sections of Developing with NetBeans:
    1. Creating a Web Service
    2. Skip the section on adding Reliable Messaging.
    3. Deploying and Testing a Web Service (first two steps only, do not run the project yet)
  2. Expand CalculatorApplication | Web Services, right-click the node for the web service, CalculatorWS, and select Edit Web Service Attributes.
  3. Deselect the Reliable Messaging option if it is selected.
  4. Select Secure Service.
  5. From the drop-down list for Security Mechanism, select SAML Authorization over SSL.
  6. Select Use Development Defaults to have the web.xml file modified to include a security constraint that forces the use of SSL.
  7. Click OK to exit the editor.

    A new file is added to the project. To view the WSIT configuration file, expand Web Pages | WEB-INF, then double-click the file wsit-org.me.calculator.CalculatorWS.xml. This file contains the security elements within wsp:Policy tags.

  8. To require the service to use the HTTPS protocol, security requirements must be specified in the service's application deployment descriptor, which is web.xml for a web service implemented as a servlet. Selecting Use Development Defaults takes care of this task for you.

    To view or change the security information in the deployment descriptor, follow these steps:

    1. From your web service application, expand Web Pages | WEB-INF.
    2. Double-click web.xml to open it in the editor.
    3. Select the Security tab.
    4. Expand the Security Constraint named SSL transport for CalculatorWSService.
    5. A Web Resource Collection named Secure Area contains the URL Pattern to be protected, /CalculatorWSService//*, and the HTTP method to be protected, POST.
    6. Unselect Enable Authentication Constraint if it is selected.
    7. The Enable User Data Constraint box is checked and CONFIDENTIAL is chosen as the Transport Guarantee to specify that the application uses SSL.
    8. Click the XML tab to view the resulting deployment descriptor additions.
  9. Right-click the CalculatorApplication node and select Run. Accept the s1as certificate if you are prompted to. A browser will open and display the WSDL file for the application.
  10. Follow the steps to secure the client application as described in To Secure the Example Web Service Client Application (SA).

To Secure the Example Web Service Client Application (SA)

This section demonstrates adding security to the web service client that references the web service created in the previous section. This web service is secured using the security mechanism described in SAML Authorization over SSL.

To add security to the client that references this web service, complete the following steps.

  1. This example uses a non-JSR-109-compliant client for variety. To do this, create the client application up to the step where you create the Servlet (step 5 as of this writing) by following the steps described in Creating a Client to Consume a WSIT-Enabled Web Service, with the following exceptions:
    1. In the step where you are directed to cut and paste the URL of the web service that you want the client to consume into the WSDL URL field, type https://fully-qualified-hostname:8181/CalculatorApplication/CalculatorWSService?wsdl, to indicate that this client should reference the web service using the secure port.

      The first time you access this service, accept the certificate (s1as) when you are prompted. This is the server certificate popping up to confirm its identity to the client.

      In some cases, you might get an error dialog telling you that the URL https://fully-qualified-hostname:8181/CalculatorApplication/CalculatorWSService?wsdl couldn't be downloaded. However, this is the correct URL, and it does load when you run the service. So, when this error occurs, repeat the steps that create the Web Service Client using the secure WSDL. The second time, the web service reference is created and you can continue creating the client.

      If you prefer to use localhost in place of the fully-qualified hostname (FQHN) in this example, follow the steps in Transport Security (SSL) Workaround.

    2. Name the application CalculatorClient (since it's not a servlet).
  2. Instead of creating a client servlet as is described in Creating a Client to Consume a WSIT-Enabled Web Service, just add the web service operation to the generated index.jsp file to create a non-JSR-109 client. To do this, perform these steps:
    1. If the index.jsp file is not open in the right pane, expand Web Pages, then double-click index.jsp to open it.
    2. Drill down through the Web Service References node until you get to the add operation.
    3. Drag the add operation to the line immediately following the following line:
      <body>
    4. Edit the values for i and j if you'd like.
  3. Write a SAMLCallback handler for the client side to populate a SAML assertion into the client's request to the service.

    To create the SAMLCallbackHandler, follow these steps:

    1. Right-click the CalculatorClient node.
    2. Select New | Java Package.
    3. For Package Name, type xwss.saml and click Finish.
    4. Drill down from CalculatorClient | Source Packages | xwss.saml.
    5. Right-click xwss.saml and select New | Other.
    6. From the Categories list, select Java.
    7. From the File Types list, select Empty Java File and click Next.
    8. For Class Name, type SamlCallbackHandler and click Finish.

      The empty file appears in the IDE.

    9. Download the example file SamlCallbackHandler.java from the following URL:

      https://xwss.java.net/servlets/ProjectDocumentList?folderID=6645&expandFolder=6645&folderID=6645

    10. Open the file in a text editor.
    11. Modify the home variable to provide the hard-coded path to your GlassFish installation.

      For example, modify the line:

      String home = System.getProperty("WSIT_HOME");

      to

      String home = "/home/glassfish";
    12. Copy the contents of this file into the SamlCallbackHandler.java window that is displaying in the IDE.
  4. Drill down from CalculatorClient | Web Service References.
  5. Right-click CalculatorWSService and select Edit Web Service Attributes.
  6. Select the Quality of Service tab of the CalculatorWSService dialog.
  7. Unselect Use Development Defaults.
  8. Enter the name of the SAML Callback Handler written earlier in this section, xwss.saml.SamlCallbackHandler, into the SAML Callback Handler field.
  9. Click OK to close this dialog.
  10. To view the WSIT Configuration options, in the tree, drill down from the project to Source Packages | META-INF. Double-click CalculatorWSService.xml, click the Source tab, and look for the lines where xwss.saml.SamlCallbackHandler is specified as the SAML Callback Handler class for the client.
  11. Compile and run this application by right-clicking the CalculatorClient node and selecting Run. The result of the add operation will display in a browser window.

12.9.6. Example: SAML Sender Vouches with Certificates (SV)

This section describes the following tasks:

To Secure the Example Service Application (SV)

The following example application starts with the example provided in Developing with NetBeans and demonstrates adding security to both the web service and to the web service client.

For this example, the security mechanism of SAML Sender Vouches with Certificates is used to secure the application. The steps are similar to the ones described in Example: Username Authentication with Symmetric Key (UA), with the addition of the writing of a client-side SAML callback handler to populate the client's request with a SAML assertion.

To add security to the service part of the example, follow these steps.

  1. Create the CalculatorApplication example by following the steps described in the following sections of Developing with NetBeans:
    1. Creating a Web Service
    2. Skip the section on adding Reliable Messaging.
    3. Deploying and Testing a Web Service (first two steps only, do not run the project yet)
  2. Expand CalculatorApplication | Web Services, then right-click the node for the web service, CalculatorWS, and select Edit Web Service Attributes.
  3. Deselect the Reliable Messaging option if it is selected.
  4. Select Secure Service.
  5. From the drop-down list for Security Mechanism, select SAML Sender Vouches with Certificates.
  6. Select Use Development Defaults. This step properly configures the keystore, truststore, and default user for this security mechanism.
  7. Click OK.

    A new file is added to the project. To view the WSIT configuration file, expand Web Pages | WEB-INF, then double-click the file wsit-org.me.calculator.CalculatorWS.xml. This file contains the security elements within wsp:Policy tags.

  8. Right-click the CalculatorApplication node and select Run. Accept the s1as certificate if you are prompted to.

    A browser will open and display the WSDL file for the application.

  9. Follow the steps to secure the client application as described in To Secure the Example Web Service Client Application (SV).

To Secure the Example Web Service Client Application (SV)

This section demonstrates adding security to the web service client that references the web service created in the previous section. This web service is secured using the security mechanism described in SAML Sender Vouches with Certificates.

To add security to the client that references this web service, complete the following steps.

  1. This example uses a non-JSR-109-compliant client. To do this, create the client application up to the step where you create the Servlet (step 5 as of this writing) by following the steps described in Creating a Client to Consume a WSIT-Enabled Web Service, with one exception: name the application CalculatorClient (since it's not a servlet).
  2. Instead of creating a client servlet as is described in Creating a Client to Consume a WSIT-Enabled Web Service, just add the web service operation to the generated index.jsp file to create a non-JSR-109 client. To do this, follow these steps:
    1. If the index.jsp file is not open in the right pane, double-click it to open it.
    2. Drill down through the Web Service References node until you get to the add operation.
    3. Drag the add operation to the line immediately following the following line:
      <body>
    4. Edit the values for i and j if you'd like.
  3. Write a SAMLCallback handler for the client side to populate a SAML assertion into the client's request to the service.

    To create the SAMLCallbackHandler, follow these steps:

    1. Right-click the CalculatorClient node.
    2. Select New | Java Package.
    3. For Package Name, type xwss.saml and click Finish.
    4. Drill down from CalculatorClient | Source Packages | xwss.saml.
    5. Right-click xwss.saml and select New | Other.
    6. From the Categories list, select Java.
    7. From the File Types list, select Empty Java File and click Next.
    8. For Class Name, type SamlCallbackHandler and click Finish.

      The empty file appears in the IDE.

    9. Download the example file SamlCallbackHandler.java from the following URL:

      https://xwss.java.net/servlets/ProjectDocumentList?folderID=6645&expandFolder=6645&folderID=6645

    10. Open the file in a text editor.
    11. Modify the home variable to provide the hard-coded path to your GlassFish installation.

      For example, modify the line:

      String home = System.getProperty("WSIT_HOME");

      to

      String home = "/home/glassfish";
    12. Copy the contents of this file into the SamlCallbackHandler.java window that is displaying in the IDE.
  4. Drill down from CalculatorClient | Web Service References.
  5. Right-click on CalculatorWSService and select Edit Web Service Attributes.
  6. Select the Quality of Service tab of the CalculatorWSService dialog.
  7. In the SAML Callback Handler field, type the name of the class written in step 3 above, xwss.saml.SamlCallbackHandler.
  8. Configure the keys: click the Keystore button, select the alias xws-security-client, enter the password changeit in the password field, and submit the dialog. Then click the Truststore button, select the alias xws-security-server, and submit that dialog.
  9. Click OK to close this dialog.
  10. In the tree, drill down from the project to Source Packages | META-INF. Double-click CalculatorWSService.xml, click the Source tab, and look for the lines where xwss.saml.SamlCallbackHandler is specified as the SAML Callback Handler class for the client. In some instances, NetBeans does not correctly specify the keystore and truststore information for non-JSR-196 clients, so the keystore and truststore entries must be configured manually. To do this, follow the example in this section.
    • Find the sc:KeyStore and sc:TrustStore elements. If these elements already carry location and storepass attributes in CalculatorWSService.xml, continue to the next step. If not, edit the existing keystore and truststore elements to include these attributes. The following code shows how these elements should be specified.

        <sc:TrustStore wspp:visibility="private"
            location="<GF_HOME>\glassfish\domains\domain1\config\cacerts.jks"
            storepass="changeit" peeralias="xws-security-server"/>
        <sc:KeyStore wspp:visibility="private"
            location="<GF_HOME>\glassfish\domains\domain1\config\keystore.jks"
            storepass="changeit" alias="xws-security-client"/>
  11. Compile and run this application by right-clicking the CalculatorClient node and selecting Run. The result of the add operation will display in a browser window.
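The manual inspection in step 10, scripted as an added example that is not part of the guide or of NetBeans: it parses a client-side CalculatorWSService.xml, reports which of the location, storepass and alias or peeralias attributes are missing from the sc:KeyStore and sc:TrustStore elements, and separately flags a storepass that is still the development default changeit, which Use Development Defaults writes into the project file in clear text. The elements are matched by local name, so the check does not depend on the namespace URIs; the URIs, the store paths and the two sample configurations below are constructed for this example and are assumptions.

```python
import xml.etree.ElementTree as ET

# Attributes each store element needs before the non-JSR-109 client can run.
REQUIRED_ATTRIBUTES = {
    "KeyStore": ("location", "storepass", "alias"),
    "TrustStore": ("location", "storepass", "peeralias"),
}
DEFAULT_STOREPASS = "changeit"   # the value Use Development Defaults writes


def _local_name(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def _store_elements(xml_text: str) -> list:
    """All KeyStore/TrustStore elements in document order, whatever their prefix."""
    root = ET.fromstring(xml_text)
    return [(_local_name(el.tag), el) for el in root.iter()
            if _local_name(el.tag) in REQUIRED_ATTRIBUTES]


def missing_store_attributes(xml_text: str) -> dict:
    """Map each store element name to the required attributes it lacks.
    A store element that is absent altogether lacks all of its attributes."""
    report = {name: list(attrs) for name, attrs in REQUIRED_ATTRIBUTES.items()}
    for name, el in _store_elements(xml_text):
        report[name] = [a for a in REQUIRED_ATTRIBUTES[name] if not (el.get(a) or "").strip()]
    return report


def stores_using_default_password(xml_text: str) -> list:
    """Names of store elements whose storepass is still the development default."""
    return [name for name, el in _store_elements(xml_text)
            if el.get("storepass") == DEFAULT_STOREPASS]


# Constructed samples. The namespace URIs are assumptions for this example.
_HEADER = ('<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" '
           'xmlns:sc="http://schemas.sun.com/2006/03/wss/client" '
           'xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"><wsp:All>')
_FOOTER = "</wsp:All></wsp:Policy>"

EMPTY_CONFIG = _HEADER + _FOOTER

# What an incorrectly generated file looks like: aliases only, no location/storepass.
INCOMPLETE_CONFIG = _HEADER + (
    '<sc:TrustStore wspp:visibility="private" peeralias="xws-security-server"/>'
    '<sc:KeyStore wspp:visibility="private" alias="xws-security-client"/>'
) + _FOOTER

# The corrected form from the guide, with a constructed GlassFish path.
COMPLETE_CONFIG = _HEADER + (
    '<sc:TrustStore wspp:visibility="private" '
    'location="/opt/glassfish/glassfish/domains/domain1/config/cacerts.jks" '
    'storepass="changeit" peeralias="xws-security-server"/>'
    '<sc:KeyStore wspp:visibility="private" '
    'location="/opt/glassfish/glassfish/domains/domain1/config/keystore.jks" '
    'storepass="changeit" alias="xws-security-client"/>'
) + _FOOTER


if __name__ == "__main__":
    for label, cfg in (("incomplete", INCOMPLETE_CONFIG), ("complete", COMPLETE_CONFIG)):
        print(label, "missing:", missing_store_attributes(cfg),
              "default storepass on:", stores_using_default_password(cfg))
```

Point the script at a real file with ET.parse(path).getroot() in place of ET.fromstring; the default-password report is the reminder that a configuration copied out of a development project carries the keystore password in the clear and needs a non-default storepass before it leaves the developer's machine.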

12.9.7. Example: STS Issued Token (STS)

This section describes the following tasks:

Another STS example application can be found at the following URL: https://wsit.java.net/source/browse/wsit/wsit/samples/ws-trust/.

To Create and Secure the STS (STS)

To create and secure a Security Token Service for this example, follow these steps.

  1. Create a new project for the STS by selecting File | New Project.
  2. Select Web, then Web Application, then Next.
  3. Type MySTSProject for the Project Name, then click Finish.
  4. Right-click the MySTSProject node, select New, then select Other.
  5. Select Web Services from the Categories list.
  6. Select Secure Token Service (STS) from the File Type(s) list, then click Next.
  7. Type the name MySTS for the Web Service Class Name.
  8. Enter or select org.me.my.sts in the Package field, then click Finish. If prompted to reload the catalog.xml file, click No.

    The IDE takes a while to create the STS. When created, it appears under the project's Web Services node as MySTSService.

  9. The STS wizard creates an implementation of the provider class. To view it, expand Source Packages, then org.me.my.sts. Double-click MySTS.java to open it in the right pane.
  10. In the Projects window, expand the MySTSProject node, then expand the Web Services node. Right-click the MySTSService[IMySTSService_Port] node and select Edit Web Service Attributes to configure the STS.
  11. Set Version Compatibility to ".NET 3.5 / Metro 1.3" (see Web Service Attributes Editor Page). This selects the WS-SX versions of all the WS-* specifications.
  12. Select Secure Service if it's not already selected.
  13. Verify that the Security Mechanism of Username Authentication with Symmetric Key is selected.
  14. Click the Configure button. For Algorithm Suite, verify that Basic128 bit is selected (so that it matches the value selected for the service). Click OK to close the configuration dialog.
  15. If not already selected, select Act as Secure Token Service (STS).

    If you'd like to use an STS other than the default, click the STS Configure button, and click the Add button to add a different service provider. Click OK to close the STS Configuration dialog.

  16. Click Configure. In the Issuer field, enter MySTS. Click OK to close.
  17. Click the Keystore button to provide your keystore with the alias identifying the service certificate and private key. To do this, click the Load Aliases button, select wssip, then click OK to close the dialog.
  18. Click OK.

    A new file is added to the project. To view the WSIT configuration file, expand Configuration Files | xml-resources | web-services | MySTS | wsdl, then double-click the file MySTSService.wsdl. This file contains the tc:STSConfiguration element within the wsp:Policy elements.

  19. Right-click the MySTSProject tab, select Properties. Select the Run category, and type the following in the Relative URL field: /MySTSService?wsdl.
  20. Run the Project (right-click the project and select Run).

    The STS WSDL appears in the browser.

Check Building custom STS to build a custom STS to control the user attributes to be included in the SAML assertion.

To Secure the Example Service Application (STS)

The following example application starts with the example provided in Developing with NetBeans and demonstrates adding security to both the web service and to the web service client.

For this example, the security mechanism of STS Issued Token is used to secure the application. The steps are similar to the ones described in Example: Username Authentication with Symmetric Key (UA), with the addition of creating and securing an STS.

To add security to the service part of the example, follow these steps.

  1. Create the CalculatorApplication example by following the steps described in the following sections of Developing with NetBeans.
    1. Creating a Web Service
    2. Skip the section on adding Reliable Messaging.
    3. Deploying and Testing a Web Service (first two steps only, do not run the project yet).
  2. Expand CalculatorApplication | Web Services, then right-click the node for the web service, CalculatorWS, and select Edit Web Service Attributes.
  3. Set Version Compatibility to ".NET 3.5 / Metro 1.3" (see Web Service Attributes Editor Page). This selects the WS-SX versions of all the WS-* specifications.
  4. Deselect the Reliable Messaging option if it is selected.
  5. Select Secure Service.
  6. From the drop-down list for Security Mechanism, select STS Issued Token.
  7. Click Configure. For Issuer Address and Issuer Metadata Address, enter http://localhost:8080/MySTSProject/MySTSService. For Issuer Metadata, enter http://localhost:8080/MySTSProject/MySTSService/mex
  8. For Algorithm Suite, select Basic 128 bit. For Key Size, select 128 (the algorithm suite value of the service must match the algorithm suite value of the STS). Select OK to close the configuration dialog.

    If you have configured Unlimited Strength Encryption as described in To Create a Third-Party STS, you can leave the key size at 256. Otherwise, you must set it to 128.

  9. Select Use Development Defaults.
  10. Click OK.

    A new file is added to the project. To view the WSIT configuration file, expand Web Pages | WEB-INF, then double-click the file wsit-org.me.calculator.CalculatorWS.xml and select the Source page. This file contains the security elements within wsp:Policy tags.

  11. Right-click the CalculatorApplication node and select Run. This step compiles the application and deploys it onto GlassFish. A browser will open and display the WSDL file for the application.

To Secure the Example Web Service Client Application (STS)

This section demonstrates adding security to the CalculatorApplication's web service client. The service was secured using the security mechanism described in STS Issued Token .

To add security to the web service client, complete the following steps.

  1. Create the client application by following the steps described in Creating a Client to Consume a WSIT-Enabled Web Service.

    Whenever you make changes on the service, refresh the client so that the client will pick up the change. To refresh the client, right-click the node for the Web Service Reference for the client, and select Refresh Client.

  2. Drill down from CalculatorWSServletClient | Web Service References.
  3. Right-click CalculatorWSService and select Edit Web Service Attributes, then select the Quality of Service tab.
  4. Provide the client's private key by pointing to an alias in the keystore. To do this, click the Keystore button, click the Load Aliases button, and select xws-security-client from the Alias list.
  5. Provide the service's certificate by pointing to an alias in the client truststore. To do this, click the Truststore button, click the Load Aliases button for the truststore, and select xws-security-server from the Alias list.
    • In some instances, NetBeans will not detect that this client is a JSR-196 client, and thus will require that the keystore and truststore entries be manually configured. To do this, follow the steps in this section.
    • Expand CalculatorWSServletClient | Source Packages | META-INF.
    • Double-click CalculatorWSService.xml to open it in the Source window. Click the Source tab to view the code. Find the sc:KeyStore and sc:TrustStore elements. If these elements already carry the location and storepass attributes, continue with the next step. If not, add the attributes to this file. The following code shows an example of how these elements should be specified.

                                      <sc:TrustStore wspp:visibility="private"
                                      location="<GF_HOME>\glassfish\domains\domain1\config\cacerts.jks"
                                      storepass="changeit" peeralias="xws-security-server"/>
                                      <sc:KeyStore wspp:visibility="private"
                                      location="<GF_HOME>\glassfish\domains\domain1\config\keystore.jks"
                                      storepass="changeit" alias="xws-security-client"/>
                                  
  6. Expand the Security Token Service node to provide details for the STS to be used. When the Endpoint and the Metadata values are the same, you only need to enter the Endpoint value. For the Endpoint field, enter the following value: http://localhost:8080/MySTSProject/MySTSService. For the WS Trust Version field, select 1.3 if the STS endpoint uses ".NET 3.5 / Metro 1.3" version compatibility. Otherwise, use the default WS Trust Version.
  7. Click OK to close this dialog.
  8. The service requires a token to be issued from the STS at http://localhost:8080/MySTSProject/MySTSService, with WSDL file http://localhost:8080/MySTSProject/MySTSService?wsdl. To do this, follow these steps:
    1. Right-click the CalculatorWSServletClient node and select New | Web Service Client.

      The New Web Service Client window appears.

    2. Select the WSDL URL option.
    3. Cut and paste the URL of the web service that you want the client to consume into the WSDL URL field. For this example, here is the URL for the MySTS web service:
      http://localhost:8080/MySTSProject/MySTSService?wsdl
    4. Type org.me.calculator.client.sts in the Package field, then click Finish.

      The Projects window displays the new web service client.

  9. Drill down from CalculatorWSServletClient | Web Service References.
  10. Right-click MySTSService and select Edit Web Service Attributes.
  11. Select the Quality of Service tab of the MySTSService dialog.
  12. Provide the client's private key by pointing to an alias in the keystore. To do this, click the Keystore button, click the Load Aliases button, and select xws-security-client from the Alias list. If the Keystore button is not selectable, follow the instructions in the next step for adding the keystore entry manually.
  13. Verify the STS's certificate by pointing to an alias in the client truststore. To do this, click the Truststore button, click the Load Aliases button, and select wssip from the Alias list.
    • In some instances, NetBeans will not detect that this client is a JSR-196 client, and thus will require that the keystore and truststore entries be manually configured. To do this, follow the steps in this section.
    • Expand CalculatorWSServletClient | Source Packages | META-INF.
    • Double-click MySTSService.xml to open it in the Source window. Click the Source tab to view the code. Find the sc:KeyStore and sc:TrustStore elements. If these elements already carry the location and storepass attributes, continue with the next step. If not, add the attributes to this file. The following code shows an example of how these elements should be specified.

                                      <sc:TrustStore wspp:visibility="private"
                                      location="<GF_HOME>\glassfish\domains\domain1\config\cacerts.jks"
                                      storepass="changeit" peeralias="wssip"/>
                                      <sc:KeyStore wspp:visibility="private"
                                      location="<GF_HOME>\glassfish\domains\domain1\config\keystore.jks"
                                      storepass="changeit" alias="xws-security-client"/>
                                  
  14. Enter the default user name and password.

    If you followed the steps in Adding Users to GlassFish, this will be User Name wsitUser and Password changeit.

  15. Click OK to close this dialog.
  16. Compile and run this application by right-clicking the CalculatorWSServletClient project and selecting Run. The result of the add operation will display in a browser window.
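A pre-flight check for the manually added sc:KeyStore and sc:TrustStore entries from steps 5 and 13 above, written here as an added example that is not part of Metro, WSIT or the tutorial project: it confirms that alias really is a private-key entry in the keystore, that peeralias really resolves to a currently valid certificate in the truststore, and that the JVM allows the Key Size chosen in step 8 of the service configuration. It assumes the <GF_HOME> placeholder in the snippets has already been replaced with the real install path (a literal "<" inside an attribute value is not well-formed XML, so the file would not even parse), that the key entry is protected by the same password as the store (as Use Development Defaults sets it up), and that the embedded sample configuration and its /opt/glassfish path are constructed for the example.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.crypto.Cipher;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

/* Hypothetical pre-flight check, not part of Metro/WSIT: reads the sc:KeyStore and sc:TrustStore
 * entries of a WSIT client file (META-INF/CalculatorWSService.xml or MySTSService.xml) and verifies
 * that each alias resolves in the named JKS file before the client is run. */
public class WsitClientConfigCheck {

    // Constructed sample mirroring the tutorial snippet. <GF_HOME> has been replaced by an
    // assumed install path: a literal "<" inside an attribute value is not well-formed XML.
    static final String SAMPLE_CONFIG = "<definitions>"
        + "<sc:TrustStore wspp:visibility=\"private\" storepass=\"changeit\" peeralias=\"xws-security-server\""
        + " location=\"/opt/glassfish/glassfish/domains/domain1/config/cacerts.jks\"/>"
        + "<sc:KeyStore wspp:visibility=\"private\" storepass=\"changeit\" alias=\"xws-security-client\""
        + " location=\"/opt/glassfish/glassfish/domains/domain1/config/keystore.jks\"/>"
        + "</definitions>";

    /** One finding per problem; an empty list means every entry resolved. */
    static List<String> check(Document doc, int configuredKeySize) {
        List<String> findings = new ArrayList<>();
        NodeList keyStores = doc.getElementsByTagName("sc:KeyStore");
        for (int i = 0; i < keyStores.getLength(); i++) {
            Element e = (Element) keyStores.item(i);
            KeyStore ks = open(e, findings);
            if (ks == null) continue;
            String alias = e.getAttribute("alias");
            try {   // getKey also proves the (assumed) key password = storepass; wrong password throws
                if (!ks.isKeyEntry(alias) || ks.getKey(alias, e.getAttribute("storepass").toCharArray()) == null)
                    findings.add("sc:KeyStore: alias '" + alias + "' is not a private-key entry");
            } catch (Exception ex) {
                findings.add("sc:KeyStore: cannot recover key '" + alias + "': " + ex);
            }
        }
        NodeList trustStores = doc.getElementsByTagName("sc:TrustStore");
        for (int i = 0; i < trustStores.getLength(); i++) {
            Element e = (Element) trustStores.item(i);
            KeyStore ts = open(e, findings);
            if (ts == null) continue;
            String peer = e.getAttribute("peeralias");
            try {
                Certificate c = ts.getCertificate(peer);
                if (c == null) findings.add("sc:TrustStore: no certificate under peeralias '" + peer + "'");
                else if (c instanceof X509Certificate) ((X509Certificate) c).checkValidity(); // expired or not yet valid throws
            } catch (Exception ex) {
                findings.add("sc:TrustStore: certificate '" + peer + "' unusable: " + ex);
            }
        }
        // Step 8 of the service configuration: Key Size 256 needs the unlimited-strength policy.
        try {
            int maxAes = Cipher.getMaxAllowedKeyLength("AES");
            if (configuredKeySize > maxAes) findings.add("Key Size " + configuredKeySize + " exceeds this JVM's "
                    + maxAes + "-bit AES limit; select 128 or install the unlimited-strength policy");
        } catch (Exception ex) {
            findings.add("cannot query the AES key-size limit: " + ex);
        }
        return findings;
    }

    /** Flags the development default password, then opens the JKS or records why it cannot. */
    static KeyStore open(Element e, List<String> findings) {
        String tag = e.getTagName(), location = e.getAttribute("location");
        char[] storepass = e.getAttribute("storepass").toCharArray();
        if ("changeit".equals(new String(storepass)))
            findings.add(tag + ": storepass is the GlassFish development default; acceptable for this tutorial only");
        if (location.isEmpty()) {
            findings.add(tag + ": location attribute missing; add it as in the manual-configuration steps");
            return null;
        }
        try (InputStream in = Files.newInputStream(Paths.get(location))) {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, storepass);
            return ks;
        } catch (Exception ex) {   // missing file, wrong store password, bad path, non-JKS format ...
            findings.add(tag + ": cannot open " + location + ": " + ex);
            return null;
        }
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(false);   // prefixed names are then matched literally ("sc:KeyStore")
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        String xml = args.length > 0 ? new String(Files.readAllBytes(Paths.get(args[0])), "UTF-8") : SAMPLE_CONFIG;
        List<String> findings = check(parse(xml), 128);   // 128 = Key Size selected in step 8
        if (findings.isEmpty()) System.out.println("OK: every keystore and truststore entry resolves");
        for (String f : findings) System.out.println("FINDING: " + f);
    }
}
```

Run it with the path to the client's META-INF XML file as the only argument; with no argument it checks the embedded sample, whose keystore paths will not exist on your machine and will therefore be reported as findings.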

12.9.8. Example: Broker Trust STS (BT)

The Broker Trust STS example illustrates the interaction between a client and a server in different domains through the STSs of their respective domains. In this kind of scenario, the STSs of the different domains must have a trust relationship between them. Let the client and STS2 be in domain A, and the server and STS1 in domain B. Here, STS1 is the remote STS in the server's domain (B) and STS2 is the local STS in the client's domain (A). There is a trust relationship between STS1 and STS2. These are the steps the client has to follow to communicate with the server.

  • The client wants to communicate with the server.
  • The server asks the client to get a token from STS1 to communicate with it.
  • The client would now like to communicate with the remote STS (STS1).
  • STS1 asks the client to get a token from the client's local STS (STS2) to communicate with it.
  • The client sends a request to the local STS (STS2) asking for a token to communicate with STS1.
  • STS2 issues a token to the client, which the client uses to communicate with STS1.
  • STS1 issues a token to the client, which the client uses to communicate with the server.
  • The client now communicates with the server using a token issued by STS1, which the server understands.

This section describes the following tasks:

To Create and Secure the First STS (BT)

To create and secure a Security Token Service (the remote STS) for this example, follow these steps.

  1. Create a new project for the STS by selecting File | New Project.
  2. Select Web, then Web Application, then Next.
  3. Type MySTS1Project for the Project Name, then click Finish.
  4. Right-click the MySTS1Project node, select New, then select Other.
  5. Select Web Services from the Categories list.
  6. Select Secure Token Service (STS) from the File Type(s) list, then click Next.
  7. Type the name MySTS1 for the Web Service Class Name.
  8. Enter or select org.me.my.sts1 in the Package field, then click Finish. If prompted to reload the catalog.xml file, click No.

    The IDE takes a while to create the first STS. When created, it appears under the project's Web Services node as MySTS1Service.

  9. The STS wizard creates an implementation of the provider class. To view it, expand Source Packages, then org.me.my.sts1. Double-click MySTS1.java to open it in the right pane.
  10. In the Projects window, expand the MySTS1Project node, then expand the Web Services node. Right-click the MySTS1Service[IMySTS1Service_Port] node and select Edit Web Service Attributes to configure the STS.
  11. Set Version Compatibility to ".NET 3.5 / Metro 1.3" (see Web Service Attributes Editor Page). This selects the WS-SX versions of all the WS-* specifications.
  12. Select Secure Service if it's not already selected.
  13. Verify that the Security Mechanism of "STS Issued Token" is selected.
  14. Click the Configure button. For Algorithm Suite, verify that Basic128 bit is selected (so that it matches the value selected for the service). Click OK to close the configuration dialog.
  15. If not already selected, select Act as Secure Token Service (STS).

    If you'd like to use an STS other than the default, click the STS Configure button, and click the Add button to add a different service provider. Click OK to close the STS Configuration dialog.

  16. Click Configure. In the Issuer field, enter MySTS1. Click OK to close.
  17. Click the Keystore button to provide your keystore with the alias identifying the service certificate and private key. To do this, click the Load Aliases button, select wssip, then click OK to close the dialog.
  18. Click OK.

    A new file is added to the project. To view the WSIT configuration file, expand Configuration Files | xml-resources | web-services | MySTS1 | wsdl, then double-click the file MySTS1Service.wsdl. This file contains the tc:STSConfiguration element within the wsp:Policy elements.

  19. Right-click the MySTS1Project tab, select Properties. Select the Run category, and type the following in the Relative URL field: /MySTS1Service?wsdl.
  20. Run the Project (right-click the project and select Run).

    The STS WSDL appears in the browser.

To Create and Secure the Second STS (BT)

To create and secure a Security Token Service (the local STS) for this example, follow these steps.

  1. Create a new project for the 2nd STS by selecting File | New Project.
  2. Select Web, then Web Application, then Next.
  3. Type MySTS2Project for the Project Name, then click Finish.
  4. Right-click the MySTS2Project node, select New, then select Other.
  5. Select Web Services from the Categories list.
  6. Select Secure Token Service (STS) from the File Type(s) list, then click Next.
  7. Type the name MySTS2 for the Web Service Class Name.
  8. Enter or select org.me.my.sts2 in the Package field, then click Finish. If prompted to reload the catalog.xml file, click No.

    The IDE takes a while to create the second STS. When created, it appears under the project's Web Services node as MySTS2Service.

  9. The STS wizard creates an implementation of the provider class. To view it, expand Source Packages, then org.me.my.sts2. Double-click MySTS2.java to open it in the right pane.
  10. In the Projects window, expand the MySTS2Project node, then expand the Web Services node. Right-click the MySTS2Service[IMySTS2Service_Port] node and select Edit Web Service Attributes to configure the STS.
  11. Set Version Compatibility to ".NET 3.5 / Metro 1.3" (see Web Service Attributes Editor Page). This selects the WS-SX versions of all the WS-* specifications.
  12. Select Secure Service if it's not already selected.
  13. Verify that the Security Mechanism of Username Authentication with Symmetric Key is selected.
  14. Click the Configure button. For Algorithm Suite, verify that Basic128 bit is selected (so that it matches the value selected for the service). Click OK to close the configuration dialog.
  15. If not already selected, select Act as Secure Token Service (STS).

    If you'd like to use an STS other than the default, click the STS Configure button, and click the Add button to add a different service provider. Click OK to close the STS Configuration dialog.

  16. Click Configure. In the Issuer field, enter MySTS2. Click OK to close.
  17. Click the Keystore button to provide your keystore with the alias identifying the service certificate and private key. To do this, click the Load Aliases button, select wssip, then click OK to close the dialog.
  18. Click OK.

    A new file is added to the project. To view the WSIT configuration file, expand Configuration Files | xml-resources | web-services | MySTS2 | wsdl, then double-click the file MySTS2Service.wsdl. This file contains the tc:STSConfiguration element within the wsp:Policy elements.

  19. Right-click the MySTS2Project tab, select Properties. Select the Run category, and type the following in the Relative URL field: /MySTS2Service?wsdl.
  20. Run the Project (right-click the project and select Run).

    The STS WSDL appears in the browser.

To Secure the Example Service Application (BT)

The following example application starts with the example provided in Developing with NetBeans and demonstrates adding security to both the web service and to the web service client.

For this example, the security mechanism of STS Issued Token is used to secure the application. The steps are similar to the ones described in Example: Username Authentication with Symmetric Key (UA), with the addition of creating and securing an STS.

To add security to the service part of the example, follow these steps.

  1. Create the CalculatorApplication example by following the steps described in the following sections of Developing with NetBeans.
    1. Creating a Web Service
    2. Skip the section on adding Reliable Messaging.
    3. Deploying and Testing a Web Service (first two steps only, do not run the project yet).
  2. Expand CalculatorApplication | Web Services, then right-click the node for the web service, CalculatorWS, and select Edit Web Service Attributes.
  3. Set Version Compatibility to ".NET 3.5 / Metro 1.3" (see Web Service Attributes Editor Page). This selects the WS-SX versions of all the WS-* specifications.
  4. Deselect the Reliable Messaging option if it is selected.
  5. Select Secure Service.
  6. From the drop-down list for Security Mechanism, select STS Issued Token.
  7. Click Configure. For Issuer Address and Issuer Metadata Address, enter http://localhost:8080/MySTS1Project/MySTS1Service. For Issuer Metadata, enter http://localhost:8080/MySTS1Project/MySTS1Service/mex
  8. For Algorithm Suite, select Basic 128 bit. For Key Size, select 128 (the algorithm suite value of the service must match the algorithm suite value of the STS). Select OK to close the configuration dialog.

    If you have configured Unlimited Strength Encryption as described in To Create a Third-Party STS, you can leave the key size at 256. Otherwise, you must set it to 128.

  9. Select Use Development Defaults.
  10. Click OK.

    A new file is added to the project. To view the WSIT configuration file, expand Web Pages | WEB-INF, then double-click the file wsit-org.me.calculator.CalculatorWS.xml and select the Source page. This file contains the security elements within wsp:Policy tags.

  11. Right-click the CalculatorApplication node and select Properties. Select the Run category, and type the following in the Relative URL field: /CalculatorWSService?wsdl.
  12. Right-click the CalculatorApplication node and select Run. This step compiles the application and deploys it onto GlassFish. A browser will open and display the WSDL file for the application.

To Secure the Example Web Service Client Application (BT)

This section demonstrates adding security to the CalculatorApplication's web service client. The service was secured using the security mechanism described in STS Issued Token .

To add security to the web service client, complete the following steps.

  1. Create the client application by following the steps described in Creating a Client to Consume a WSIT-Enabled Web Service.

    Whenever you make changes on the service, refresh the client so that the client will pick up the change. To refresh the client, right-click the node for the Web Service Reference for the client, and select Refresh Client.

  2. Drill down from CalculatorWSServletClient | Web Service References.
  3. Right-click CalculatorWSService and select Edit Web Service Attributes, then select the Quality of Service tab.
  4. Provide the client's private key by pointing to an alias in the keystore. To do this, click the Keystore button, click the Load Aliases button, and select xws-security-client from the Alias list.
  5. Provide the service's certificate by pointing to an alias in the client truststore. To do this, click the Truststore button, click the Load Aliases button for the truststore, and select xws-security-server from the Alias list.
    • In some instances, NetBeans will not detect that this client is a JSR-196 client, and thus will require that the keystore and truststore entries be manually configured. To do this, follow the steps in this section.
    • Expand CalculatorWSServletClient | Source Packages | META-INF.
    • Double-click CalculatorWSService.xml to open it in the Source window. Click the Source tab to view the code. Find the sc:KeyStore and sc:TrustStore elements. If these elements already carry the location and storepass attributes, continue with the next step. If not, add the attributes to this file. The following code shows an example of how these elements should be specified.

                                      <sc:TrustStore wspp:visibility="private"
                                      location="<GF_HOME>\glassfish\domains\domain1\config\cacerts.jks"
                                      storepass="changeit" peeralias="xws-security-server"/>
                                      <sc:KeyStore wspp:visibility="private"
                                      location="<GF_HOME>\glassfish\domains\domain1\config\keystore.jks"
                                      storepass="changeit" alias="xws-security-client"/>
                                  
  6. Click OK to close this dialog.
  7. The service requires a token to be issued from the first STS (the remote STS) at http://localhost:8080/MySTS1Project/MySTS1Service, with WSDL file http://localhost:8080/MySTS1Project/MySTS1Service?wsdl. To do this, follow these steps:
    1. Right-click the CalculatorWSServletClient node and select New | Web Service Client.

      The New Web Service Client window appears.

    2. Select the WSDL URL option.
    3. Cut and paste the URL of the web service that you want the client to consume into the WSDL URL field. For this example, here is the URL for the MySTS1 web service:
      http://localhost:8080/MySTS1Project/MySTS1Service?wsdl
    4. Type org.me.calculator.client.sts1 in the Package field, then click Finish.

      The Projects window displays the new web service client.

  8. Drill down from CalculatorWSServletClient | Web Service References.
  9. Right-click MySTS1Service and select Edit Web Service Attributes.
  10. Select the Quality of Service tab of the MySTS1Service dialog.
  11. Provide the client's private key by pointing to an alias in the keystore. To do this, click the Keystore button, click the Load Aliases button, and select xws-security-client from the Alias list. If the Keystore button is not selectable, follow the instructions in the next step for adding the keystore entry manually.
  12. Verify the STS's certificate by pointing to an alias in the client truststore. To do this, click the Truststore button, click the Load Aliases button, and select wssip from the Alias list.
    • In some instances, NetBeans will not detect that this client is a JSR-196 client, and thus will require that the keystore and truststore entries be manually configured. To do this, follow the steps in this section.
    • Expand CalculatorWSServletClient | Source Packages | META-INF.
    • Double-click MySTS1Service.xml to open it in the Source window. Click the Source tab to view the code. Find the sc:KeyStore and sc:TrustStore elements. If these elements already carry the location and storepass attributes, continue with the next step. If not, add the attributes to this file. The following code shows an example of how these elements should be specified.

                                      <sc:TrustStore wspp:visibility="private"
                                      location="<GF_HOME>\glassfish\domains\domain1\config\cacerts.jks"
                                      storepass="changeit" peeralias="wssip"/>
                                      <sc:KeyStore wspp:visibility="private"
                                      location="<GF_HOME>\glassfish\domains\domain1\config\keystore.jks"
                                      storepass="changeit" alias="xws-security-client"/>
                                  
  13. Expand the Security Token Service node to provide details for the second STS (the local STS) to be used. When the Endpoint and the Metadata values are the same, you only need to enter the Endpoint value. For the Endpoint field, enter the following value: http://localhost:8080/MySTS2Project/MySTS2Service. For the WS Trust Version field, select 1.3 if the STS endpoint uses ".NET 3.5 / Metro 1.3" version compatibility. Otherwise, use the default WS Trust Version.
  14. Click OK to close this dialog.
  15. The first STS (the remote STS) requires a token to be issued from the second STS (the local STS) at http://localhost:8080/MySTS2Project/MySTS2Service, with WSDL file http://localhost:8080/MySTS2Project/MySTS2Service?wsdl. To do this, follow these steps:
    1. Right-click the CalculatorWSServletClient node and select New | Web Service Client.

      The New Web Service Client window appears.

    2. Select the WSDL URL option.
    3. Cut and paste the URL of the web service that you want the client to consume into the WSDL URL field. For this example, here is the URL for the MySTS2 web service:
      http://localhost:8080/MySTS2Project/MySTS2Service?wsdl
    4. Type org.me.calculator.client.sts2 in the Package field, then click Finish.

      The Projects window displays the new web service client.

  16. Drill down from CalculatorWSServletClient | Web Service References.
  17. Right-click MySTS2Service and select Edit Web Service Attributes.
  18. Select the Quality of Service tab of the MySTS2Service dialog.
  19. Provide the client's private key by pointing to an alias in the keystore. To do this, click the Keystore button, click the Load Aliases button, and select xws-security-client from the Alias list. If the Keystore button is not selectable, follow the instructions in the next step for adding the keystore entry manually.
  20. Verify the STS's certificate by pointing to an alias in the client truststore. To do this, click the Truststore button, click the Load Aliases button, and select wssip from the Alias list.
    • In some instances, NetBeans will not detect that this client is a JSR-196 client, and thus will require that the keystore and truststore entries be manually configured. To do this, follow the steps in this section.
    • Expand CalculatorWSServletClient | Source Packages | META-INF.
    • Double-click MySTS2Service.xml to open it in the Source window. Click the Source tab to view the code. Find the sc:KeyStore and sc:TrustStore elements. If these elements already carry the location and storepass attributes, continue with the next step. If not, add the attributes to this file. The following code shows an example of how these elements should be specified.

                                      <sc:TrustStore wspp:visibility="private"
                                      location="<GF_HOME>\glassfish\domains\domain1\config\cacerts.jks"
                                      storepass="changeit" peeralias="wssip"/>
                                      <sc:KeyStore wspp:visibility="private"
                                      location="<GF_HOME>\glassfish\domains\domain1\config\keystore.jks"
                                      storepass="changeit" alias="xws-security-client"/>
                                  
  21. Enter the default user name and password.

    If you followed the steps in Adding Users to GlassFish, this will be User Name wsitUser and Password changeit.

  22. Click OK to close this dialog.
  23. Compile and run this application by right-clicking the CalculatorWSServletClient project and selecting Run. The result of the add operation will display in a browser window.

12.9.9. Example: STS Issued Token With SecureConversation (STS+SC)

This example illustrates how a SecureConversation token is used to interact with the STS. For a basic introduction to SecureConversation, see the article Secure Conversations for Web Services With Metro.

This section describes the following tasks:

To Create and Secure the STS with SecureConversationToken (STS+SC)

Same as described in To Create and Secure the STS (STS).

To Secure the Example Service Application (STS+SC)

The following example application starts with the example provided in Developing with NetBeans and demonstrates adding security to both the web service and to the web service client.

For this example, the security mechanism of STS Issued Token is used to secure the application. The steps are similar to the ones described in Example: Username Authentication with Symmetric Key (UA), with the addition of creating and securing an STS.

To add security to the service part of the example, follow these steps.

  1. Create the CalculatorApplication example by following the steps described in the following sections of Developing with NetBeans.
    1. Creating a Web Service
    2. Skip the section on adding Reliable Messaging.
    3. Deploying and Testing a Web Service (first two steps only, do not run the project yet).
  2. Expand CalculatorApplication | Web Services, then right-click the node for the web service, CalculatorWS, and select Edit Web Service Attributes.
  3. Set Version Compatibility to ".NET 3.5 / Metro 1.3" (see Web Service Attributes Editor Page). This selects the WS-SX versions of all the WS-* specifications.
  4. Deselect the Reliable Messaging option if it is selected.
  5. Select Secure Service.
  6. From the drop-down list for Security Mechanism, select STS Issued Token.
  7. Click Configure. For Issuer Address and Issuer Metadata Address, enter http://localhost:8080/MySTSProject/MySTSService. For Issuer Metadata, enter http://localhost:8080/MySTSProject/MySTSService/mex
  8. Click the Configure button and do the following:

    For Algorithm Suite, verify that Basic128 bit is selected (so that it matches the value selected for the service).

    Check the Establish Secure Session (Secure Conversation) check box to enable the secure conversation feature.

    If you have configured Unlimited Strength Encryption as described in To Create a Third-Party STS, you can leave the key size at 256. Otherwise, you must set it to 128.

    Click OK to close the configuration dialog.
  9. Select Use Development Defaults.
  10. Click OK.

    A new file is added to the project. To view the WSIT configuration file, expand Web Pages | WEB-INF, then double-click the file wsit-org.me.calculator.CalculatorWS.xml and select the Source page. This file contains the security elements within wsp:Policy tags.

  11. Right-click the CalculatorApplication node and select Run. This step compiles the application and deploys it onto GlassFish. A browser will open and display the WSDL file for the application.

To Secure the Example Web Service Client Application (STS+SC)

The steps are the same as those provided in To Secure the Example Web Service Client Application (STS).

12.9.10. Example: Kerberos Token (Kerb)

This section contains the steps for running a Kerberos Token Profile-based WS-Security scenario. Kerberos support was added to Metro in the 1.1 release. NetBeans support for configuring a Kerberos Token-based secure web service is available from Metro 1.3 and NetBeans 6.5.

For an article discussing the use of Kerberos with WSIT, see Building Kerberos-Based Secure Services Using Metro. The article includes a sample application but does not use the NetBeans IDE.

The section describes the following tasks:

To Set Up Your System for Kerberos Profile

If your system is not already set up to use Kerberos, follow the steps in Configuring Kerberos for Glassfish and Tomcat.

To Secure the Example Service Application (Kerb)

The following example application starts with the example provided in Developing with NetBeans and demonstrates adding security to both the web service and to the web service client.

For this example, a Kerberos token is used to secure the application. To add security to the service part of the example, follow these steps.

  1. Create the CalculatorApplication example by following the steps described in the following sections of Developing with NetBeans.
    1. Creating a Web Service
    2. Skip the section on adding Reliable Messaging.
    3. Deploying and Testing a Web Service (first two steps only, do not run the project yet)
  2. Expand CalculatorApplication | Web Services, then right-click the node for the web service (CalculatorWS) and select Edit Web Service Attributes.
  3. Deselect Reliable Messaging if it is selected.
  4. In the CalculatorWSPortBinding section, select Secure Service.
  5. From the drop-down list for Security Mechanism, select Symmetric Binding with Kerberos Tokens.
  6. Click the Kerberos button and specify the Login Module to be used for the service. For details on which Login Module to specify, refer to Configuring Kerberos for Glassfish and Tomcat.
    [Screen shot: Kerberos Configuration Attributes - Service, in the Web Service Attributes Editor page]
  7. Click OK to close the CalculatorWSService dialog.

    Expand Web Pages | WEB-INF, then double-click the file wsit-org.me.calculator.CalculatorWS.xml to open it in the edit window. The binding-level policy looks like the following (this section of code has been formatted to fit the page):


    <wsp:Policy wsu:Id="IFinancialService_policy">
      <wsp:ExactlyOne>
        <wsp:All>
          <wsaws:UsingAddressing
              xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl"/>
          <sp:SymmetricBinding>
            <wsp:Policy>
              <sp:ProtectionToken>
                <wsp:Policy>
                  <sp:KerberosToken
                      sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Once">
                    <wsp:Policy>
                      <sp:WssGssKerberosV5ApReqToken11/>
                    </wsp:Policy>
                  </sp:KerberosToken>
                </wsp:Policy>
              </sp:ProtectionToken>
              <sp:Layout>
                <wsp:Policy>
                  <sp:Strict/>
                </wsp:Policy>
              </sp:Layout>
              <sp:IncludeTimestamp/>
              <sp:OnlySignEntireHeadersAndBody/>
              <sp:AlgorithmSuite>
                <wsp:Policy>
                  <sp:Basic128/>
                </wsp:Policy>
              </sp:AlgorithmSuite>
            </wsp:Policy>
          </sp:SymmetricBinding>
          <sp:Wss11>
            <wsp:Policy>
              <sp:MustSupportRefKeyIdentifier/>
              <sp:MustSupportRefIssuerSerial/>
              <sp:MustSupportRefThumbprint/>
              <sp:MustSupportRefEncryptedKey/>
            </wsp:Policy>
          </sp:Wss11>
          <sc:KerberosConfig
              xmlns:sc="http://schemas.sun.com/2006/03/wss/server"
              loginModule="KerberosServer"/>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>
                        
  8. Right-click the CalculatorApplication node and select Run. A browser will open and display the WSDL file for the application.

    If the application doesn't build, expand CalculatorApplication | Web Pages | WEB-INF, and double-click web.xml to open it in the right pane. Select the Security tab, and remove any existing security constraints. Then run the project again.

  9. Follow the steps to secure the client application as described in To Secure the Example Web Service Client Application (Kerb).

To Secure the Example Web Service Client Application (Kerb)

This section demonstrates adding security to the web service client that references the web service created in the previous section. It also assumes that the Kerberos environment has already been set up on the system. Refer to Configuring Kerberos for Glassfish and Tomcat for more details.

To add security to the client that references this web service, complete the following steps.

  1. Create the client application by following the steps described in Creating a Client to Consume a WSIT-Enabled Web Service.

    Whenever you make changes on the service, refresh the client so that the client will pick up the change. To refresh the client, right-click the node for the Web Service Reference for the client, and select Refresh Client.

  2. Expand the node for the web service client application, CalculatorWSServletClient.
  3. Expand the Web Service References node.
  4. Right-click on CalculatorWSService, select Edit Web Service Attributes.
  5. Expand the Web Service References node.
  6. In the Security section of the Quality of Service tab, select Kerberos. Specify the Login Module and the Service Principal, and select the check box if credentials should be delegated.

    Set the Login Module to the one you created in the client's login.conf file in the section Configuring Kerberos for Glassfish and Tomcat, and set the service principal to the one for which the ticket needs to be obtained.

    Kerberos support in Metro security includes credential delegation from the client to the service, so that the server can initiate other security contexts on behalf of the client. This feature is useful for single sign-on in a multi-tier environment. Select the check box for credential delegation.

    At the service, the delegated credentials can be obtained from the Subject of the authenticated user. The PrivateCredential set of the Subject holds the delegated client credentials (as a GSSCredential). This GSSCredential can be passed to GSSManager.createContext() to initiate a context as the client.

    Also, the PublicCredential set of the authenticated Subject will always contain the KerberosPrincipal corresponding to the client.

    [Screen shot: Kerberos Configuration Attributes - Client, in the Web Service Attributes Editor page]
  7. Right-click the CalculatorWSServletClient node and select Run. The result of the add operation will display in a browser window.

    If your client is a Java SE client, you need to set the following system properties while running your client code:

    -Djava.security.policy=/domains/domain1/config/server.policy
    -Djava.security.auth.login.config=/domains/domain1/config/login.conf

    If the client is a web application deployed on GlassFish, nothing else needs to be done.
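The delegation flow described in step 6 above, as an added example that is not Metro's own code: a helper that pulls the client's KerberosPrincipal and the delegated GSSCredential out of the authenticated Subject and uses the latter to initiate a GSS context to a back-end service as the original client. It assumes the service has already obtained the Subject from the request (how that is done is Metro-specific and not shown), and the back-end name "backend@host.example.com" is a placeholder.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/** Added example (not Metro code): using what Metro places in the authenticated Subject. */
public final class DelegatedKerberosHelper {
    /** Client's Kerberos principal, or null if the caller was not Kerberos-authenticated. */
    public static KerberosPrincipal clientPrincipal(Subject subject) {
        // JAAS normally stores it in the principals set; the text above says Metro
        // also exposes it in the public credentials, so both places are checked.
        Set<KerberosPrincipal> p = subject.getPrincipals(KerberosPrincipal.class);
        if (!p.isEmpty()) return p.iterator().next();
        Set<KerberosPrincipal> pub = subject.getPublicCredentials(KerberosPrincipal.class);
        return pub.isEmpty() ? null : pub.iterator().next();
    }

    /** Delegated GSSCredential from the private credentials, or null if none was delegated. */
    public static GSSCredential delegatedCredential(Subject subject) {
        Set<GSSCredential> creds = subject.getPrivateCredentials(GSSCredential.class);
        return creds.isEmpty() ? null : creds.iterator().next();
    }

    /**
     * First AP-REQ token for a back-end service, initiated with the delegated credential so
     * the back end authenticates the original client rather than this service.
     * backendService is a host-based name such as "backend@host.example.com" (placeholder).
     */
    public static byte[] initContextAsClient(Subject subject, String backendService)
            throws Exception {
        final GSSCredential delegated = delegatedCredential(subject);
        if (delegated == null) {
            throw new SecurityException("client did not delegate credentials");
        }
        // Run inside the Subject so the Kerberos provider can see the delegated TGT.
        return Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            Oid krb5 = new Oid("1.2.840.113554.1.2.2");   // Kerberos V5 mechanism OID
            GSSName peer = mgr.createName(backendService, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = mgr.createContext(peer, krb5, delegated, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true);   // require the back end to prove its identity too
            return ctx.initSecContext(new byte[0], 0, 0);
        });
    }
}
```

The returned token is the first message of the back-end exchange; the back end's reply is fed back into the same GSSContext until isEstablished() is true.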

Terms of Use; Privacy Policy; Copyright ©2013-2014 (revision 20131025.e7cbc9d)