Web Service Security: Three Steps

I've been looking at adding security to the simple web service created in the J2EE Tutorial's Creating a Simple Web Service and Client with JAX-RPC section. Once it all makes sense to me, I'll turn it all into a tutorial. Currently, my understanding (aided by Petr Blaha, a very helpful NetBeans developer and colleague) goes like this:
  1. Configure a security realm on the Sun Java System Application Server. (Or on whatever J2EE 1.4 application server you use for deployment. No, Tomcat is not a J2EE 1.4 application server.) For the SJS Application Server, you need to start it and then right-click its node in the IDE's Runtime window and choose View Admin Console. Under Configuration > Security > Realms > file, you can add the user ID and password:

    Next, add a security role mapping to the server's server-specific deployment descriptor (at least, this is necessary for the SJS Application Server):

  2. Add a security constraint, log-in configuration, and security role to the web service's web.xml (i.e., its deployment descriptor):

        <web-resource-name>Web Service Security Resource</web-resource-name>
      <description>Big Bosses</description>

    • security-constraint. Limits access to the resources defined in a web-resource-collection.

    • login-config. Specifies the method used to authenticate the user, where BASIC (which is the default setting) uses browser authentication.

    • security-role. The role name must have a corresponding entry in the server-specific file, which maps roles to principals in the security realm defined on the server.

  3. Add two lines to the main method of the static-stub client (as described in the J2EE Tutorial's Example: Basic Authentication with JAX-RPC section):

    stub._setProperty(javax.xml.rpc.Stub.USERNAME_PROPERTY, "very-high-up-guy");
    stub._setProperty(javax.xml.rpc.Stub.PASSWORD_PROPERTY, "abcde");

    There are other (and better) ways of setting security from the client side, but this is the simplest scenario.

    Now run the web service. The first time you do this, the server should prompt you for the user name and password. And then, once it's succesfully launched, run the client. A little password dialog box appears where you can type in the username and password:

    Everything should now be well with the world -- if you type in the correct username and password and click OK... Bob's your father's brother and the static-stub client will have successfully made access to the web service.


Hi This is babu from ramco System, Now iam developing application in webservice. so we plan to use websphere 6.0 version. I able to run username token security in tomcat5, so how can i implement username token security in WAS. I able to run without security service in WAS, but my requirement is enabling security using username and password. please help me to solve the problem. regards Babu J

Posted by babu jayaraman on April 17, 2006 at 04:43 PM PDT #

Post a Comment:
  • HTML Syntax: NOT allowed

Geertjan Wielenga (@geertjanw) is a Principal Product Manager in the Oracle Developer Tools group living & working in Amsterdam. He is a Java technology enthusiast, evangelist, trainer, speaker, and writer. He blogs here daily.

The focus of this blog is mostly on NetBeans (a development tool primarily for Java programmers), with an occasional reference to NetBeans, and sometimes diverging to topics relating to NetBeans. And then there are days when NetBeans is mentioned, just for a change.


« April 2014