Welcome!

Weblogic Authors: Yeshim Deniz, Elizabeth White, Michael Meiner, Michael Bushong, Avi Rosenthal

Related Topics: Weblogic, Cloud Security

Weblogic: Article

WebLogic Web Services Security

WebLogic Web Services Security

Security is a priority for most of our customers. As more and more customers adopt Web services, they find a need to understand how Web services can be secured and what authentication mechanism to use. In order to keep Web services open and support multiple client types, it's necessary to understand how to handle Web-services security.

This article takes a look under the hood of WebLogic Web services security. I'll explain how WebLogic Web services can be secured, how authentication works, and how to develop clients in various programming languages to authenticate against WebLogic Web services.

WebLogic Web Service Components
Web services hosted by WebLogic Server are implemented using standard J2EE components such as EJBs and JMS, and are packaged as standard J2EE enterprise applications. WebLogic Web services use Simple Object Access Protocol (SOAP) 1.1 as the message format and HTTP 1.1 as the connection protocol.

The Web services runtime component is a set of servlets and associated infrastructure needed to create a Web service. One element of the runtime is a set of servlets that handle SOAP requests from a client. These servlets are included in the WebLogic Server distribution. Another element of the runtime is an Ant task that generates and assembles all the components of a WebLogic Web service.

WebLogic Web services are packaged as standard J2EE Enterprise applications that consist of the following specific components:

  • A Web application that contains, at a minimum, a servlet that sends and receives SOAP messages to and from the client. It's automatically included as part of the Web services development process.
  • A stateless session EJB that implements an RPC-style Web service or a JMS listener (such as a message-driven bean) for a message-style Web service.

    In an RPC-style Web service, the stateless session EJBs might do all the actual work of the Web service, or they may parcel out the work to other EJBs. The implementer of the Web service decides which EJBs do the real work. In a message-style Web service, a J2EE object (typically a message-driven bean) gets the messages from the JMS destination and processes them.

    WebLogic Web services are packaged as Enterprise archive (.ear) files that contain the Web application's Web archive (.war) files and EJB archive (.jar) files.

    Securing WebLogic Web Services
    Since WebLogic Web services are packaged as standard J2EE Enterprise applications, access to a Web service may be secured by securing some or all of the following standard J2EE components that make up the Web service:

  • The SOAP servlets
  • The stateless session EJB upon which an RPC-style Web service is based

    Basic HTTP authentication or SSL can be used to authenticate a client that is attempting to access a WebLogic Web service. Because the preceding components are standard J2EE components, they may be secured using standard J2EE security procedures.

    Securing Message-Style Web Services
    A message-style Web service may be secured by securing the SOAP servlet that handles SOAP messages between the client and the service.

    When the Web service is assembled, either manually or by using the wsgen Ant task, you reference SOAP servlets in the web.xml file of the Web application. These servlets handle the SOAP messages passed between WebLogic Server and client applications. They are always deployed on WebLogic Server and are shared by all deployed WebLogic Web services.

    The particular SOAP servlet referenced by a Web service depends on its type (RPC-style or message-style). The following list describes each SOAP servlet:

  • weblogic.soap.server.servlet.DestinationSendAdapter: Handles SOAP messages in a message-style Web service that receives data from a client application and sends it to a JMS destination
  • weblogic.soap.server.servlet.QueueReceiveAdapter: Handles SOAP messages in a message-style Web service that sends data from a JMS Queue to a client application
  • weblogic.soap.server.servlet.TopicReceiveAdapter: Handles SOAP messages in a message-style Web service that sends data from a JMS Topic to a client application
  • weblogic.soap.server.servlet.StatelessBeanAdapter: Handles SOAP messages between an RPC-style Web service and a client application

    For example, in a message-style Web service in which client applications send data to a JMS destination, the SOAP servlet that handles the SOAP messages is weblogic.soap.server.servlet.DestinationSendAdapter. The wsgen Ant task used to assemble the Web service adds the elements shown in Listing 1 to the web.xml deployment descriptor of the Web application.

    To restrict access to the DestinationSendAdapter SOAP servlet, you first define a role that is mapped to one or more principals in a security realm, then specify that the security constraint applies to this SOAP servlet by adding the following url-pattern element inside the web-resources-collection element to the web.xml deployment descriptor of the Web application:

    <url-pattern>/sendMsg</url-pattern>

    Securing an RPC-Style Web Service
    You can restrict access to an RPC-style Web service by restricting access to the stateless session EJB that implements the Web service or the SOAP servlet.

    Listings 2 and 3 show how to set up the web.xml and weblogic.xml files to secure the SOAP servlets. Make sure that the WSDL file is still accessible by the clients. To ensure that, avoid using wild-card mapping; instead secure the SOAP servlet adapter path explicitly. The listings provide an example of how to secure the account manager proxy Web service. As you can see, the role is defined in web.xml and is associated to the group in the realm.

    Web Services Clients
    In order to understand how security for Web services clients is handled, it's necessary to understand how SOAP and HTTP authentication works.

    SOAP Authentication
    Web services use the SOAP protocol, a high-level messaging protocol implemented over some underlying transport mechanism. Web services security is still an emerging field and there are extensions emerging around the SOAP specification to support security features. Currently, SOAP uses the underlying transport protocol infrastructure for authentication. So WebLogic Server SOAP indirectly uses HTTP 1.1 authentication.

    HTTP Authentication
    The method for user authentication used with HTTP is quite simple. Since HTTP is a stateless protocol - that is, the server doesn't remember any information about a request once it has finished - the browser needs to resend the username and password on each request (see Figure 1).

    On the first access to an authenticated resource, the server will return a 401 status ("Unauthorized") and include a WWW-Authenticate response header, which will indicate the realm name and which authentication scheme to use. The browser should then ask the user to enter a username and password. It then requests the same resource again, this time including an authorization header that contains the scheme name ("Basic") and the username and password entered.

    The server checks the username and password, and if they are valid, returns the page. If the password is not valid for that user, or the user is not allowed access, the server returns a 401 status as before. The browser can then ask the user to retry the username and password.

    Assuming the username and password are valid, the user might next request a protected resource. In this case, the server would respond with a 401 status, and the browser could send the request again with the user and password details. This would be slow, however, so instead the browser sends the authorization header on subsequent requests. Refer to the W3C HTTP Working Group RFC 2617 (www.w3c.org/Protocols/Specs.html) for more details on HTTP authentication.

    Client Types
    Even though the previous section focused on browser clients, the protocol is the same for any type of client. Any client that needs to access secured Web services is expected to understand this HTTP authentication protocol and implement it in order to be authenticated. This section shows how authentication information can be passed from various types of clients.

    MS Visual Basic Clients
    Microsoft provides an HTTPConnector interface for the transport layer. It uses two properties, AuthUser and AuthPassword, to pass credentials. Listing 4 is an example of invoking a secured WebLogic Web service using Visual Basic and MS SOAP Toolkit 2.0.

    AuthUser and AuthPassword should not be confused with ProxyUser and ProxyPassword. They are used to provide the credentials for the proxy server, if there are any. This authentication works the same way, except that an error number 407 is returned instead of 401.

    Java Clients
    WebLogic Server provides Java client libraries to access secured resources. Usernames and credentials are passed using "java.naming.security.principal" and "java.naming.security.credentials". Listing 5 describes how a Java client would invoke a secured WebLogic Web service using WebServiceProxy.

    JAX-RPC Clients
    JAX-RPC (Java API for XML-based remote procedure calls) is a new standard released in June 2002 that defines APIs for invoking Web services. WebLogic Server 7.0 supports JAX-RPC. The JAX-RPC interfaces "Stub" and "Call" both support the properties "javax.xml.rpc.security.auth.username" and "javax.xml.rpc.security.auth.password" with which the authentication information may be passed. You can also use the static constants Stub.USERNAME_PROPERTY and Stub.PASSWORD_PROPERTY to set the security information before making a service call (see Listing 6). The username and password may also be passed while getting the port using get<web service>port().

    MS C++ Clients
    Similarly, you can write a C/C++ client using APIs provided by the vendor. The MS SOAP toolkit may be used to write C++ clients on a Windows platform. The username and password are passed using Connector Property. Following is an example that sets the username and password.

    Connector->Property["AuthUser"] = "<UserName>";
    Connector->Property["AuthPassword"] = "<Password>";

    Conclusion
    This article discussed authentication for WebLogic Web services and securing Web services components. As Web services are a natural choice for heterogeneous environments involving different technologies, it's necessary to understand how to access secured Web services using clients of various types.

  • More Stories By Anbarasu Krishnaswamy

    Anbarasu Krishnaswamy has over 15 years of IT industry experience, nine of which were with BEA. In his current role as the Enterprise Architect Lead, he leads the enterprise architecture and SOA practices for the central region professional services at BEA. As a SOA practitioner, he has helped several customers with SOA transformation and implementation. His experience also includes design and development of Java/J2EE applications, client/server computing, Web development, and enterprise application integration (EAI). Anbarasu holds a MBA from NIU and an MS in computer science and engineering.

    Comments (0)

    Share your thoughts on this story.

    Add your comment
    You must be signed in to add a comment. Sign-in | Register

    In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


    @ThingsExpo Stories
    DX World EXPO, LLC, a Lighthouse Point, Florida-based startup trade show producer and the creator of "DXWorldEXPO® - Digital Transformation Conference & Expo" has announced its executive management team. The team is headed by Levent Selamoglu, who has been named CEO. "Now is the time for a truly global DX event, to bring together the leading minds from the technology world in a conversation about Digital Transformation," he said in making the announcement.
    "Space Monkey by Vivent Smart Home is a product that is a distributed cloud-based edge storage network. Vivent Smart Home, our parent company, is a smart home provider that places a lot of hard drives across homes in North America," explained JT Olds, Director of Engineering, and Brandon Crowfeather, Product Manager, at Vivint Smart Home, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
    SYS-CON Events announced today that Conference Guru has been named “Media Sponsor” of the 22nd International Cloud Expo, which will take place on June 5-7, 2018, at the Javits Center in New York, NY. A valuable conference experience generates new contacts, sales leads, potential strategic partners and potential investors; helps gather competitive intelligence and even provides inspiration for new products and services. Conference Guru works with conference organizers to pass great deals to gre...
    The Internet of Things will challenge the status quo of how IT and development organizations operate. Or will it? Certainly the fog layer of IoT requires special insights about data ontology, security and transactional integrity. But the developmental challenges are the same: People, Process and Platform. In his session at @ThingsExpo, Craig Sproule, CEO of Metavine, demonstrated how to move beyond today's coding paradigm and shared the must-have mindsets for removing complexity from the develop...
    In his Opening Keynote at 21st Cloud Expo, John Considine, General Manager of IBM Cloud Infrastructure, led attendees through the exciting evolution of the cloud. He looked at this major disruption from the perspective of technology, business models, and what this means for enterprises of all sizes. John Considine is General Manager of Cloud Infrastructure Services at IBM. In that role he is responsible for leading IBM’s public cloud infrastructure including strategy, development, and offering m...
    "Evatronix provides design services to companies that need to integrate the IoT technology in their products but they don't necessarily have the expertise, knowledge and design team to do so," explained Adam Morawiec, VP of Business Development at Evatronix, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
    To get the most out of their data, successful companies are not focusing on queries and data lakes, they are actively integrating analytics into their operations with a data-first application development approach. Real-time adjustments to improve revenues, reduce costs, or mitigate risk rely on applications that minimize latency on a variety of data sources. In his session at @BigDataExpo, Jack Norris, Senior Vice President, Data and Applications at MapR Technologies, reviewed best practices to ...
    Widespread fragmentation is stalling the growth of the IIoT and making it difficult for partners to work together. The number of software platforms, apps, hardware and connectivity standards is creating paralysis among businesses that are afraid of being locked into a solution. EdgeX Foundry is unifying the community around a common IoT edge framework and an ecosystem of interoperable components.
    Large industrial manufacturing organizations are adopting the agile principles of cloud software companies. The industrial manufacturing development process has not scaled over time. Now that design CAD teams are geographically distributed, centralizing their work is key. With large multi-gigabyte projects, outdated tools have stifled industrial team agility, time-to-market milestones, and impacted P&L stakeholders.
    "Akvelon is a software development company and we also provide consultancy services to folks who are looking to scale or accelerate their engineering roadmaps," explained Jeremiah Mothersell, Marketing Manager at Akvelon, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
    "IBM is really all in on blockchain. We take a look at sort of the history of blockchain ledger technologies. It started out with bitcoin, Ethereum, and IBM evaluated these particular blockchain technologies and found they were anonymous and permissionless and that many companies were looking for permissioned blockchain," stated René Bostic, Technical VP of the IBM Cloud Unit in North America, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Conventi...
    In his session at 21st Cloud Expo, Carl J. Levine, Senior Technical Evangelist for NS1, will objectively discuss how DNS is used to solve Digital Transformation challenges in large SaaS applications, CDNs, AdTech platforms, and other demanding use cases. Carl J. Levine is the Senior Technical Evangelist for NS1. A veteran of the Internet Infrastructure space, he has over a decade of experience with startups, networking protocols and Internet infrastructure, combined with the unique ability to it...
    22nd International Cloud Expo, taking place June 5-7, 2018, at the Javits Center in New York City, NY, and co-located with the 1st DXWorld Expo will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud ...
    "Cloud Academy is an enterprise training platform for the cloud, specifically public clouds. We offer guided learning experiences on AWS, Azure, Google Cloud and all the surrounding methodologies and technologies that you need to know and your teams need to know in order to leverage the full benefits of the cloud," explained Alex Brower, VP of Marketing at Cloud Academy, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clar...
    Gemini is Yahoo’s native and search advertising platform. To ensure the quality of a complex distributed system that spans multiple products and components and across various desktop websites and mobile app and web experiences – both Yahoo owned and operated and third-party syndication (supply), with complex interaction with more than a billion users and numerous advertisers globally (demand) – it becomes imperative to automate a set of end-to-end tests 24x7 to detect bugs and regression. In th...
    "MobiDev is a software development company and we do complex, custom software development for everybody from entrepreneurs to large enterprises," explained Alan Winters, U.S. Head of Business Development at MobiDev, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
    Coca-Cola’s Google powered digital signage system lays the groundwork for a more valuable connection between Coke and its customers. Digital signs pair software with high-resolution displays so that a message can be changed instantly based on what the operator wants to communicate or sell. In their Day 3 Keynote at 21st Cloud Expo, Greg Chambers, Global Group Director, Digital Innovation, Coca-Cola, and Vidya Nagarajan, a Senior Product Manager at Google, discussed how from store operations and ...
    "There's plenty of bandwidth out there but it's never in the right place. So what Cedexis does is uses data to work out the best pathways to get data from the origin to the person who wants to get it," explained Simon Jones, Evangelist and Head of Marketing at Cedexis, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
    SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5–7, 2018, at the Javits Center in New York City, NY. CrowdReviews.com is a transparent online platform for determining which products and services are the best based on the opinion of the crowd. The crowd consists of Internet users that have experienced products and services first-hand and have an interest in letting other potential buye...
    SYS-CON Events announced today that Telecom Reseller has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5-7, 2018, at the Javits Center in New York, NY. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.