Pete Tibbster

+ Follow
since Aug 29, 2004
Cows and Likes
Total received
In last 30 days
Total given
Total received
Received in last 30 days
Total given
Given in last 30 days
Forums and Threads
Scavenger Hunt
expand Ranch Hand Scavenger Hunt
expand Greenhorn Scavenger Hunt

Recent posts by Pete Tibbster

The WS-* security standards are part of the OASIS web service security standards. See

Here is an interesting article on these standards:
[ March 08, 2005: Message edited by: Pete Tibbster ]
16 years ago
I've been looking into implementing a web service client using Apache Axis 1.1. However from what I see this is pretty much based on the JAX-RPC libraries.

Its unclear to me what the incentive would be to use something like Apache Axis rather that the Sun JAX-RPC libraries.

Can someone help explain?
16 years ago
you could...
1. You could write the error to the console log. Use System.out.println(error) to write an entry to the java plugin console.
2. You could create a JLabel, add it to your screen and set the text to the error message to display the error back to the user.
16 years ago
There are tools out there that can create you an xsd from an example xml file. I've used Trang in the past to do this. Download trang.jar
from here

To create the xsd file open a command propt and execute the following (replacing the xml/xsd values) --->

java -jar trang.jar example.xml generated.xsd

This creates you a basic xsd based on the example xml file. It won't be able to know what the restrictions are for individual elements from your example but this is something you can add later if you know them!

hope this helps.
16 years ago
The url string should be in this format:
jdbc:oracle:<drivertype>:@<db server>:<db port>:<instance>

from your original post with your tnsnames settings, i'm reading that your oracle instance is

Therefore, shouldn't you be using this...... (no foo at the end)

Also, maybe the hostname lookup isn't working as you expect from your code. Do you get a different result if you swap the hostname for the actual IP address?
[ February 28, 2005: Message edited by: Pete Tibbster ]
Here is a very recent article which references the WSS token passing mechanism and the need for a standard framework for implementing these standards - just what i'm after ! I've included it here in case anyone else might be interested and hasn't seen it.

This may be the answer to all my questions! - i look forward to the next part of the series : -

WS-Security in the Enterprise, Part 1: Problem Introduction
16 years ago
I have previously looked at IBM XSS which does not seem to implement libraries to help with token passing. The verisign toolkit looks interesting and is not one i've come across before. However again appears nothing to aid token passing.
16 years ago
Hi R Kumar,

The token passing is part of the OASIS WS-Security standard. It details a mechanism for authentication through passing tokens (xml elements) within the header of the soap envelope. The specification for this is available using the URL below (page 7 starts details the the UsernameToken) ----> OASIS WSS Username Token profile

Typically a username token is sent initially to authenticate a user in a SOAP request. Here is an example.

<wsse:Security xmlns:wsse="">
<wsse assword Type="">
od61xScYr9hAukzvz/DQXAtdxAA=</wsse assword>
<wsse:Nonce EncodingType="">9VRW1tSrc7175HQ+X2cXLe75</wsse:Nonce>
<wsu:Created xmlns:wsu="">2004-11-18T10:46:19Z</wsu:Created>

If authentication is successful, in my case, the external webservice returns a custom token which is appended to the header of future requests.

It seems that some vendors, such as Microsoft in the .Net framework, fully implement the full standard whereas others only implement parts. This microsoft link details the .Net implementation --->WS-Security Drilldown in Web Services Enhancements 2.0

As per my original post, the latest version of weblogic does not have out-of-the-box functionality to create username tokens with a password digest (only supports plain text passwords).

I'm currently looking into using the Apache Axis libraries to interface with this webservice, based on this source code -->AXIS-WSSE

From my research it seems the apache project 'WSS4J' is aiming to fully implement these token passing standards but is still very much in development. I found very little documentation on WSS4J other than api javadocs.

R Kumar - you mention you've been using the WSS4J libraries. I'm guessing you downloaded the source code and built it yourself? What has your experience been with WSS4J?

Has anyone else implemented the WS-Security token passing mechanism in Java to communicate with a .Net (or other) web service that implements these standards?

Best Regards,

[ February 14, 2005: Message edited by: Pete Tibbster ]
[ February 14, 2005: Message edited by: Pete Tibbster ]
16 years ago

How can I create a 'nonce' value? I need to create one to generate the password digest element of a WS-Security Username Token. Is there a standard java library that I can use to generate this?

Thanks very much in advance
16 years ago

I need to write something that interfaces with a .Net soap service. I've been given the WSDL file. This 3rd party service dictates the use of WSS tokens which are attached in the soap header. The username token will contain the username, password (sent as a digest), nonce and timestamp elements.

I'm using Weblogic 8.1.3 but there from the answer I got from BEA there is no inbuilt support for passing such a token which contains a password digest (only plain text passwords supported in WL). I'm therefore looking for an existing library / framework that can provide this.

I've been researching this on the internet and from what I found I have the following options below.

1. Use Apache Axis with WSS4J (although this seems very much in development at the moment.)

2. Use the Sun Web Service Developer Pack 1.5 (JWSDP)

3. Use a licensed application such as Glue

Has anyone got any previous experience with implementing token passing including nonce generation, creating password digests, with any of the options below. Is one of these a better implementation than the others or is there one missing from the list I should be considering???

Any help would be very useful.
Thanks in advance.
16 years ago
I'm upgrading an application from WebLogic 5.1 to 8.1.

The 5.1 Application uses a custom RDBMS security realm which extends AbstractManageableRealm. EJBs are set-up with security roles and the security realm authenticates access to these using this security realm which accesses the db to pull out user/group info.

In 8.1 AbstractManageableRealm is deprecated. I've tried to hunt through the bea documentation but can't find exactly how I can convert this custom realm into one that will work with 8.1

Can anyone give me any help or pointers??

Thanks in advance,
[ August 29, 2004: Message edited by: Pete Tibbster ]
17 years ago