Configuring WS-Security for JAX-WS web services in WebSphere Process Server V7

Calling secure JAX-WS web services remotely from different WebSphere cells

Learn how to configure WS-Security for a JAX-WS web service and a JSP client. The tutorial shows how to configure the WebSphere® environment so that the JSP client in one WebSphere cell can call the JAX-WS web service in WebSphere Process Server located in a different cell.


About this tutorial

This tutorial describes how to configure WS-Security for a JAX-WS web service to run in WebSphere Process Server V7 in one WebSphere cell, and a JSP client to run in a different WebSphere cell. It also provides the steps needed for single sign-on across WebSphere cells.

Although WS-Security addresses message-level authentication, confidentiality, and integrity, the scope of WS-Security in this tutorial is limited to propagating credentials through the use of Lightweight Third Party Authentication (LTPA) tokens. Other means of propagating credentials in the WS-Security envelope are supported in WebSphere Application Server.

Objectives

The objective of this tutorial is to make it easy for WebSphere users to configure WS-Security for a JSP client to run in a WebSphere cell, and a JAX-WS web service to run in a WebSphere Process Server cell.

Prerequisites

To follow the steps in this tutorial, you need WebSphere Integration Developer V7 to generate and configure the JSP client and the JAX-WS web service. The WebSphere Process Server test environment that comes with WebSphere Integration Developer is adequate to run the test, but you need to create another WebSphere cell for the JSP client to demonstrate the single sign-on capability through LTPA.

System requirements

  • WebSphere Integration Developer V7
  • WebSphere Process Server V7 test environment that comes with WebSphere Integration Developer
  • Another WebSphere cell

Duration

This tutorial takes about 2 hours to complete.

Download files

There are two project interchange files listed in the Download section of the tutorial: PI_Start.zip and PI_Final.zip.


Introduction

WebSphere Process Server (hereafter called Process Server) provides a runtime environment for a number of different types of SCA services, such as a BPEL process, a Java™ component and a business rules group. These services can be exposed in a number of different ways that enable clients to call them. One of the ways that services in Process Server can be exposed is as a web service. Process Server V7 supports SOAP 1.1/HTTP, SOAP 1.2/HTTP, SOAP 1.1/JMS, and SOAP 1.1/HTTP using JAX-RPC. It is a common scenario to have a client running in one WebSphere cell that needs to securely call a web service in Process Server in a different WebSphere cell.

This tutorial provides the steps needed to configure WS-Security on both the JSP client and the JAX-WS web service running in different WebSphere cells. The tutorial also provides the LTPA configuration steps needed on both cells to enable single sign-on across the WebSphere cells. The user is prompted to enter the user ID and password when accessing the JSP client. With the right credentials, the user has to log in only once through the JSP client. These credentials will flow from the JSP client WebSphere cell to the web service WebSphere cell. Once successfully authenticated, the user can invoke the web service.

Here are the high-level steps to configure WS-Security on the JSP client and the web service and to configure single sign-on across WebSphere cells via LTPA:

  1. Set up two WebSphere cells with one application server in each cell.
  2. Exchange LTPA keys between the WebSphere cells. This way, credentials encrypted in one WebSphere cell are decrypted and validated in another WebSphere cell. The default file-based user registry that comes with WebSphere works fine for the tests in this tutorial.
  3. Restart all WebSphere environments for the LTPA security changes to take effect.
  4. Secure the JSP client so that the user is prompted for an ID and password.
  5. Create a WS-Policy that contains only the WS-Security policy, which specifies only an LTPA token to carry the user credentials.
  6. Attach the WS-Policy to both the JAX-WS web service and the JSP client.
  7. Create a custom WS-Policy binding and attach it to the JAX-WS web service.
  8. Create the corresponding custom WS-Policy binding and attach it to the web service client.

To follow the steps in this tutorial, you only need the Integration Developer tool, the Process Server test environment, and a WebSphere cell that you can create from the Process Server code base available with Integration Developer. The screen shots shown in this tutorial are taken from Integration Developer V7. If you want to perform the steps in this tutorial, start with the PI_Start.zip project interchange that is available in the Download section of the tutorial. Alternatively, you can download PI_Final.zip and then follow the configuration steps that are performed in the WebSphere administrative console.


Configuring single sign-on

To configure single sign-on, follow the steps in the following tutorial: Configuring WS-Security for JAX-RPC web services in WebSphere Process Server V7.


Using the sample code

Each project interchange file in the Download section has three projects:

  1. TestWebService: This is an SCA module, which has one Java component exposed as a JAX-WS web service to be deployed in the Process Server cell.
  2. TestJAXWSClient: This is a dynamic web project, which has the web service client code generated from the JAX-WS web service WSDL.
  3. TestJAXWSClientEAR: This is the EAR project, which references TestJAXWSClient.

Adding a security role for the dynamic web module TestJAXWSClient

To perform this task, follow the steps in the following tutorial: Configuring WS-Security for JAX-RPC web services in WebSphere Process Server V7.

If you deploy TestJAXWSClientEAR, you are prompted for the user ID and password when you access the JSP client. You will also successfully call the web service. However, since the web service is not protected, the user credentials are not checked by the web service runtime.


Creating a custom WS-Policy

This section provides the steps to create a WS-Policy to be used by the web service.

  1. Log in to the administrative console of the web service.
  2. In the navigation table on the left, expand Services > Policy sets and click Application policy sets.
  3. In the Application policy sets window, click New to create a new policy.
  4. Enter a unique policy name in the Name field, such as Test JAX WS Policy.
  5. In the Policies window, click the Add button and select WS-Security.
  6. Click Save to save the policy.
  7. Click Test JAX WS Policy in the Application policy sets window.
  8. In the Policies window, click the WS-Security link and then click Main policy.
  9. Uncheck the Message level protection box. Click OK and Save. Click Main policy again.
  10. Click Request token policies.
  11. Click Add Token Type.
  12. Select LTPA.
  13. In the LTPA token name field, enter LTPA Token. Click OK and Save.

Attaching the custom WS-Policy to the web service and the web service client

Attaching the WS-Policy to the web service

  1. Log in to the administrative console of the web service.
  2. In the navigation table on the left, expand Services and then click Service providers.
  3. In the Service providers window, click the TestJavaExport1_TestJavaServiceHttpService link.
  4. In the Policy Set Attachments window, check the top box associated with TestJavaExport1_TestJavaServiceHttpService.
  5. Click Attach and select Test JAX WS Policy, which is the custom policy that was just created, and then select Save.

Attaching the WS-Policy to the web service client

Before attaching the WS-policy to the client, you need to export the policy from the web service environment and import the policy into the web service client environment.

Exporting the custom WS-Policy from the web service environment

  1. Log in to the administrative console of the web service.
  2. In the navigation table on the left, expand Services > Policy sets and click Application policy sets.
  3. In the Application policy sets window, check the box next to the custom policy you just created and click Export.
  4. Click the custom policy.zip link to save the zip policy file locally.

Importing the custom WS-Policy into the web service client environment

  1. Log in to the administrative console of the web service client.
  2. In the navigation table on the left, expand Services > Policy sets and click Application policy sets.
  3. In the Application policy sets window, click Import, and then select From selected location.
  4. Specify the pathname to the policy zip file saved on the local machine, or click Browse to locate it.
  5. Click OK and Save.

Attaching the custom WS-Policy to the web service client

  1. Log in to the administrative console of the web service client.
  2. In the navigation table on the left, expand Services and then click Service clients.
  3. Click the web service client link.
  4. Check the top level check box next to the web service client.
  5. Click Attach Client Policy Set and select the custom policy Test JAX WS Policy that was just imported.
  6. Click Save.

Creating a custom WS-Policy binding for the web service

This section provides the steps to create a WS-Policy binding to be used by the web service:

  1. Log in to the administrative console of the web service.
  2. In the navigation table on the left, expand Services > Policy sets and click General provider policy set bindings.
  3. In the General provider policy set bindings window, click New to create a new policy binding.
  4. Enter the name of the binding, such as Test JAX WS Policy Binding, in the Bindings configuration name field.
  5. Click Add and select WS-Security.
  6. Click Authentication and protection.
  7. In the Authentication token section, click New Token and select Token Consumer.
  8. In the name field, enter LTPA Token Consumer.
  9. Select LTPA Token v2.0 from the Token type drop-down list.
  10. Click OK and Save.
  11. Click the WS-Security link at the top of the page.
  12. Click Callers.
  13. Click New.
  14. Enter LTPA Token Caller in the Name field.
  15. Enter LTPA V2 in the Caller identity local part field.
  16. Click OK and Save.

Attaching the WS-Policy binding to the web service

  1. Log in to the administrative console of the web service.
  2. In the navigation table on the left, expand Services and then click Service providers.
  3. In the Service providers window, click the TestJavaExport1_TestJavaServiceHttpService link.
  4. In the Policy Set Attachments window, check the top box associated with TestJavaExport1_TestJavaServiceHttpService.
  5. Click Assign Binding and select the custom policy binding Test JAX WS Policy Binding, which was just created, and then select Save.

Creating a custom WS-Policy binding for the web service client

This section provides the steps to create a WS-Policy binding to be used by the web service client:

  1. Log in to the administrative console of the web service client.
  2. In the navigation table on the left, expand Services > Policy sets and click General client policy set bindings.
  3. In the General client policy set bindings window, click New to create a new policy binding.
  4. Enter the name of the binding, such as Test JAX WS Client Policy Binding, in the Bindings configuration name field.
  5. Click Add and select WS-Security.
  6. Click Authentication and protection.
  7. In the Authentication tokens section, click New Token and select Token Generator.
  8. In the name field, enter LTPA Token Generator.
  9. Select LTPA Token v2.0 from the Token type drop-down list.
  10. Click OK and Save.

Attaching the WS-Policy binding to the web service client

  1. Log in to the administrative console of the web service client.
  2. In the navigation table on the left, expand Services and then click Service clients.
  3. In the Service clients window, click the web service client link.
  4. In the Policy Set Attachments window, check the top box associated with the web service client.
  5. Click Assign Binding and select the custom policy binding Test JAX WS Client Policy Binding, which was just created, and then select Save.

Testing the web service client

To test the web service client with the web service, deploy and start TestWebServiceApp in the WebSphere Process Server cell, and start TestJAXWSClientEAR in the other WebSphere cell. Perform the following steps:

  1. Point the web browser to http://localhost:9081/TestJAXWSClient. Change the host and port if needed.
  2. Enter a user ID and password when prompted. Enter admin for the ID and the corresponding password. You may enter another ID or password that is defined in both user registries for both WebSphere cells.
  3. If authenticated successfully, you are presented with the index.html page as shown in Figure 1.
    Figure 1. Test client
  4. Enter your name in the text field and click Submit. If the web service call is successful, you see the greeting as shown in Figure 2.
    Figure 2. Web service call result

If you do not see the greeting as shown in Figure 2, you most likely have a web service exception.
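The following check is an added example, not part of the original tutorial or the sample projects. It inspects a captured SOAP request to confirm that the client binding is generating an LTPA v2 BinarySecurityToken, and reports when the token, which nothing signs or encrypts once message-level protection is unchecked in the policy, is also sent to a plain HTTP endpoint. The LTPAv2 token-type QName, the sample envelope and the endpoint URLs are assumptions; compare them with what your own trace shows.

```python
import io
import xml.etree.ElementTree as ET

WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
PROTECTION_NS = ("{http://www.w3.org/2000/09/xmldsig#}",
                 "{http://www.w3.org/2001/04/xmlenc#}")
# Assumption: QName WebSphere uses for the LTPA v2 token type.
LTPA_V2 = ("http://www.ibm.com/websphere/appserver/tokentype", "LTPAv2")


def check_request(soap_xml, endpoint_url):
    """Return findings for one captured SOAP request given as bytes."""
    prefixes, root = {}, None
    # ValueType is a QName inside an attribute value; ElementTree discards
    # prefix declarations, so collect them while parsing.
    for event, item in ET.iterparse(io.BytesIO(soap_xml),
                                    events=("start-ns", "start")):
        if event == "start-ns":
            prefixes[item[0]] = item[1]
        elif root is None:
            root = item
    header = root.find(".//{%s}Security" % WSSE)
    if header is None:
        return ["no-wssecurity-header"]
    has_ltpa = False
    for tok in header.iter("{%s}BinarySecurityToken" % WSSE):
        prefix, _, local = tok.get("ValueType", "").rpartition(":")
        has_ltpa = has_ltpa or (prefixes.get(prefix), local) == LTPA_V2
    if not has_ltpa:
        return ["no-ltpa-v2-token"]
    # No signature or encryption in the header: only TLS protects the token.
    protected = any(e.tag.startswith(PROTECTION_NS) for e in header.iter())
    if not protected and not endpoint_url.lower().startswith("https://"):
        return ["unprotected-token-over-http"]
    return []


def sample_request(value_type="wsst:LTPAv2"):
    """Constructed request; the token is a placeholder, not LTPA data."""
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            '<s:Header><w:Security xmlns:w="%s"><w:BinarySecurityToken '
            'xmlns:wsst="%s" ValueType="%s">Y29uc3RydWN0ZWQ=</w:BinarySecurityToken>'
            '</w:Security></s:Header><s:Body><greet>Ann</greet></s:Body>'
            '</s:Envelope>' % (WSSE, LTPA_V2[0], value_type)).encode()


if __name__ == "__main__":
    print(check_request(sample_request(), "http://ws.example.test/svc"))
```

An empty result means the request carries the expected token and is either protected in the header or sent over HTTPS.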


Conclusion

This tutorial provided instructions on how to configure WS-Security for a JAX-WS web service and its JSP client. The tutorial also provided the steps to configure single sign-on between two WebSphere cells.

Acknowledgements

The author would like to thank Tony Yan for his review of this tutorial.


Downloads

Description                 Name            Size
Project interchange file    PI_Start.zip    28KB
Project interchange file    PI_Final.zip    28KB

publish-date=09142011