aspose file tools*
The moose likes Web Services and the fly likes Web Services Security in tomcat6 Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of EJB 3 in Action this week in the EJB and other Java EE Technologies forum!
JavaRanch » Java Forums » Java » Web Services
Bookmark "Web Services Security in tomcat6" Watch "Web Services Security in tomcat6" New topic
Author

Web Services Security in tomcat6

Randy Travis
Greenhorn

Joined: Aug 11, 2010
Posts: 1
I am going to ask several things in this post. Be patient at my ignorance.
I am bit confused as to what the right approach is, what components to use when securing web services in tomcat 6. Any suggestions you can provide is greatly appreciated. Currently I have a web service running in tomcat6 (SOAP, HTTP). I want to secure this web service.
From documentation it appears tomcat6 supports JAXWS. I packaged by web service with JAXWS jar files. Apart from this I do not see any JAXWS specific jar files in the apache-tomcat directories. So how is this web service running in tomcat? Does JAXWS use the servlet mechanism to support web services when using JAXWS?

I know if I use axis I have to first put axis jar files in tomcat libraries. If I develop a web service using axis and deploy into tomcat, will it run in the context of axis web application. Is that a true statement?

Coming to Securing the web service, if I want to secure a Web Service developed using JAXWS, using WS-Security standard, what are the things I need to do? Do I have to put axis or CXF or Metro in tomcat to secure my web service? Can I do that without any of them but use simply JAXWS? If I put axis in tomcat, can I secure the web seervice that I developed using JAXWS initially? would it clash with axis?


Lester Burnham
Rancher

Joined: Oct 14, 2008
Posts: 1337
From documentation it appears tomcat6 supports JAXWS.

It does, if you deploy all required JAXWS jar files as part of the web app. But that would be rather a lot - the JAX-WS reference installation comes with 22 jar files (most of which are not required in all usage scenarios, though).

Does JAXWS use the servlet mechanism to support web services when using JAXWS?

All the major Java SOAP implementations (Axis2, Metro, CXF, JBoss-WS, etc.) are based on servlets, so they need a servlet container to run.

If I develop a web service using axis and deploy into tomcat, will it run in the context of axis web application. Is that a true statement?

Sort of. It will run as part of a web app, not necessarily the axis web app. Axis is a servlet with supporting classes and libraries - it can be integrated into any Java web app.

Coming to Securing the web service, if I want to secure a Web Service developed using JAXWS, using WS-Security standard, what are the things I need to do? Do I have to put axis or CXF or Metro in tomcat to secure my web service? Can I do that without any of them but use simply JAXWS? If I put axis in tomcat, can I secure the web seervice that I developed using JAXWS initially? would it clash with axis?

Strictly speaking, it's possible to use just the JAX-WS reference implementation, and secure those services by way of the WSS4J library (which is the standard Java implementation of WS-Security). But that would be a very low level approach, and not a lot of fun to develop. You're better off using Axis2 or Metro, for which integrated WS-Security is available. Note that both Axis2 and Metro support the JAX-WS API, so any services you already have don't need to be changed if you start using those SOAP stacks.
Ivan Krizsan
Ranch Hand

Joined: Oct 04, 2006
Posts: 2198
    
    1
Hi!
22 JARs in the JAX-WS reference implementation?!??
I feel I need some information, since:
1. On the Metro download page:
For Tomcat, the installation process copies the two Metro jar files into Tomcat's shared/lib directory. No Tomcat configuration files are modified.

2. When I download Metro 2.0.1, I find six JARs and a WAR in the lib folder.

Are we talking about the same thing? Are you including additional, web service security, JARs in the count?
Thanks in advance!


My free books and tutorials: http://www.slideshare.net/krizsan
Lester Burnham
Rancher

Joined: Oct 14, 2008
Posts: 1337
Go to https://jax-ws.dev.java.net/2.2.1/ and download the distribution. I stand by my count :-)

Metro is packaged differently, with lots of those libraries bundled together into a single jar files that is larger than those 22 files combined (which is no surprise since it also contains WS-Security and other stuff).

But the crucial thing Randy asked about is WS-Security, and getting that with the JAX-WS reference implementation is tricky, so one should use either Axis-2 or Metro.
Ivan Krizsan
Ranch Hand

Joined: Oct 04, 2006
Posts: 2198
    
    1
Lester Burnham wrote:Go to https://jax-ws.dev.java.net/2.2.1/ and download the distribution. I stand by my count :-)

Thanks! I managed to get hold of an old version.
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Web Services Security in tomcat6
 
Similar Threads
JBuilder with Axis
Web services security
JDK and web service, and other tools (questions from dummy)
Web Service security
How can I secure a web service?