Thursday, March 4, 2010

How to become an expert in Web Service security in 30 seconds

First read this:

You will learn that there are .WSSE files containing security policies for a WS.

You attach it to the WS with
You might also need a WSSE file for callbacks (not needed if the call is synchronous).

This article is also very interesting:

It goes over security.
In a nutshell we need to:
- identify and authenticate the client (security token)
- ensure the integrity of the message (digital signature)
- prevent unauthorized parties from eavesdropping on our message (encryption)

It turns out that JPD files (WLI) cannot be secured:

WS-Security policy (WSSE) files are not supported for business processes (JPDs). Therefore, the following annotations are not supported for JPD files: com.bea.wli.common.WSSecurityCallback and com.bea.wli.common.WSSecurityService.
If you want to use WS-Security, then you must front-end the JPD with a JWS. The client would invoke a JWS using WS-Security, then the JWS would locally invoke the JPD via a Process Control.

If you use the annotation com.bea.wli.common.WSSecurityService you might get an error:
Exception trying to load wsse policy definition error: The document is not a wsSecurityPolicy@

More info on WS-SecurityPolicy

Sample empty policy file:


 (see )

One can secure at web.xml level:

This is a sample security-constraint xml:
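
As an added illustration (my own, not the sample from the original post), here is a web.xml security-constraint that restricts the web service URLs to authenticated clients in a given role and forces HTTPS. The path /services/*, the role wsclient and the realm name are assumptions.

```xml
<!-- Added example, not from the original post. Assumed values:
     endpoint path /services/*, role wsclient, realm name wsrealm. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Web service endpoint</web-resource-name>
      <!-- Only the WS URLs are constrained; the rest of the app is untouched. -->
      <url-pattern>/services/*</url-pattern>
      <!-- No http-method elements on purpose: listing GET and POST would leave
           every other verb (HEAD, PUT, ...) unconstrained. Omitting it covers all. -->
    </web-resource-collection>

    <!-- Without an auth-constraint the container performs NO authentication at all,
         and an empty <auth-constraint/> denies everyone. Name the role instead. -->
    <auth-constraint>
      <role-name>wsclient</role-name>
    </auth-constraint>

    <!-- CONFIDENTIAL makes the container require SSL/TLS on this URL,
         so credentials and message bodies are not sent in clear text. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- How the client identifies itself: HTTP Basic over the TLS channel
       enforced above. CLIENT-CERT is the alternative for certificate-based clients. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>wsrealm</realm-name>
  </login-config>

  <!-- Every role referenced in an auth-constraint must also be declared here. -->
  <security-role>
    <role-name>wsclient</role-name>
  </security-role>

</web-app>
```

This protects the transport and the caller's identity only; message-level integrity and encryption still need the WSSE policy described above.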
