Securing Identity Web Services using NetBeans Enterprise Pack
By aravind on Sep 06, 2006
Securing identity web services can be accomplished using any of the token profiles in the WS-I Basic Security Profile (WS-I BSP), or using Liberty tokens. The key point is that the user's security token must be included in the WS-Security header of the request by the web service client (WSC), so that the web service provider (WSP) can act on the user's behalf.
The newly released NetBeans Enterprise Pack 5.5 (currently in beta) greatly simplifies securing identity web services with Liberty tokens. The NetBeans tutorial explains how to use the WS-I BSP security mechanisms to secure web services. Securing identity web services, however, requires a few additional steps at the WSC (explained below) after selecting the "LibertyDiscoverySecurity" mechanism in the drop-down menu. For the WSP, selecting either "Liberty Bearer Token" or "Liberty X509 Token" is sufficient. BTW, I assume you have gone through the tutorial and are familiar with configuring the security mechanisms.
The issue at the WSC is that the user must be authenticated before the WSC can send the user's security token to the WSP. To authenticate the user, the deployment descriptors, i.e. web.xml and sun-web.xml, must be modified as follows. In web.xml, add the following security constraint to protect the WSC:
<security-constraint>
  <display-name>Access Manager Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>AUTHENTICATED_RESOURCE</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>AUTHENTICATED_USERS</role-name>
  </auth-constraint>
</security-constraint>
Additionally, in sun-web.xml, enable user authentication by specifying the Access Manager HTTP servlet security provider: replace the opening <sun-web-app> element with the following line:

<sun-web-app error-url="" httpservlet-security-provider="AMHttpProvider">

Secondly, the security role mapping must be provided after the <context-root> element, so that the AUTHENTICATED_USERS role named in the constraint above maps to the principal Access Manager assigns to authenticated users:

<security-role-mapping>
  <role-name>AUTHENTICATED_USERS</role-name>
  <principal-name>AUTHENTICATED_USERS</principal-name>
</security-role-mapping>
After making the above changes and redeploying "Stock Client" and "Stock Service", the user is required to authenticate before accessing the WSC. The Access Manager bundled with NetBeans provides a couple of sample users, jsmith and jondoe, whose passwords are the same as their user names (these are demo accounts; do not leave them enabled in a real deployment). Analyzing the web service request would now show the user's identity being sent as part of the WS-Security headers.
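To verify the last point without eyeballing a packet capture, the following script checks a captured SOAP request for a WS-Security header carrying the user's identity and reports when it is missing. It is an added example, not code from the original post or from NetBeans or Access Manager. The SOAP envelopes are constructed here and simplified: in Liberty ID-WSF the token is a SAML 1.x assertion, so the check looks for a saml:NameIdentifier inside wsse:Security (falling back to a wsse:UsernameToken); the getQuote body, the AssertionID, the Issuer and the symbol are made-up values.

```python
# Added example: check that a captured SOAP request carries the user's
# identity token in its WS-Security header (not part of the original post).
import xml.etree.ElementTree as ET

# Namespaces used by the check; ElementTree matches on URI, so the prefixes
# used in the captured document do not matter.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}

# Constructed request, simplified: a SAML 1.x assertion for user jsmith in the
# wsse:Security header. AssertionID, Issuer and the getQuote body are made up.
AUTHENTICATED_REQUEST = """<soap:Envelope
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1">
      <saml:Assertion AssertionID="example-assertion-1" Issuer="idp.example.com">
        <saml:AuthenticationStatement>
          <saml:Subject>
            <saml:NameIdentifier>jsmith</saml:NameIdentifier>
          </saml:Subject>
        </saml:AuthenticationStatement>
      </saml:Assertion>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <getQuote xmlns="urn:example:stock"><symbol>SUNW</symbol></getQuote>
  </soap:Body>
</soap:Envelope>"""

# Constructed request from a WSC that was NOT configured as described above:
# no wsse:Security header at all, so the WSP has no user identity to act on.
UNAUTHENTICATED_REQUEST = """<soap:Envelope
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header/>
  <soap:Body>
    <getQuote xmlns="urn:example:stock"><symbol>SUNW</symbol></getQuote>
  </soap:Body>
</soap:Envelope>"""


def identity_in_security_header(envelope_xml):
    """Return the user identity carried in the wsse:Security header, or None.

    Looks first for a SAML assertion subject (the Liberty token case), then
    for a plain wsse:UsernameToken. Anything outside wsse:Security is ignored:
    an identity that only appears in the body is not a security token.
    """
    root = ET.fromstring(envelope_xml)
    header = root.find("soap:Header", NS)
    if header is None:
        return None
    security = header.find("wsse:Security", NS)
    if security is None:
        return None
    name_id = security.find(".//saml:NameIdentifier", NS)
    if name_id is not None and name_id.text and name_id.text.strip():
        return name_id.text.strip()
    username = security.find(".//wsse:UsernameToken/wsse:Username", NS)
    if username is not None and username.text and username.text.strip():
        return username.text.strip()
    return None


def check_request(envelope_xml):
    """Human-readable verdict for one captured request."""
    subject = identity_in_security_header(envelope_xml)
    if subject is None:
        return "FAIL: no identity token in the wsse:Security header"
    return "OK: request carries identity token for " + subject


if __name__ == "__main__":
    print(check_request(AUTHENTICATED_REQUEST))
    print(check_request(UNAUTHENTICATED_REQUEST))
```

Run it against the envelopes you capture from the Stock Client; a FAIL on a request that should be authenticated usually means the security constraint or the httpservlet-security-provider attribute did not take effect after redeployment. Presence of the token is only the first check: the WSP must still validate the assertion's signature and validity period before trusting the identity, which this script deliberately does not attempt.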