Is there a standard way to make Tomcat support security for web service message level?

 
Ranch Hand
Posts: 42
Is there a standard way to make Tomcat support security for web service message level?
Bear in mind that the web service uses JAX-WS and JAAS.

 
Rancher
Posts: 43081
The relevant standard is called WS-Security, and it's not implemented by Tomcat, but by the SOAP stack that you're using. For JAX-WS you can either use Axis2, Metro or CXF - they all support WS-Security. Most likely you'd have to write the JAAS integration yourself, but then, I'm not quite sure what it has to do with this; maybe you can clarify.
 
tarek helmy
Ranch Hand
Posts: 42
Yes, I develop a custom JAAS and use JAX-WS in developing web services,
but because of Tomcat's lack of handling for WS-Security, I extended the Tomcat security manager and added another type of auth method, called "wsse",
and a custom authenticator that checks the incoming SOAP message and integrates with the configured JAAS realm, which populates user principals and lets the web container manage security for the web service.
But I now realize that this approach is not standard and there should be another one that fits this case.
So, how can I use Metro for securing a web service to support userToken or SAML token?
 
Ulf Dittmer
Rancher
Posts: 43081

because of Tomcat's lack of handling for WS-Security


That statement doesn't really make sense. Tomcat is a servlet container and web server - it does not support ANY web service standards. WS support is added through a web app that implements a SOAP stack; if you need WS-Security, use a SOAP stack that supports it (like the ones I mentioned).

how can I use Metro for securing a web service to support userToken or SAML token


The Metro user's guide goes into a lot of detail on that, especially in chapter 14: https://metro.dev.java.net/guide/
 
tarek helmy
Ranch Hand
Posts: 42
I installed Metro with Tomcat 5.5
and tested it by deploying a web service from the Metro samples,
and then I deployed a custom web service that uses UsernameToken.
The web service deployed, but when I send a valid request containing a valid UsernameToken in the header of the SOAP message, I got this message:

com.sun.xml.ws.security.opt.impl.incoming.UsernameTokenHeader validate
SEVERE: WSS1408: UsernameToken Authentication Failed

Also, I tested the JAAS configured there in Tomcat by securing pages and testing them with a user defined in tomcat-users.xml.
 
Ulf Dittmer
Rancher
Posts: 43081

when I send a valid request containing a valid UsernameToken in the header of the SOAP messag...


How do you know that the request is valid - how are you generating it? Post the request here so we can take a look.

how can I use Metro for securing a web service to support userToken or SAML token


Have you worked through chapter 14 of the user's guide? Did you get those examples to run? If not, where did you get stuck?
 
tarek helmy
Ranch Hand
Posts: 42
Thanks, it's working now,
but I cannot override authentication error messages and other error messages.
I want to return a custom response message in case these errors occur in the web service using Metro.

I appreciate your efforts.
 