This week's book giveaway is in the HTML Pages with CSS and JavaScript forum.
We're giving away four copies of Testing JavaScript Applications and have Lucas da Costa on-line!
See this thread for details.
Win a copy of Testing JavaScript Applications this week in the HTML Pages with CSS and JavaScript forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Bear Bibeault
  • Ron McLeod
  • Jeanne Boyarsky
  • Paul Clapham
Sheriffs:
  • Tim Cooke
  • Liutauras Vilda
  • Junilu Lacar
Saloon Keepers:
  • Tim Moores
  • Stephan van Hulst
  • Tim Holloway
  • fred rosenberger
  • salvin francis
Bartenders:
  • Piet Souris
  • Frits Walraven
  • Carey Brown

Web Services Security in tomcat6

 
Greenhorn
Posts: 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I am going to ask several things in this post. Be patient at my ignorance.
I am bit confused as to what the right approach is, what components to use when securing web services in tomcat 6. Any suggestions you can provide is greatly appreciated. Currently I have a web service running in tomcat6 (SOAP, HTTP). I want to secure this web service.
From documentation it appears tomcat6 supports JAXWS. I packaged by web service with JAXWS jar files. Apart from this I do not see any JAXWS specific jar files in the apache-tomcat directories. So how is this web service running in tomcat? Does JAXWS use the servlet mechanism to support web services when using JAXWS?

I know if I use axis I have to first put axis jar files in tomcat libraries. If I develop a web service using axis and deploy into tomcat, will it run in the context of axis web application. Is that a true statement?

Coming to Securing the web service, if I want to secure a Web Service developed using JAXWS, using WS-Security standard, what are the things I need to do? Do I have to put axis or CXF or Metro in tomcat to secure my web service? Can I do that without any of them but use simply JAXWS? If I put axis in tomcat, can I secure the web seervice that I developed using JAXWS initially? would it clash with axis?


 
Rancher
Posts: 1337
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

From documentation it appears tomcat6 supports JAXWS.


It does, if you deploy all required JAXWS jar files as part of the web app. But that would be rather a lot - the JAX-WS reference installation comes with 22 jar files (most of which are not required in all usage scenarios, though).

Does JAXWS use the servlet mechanism to support web services when using JAXWS?


All the major Java SOAP implementations (Axis2, Metro, CXF, JBoss-WS, etc.) are based on servlets, so they need a servlet container to run.

If I develop a web service using axis and deploy into tomcat, will it run in the context of axis web application. Is that a true statement?


Sort of. It will run as part of a web app, not necessarily the axis web app. Axis is a servlet with supporting classes and libraries - it can be integrated into any Java web app.

Coming to Securing the web service, if I want to secure a Web Service developed using JAXWS, using WS-Security standard, what are the things I need to do? Do I have to put axis or CXF or Metro in tomcat to secure my web service? Can I do that without any of them but use simply JAXWS? If I put axis in tomcat, can I secure the web seervice that I developed using JAXWS initially? would it clash with axis?


Strictly speaking, it's possible to use just the JAX-WS reference implementation, and secure those services by way of the WSS4J library (which is the standard Java implementation of WS-Security). But that would be a very low level approach, and not a lot of fun to develop. You're better off using Axis2 or Metro, for which integrated WS-Security is available. Note that both Axis2 and Metro support the JAX-WS API, so any services you already have don't need to be changed if you start using those SOAP stacks.
 
Ranch Hand
Posts: 2198
1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi!
22 JARs in the JAX-WS reference implementation?!??
I feel I need some information, since:
1. On the Metro download page:

For Tomcat, the installation process copies the two Metro jar files into Tomcat's shared/lib directory. No Tomcat configuration files are modified.


2. When I download Metro 2.0.1, I find six JARs and a WAR in the lib folder.

Are we talking about the same thing? Are you including additional, web service security, JARs in the count?
Thanks in advance!
 
Lester Burnham
Rancher
Posts: 1337
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Go to https://jax-ws.dev.java.net/2.2.1/ and download the distribution. I stand by my count :-)

Metro is packaged differently, with lots of those libraries bundled together into a single jar files that is larger than those 22 files combined (which is no surprise since it also contains WS-Security and other stuff).

But the crucial thing Randy asked about is WS-Security, and getting that with the JAX-WS reference implementation is tricky, so one should use either Axis-2 or Metro.
 
Ivan Krizsan
Ranch Hand
Posts: 2198
1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

Lester Burnham wrote:Go to https://jax-ws.dev.java.net/2.2.1/ and download the distribution. I stand by my count :-)


Thanks! I managed to get hold of an old version.
 
No thanks. We have all the government we need. This tiny ad would like you to leave now:
Building a Better World in your Backyard by Paul Wheaton and Shawn Klassen-Koop
https://coderanch.com/wiki/718759/books/Building-World-Backyard-Paul-Wheaton
    Bookmark Topic Watch Topic
  • New Topic