Securing Web Services Using the SAML or UserNameToken Profiles

This tutorial illustrates how you can enable SAML-based and UserNameToken-based authentication between a web service client and a web service provider using the bundled Access Manager along with the integrated support for the WS-Security standard in Application Server's web services client and server-side containers.

Content on this page applies to NetBeans IDE 6.5, 6.1 and 6.0

To follow this tutorial, you need the following software and resources.

Software or Resource: Version Required
NetBeans IDE "All" pack: 6.0, 6.1 or 6.5
Java Development Kit (JDK): version 6 or version 5
Java Application Server SDK, including Access Manager: Latest App Platform or Java EE and Tools distribution

The Java EE and Tools distribution of the Java Application Server SDK includes NetBeans IDE.

Installing the Sun Java System Access Manager

If you have already installed and configured the Access Manager in the past, check your user directory and, if it exists, delete the file

[Your_Userdir]/AccessManager/AMConfig_opt_SUNWappserver_domains)domain1_applications_j2ee-modules_amserver_

before you begin a fresh installation.

To install the Sun Java System Access Manager, you must first ensure that you have installed the full NetBeans IDE. Next:

1. Obtain the latest Java Application Platform SDK from http://java.sun.com/javaee/downloads/index.jsp.
2. Run the Java SDK installer, specifying an installation directory of your choice and accepting the default options.
3. Choose Add-Ons that include the Sun Java System Access Manager.
4. Continue running the installer. When it finishes, start the server and select Finish.
5. Start the IDE. In the Services tab, right-click the Servers node and choose Add Server from the pop-up menu. The Add Server Instance dialog opens.
6. Click Next. The Platform Location Folder page opens.
7. In the Platform Location field, use the Browse button to navigate to and select the directory containing the Java Application Platform SDK you have just installed. Click Finish.

The Sun Java System Access Manager appears as a node in the Services tab under the Application Server you have just installed. You must start the Application Server to begin working with the Sun Java System Access Manager.

Verifying the Configuration of the Access Manager Installation

In the Services window, expand the Sun Java System Access Managers node. Right-click the Access Manager node and select the View Admin Console action. You are redirected to the Login page, which is displayed immediately on subsequent logins. The Log In page opening indicates that the Access Manager server is running, and you can log in to the Sun Java System Access Manager.

You need to configure the Access Manager to run properly. It is configured by default when you first start the Glassfish Server you obtained from the SDK, but you can reconfigure it later, if needed. For further information, check the [your_SDKGlassfish_location]/addons/README.html file.

Configuring the Tutorial Environment

1. Start the IDE. To verify that the Sun Java System Application Server is configured in the IDE, click the Runtime tab and expand the Servers node. If the Servers node does not contain a Java EE SDK GlassFish node, follow the steps in Adding an Application Server.
2. In the Runtime window, expand the Servers node, right-click the Java EE SDK GlassFish node and choose Start from the pop-up menu.
3. Wait until the following message appears in the Output window:
   Application server startup complete.
   When the server is running, the IDE displays a green arrow badge on the Sun Java System Application Server 9 node.

Note: If the Start option is not available, your server is already running.

Creating the Tutorial Projects

The two tutorial projects are StockQuoteService and StockQuoteClient.

To create the StockQuoteService project:

1. From the IDE's main menu, choose File > New Project.
2. In the Categories list, expand the Samples node, then select the Identity Blueprints node.
3. In the Projects list, select Stock Service. Click Next.
4. Accept the default Project Name (StockQuoteService) and optionally change the Project Location. Click Finish.

To create the StockQuoteClient project:

1. From the IDE's main menu, choose File > New Project.
2. In the Categories list, expand the Samples node, then select the Identity Blueprints node.
3. In the Projects list, select StockQuote Client. Click Next.
4. Accept the default values for Project Name (StockQuote Client) and Project Location. Click Finish.

The Projects window now contains a StockQuote Client project node.

If you have installed NetBeans IDE with the bundled GlassFish v2 server, it is now selected as the default server for both sample projects. You need to select the Java EE SDK Glassfish instead.

To change the project servers to Java EE SDK Glassfish:

1. Open the Projects tab. Right-click the StockQuoteService project node and select Properties.
2. Select the Run category.
3. Open the Server drop-down list and select Java EE SDK Glassfish. Click OK.
4. Repeat these steps for the StockQuoteClient project.

Securing Web Services: Using the SAML-HolderOfKey Security Mechanism

In this scenario, we are using the SAML-HolderOfKey security profile without the response being signed but using the default key store. To do this, we will first edit the token profile for the Access Manager and then configure the web service provider and client.

To edit the SAML-HolderOfKey profile:

1. In the Runtime window, expand the Sun Java System Access Managers node, then expand the Profiles node.
2. Select the SAML-HolderOfKey node, right-click and choose Edit. The Edit SAML-HolderOfKey Profile dialog box opens.
   [Screenshot: Edit SAML-HolderOfKey Profile dialog box, with the Use Default Key Store box selected]
3. Clear the Sign Response checkbox.
4. Locate Existing Certificate Settings and confirm that the Use Default Key Store checkbox is selected. Click OK.

To configure the web service provider:

1. In the Projects window, expand the StockQuoteService project node and the Web Services node.
2. Within Web Services, right-click the StockService node and select Edit Web Service Attributes from the pop-up menu. The StockService window opens with the AM Security tab selected.
   [Screenshot: AM Security tab of the Edit Web Service Attributes dialog for StockService, with Enable Message Level Security selected and the SAML-HolderOfKey mechanism selected]
3. Select the Enable Message Level Security checkbox.
4. From the Request drop-down list, select the SAML-HolderOfKey security mechanism. Click OK.

To configure the web service client:

1. In the Projects window, expand the StockQuoteClient node and the Web Service References node.
2. Under Web Service References, right-click the StockService node and choose Edit Web Service Attributes from the pop-up menu. The Web Service Client Security Configuration dialog box opens.
   [Screenshot: AM Security tab of the Edit Web Service Attributes dialog for the StockService client reference, with Enable Message Level Security selected and the SAML-HolderOfKey mechanism selected]
3. Select the Enable Message Level Security checkbox.
4. From the Request drop-down list, select the SAML-HolderOfKey mechanism.
5. Locate Existing Certificate Settings. Confirm that the Use Default Key Store checkbox is selected. Click OK.

If error icons appear in the Web Service References of StockQuoteClient, deploy the StockQuoteService project (right-click the service project node and select Undeploy and Deploy) and refresh the client (right-click the web service reference node and select Refresh Client).

You can now proceed to deploying and running the sample by following the instructions in Deploying and Running the Project.

Securing Web Services: Using the UserNameToken Security Mechanism

In this scenario, you use the UserNameToken security profile with signed response and use the default key store. To do this, you first edit the token profile for the Access Manager and then configure the web service provider and client.

To edit the UserNameToken profile:

1. In the Runtime window, expand the Sun Java System Access Managers node, then expand the Profiles node.
2. Select the UserNameToken node, then right-click and choose Edit. The Edit UserNameToken Profile dialog box opens.
   [Screenshot: Edit UserNameToken Profile dialog, showing user name sherry added and the Sign Response and Use Default Key Store boxes selected]
3. Select Use Default Key Store.
4. Locate Username Token Profile Info. Click the Add button to add a UserNameToken record for the web service client. The Add User dialog box opens.
5. In the Username field, type sherry. In the Password field, type mypw, and click OK.
6. Click OK to close the Edit UserNameToken Profile dialog box.

To configure the web service provider:

1. In the Projects window, expand the StockQuoteService node and the Web Services node.
2. Within Web Services, right-click the StockService node and select Edit Web Service Attributes from the pop-up menu. The StockService window opens with the AM Security tab selected.
   [Screenshot: AM Security tab of the Edit Web Service Attributes dialog for StockService, with Enable Message Level Security selected and the UserNameToken mechanism selected]
3. Select the Enable Message Level Security checkbox.
4. From the Request drop-down list, select the UserNameToken security mechanism. Click OK.

To configure the web service client:

1. In the Projects window, expand the StockClient node. Within the StockClient project, expand the Web Service References node.
2. Right-click the StockService node and choose Edit Web Service Attributes from the pop-up menu. The Web Service Client Security Configuration dialog box opens.
   [Screenshot: AM Security tab of the Edit Web Service Attributes dialog for the StockService client reference, with Enable Message Level Security and Use Default Key Store selected and the UserNameToken mechanism selected]
3. Select the Enable Message Level Security checkbox.
4. From the Request drop-down list, select the UserNameToken security mechanism.
5. In the Username field, type sherry and in the Password field, type mypw.
6. Select Use Default Key Store. Click OK.

You can now proceed to deploying and running the sample by following the instructions in Deploying and Running the Project.

Deploying and Running the Project

1. In the Projects window, right-click the StockQuoteService project node and choose Undeploy and Deploy Project.
   The IDE does the following:
   - Starts the application server if it is not already started.
   - Builds the StockQuoteService project. You can see the build results in the Output window.
   - Deploys server.war to the Application Server.
2. In the Projects window, right-click the StockQuoteClient project node and choose Run Project.
   The IDE does the following:
   - Builds the StockQuoteClient project. You can see the build results in the Output window.
   - Deploys client.war to the Application Server.
   - Opens the application in the browser.

Confirm that the URL field displays http://localhost:8080/stockquoteclient/

Click Submit.

You can click on the "View SOAP Messages" part of the display to see SOAP messages associated with this request.

Exploring the Log Files

The instructions in this section are optional. Use these instructions to view the changes in the log files.

1. Before you proceed to the next step, enable the most granular logging level. Follow the instructions in Changing the Security Level on the Application Server.
2. In the Projects window, right-click the StockQuoteClient project node and choose Run Project from the pop-up menu.
3. Open the Application Server log file (server.log) in the following directory: application-server-installation-directory\domains\domain1\logs.
   If you accepted the default values during installation, the window displays the C:\Sun\AppServer\domains\domain1\logs directory.
4. Notice the changes in the log file. The log file shows that the modules are using the methods defined in the configuration panels.

Samples of sections of the modified log file are available from the following links.

Additional Configuration Tasks

This section provides information about additional configuration tasks that you might want to perform.


Configuration Information for Application Server Not Installed on Port 8080

If the installation of the Sun Java System Application Server was performed on a port other than 8080, you must perform the additional configuration steps, as follows:

1. In the Projects window, expand StockQuoteClient > Web Pages > WEB-INF > wsdl, and open the stock.wsdl file in the editor.
2. Click the Source button to switch to the Source view of the file.
3. Scroll to the bottom of the file and locate the following line:
   <soap:address location="http://localhost:8080/stockservice/stockservice" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"/>
4. Replace the 8080 value with the port number on which the Application Server is installed. Save your changes and close the file.

Changing the Security Level on the Application Server

1. In the Runtime window, right-click the Java EE SDK GlassFish node and choose View Admin Console.
2. Type admin for the username and adminadmin for the password.
3. In the left navigation frame, click the Application Server link.
4. In the right frame, click the Logging tab and then click the Log Levels tab.
   [Screenshot: Application Server admin console, Log Levels tab]
5. Scroll to the bottom of the page and set Security to FINEST.
   [Screenshot: Application Server admin console, Security setting]
6. Click the Save button and log out.

References

The SAML specification (PDF)
OASIS WSS UserNameToken Profile (PDF)
Sun Java System Application Server Platform Edition 9 Documentation

For answers to any other questions you might have about securing web services by using NetBeans IDE 6.0, see NetBeansUserFAQ in the NetBeans wiki.

Summary

In this tutorial, we have learned how to enable SAML-based and UserNameToken-based authentication between a web service client and a web service provider. To do this, we have

Next Steps

To learn more about Identity Management, see the appropriate help topics in the NetBeans IDE.

To send comments and suggestions, obtain support, and stay informed of the latest changes to the NetBeans IDE development features, join the mailing list.
