Is there a standard way to make Tomcat support security for web service message level?

 
tarek helmy
Ranch Hand
Posts: 42
Is there a standard way to make Tomcat support security for web service message level?
Bearing in mind that the web service uses JAX-WS and JAAS.

 
Ulf Dittmer
Rancher
Posts: 42967
The relevant standard is called WS-Security, and it's not implemented by Tomcat, but by the SOAP stack that you're using. For JAX-WS you can either use Axis2, Metro or CXF - they all support WS-Security. Most likely you'd have to write the JAAS integration yourself, but then, I'm not quite sure what it has to do with this; maybe you can clarify.
 
tarek helmy
Ranch Hand
Posts: 42
Yes, I developed a custom JAAS and use JAX-WS in developing web services,
but because of the lack of Tomcat for handling WS-Security, I extended the Tomcat security manager and added another type of auth method, called "wsse",
and a custom authenticator that checks the incoming SOAP message and integrates with the configured JAAS realm, which populates user principals and lets the web container manage security for the web service.
But I now realize that this approach is not standard and there should be another one that fits this case.
So, how can I use Metro for securing a web service to support userToken or SAML token?
 
Ulf Dittmer
Rancher
Posts: 42967
because of the lack of Tomcat for handling WS-Security

That statement doesn't really make sense. Tomcat is a servlet container and web server - it does not support ANY web service standards. WS support is added through a web app that implements a SOAP stack; if you need WS-Security, use a SOAP stack that supports it (like the ones I mentioned).

how can I use Metro for securing a web service to support userToken or SAML token

The Metro user's guide goes into a lot of detail on that, especially in chapter 14: https://metro.dev.java.net/guide/
 
tarek helmy
Ranch Hand
Posts: 42
I installed Metro with Tomcat 5.5
and tested it by deploying a web service from the Metro samples,
and then I deployed a custom web service that uses UsernameToken.
The web service deployed, but when I send a valid request containing a valid UserName Token in the header of the SOAP message, I get this message:

com.sun.xml.ws.security.opt.impl.incoming.UsernameTokenHeader validate
SEVERE: WSS1408: UsernameToken Authentication Failed

Also, I tested the JAAS configured there in Tomcat by securing pages and testing them using a user defined in tomcat-users.xml.
 
Ulf Dittmer
Rancher
Posts: 42967
when i send valid request contains valid UserName Token in the header of SOAP messag...

How do you know that the request is valid - how are you generating it? Post the request here so we can take a look.

how can I use Metro for securing a web service to support userToken or SAML token

Have you worked through chapter 14 of the user's guide? Did you get those examples to run? If not, where did you get stuck?
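
Added example, not part of the original thread and not Metro's code: a stand-alone Java check that can be run over a captured request to confirm its UsernameToken header has the shape the OASIS UsernameToken Profile 1.0 defines (namespace, Password Type, and for PasswordDigest the Base64(SHA-1(nonce + created + password)) value). The class name, the sample credentials and the envelope are constructed for illustration.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.io.ByteArrayInputStream;
import java.security.MessageDigest;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class UsernameTokenCheck { // hypothetical class name
    static final String OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-";
    static final String WSSE = OASIS + "wssecurity-secext-1.0.xsd", WSU = OASIS + "wssecurity-utility-1.0.xsd";
    static final String PROFILE = OASIS + "username-token-profile-1.0#";
    static String text(Element e, String ns, String name) {
        NodeList n = e.getElementsByTagNameNS(ns, name);
        return n.getLength() == 0 ? null : n.item(0).getTextContent().trim();
    }
    static String digest(String nonceB64, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1"); // algorithm fixed by the profile
        sha1.update(Base64.getDecoder().decode(nonceB64));       // nonce is hashed as raw bytes
        sha1.update(created.getBytes(UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest(password.getBytes(UTF_8)));
    }
    // Returns "OK" or the first problem found in the request's UsernameToken.
    static String check(String soap, String password) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // prefixes are arbitrary; only the namespace URI matters
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // refuse DTDs
        Element root = f.newDocumentBuilder().parse(new ByteArrayInputStream(soap.getBytes(UTF_8))).getDocumentElement();
        NodeList toks = root.getElementsByTagNameNS(WSSE, "UsernameToken");
        if (toks.getLength() == 0) return "no UsernameToken in the WSS 1.0 namespace";
        Element tok = (Element) toks.item(0);
        NodeList pw = tok.getElementsByTagNameNS(WSSE, "Password");
        if (text(tok, WSSE, "Username") == null || pw.getLength() == 0) return "missing Username or Password";
        String type = ((Element) pw.item(0)).getAttribute("Type"); // absent means PasswordText
        String sent = pw.item(0).getTextContent().trim(), want = password;
        if (type.equals(PROFILE + "PasswordDigest")) {
            String nonce = text(tok, WSSE, "Nonce"), created = text(tok, WSU, "Created");
            if (nonce == null || created == null) return "PasswordDigest without Nonce or Created";
            want = digest(nonce, created, password);
        } else if (!type.isEmpty() && !type.equals(PROFILE + "PasswordText")) return "unknown Password Type";
        return MessageDigest.isEqual(sent.getBytes(UTF_8), want.getBytes(UTF_8)) ? "OK" : "password value mismatch";
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample request; user, password and nonce are made up.
        String created = "2010-01-01T00:00:00Z", nonce = Base64.getEncoder().encodeToString("sample-nonce".getBytes(UTF_8));
        String soap = "<S:Envelope xmlns:S='http://schemas.xmlsoap.org/soap/envelope/'><S:Header><wsse:Security xmlns:wsse='"
            + WSSE + "' xmlns:wsu='" + WSU + "'><wsse:UsernameToken><wsse:Username>alice</wsse:Username><wsse:Password Type='"
            + PROFILE + "PasswordDigest'>" + digest(nonce, created, "s3cret") + "</wsse:Password><wsse:Nonce>" + nonce
            + "</wsse:Nonce><wsu:Created>" + created + "</wsu:Created></wsse:UsernameToken></wsse:Security></S:Header><S:Body/></S:Envelope>";
        System.out.println(check(soap, "s3cret") + " / " + check(soap.replace(WSSE, "urn:wrong"), "s3cret"));
    }
}
```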
 
tarek helmy
Ranch Hand
Posts: 42
Thanks, it's working now,
but I cannot override authentication error messages and other error messages.
I want to return a custom response message in case these errors occur in the web service using Metro.

I appreciate your efforts.
 