1. Overview
Web Logic Web Services are developed based on the JSR 109 specification, which defines the standard Java EE runtime architecture for implementing web services in Java. The Web Logic platform fully supports JAX-RPC style web services, and JAX-WS based web services are supported from Web Logic 10.x onwards. Development of web services using JAX-RPC seems to be much more stable, and Web Logic recommends using JAX-RPC as of the Web Logic 10.x release. In this article, the web service artifacts are generated using JAX-RPC and secured using OpenSSO. The architecture remains similar to my other entry: Securing AXIS2 web services using OpenSSO.

Fig. 1 Securing Web Logic web services using OpenSSO
In this architecture, two levels of integration secure and validate web service communications.
The first integration, for WSCs, obtains the authenticated user context from OpenSSO in the web service client application. Alternatively, one could use the OpenSSO Policy Agent; however, this integration takes the simpler approach of a J2EE filter. This filter not only authenticates the user but also exposes the authenticated user context to the SOAP layer via a ThreadLocal.
The second integration intercepts the outgoing SOAP message from the web service client application via a handler in the "Security" phase and secures it using the OpenSSO SDK.
For the web service provider applications (WSPs), the OpenSSO-based handler in the Security phase intercepts and validates the incoming SOAP request, and then authenticates against OpenSSO to generate the authentication context (session).
Note: For WSPs, OpenSSO officially plans to provide support through OpenSSO Policy Agents, probably by the next express build.
2. Installation Requirements
2.1 Web Logic 10.x Server
2.2 OpenSSO Zip
2.3 OpenSSO WSSProviders Zip
2.4 Web Logic web service samples
3. Deployment of OpenSSO
This tutorial uses OpenSSO on the Web Logic platform, although you could use any supported platform.
Download the opensso.zip mentioned in section 2 and follow the OpenSSO Installation and Configuration Guide in the OpenSSO documentation. After successful installation and configuration, make sure that the OpenSSO instance is accessible by logging in to the OpenSSO Administration Console.
Note: The OpenSSO Installation and Configuration document uses the ldapjdk.jar workaround to configure OpenSSO on Web Logic. The workaround is to prepend the ldapjdk.jar shipped with OpenSSO to Web Logic's global classpath. Also note that the web service samples developed below assume localhost and port 7001 for the container in which OpenSSO is deployed.
4. Preparing OpenSSO WSS Provider Agent Configuration
The OpenSSO WSS Agent zip contains the client configuration (AMConfig.properties) and the OpenSSO ClientSDK, so that web service providers and/or web service clients can easily integrate to validate/secure web service communications. Here we prepare the AMConfig.properties template that comes with the zip file for the installed OpenSSO server instance.
4.1 Unzip openssowssproviders.zip to a location where it can be customized. Here we refer to this as $openssowssagentsdir
4.2 cd $openssowssagentsdir/resources and edit AMConfig.properties as follows:
# Debug level "message" helps in debugging any failures
com.iplanet.services.debug.level=message
# Directory where debug files can be written, e.g. /tmp/wss
com.iplanet.services.debug.directory=<directory where debug files can be written>
com.iplanet.am.naming.url=http://<openssohost>:<openssoport>/<openssodeploydir>/namingservice
com.sun.identity.agents.app.username=amadmin
com.iplanet.am.service.password=<password for the amadmin>
# No setting, i.e. leave empty; remove any macro that is present here
com.encryption.pwd=
com.iplanet.am.server.protocol=http
# Host where OpenSSO is deployed, e.g. localhost
com.iplanet.am.server.host=<host where the OpenSSO is deployed>
# Port where OpenSSO is deployed, e.g. 7001
com.iplanet.am.server.port=<port where the OpenSSO is deployed>
# Deployment URI, e.g. opensso
com.iplanet.am.services.deploymentDescriptor=<deployment uri>
com.iplanet.am.cookie.name=iPlanetDirectoryPro
# Here it is $openssowssagentsdir/resources/keystore.jks
com.sun.identity.saml.xmlsig.keystore=<directory where the keystore.jks is located>
com.sun.identity.saml.xmlsig.storepass=$openssowssagentsdir/resources/.storepass
com.sun.identity.saml.xmlsig.keypass=$openssowssagentsdir/resources/.keypass
com.sun.identity.saml.xmlsig.certalias=test
com.sun.identity.login.url=http://<openssohost>:<openssoport>/<deployuri>/UI/Login
com.sun.identity.liberty.authnsvc.url=http://<openssohost>:<openssoport>/<deployurl>/Liberty/authnsvc
com.sun.identity.wss.trustclient.enablemetro=false
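An added example (not part of the original article and not OpenSSO code): a small Python check for the AMConfig.properties edited in step 4.2, run before the file is packaged into the WAR. It reports unreplaced placeholders, a non-empty com.encryption.pwd, the verbose debug level, and a naming URL that disagrees with the server protocol, host, port and deployment URI settings. The sample file content, the function names and the finding texts are constructed for illustration.

```python
import re

# Constructed sample with two mistakes left in (password placeholder, wrong naming port).
SAMPLE = """\
com.iplanet.services.debug.level=message
com.iplanet.am.naming.url=http://localhost:8080/opensso/namingservice
com.sun.identity.agents.app.username=amadmin
com.iplanet.am.service.password=<password for the amadmin>
com.encryption.pwd=
com.iplanet.am.server.protocol=http
com.iplanet.am.server.host=localhost
com.iplanet.am.server.port=7001
com.iplanet.am.services.deploymentDescriptor=opensso
"""

NAMING_URL = re.compile(r"^(\w+)://([^:/]+):(\d+)/([^/]+)/namingservice$")
URL_PARTS = ("com.iplanet.am.server.protocol", "com.iplanet.am.server.host",
             "com.iplanet.am.server.port", "com.iplanet.am.services.deploymentDescriptor")

def parse_properties(text):
    """Minimal key=value parser; skips blank lines and '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_amconfig(text):
    """Return findings for the settings edited in step 4.2 (empty list = consistent)."""
    p = parse_properties(text)
    findings = []
    for key, value in p.items():
        # Template text (<...>) or an install macro (@...@) left in a value.
        if re.search(r"<[^>]*>|@\w+@", value):
            findings.append(f"{key}: placeholder not replaced")
    if p.get("com.encryption.pwd"):
        findings.append("com.encryption.pwd: expected empty")
    if p.get("com.iplanet.services.debug.level") == "message":
        findings.append("com.iplanet.services.debug.level: verbose, lower after testing")
    m = NAMING_URL.match(p.get("com.iplanet.am.naming.url", ""))
    if not m:
        findings.append("com.iplanet.am.naming.url: expected protocol://host:port/uri/namingservice")
    for key, got in zip(URL_PARTS, m.groups() if m else ()):
        want = p.get(key, "").strip("/")
        if got != want:
            findings.append(f"{key}: {want!r} does not match naming URL part {got!r}")
    return findings
```

Calling check_amconfig() on the text of $openssowssagentsdir/resources/AMConfig.properties returns one line per problem; an empty list means the edited values agree with each other.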
5. Develop Web Service Provider Application
Web Logic provides tools to generate the web service artifacts; here we use Ant-based samples to build the web service applications.
5.1 Download the Web Logic Samples from the link as in 2.4.
5.2 Unzip weblogicsamples.zip to your favorite folder. This will be referred to as $weblogicsamplesdir. The zip file contains two folders, one for the StockService and the second for the StockClient. The client artifacts will be developed later in Section 6.
5.3 cd to $<weblogic domain directory/bin directory> and execute setDomainEnv.cmd (the script depends on your platform; I have used Windows here)
5.4 cd $weblogicsamplesdir/StockService and edit the client.class.path so that it points to your openssoclientsdk.jar (located under $openssowssagentsdir/lib). Also update the path of StockQuotePortImpl.java (it is written with "\" for Windows)
5.5 Execute ant -f build.xml. This generates the necessary stubs and creates the directory structure for generating the stockservice enterprise application under $weblogicsamplesdir/StockService/dist.
5.6 cd $weblogicsamplesdir/StockService/dist/com/sun/samples, copy the generated StockQuotePortImpl.war to a temp directory (/tmp/wss) and unpack it using jar -xvf StockQuotePortImpl.war
5.7 Update the war file with the OpenSSO jars (this could also have been done through the ant script)
cp $openssowssagentsdir/lib/openssoclientsdk.jar /tmp/wss/WEB-INF/lib
cp $openssowssagentsdir/resources/AMConfig.properties /tmp/wss/WEB-INF/classes
cp $weblogicsamplesdir/lib/xmlsec.jar /tmp/wss/WEB-INF/lib
Re-create StockQuotePortImpl.war using jar cvf StockQuotePortImpl.war from within the /tmp/wss directory.
Copy StockQuotePortImpl.war back to $weblogicsamplesdir/StockService/dist/com/sun/samples
5.8 Now create the enterprise application and deploy it.
cd $weblogicsamplesdir/StockService and run ant build-ear. This creates StockQuoteService.ear under the dist directory.
Deploy StockQuoteService.ear using the Web Logic administration console (self-explanatory).
6. Develop Web Service Client Application
6.1 cd $weblogicsamplesdir/StockClient and update the paths for openssoclientsdk.jar and AMConfig.properties accordingly
6.2 Execute ant -f build.xml. This generates StockClient.war under the $weblogicsamplesdir/StockClient/dist directory
6.3 Deploy StockClient.war using the Web Logic administration console (self-explanatory).
7. Test the sample.
The OpenSSO deployment uses the default wsc/wsp configuration, and the handler uses the same profile for web service security. However, you can modify it to suit your needs.
7.1 Log in to the OpenSSO Console, navigate to Access Control -> Default realm -> Agents -> Web Service Client -> wsc and choose your preferred security mechanism.
(You can also choose STSSecurity)
7.2 Also choose the corresponding wsp security mechanism by navigating to Access Control -> Default realm -> Agents -> Web Service Provider -> wsp, then log out
7.3 Test the sample by accessing http://localhost:7001/StockClient/index.jsp. This redirects to the OpenSSO Login page. After successful login, click on "GetQuote" on index.jsp. If successful, you should get a valid stock quote display with links to the secured message.
I followed the instructions provided. All the steps worked, but when I run the client (index.jsp) I get "Invalid SSToken" error...
Could you please point me in the right direction to debug...
Thanks
Regards,
Anil Patel
Posted by Anil Patel on February 12, 2009 at 11:07 AM PST