当前页面: 开发资料首页 → Netbeans 专题 → Securing Web Services Using the Liberty Token Profile
Securing Web Services Using the Liberty Token Profile
摘要: NetBeans Enterprise Pack 5.5 comes bundled with all the necessary runtimes to enable you to start developing secure, identity-enabled web services clients and providers. These runtimes include
NetBeans Enterprise Pack 5.5 comes bundled with all the necessary runtimes to enable you to start developing secure, identity-enabled web services clients and providers. These runtimes include:
- Sun Java System Application Server Platform Edition 9, Update 1
- Sun Java System Access Manager 7.1 and Policy Agent 2.2 for Web Services
This tutorial illustrates how you can secure an identity-based web service provider (WSP) within an enterprise or organization. Identity in a web service client to web service provider web service interaction can be characterized as:
- Identity of the web service client who is accessing the web service provider
- Identity of the end user who is accessing the web service client to talk to the web service provider
Netbeans Enterprise Pack provides support for token profiles that fall into two categories:
- Basic Security Profile (WSI) tokens used purely for web service client to web service provider interaction. Here the only identity information that is passed to the web service provider is that of the web service client.
- Liberty Security token profiles are used where there is a need to get the end user identity. End user here is the user who uses the WSC to request a service from WSP. The IDE automates authenticating the end user for the WSP and setting the security context for the WSP Java EE web service to that of the end user.
This tutorial explains how the IDE uses the Liberty token profile to send the caller's identity to the Calendar Service.
Prerequisites
This tutorial assumes that you have some basic knowledge of, or programming experience with, the Java language and platform and the NetBeans IDE.
System Requirements
These tutorials assume that your system meets the requirements specified in the System Requirements topic of the NetBeans Enterprise Pack 5.5 Release Notes.
Software Needed for the Tutorial
Before you begin, you must install the following software on your computer:
- NetBeans IDE 5.5 with NetBeans Enterprise Pack 5.5 (download)
- In order to complete the deployment steps in this tutorial, you must have Sun Java System Application Server Platform Edition 9 Update 1. This Application Server is bundled with the NetBeans Enterprise Pack 5.5 download.
Contents
- Configuring the Tutorial Environment
- Creating the Tutorial Projects
- Securing Web Services Using a Liberty Security Mechanism
- Deploying and Running the Project
- Exploring the Client Application Deployment Descriptor
- Exploring the Log Files
- Additional Configuration Tasks
- Troubleshooting
- References
- Summary
Configuring the Tutorial Environment
- Start the IDE.
- To verify that the Sun Java System Application Server is configured in the IDE, click the Runtime tab and expand the Servers node.
- If the Servers node does not contain a Sun Java System Application Server 9 node, follow the steps in Adding an Application Server.
- In the Runtime window, expand the Servers node, right-click the Sun Java System Application Server 9 node and choose Start from the pop-up menu.
Wait until the following message appears in the Output window:
Application server startup complete.
When the server is running, the IDE displays a green arrow badge on the Sun Java System Application Server 9 node.
Note: If the Start option is not available, your server is already running.
Creating the Tutorial Projects
There are two tutorial projects: CalendarServer and CalendarClient. The Calendar application is a simple implementation for the creation of calendar events. It maintains a static map of calendar events and returns them as required.
To create the CalendarServer project:
- From the IDE's main menu, choose File > New Project.
- In the Categories list, expand the Samples node, then select the Identity Blueprints node.
- In the Projects list, select Calendar Service.
- Click Next.
- Accept the default Project Name (CalendarServer) and optionally change the Project Location.
- Click Finish.
A progress dialog box appears, and then the CalendarServer project node appears in the Projects window.
To create the CalendarClient project:
- From the IDE's main menu, choose File > New Project.
- In the Categories list, expand the Samples node, then select the Identity Blueprints node.
- In the Projects list, select Calendar Client.
- Click Next.
- Accept the default values for Project Name (CalendarClient) and Project Location.
- Click Finish.
A progress dialog box appears, and then the CalendarClient project node appears in the Projects window.
Securing Web Services Using a Liberty Security Mechanism
Before you can deploy the project, the web service must be secured using one of the Liberty security mechanisms. In this scenario, we are using the Liberty Bearer Token security profile.
To configure the web service provider:
- In the Projects window, expand the CalendarServer project node and the Web Services node.
- Under the Web Services node, right-click the CalendarService node and choose Edit Web Service Attributes from the pop-up menu.
The Web Service Attributes Editor opens with the Security tab open so you can configure the web service provider security. - Select the Enable Message Level Security checkbox.
- Under Security Mechanism, from the Request drop-down list, select LibertyBearerToken.
- Click OK.
To configure the web service client:
- In the Projects window, expand the CalendarClient node and the Web Service References node.
- Under the Web Service References node, right-click the CalendarService node and choose Edit Web Service Attributes from the pop-up menu.
The Web Service Attributes Editor opens with the Security tab open so you can configure the web service client security. - Select the Enable Message Level Security checkbox.
- Under Security Mechanism, from the Request drop-down list, select LibertyDiscoverySecurity.
- Select the Response checkbox to verify the response.
- Under Existing Certificate Settings, leave the Use Default Key Store checkbox selected.
- Click OK.
Deploying and Running the Project
- In the Projects window, right-click the CalendarServer project node and choose Deploy Project.
The IDE does the following:
- Starts the application server if it is not already started.
- Builds the CalendarServer project.
You can see the build results in the Output window. - Deploys server.war to the Application Server.
- In the Projects window, right-click the CalendarClient project node and choose Run Project.
The IDE does the following:
- Builds the CalendarClient project.
You can see the build results in the Output window. - Deploys client.war to the Application Server.
- Opens the application in the browser.
- Builds the CalendarClient project.
- Type jsmith in the User Name and Password fields.
- Click Log In.
The Welcome page of the application opens. - From the drop-down list, select jsmith and in the date field, enter a date or accept the default.
- Click Get events.
Notice that the Calendar of jsmith is posted.
Exploring the Client Application Deployment Descriptor
- In the Projects window, expand the CalendarClient project node and expand the Configuration Files node.
- Right-click the sun-web.xml node and choose Edit.
Notice line 3:
<sun-web-app error-url="" httpservlet-security-provider="AMHttpProvider">
and then starting at line 15:
<message-security-binding auth-layer="SOAP" provider-id="AMClientProvider"> <message-security> <message/> <request-protection auth-source="content"/> <response-protection auth-source="content"/> </message-security> </message-security-binding>
Notice that these providers ensure that the web service is secured with the Liberty token profile to talk to the CalendarServer.
The following diagram illustrates the workflow of the request originating from the web service client (WSC) to the web service provider (WSP) through the identity provider (IDP) and Discovery Service (Disco). Keep in mind that there is an end user involved in this WSC access and that the user's identity is what is finally transmitted to the WSP in this security context.
In the diagram above, the HTTPProvider referred to is the AMHttpProvider configured in the Sun deployment descriptor. Similarly the SOAPProvider is the AMClientProvider configured in the Sun deployment descriptor. The WSP is first registered to the Discovery Service as part of the deployment from the IDE. Then when the WSC tries to send a request to the WSP, the end user accessing the WSC is first authenticated successfully with the Access Manager to interact with the Discovery Service. Then the workflow continues to obtain the WSP credentials and the request is sent to the WSP. Upon receiving the request, the WSP's configured Liberty SOAPProviders perform the token verification and set the subject to be that of the authenticated user at the WSC side. Now the business logic at the WSP proceeds.
Exploring the Log Files
The instructions in this section are optional. They are meant for users who are interested in seeing the changes in the log files.
- Before you proceed to the next step, enable the finest logging level.
Follow the instructions in Changing the Security Level on the Application Server. - In the Projects window, right-click the CalendarClient project node and choose Run Project from the pop-up menu.
- Open the Application Server log file (server.log) in the following directory: application-server-installation-directory\domains\domain1\logs.
If you accepted the default values during installation, this would be the C:\Sun\AppServer\domains\domain1\logs directory. - Look for ServerAuthContext.validateRequest and ClientAuthContext.secureRequest to find the changes in the log file.
Samples of the modified parts of the log file are available from the links below.
Additional Configuration Tasks
This section provides information about additional configuration tasks that you may want to perform.
Adding an Application Server
- In the Runtime window, right-click the Servers node and choose Add Server from the pop-up menu.
The Add Server Instance dialog box opens. - In the Choose Server page, from the Server drop-down list, select Sun Java System Application Server.
- (Optional) In the Name field, accept the default value or type the name you want to use to identify the server in the IDE.
- Click Next.
The Platform Location Folder page opens. - In the Platform Location field, use the Browse button to navigate to and select the Application Server installation location.
If you accepted the default values during the installation, the location is C:\Sun\Appserver. - Select the Register Local Default Domain radio button.
- Click Next.
- Supply the user name and password for the domain's administrator.
If you accepted the default values during the installation, the user name is admin and the password is adminadmin. - Click Finish.
Verifying the Configuration of the Access Manager Installation
- Start the application server.
- In the Runtime window, expand the Sun Java System Access Managers node.
- Right-click the Default Instance node and choose View Admin Console.
A new browser session starts, pointing at the following URL: http://localhost:8080/amserver.
The Sun Java System Access Manager Log In page opens, indicating that Access Manager server is running.
Configuration Information for Application Server not Installed on Port 8080
If the installation of the Sun Java System Application Server was done on a port other than 8080, you must perform the additional configuration steps shown below.
- In the Projects window, expand CalendarClient > Web Pages > WEB-INF and wsdl, and open the CalendarService.wsdl file in the editor.
- Click the Source button to switch to the Source view of the file.
- Scroll to the bottom of the file and locate the following line:
<soap:address location="http://localhost:8080/CalendarService/CalendarService"/> - Replace the 8080 value with the port number where the Application Server is installed.
- Save your changes and close the file.
Changing the Security Level on the Application Server
- In the Runtime window, right-click the Sun Java System Application Server 9 node and choose View Admin Console.
- Type admin for the username and adminadmin for the password.
- In the left navigation frame, click the Application Server link.
- In the right frame, click the Logging tab and then click the Log Levels tab.
- Scroll to the bottom of the page and set the Security to FINEST.
- Click the Save button and log out.
Configuring Support for the LibertySAMLToken Profile
For the Liberty sample, NetBeans Enterprise Pack supports 3 token profiles: LibertyBearerToken, LibertyX509Token, and LibertySAMLToken. If you want to use the LibertySAMLToken profile, you must perform the following manual configuration steps:
- Make sure the application server is running.
- Start a new browser session and point at the following URL: http://localhost:8080/amserver.
- At the Login screen, use the following values to log in:
User: amadmin
Password: admin123 (this is the default password). - Click the Web Services tab and then, in the Web Services page, click the Discovery Service tab.
- Scroll to the bottom of the page and in the Resource Offerings for Bootstrapping area, click the default Service Type, urn:liberty:disco:2003-08.
The Edit Resource Offerings page opens. - Under Service Instance, in the Service Description area, select the checkbox next to the urn:liberty:security:2003-08:null:null entry and click the Delete button.
The Service Description area now has no items. - In the Service Description area, click the New Description button.
The New Security Mechanism ID page opens. - In the New Security Mechanism ID page, in the Available list, select urn:liberty:security:2005-02:null:X509 and click OK.
Note: If the system asks you for an End Point URL, you can use http://localhost:8080/amserver/Liberty/disco. If your server is not installed on port 8080, replace 8080 with the correct port number.
The Edit Resource Offering page opens and under Service Instance, in the Service Description area, there is now an entry labeled urn:liberty:security:2005-02:null:X509. - At the Edit Resource Offering page, click Save, then at the Discovery Service page, click Save.
- In the upper navigation area, click Log Out.
Troubleshooting
This section provides workaround information for issues that you may encounter.
Exception Thrown When Invoking the Client
When the client is invoked it throws the following exception on the browser:
Caught an exception java.rmi.ServerException: JAXRPCSERVLET28: Missing port information
The possible cause for this exception:
- The security mechanism chosen for the client is not in the list of supported mechanisms for the server. In this case, ensure that you select the same security mechanism for the client and the server.
References
- Liberty Alliance Project Identity Web Services Framework Specification (PDF)
- Sun Java System Application Server Platform Edition 9 Documentation
- For answers to any other questions you may have about using the Liberty Security token profile to secure web services, see NetBeansUserFAQ in the NetBeans wiki.
- Securing Web Services Using the SAML or UserNameToken Profiles
Summary
In this tutorial, you used NetBeans Enterprise Pack 5.5 to secure an identity-based web service provider (WSP). You used Liberty Security Profile-based authentication for a calendar web service. You learned how to secure an identity-based web service provider (WSP), and how to authenticate the user accessing the web service via a web service client (WSC). The tutorial shows the inherent ease of use provided by NetBeans since all you needed to do was use the Web Service Client and Provider Security Configuration wizards.