is there a standard way to make tomcat support security for web service message level?

tarek helmy
Ranch Hand

Joined: Nov 14, 2008
Posts: 42
Is there a standard way to make Tomcat support security for web services at the message level?
Keep in mind that the web service uses JAX-WS and JAAS.

Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41809
The relevant standard is called WS-Security, and it's not implemented by Tomcat, but by the SOAP stack that you're using. For JAX-WS you can either use Axis2, Metro or CXF - they all support WS-Security. Most likely you'd have to write the JAAS integration yourself, but then, I'm not quite sure what it has to do with this; maybe you can clarify.


tarek helmy
Ranch Hand

Joined: Nov 14, 2008
Posts: 42
Yes, I developed custom JAAS and use JAX-WS in developing web services.
But because of Tomcat's lack of handling for WS-Security, I extended the Tomcat security manager and added another type of auth method, called "wsse",
and a custom authenticator that checks the incoming SOAP message and integrates with the configured JAAS realm, which populates user principals and lets the web container manage security for the web service.
But I now realize that this approach is not standard and there should be another one that fits this case.
So, how can I use Metro for securing a web service to support userToken or SAML token?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41809
because of lack of Tomcat for handling WS-Security

That statement doesn't really make sense. Tomcat is a servlet container and web server - it does not support ANY web service standards. WS support is added through a web app that implements a SOAP stack; if you need WS-Security, use a SOAP stack that supports it (like the ones I mentioned).

how can I use Metro for securing web service to support userToken or SAML token

The Metro user's guide goes into a lot of detail on that, especially in chapter 14: https://metro.dev.java.net/guide/
tarek helmy
Ranch Hand

Joined: Nov 14, 2008
Posts: 42
I installed Metro with Tomcat 5.5
and tested it by deploying a web service from the Metro samples,
and then I deployed a custom web service that uses UsernameToken.
The web service deployed, but when I send a valid request containing a valid UsernameToken in the header of the SOAP message, I get this message:

com.sun.xml.ws.security.opt.impl.incoming.UsernameTokenHeader validate
SEVERE: WSS1408: UsernameToken Authentication Failed

Also, I tested the JAAS configured there in Tomcat by securing pages and testing it with a user defined in tomcat-users.xml.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41809
when i send valid request contains valid UserName Token in the header of SOAP messag...

How do you know that the request is valid - how are you generating it? Post the request here so we can take a look.

how can i use metro for securing web service to support userToken or saml token

Have you worked through chapter 14 of the user's guide? Did you get those examples to run? If not, where did you get stuck?
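
Added example, not part of the thread and not Metro's code: a stand-alone Java check of a WS-Security UsernameToken of type PasswordDigest, as defined by the OASIS UsernameToken Profile, for confirming that a hand-built request is well formed before sending it. It assumes the PasswordDigest type (the thread does not say which password type was used); the class name, the five-minute freshness window and all sample values are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.time.format.DateTimeParseException;
import java.util.Base64;

// Hypothetical helper class; not an API of Metro, Axis2 or CXF.
public class UsernameTokenCheck {
    // Accepted age of <wsu:Created>; five minutes is an assumption for this sketch.
    static final Duration MAX_AGE = Duration.ofMinutes(5);

    // Password_Digest = Base64(SHA-1(nonce + created + password)).
    static String digest(byte[] nonce, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce); // the decoded nonce bytes, not the Base64 text
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    // Returns null when the token is acceptable, otherwise the reason for rejection.
    static String check(String nonceB64, String created, String sentDigest,
                        String storedPassword, Instant now) throws Exception {
        byte[] nonce;
        Instant createdAt;
        try {
            nonce = Base64.getDecoder().decode(nonceB64);
            createdAt = Instant.parse(created); // UTC xsd:dateTime, e.g. 2009-01-15T10:00:00Z
        } catch (IllegalArgumentException | DateTimeParseException e) {
            return "malformed Nonce or Created";
        }
        if (Duration.between(createdAt, now).abs().compareTo(MAX_AGE) > 0) {
            return "Created outside freshness window (clock skew or replayed token)";
        }
        byte[] expected = digest(nonce, created, storedPassword).getBytes(StandardCharsets.US_ASCII);
        // MessageDigest.isEqual compares in constant time, avoiding a timing side channel.
        return MessageDigest.isEqual(expected, sentDigest.getBytes(StandardCharsets.US_ASCII))
                ? null : "digest mismatch";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample token values.
        Instant now = Instant.parse("2009-01-15T10:00:30Z");
        String created = "2009-01-15T10:00:00Z";
        String nonce = Base64.getEncoder().encodeToString("constructed-nonce".getBytes(StandardCharsets.UTF_8));
        String sent = digest(Base64.getDecoder().decode(nonce), created, "s3cret");
        System.out.println(check(nonce, created, sent, "s3cret", now));                // matching password
        System.out.println(check(nonce, created, sent, "other", now));                 // wrong stored password
        System.out.println(check(nonce, "2009-01-15T08:00:00Z", sent, "s3cret", now)); // stale Created
    }
}
```

A production validator would also remember recently seen nonces so that a captured token cannot be replayed inside the freshness window.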
tarek helmy
Ranch Hand

Joined: Nov 14, 2008
Posts: 42
Thanks, it's working now,
but I cannot override authentication error messages and other error messages.
I want to return a custom response message in case these errors occur in a web service using Metro.

I appreciate your efforts.
 