Open standards have gained momentum among enterprises as a mechanism for allowing their internal and external applications to cross network boundaries and communicate with those applications of their partners, customers and suppliers. XML, SOAP, and HTTPS are some of the technologies used to develop these interoperable web services, enabling open, flexible, and adaptive interfaces. This innate openness, though, creates security risks. Without proper protections, a web service can expose vulnerabilities that may lead to dire consequences. Thus, enabling the integrity, confidentiality, and security of web services and their communications is critical for both the enterprises and their consumers.
In order to secure communications between web services, the web service provider (WSP) needs to be configured to enforce message-level security. Similarly, the web service client (WSC) needs to be configured to supply message-level security. The following graphic represents a sample SOAP request with message-level security enabled. The WSC provides the SOAP body (containing the request) within the <env:Body> tag. The WSC's authentication provider inserts a security header in the <wsse:Security> tag, inserts a SAML token in the <saml:Assertion> tag and, signs the message in the <ds:Signature> tag. Once enabled, the request is sent on to the WSP.
The WSP's authentication provider receives the request and verifies the signature and security token before forwarding the request on to the WSP. The web service then processes the request and returns a response. The WSP's authentication provider inserts the appropriate security header in the <wsse:Security> tag and a signature in the <ds:Signature> tag after which the response is returned back to the WSC. Upon receiving the response, the WSC's authentication provider verifies the signature before forwarding it back to the WSC. The following graphic represents a sample SOAP response from a WSP.
The Java™ Application Platform SDK with Tools application bundle can be used to enable message-level security, without changes to the application itself, by modifying the deployment descriptor file of the service's web container. Because the application bundle installs (among other applications) Sun Java System Application Server, these instructions document how to do this by modifying its deployment descriptor file, sun-web.xml. Additionally, the instructions:
Illustrate how to use Sun Java System Access Manager (based on OpenSSO code base) to configure identity repositories, and users.
Introduce the Access Manager security providers (also known as agents).
Demonstrate how web services can be secured using the supported security mechanisms.
Enable user authentication for a WSC.
Secure a WSC.
This lab assumes basic knowledge of, or programming experience with, the following:
Java
Web services technologies
Before beginning:
Download the Java Application Platform SDK with Tools bundle and install it.
Download the Web Services Security ZIP file and decompress it to the source directory named WebServiceSecurity.
AS_HOME refers to the top level directory of the Java Application Platform SDK with Tools installation.
The Web Services Security lab can be downloaded for use after installing the Java Application Platform SDK with Tools application bundle. It demonstrates how to use Sun Java System Access Manager, NetBeans IDE 5.5 and the Java Application Platform SDK to secure communications between the client and server of a sample Stock Quote Service. In the lab, a Stock Quote Service client requests a stock price from a Stock Quote Service provider; in response, the Stock Quote Service provider returns a quote based on the following:
A delayed stock quote is provided when the request is not authenticated.
A real-time stock quote is provided when the request is authenticated and authorized.
Three Netbeans projects are provided in the download. (A Netbeans project is a grouping of Java source files and associated information including, but not limited to, what belongs in the classpath and how to build the source.) The StockClient project serves as a WSC. It presents a graphical user interface within a web browser that will configure the request and send it to the Stock Quote Service provider. ClientServlet.java is the implementation of the Stock Quote Service client. The following methods implement the functionality:
processGetRequest(...) presents the web browser interface with which the user enters the stock quote.
processPostRequest(...) obtains the stock symbol, makes a service call to the WSP, and processes the response received back from the WSP. After processing, the stock quote is printed to the web browser.
The StockServer project serves as the WSP. It receives a request from the WSC, generates the appropriate response, and returns it to the WSC. The following files define aspects of the WSP:
stock.xsd describes the parameters that need to be passed to the Stock Quote Service provider, and included in responses that are returned to the Stock Quote Service client. It defines the QuoteRequest and QuoteReponse elements used in the SOAP body of the request and response, respectively.
stockservice.wsdl is the Web Services Description Language (WSDL) file that describes the Stock Quote Service provider.
StockQuotePortType_Impl.java is the implementation of the Stock Quote Service provider. The main method that implements it's functionality is getStockQuote(...) which parses the stock symbol from the WSC request, does a static lookup in the cache for the stock price, and returns the result. It also tries to obtain the Subject of the authenticated user accessing the service from the SecurityContext. If the web service request is authenticated, a real time quote is returned. Otherwise, a delayed quote of 20 minutes is returned.
The third Netbeans project is the StandAloneStockClient project. This project builds a standalone WSC that does the following:
Secures its own communications with a WSP using the web service security APIs included with Access Manager.
Constructs and secures a SOAP message using the SOAP APIs included with the Java Platform SDK.
See Exercise 5: Secure a Stand-Alone Web Service Client for more information on this project.
Expected duration of the lab: 90 minutes
Exercise 0: Install and Verify Configuration of the Java Application Platform SDK with Tools
Exercise 1: Load the Stock Quote Web Service Provider and Client Projects in Netbeans
Exercise 4: Enable User Authentication for Access to the Stock Quote Service Client
Installation instructions for the Java Application Platform SDK with Tools can be found on the Sun Developer Network (SDN) web site. The bundle installs the following components:
All contents of the Java EE 5 SDK
Sun Java System Access Manager 7.1 (OpenSSO)
Sun Java System Application Server (GlassFish)
NetBeans IDE 5.5 with NetBeans Enterprise Pack 5.5
After installation, verify that the SDK, Application Server, and Access Manager are correctly configured with the following procedure.
To start Application Server, run the following command:
AS_HOME/bin/asadmin start-domain domain1
Access the default Application Server home page by typing the following URL into a browser:
http://localhost:8080/
Access the Application Server Administration Console by typing the following URL into a browser:br>
http://localhost:4848/
Login to the Application Server Administration Console using the default admin and adminadmin as the username and password, respectively.
Click Web Applications in the Common Tasks frame to confirm that Access Manager was installed and deployed with the URI /amserver
Click Launch in the Web Applications frame to display the login page for Access Manager.
Login to the Access Manager Console using the default amadmin and admin123 as the user name and password, respectively.
The following text and screen captures will familiarize you with the Access Manager Console. It provides an interface to configure identities as well as the standard security mechanisms used to authenticate web service requests. (Access Manager provides other features such as policy management for access control, federation, and single-sign-on but these features are not covered in this lab. See the Sun Java System Access Manager product page for more information.)
Using the Access Manager console screen capture displayed above as a guide, click on a configured realm. Click on the Data Stores tab to display that realm's identity data stores. The screen capture below illustrates that the sample realm uses a flat file repository to store identity data. Other types of data stores (such as Sun Java System Directory Server, or Microsoft Active Directory) can be added, or existing ones can be modified or removed.
Now, click on the Subjects tab to display the screen below. Subjects provides the interface for, among other things, managing identities (users) and security provider agents. By default, Users is displayed. As shown, two users have been created:
John Smith user name:jsmith password:jsmith
John Doe user name:jdoe password:jdoe
Additional user entries can be added and existing user entries can be modified or removed.
Lastly, click on the Agents tab to display the screen below. Agents lists the security providers (or agents) that can be used to secure a web service. As previously discussed, the WSC must add security credentials to the SOAP headers in its requests. These credentials will then be validated by the WSP before the request is processed. However, adding security credentials must be accomplished in a standard manner so that inter-operability between multiple vendors is possible. The agents listed below are those supported by Access Manager. Clicking on a specific agent provides its configuration attributes (key values, trusted certificates, etc.). Brief explanations of the supported agents follow the screen capture.
Brief explanations of the supported agents:
UserNameToken: Securing the web service is accomplished using a user name and password and, optionally, signing the request. In this profile, a WSC can supply a UsernameToken as a means of identifying the requester by username and, optionally, a password (or shared secret or password equivalent) to authenticate the identity to the WSP.
X509Token: Securing the web service is accomplished using PKI (public key infrastructure), in which the WSC and the WSP trust each other's public keys or have a common trusted certificate authority. In this profile, a WSC would supply a public key as the means of identifying the requester and to authenticate itself to the WSP.
SAML-HolderOfKey: Securing the web service is accomplished using the Security Assertions Markup Language (SAML). In this profile, a WSC would supply a SAML assertion with the holder-of-keyconfirmation method as the means of identifying the requester and to authenticate itself to the WSP.
SAML-SenderVouches: Securing the web service is accomplished using SAML also but the confirmation method is different. In this profile, a WSC would supply a SAML assertion with the sender-vouches confirmation method to assert that it is acting on behalf of the subject of the SAML subject statement and to authenticate itself to the WSP.
LibertyX509Token: Securing the web service is accomplished using the Web Service Security X.509 Certificate Token Profile. This is similar to the X509 Token profile described above but using the Liberty Alliance Project defined processing rules.
LibertyBearerToken: Securing the web service is accomplished using the Web Service Security SAML Token Profile. This is similar to the SAML HolderOfKey profile described above but using the Liberty Alliance Project defined processing rules.
LibertySAMLToken: Securing the web service is accomplished using Web Service Security SAML Token Profile. This is similar to the SAML SenderVouches profile described above but using the Liberty Alliance Project defined processing rules.
The following procedures guide you in creating the WSP and WSC using two of the projects included in the Web Services Security download.
To load the StockServer project:
Open the Netbeans IDE's console.
Choose File > Open Project
From the Open Project dialog, navigate to the nbprojects directory in the unzipped WebServiceSecurity directory.
Choose StockServer and click Open Project Folder to load the StockServer project.
After loading the project, a dialog box will open telling you to resolve a reference problem.
Right click on StockServer in the left frame and choose Resolve Reference Problems... from the drop down menu.
Click Resolve in the resulting window and find appserv-rt.jar in the Browse dialog box.
appserv-rt.jar can be located in AS_HOME/lib.
After the reference is resolved, close the pop-up window.
To load the StockClient project:
Choose File > Open Project
From the Open Project dialog, navigate to the nbprojects directory in the unzipped WebServiceSecurity directory.
Choose StockClient and click Open Project Folder to load the StockClient project.
The Projects frame now contains a StockServer and StockClient project node.
The following procedures guide you in deploying the Stock Quote Service provider and client and testing unauthenticated communications. As mentioned, a delayed stock quote will be provided when the request is not authenticated.
In the Projects frame, right-click the StockServer project node and choose Deploy Project from the drop down menu.
Netbeans now does the following:
Starts the Application Server (if not already started).
Builds the StockServer project and displays the results in the Output window.
Deploys server.war to the Application Server.
In the Projects frame, right-click the StockClient project node and choose Deploy Project from the drop down menu.
Netbeans now does the following:
Builds the StockClient project and displays the results in the Output window.
Deploys client.war to the Application Server.
To test the client with an unauthenticated request, right-click the StockClient project node in the Projects frame and choose Run Project from the drop down menu.
The Stock Quote Service client interface will open in a browser window at the following URL:
http://localhost:8080/stockclient/
NOTE: You might have to login to the Access Manager Console using the top-level administrator or either of the sample users mentioned above if the session has timed out.
Click Submit to request the stock price for SUNW.
The response is a delayed stock quote as the request is not authenticated. (Note the delay time is set to 20.)
In this exercise, we will use the SAML-HolderOfKey profile to secure the web services communications. A default key store will be used and the response will not be signed. (The default key store is installed with Access Manager.) We will edit the SAML-HolderOfKey profile to reflect these attributes, and configure the Stock Quote Service client and provider - all using the Netbeans console.
To edit the SAML-HolderOfKey profile:
Click the Runtime tab in the left frame of the Netbeans console.
Expand the Sun Java System Access Managers node.
Expand the Default Instance node.
Expand the Profiles node.
Right-click SAML-HolderOfKey and select Edit.
The SAML-HolderOfKey editor is displayed.
Clear the Sign Response checkbox.
Leave the Use Default Key Store checkbox selected and click OK.
This modifies the Application Server deployment descriptor file, sun-web.xml. You can follow this sub-procedure to see sun-web.xml and the changes made.
Expand the StockServer node under the Projects tab.
Expand the Configuration Files node.
Right-click sun-web.xml node and choose Edit.
sun-web.xml is displayed in the right frame of the Netbeans console. The following XML code fragment (which defines the Access Manager implementation of the WS-I BSP SAML-HolderOfKey profile) can be seen in the opened file
<message-security-binding
auth-layer="SOAP"
provider-id="AMServerProvider-SAML-HolderOfKey">
<message-security>
<message>
</message>
<request-protection
auth-source="content"/>
<response-protection auth-source="content"/>
</message-security>
</message-security-binding>
Note that AMServerProvider-SAML-HolderOfKey is defined as the security mechanism. (For more information on this profile, see the WS-I BSP SAML Token Profile specification.
The following profiles can also be used as values for the message-security-binding element in the provider-id attribute:
AMServiceProvider-UserNameToken
to configure for the UsernameToken Profile.
This is the default
configuration. For more information, see the WS-I
BSP UsernameToken Profile specification.
AMServiceProvider-X509Token
to configure for the WS-I BSP X509 Token Profile.
For more
information, see the WS-I
BSP X509 Token Profile specification.
AMServiceProvider-SAML-SenderVouches
to configure for the WS-I BSP SAML Bearer Token Profile.
For
more information, see the WS-I
BSP SAML Token Profile specification.
To configure the Stock Quote Service provider:
Click the Projects tab in the left frame of the Netbeans console.
Expand the StockServer node.
Expand the Web Services node.
Right-click stockservice node and select Edit Web Service Attributes from the drop down menu.
The Web Service Provider Security Configuration editor opens.
Click the Enable Message Level Security checkbox.
Select SAML-HolderOfKey from the Request drop-down menu under Security Mechanisms.
Click OK.
Close the StockServer node.
To configure the Stock Quote Service client:
Expand the StockClient node.
Expand the Web Service References node.
Right-click Stockservice node and select Edit Web Service Attributes.
The Web Service Client Security Configuration editor opens.
Click the Enable Message Level Security checkbox.
Select SAML-HolderOfKey from the Request drop-down menu under Security Mechanisms.
Leave the Use Default Key Store checkbox selected and click OK.
Close the StockServer node.
You can now re-deploy the server and client nodes and run the lab again, following the instructions in Exercise 2: Deploy and Test Unauthenticated Communications between the Stock Quote Web Service Provider and Client. When the stock symbol SUNW is submitted, the response is a real time stock quote rather than the delayed quote as the WSP code has determined that the WSC is authenticated. (Note that the stock quote is the same as above; the delay time though is set to 0.)
In the previous exercises, security was enabled for communications between the WSC and WSP. This implies that the WSC authenticates any user accessing its Stock Quote Service interface and, if required, propogates said user's credentials to the WSP for processing. In this exercise, we will enable user authentication for the Stock Quote Service client using the Liberty Alliance Project Bearer Token security profile. WS-I BSP security mechanisms can also be used but a benefit of using security mechanisms defined by the Liberty Alliance Project is that configurations for user authentication are built in to the profiles. Thus, no additional configuration is needed to explicitly enable user authentication. (See below for instructions on how to enable user authentication for other security mechanisms.)
To configure the Stock Quote Service provider for authentication:
In the Projects frame, expand the StockServer project node.
Expand the Web Services node under StockServer.
Right-click the StockService node under Web Services and choose Edit Web Service Attributes from the drop down menu.
The Web Service Provider Security Configuration editor opens.
Click the Enable Message Level Security checkbox.
Select LibertyBearerToken from the Request drop-down menu under Security Mechanisms.
Click OK.
Close the open StockServer node in the Projects frame.
To configure the Stock Quote Service client for authentication:
In the Projects frame, expand the StockClient project node.
Expand the Web Services References node under StockClient.
Right-click the StockService node under Web Services References and choose Edit Web Service Attributes from the drop down menu.
The Web Service Client Security Configuration editor opens.
Click the Enable Message Level Security checkbox.
Select LibertyDiscoverySecurity from the Request drop-down menu under Security Mechanisms.
Click the Response checkbox to verify the response.
Click the Use Default Key Store checkbox under Existing Certificate Settings.
Click OK.
To deploy and run the Stock Quote Service with user authentication:
Right-click the StockServer project node in the Projects frame and select Deploy Project from the drop-down menu.
Netbeans does the following:
Starts the Application Server if not already started.
Builds the StockServer project and displays the results in the Output window.
Deploys server.war to the Application Server.
Right-click the StockClient project node in the Projects frame and select Run Project from the drop-down menu.
Netbeans does the following:
Builds the StockClient project and displays the results in the Output window.
Deploys client.war to the Application Server.
Opens the Access Manager login screen in a web browser.
Log in to Access Manager by typing jsmith or jdoe in the User Name and Password fields and clicking Login.
The Stock Quote Service client request screen appears.
Click Submit on the client request screen.
When the stock symbol for SUNW is submitted, the response is a real time stock quote. However, this time, the WSP also obtains the security credentials of the user as a SAML assertion in addition to that of the WSC.
To view the changes in the WSC deployment descriptor:
The following procedure displays the Application Server deployment descriptor, sun-web.xml, pointing out the changes made in this exercise.
In the Projects frame, expand the StockClient project node.
Expand the Configuration Files node.
Right-click sun-web.xml and choose Edit from the drop down menu.
Line 3 defines an HTTP provider that forces users to authenticate before accessing the web service client:
<sun-web-app error-url="" httpservlet-security-provider="AMHttpProvider">
Line 19 forces SOAP messages to be authenticated:
<message-security-binding auth-layer="SOAP" provider-id="AMClientProvider">
<message-security>
<message>
<message/>
<request-protection auth-source="content"/>
<response-protection auth-source="content"/>
</message-security>
</message-security-binding>
Now, right-click web.xml and choose Edit from the drop down menu.
The following XML code fragment is added to web.xml to restrict those who access the Stock Quote Service client to authenticated users:
<security-constraint>
<web-resource-collection>
<web-resource-name>AUTHENTICATED_RESOURCE</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>AUTHENTICATED_USERS</role-name>
</auth-constraint>
</security-constraint>
In the previous exercises, we were using the Java Application Platform SDK and its built-in security features to secure web service communications. In this exercise (which uses the StandAloneStockClient project in the nbprojects directory of the unzipped WebServiceSecurity directory), we build a standalone WSC that will secure its own communications with a WSP using the web service security APIs included with Access Manager, and the Java Platform SOAP APIs included with the Java Platform SDK to construct and secure the SOAP messages.
SecuringWS.java (available in the StandAloneStockClient project directory) defines the implementation for securing the web service communications. The main method in this code, main(String[] args), does the following:
Constructs the web service request message as a String by calling the function getStockQuoteRequest(...) and hard coding the stock symbol input from the user into a raw XML document. (Other tools can be used here to construct the web service request.)
Configures a SOAPMessage object with the XML document.
Initializes the Access Manager SOAPRequestHandler with the appropriate provider configuration; in this case, wsc. wsc maps to the wscWSC security provider configuration found in the default realm under the Access Control tab in the Access Manager console. (Click Subjects > Agents > wscWSC to access a view of the screen capture below.) The first highlighted entry in the following screen capture shows that the security mechanism used is UserNameToken Profile. The second highlighted entry shows the user name and password used by this security profile, which is testuser and test respectively.
Sends the secure SOAP message to the WSP using the getStockQuote method. The response from the WSP is then printed to the web browser.
NOTE:You can also view SecuringWS.java after creating the project in the Netbeans console by expanding the StandAloneStockClient project node, then the Source Packages node, and finally the com.samples node.
To create the StandAloneStockClient project in Netbeans:
Choose File > Open Project from the Netbeans IDE's console.
From the Open Project dialog, navigate to the nbprojects directory in the unzipped WebServiceSecurity directory.
Choose StandAloneStockClient and click Open Project Folder to add the StandAloneStockClient project.
After loading the project, a dialog box will open telling you to resolve some reference problems. Close this dialog box and proceed.
Right click on StandAloneStockClient in the left frame and choose Resolve Reference Problems... from the drop down menu.
Select the appropriate file, click Resolve in the resulting window and find the file in the Browse dialog box using the paths defined below.
The following file references will need to be resolved:
AS_HOME/addons/amserver/amclientsdk.jar
AS_HOME/addons/amserver
AS_HOME/lib/javaee.jar
AS_HOME/lib/appserv-ws.jar
AS_HOME/lib/appserv-rt.jar
After the references are resolved, close the dialog box.
Since the UserNameToken Profile is being used in this exercise we need to change the profile we originally defined for the previous exercises.
To change the web service security mechanism for the StockServer project in Netbeans:
In the Projects frame, expand the StockServer project node.
Expand the Web Services node under StockServer.
Right-click the StockService node under Web Services and choose Edit Web Service Attributes from the drop-down menu.
The Web Service Provider Security Configuration opens.
Select UserNameToken from the Request drop-down menu under Security Mechanisms.
Click OK.
Close the open StockServer node in the Projects frame.
Right-click the StockServer project node and choose Deploy Project.
This will redeploy the Stock Service using the UserNameToken profile for authenticating web service requests.
To run the standalone Stock Client:
In the Projects frame, right click the StandAloneStockClient project node and choose Build Project.
Right click the StandAloneStockClient project node again and this time choose Run Project.
The screen capture below shows the output in the Netbeans Console for the secure web service communication.
Using Authorization APIs (com.sun.identity.policy.client.PolicyEvaluator) to secure the web service using roles and groups
Using Identity Management APIs (com.sun.identity.idm.AMIdentity) to customize responses
Using