7 Interoperability with Axis 1.4 and WSS4J 1.5.8 Security Environments

This chapter contains the following sections:

7.1 Overview of Interoperability With Axis 1.4 and WSS4J 1.5.8 Security Environments

In Axis 1.4 and WSS4J 1.5.8, you configure your security environment for inbound and outbound requests using handlers and deployment descriptors. For more information, see the Axis Deployment Tutorial at http://ws.apache.org/wss4j/axis.html.

In Oracle WSM 11g, you attach policies to Web service endpoints. Each policy consists of one or more assertions, defined at the domain-level, that define the security requirements. A set of predefined policies and assertions are provided out-of-the-box. For more details about the predefined policies, see "Predefined Policies" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services. For more information about configuring and attaching policies, see "Configuring Policies" and "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

Table 7-1the most common Axis and WSS4J interoperability scenarios based on the following security requirements: authentication, message protection, and transport.

For more information about:

Table 7-1 Interoperability with Axis and WSS4J Security Environments

Interoperability Scenario Client—>Web Service Oracle WSM 11g Policies Axis/WSS4J Policies

"Username Token with Message Protection (WS-Security 1.0)"

Axis/WSS4J—>Oracle WSM 11g

oracle/wss10_username_token_with_message_protection_service_policy

UsernameToken Timestamp Signature Encrypt

"Username Token with Message Protection (WS-Security 1.0)"

Oracle WSM 11g—>Axis/WSS4J

oracle/wss10_username_token_with_message_protection_client_policy

UsernameToken Timestamp Signature Encrypt

"SAML Token with Message Protection (WS-Security 1.0)"

Axis/WSS4J—>Oracle WSM 11g

oracle/wss10_saml_token_with_message_protection_service_policy

SAMLTokenUnsigned Timestamp Signature Encrypt

"SAML Token with Message Protection (WS-Security 1.0)"

Oracle WSM 11g—>Axis/WSS4J

oracle/wss10_saml_token_with_message_protection_client_policy

SAMLTokenUnsigned Timestamp Signature Encrypt

"Username Token Over SSL"

Axis/WSS4J—>Oracle WSM 11g

oracle/wss_username_token_over_ssl_service_policy

UsernameToken Timestamp

"Username Token Over SSL"

Oracle WSM 11g—>Axis/WSS4J

oracle/wss_username_token_over_ssl_client_policy

Timestamp UsernameToken

"SAML Token (Sender Vouches) Over SSL"

Axis/WSS4J—>Oracle WSM 11g

oracle/wss_saml_token_over_ssl_service_policy

SAMLTokenUnsigned Timestamp

"SAML Token (Sender Vouches) Over SSL"

Oracle WSM 11g—>Axis/WSS4J

oracle/wss_saml_token_over_ssl_client_policy

Timestamp SAMLTokenUnsigned


7.2 Required Files for Interoperability With Axis and WSS4J

Perform the following steps to create the handler and property files that are required in each of the Axis and WSS4J interoperability scenarios:

  1. Create and compile a password callback class, PWCallback.java, that can resolve passwords required by username and keystore aliases.

    The deployment descriptors defined in the following sections, contain username information, but not password information. As a best practice, you should not store sensitive information such as passwords in clear text within the deployment descriptor. To obtain the password, the Axis handler calls the password callback class. This mechanism is similar to JAAS. For more information, see the WSS4J documentation at http://ws.apache.org/wss4j.

  2. Create the keystore properties file, crypto.properties, as shown below. Include this file in the classes directory.

    org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
    org.apache.ws.security.crypto.merlin.keystore.type=jks
    org.apache.ws.security.crypto.merlin.keystore.password=welcome1
    org.apache.ws.security.crypto.merlin.file=default-keystore.jks
    
  3. Create the saml.properties file, required for SAML interoperability scenarios only, as shown below.

    org.apache.ws.security.saml.issuerClass=org.apache.ws.security.saml.SAMLIssuerImpl
    org.apache.ws.security.saml.issuer.cryptoProp.file=crypto.properties
    org.apache.ws.security.saml.issuer.key.name=orakey
    org.apache.ws.security.saml.issuer.key.password=orakey
    org.apache.ws.security.saml.issuer=www.oracle.com
    org.apache.ws.security.saml.subjectNameId.name=weblogic
    org.apache.ws.security.saml.authenticationMethod=password
    org.apache.ws.security.saml.confirmationMethod=senderVouches
    

7.3 Username Token with Message Protection (WS-Security 1.0)

This section describes how to implement username token with message protection that conforms to the WS-Security 1.0 standard in the following interoperability scenarios:

7.3.1 Configuring Axis and WSS4J Client and Oracle WSM 11g Web Service

To configure Axis and WSS4J client and Oracle WSM 11g Web Service, perform the steps described in the following sections:

7.3.1.1 Configuring Oracle WSM 11g Web Service

  1. Attach the following policy to the Web service: oracle/wss10_username_token_with_message_protection_service_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  2. Deploy the Web service.

7.3.1.2 Configuring Axis and WSS4J Client

  1. Build your Web service client proxy.

  2. Create the password callback class, PWCallback.java, and keystore properties file, crypto.properties, as described in "Required Files for Interoperability With Axis and WSS4J".

  3. Include the keystore file (for example, default-keystore.jks) and crypto.properties file directly under the classes folder.

    Ensure that you are using keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.

  4. Edit the deployment descriptor, client_deploy.wsdd, similar to Example 7-1.

    In the example, the receiver decrypts, verifies, and validates the username token; the sender inserts a username token, timestamp, signs the body, username token, and timestamp, and encrypts the body and username token. As shown in the example, the encryption key transport is overridden to match the Oracle WSM default requirements

  5. Set the following property within the client code to use the deployment descriptor defined in the previous step.

    System.setProperty("axis.ClientConfigFile", "client_deploy.wsdd");
    
  6. Deploy the Web service client.

The following shows an example of the client_deploy.wsdd deployment descriptor.

Example 7-1 client_deploy.wsdd Deployment Descriptor

<deployment xmlns="http://xml.apache.org/axis/wsdd/"
             xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
 <transport name="http" 
  pivot="java:org.apache.axis.transport.http.HTTPSender"/>
  <globalConfiguration >
   <!-- wss10_username_token_with_message_protection -->
   <requestFlow>
     <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
       <parameter name="passwordCallbackClass" 
        value="com.oracle.xmlns.ConfigOverride_jws.CO_SOA.BPELProcess1.PWCallback"/>
       <parameter name="passwordType" value="PasswordText"/>
       <parameter name="user" value="weblogic"/>
       <parameter name="action" value="UsernameToken Timestamp Signature Encrypt"/>
       <parameter name="encryptionKeyTransportAlgorithm" 
        value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
       <parameter name="encryptionKeyIdentifier" value="DirectReference" />
       <parameter name="encryptionPropFile" value="crypto.properties" />
       <parameter name="encryptionUser" value="orakey" />
       <parameter name="encryptionParts" value=
    "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}
     UsernameToken;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body" />
       <parameter name="signatureUser" value="orakey" />
       <parameter name="signaturePropFile" value="crypto.properties" />
       <parameter name="signatureKeyIdentifier" value="DirectReference" />
       <parameter name="signatureParts" value=
    "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}
UsernameToken;{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-
1.0.xsd}
Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body" />
     </handler>
   </requestFlow>
   <responseFlow>
     <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
       <parameter name="passwordCallbackClass" value="com.oracle.xmlns.ConfigOverride_jws.CO
_SOA.BPELProcess1.PWCallback"/>
       <parameter name="action" value="Timestamp Signature Encrypt" />
       <parameter name="signaturePropFile" value="crypto.properties" />
       <parameter name="decryptionPropFile" value="crypto.properties" />
       <parameter name="enableSignatureConfirmation"  value="false" />
     </handler>
   </responseFlow>
  </globalConfiguration >
</deployment>

7.3.2 Configuring Oracle WSM 11g Client and Axis and WSS4J Web Service

To configure Oracle WSM 11g client and Axis and WSS4J Web Service, perform the steps described in the following sections:

7.3.2.1 Configuring Axis and WSS4J Web Service

  1. Build your Web service.

  2. Create the password callback class, PWCallback.java, and keystore properties file, crypto.properties, as described in "Required Files for Interoperability With Axis and WSS4J".

  3. Include the keystore file (for example, default-keystore.jks) and crypto.properties file directly under the classes folder.

    Ensure that you are using keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.

  4. Edit the deployment descriptor, server_deploy.wsdd, as shown in Example 7-2.

    In the example, the receiver decrypts, verifies, and validates the username token; the sender inserts a username token, timestamp, signs the body, username token, and timestamp, and encrypts the body and username token. As shown in the example, the encryption key transport is overridden to match the Oracle WSM default requirements.

    Note:

    WSS4J enforces an order to the elements in the header. Ensure action ordering is updated in server_deploy.wsdd as shown in Example 7-2.
  5. Deploy the Web service.

7.3.2.2 Configuring Oracle WSM 11g Client

  1. Attach the following policy to the Web service: oracle/wss10_username_token_with_message_protection_client_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  2. For JSE clients only, configure the Web service client properties, as follows:

    Note: This step is not required for JEE clients.

    myPort.setProperty(ClientConstants.WSS_KEYSTORE_TYPE,"JKS");
    myPort.setProperty(ClientConstants.WSS_KEYSTORE_LOCATION,
     "/keystore-path/default-keystore.jks");
    myPort.setProperty(ClientConstants.WSS_KEYSTORE_PASSWORD, "welcome1");
    myPort.setProperty(ClientConstants.WSS_RECIPIENT_KEY_ALIAS,"orakey");
    ...
    

    Where setProperty is defined as follows:

    public void setProperty(String name, String value) {
       ((Stub) _port)._setProperty(name, value);
    }
    
  3. Deploy the Web service client.

The following shows an example of the server_deploy.wsdd deployment descriptor.

Example 7-2 server_deploy.wsdd Deployment Descriptor

<ns1:service name="HelloWorld" provider="java:RPC" style="wrapped" use="literal">
<!-- wss10_username_token_with_message_protection -->
<requestFlow>
   <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
      <parameter name="passwordCallbackClass" value="PWCallback1"/>
      <parameter name="user" value="wss4j"/>
      <parameter name="action" value="Signature UsernameToken Timestamp Encrypt"/>
      <parameter name="signaturePropFile" value="crypto.properties" />
      <parameter name="decryptionPropFile" value="crypto.properties" />
   </handler>
</requestFlow>
<responseFlow>
   <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
       <parameter name="passwordCallbackClass" value="PWCallback1"/>
       <parameter name="user" value="orakey"/>
       <parameter name="action" value="Timestamp Signature Encrypt"/>
       <parameter name="encryptionKeyTransportAlgorithm" 
          value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
       <parameter name="signaturePropFile" value="crypto.properties" />
       <parameter name="signatureKeyIdentifier" value="DirectReference" />
       <parameter name="signatureParts" 
value="{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;{Element}
{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp" />
       <parameter name="encryptionKeyIdentifier" value="DirectReference" />
   </handler>
</responseFlow>
</ns1:service>

7.4 SAML Token with Message Protection (WS-Security 1.0)

This section describes how to implement username token with message protection that conforms to the WS-Security 1.0 standard in the following interoperability scenarios:

7.4.1 Configuring Axis and WSS4J Client and Oracle WSM 11g Web Service

To configure Axis and WSS4J client and Oracle WSM 11g Web service, perform the steps described in the following sections:

7.4.1.1 Configuring Oracle WSM 11g Web Service

  1. Attach the following policy to the Web service: oracle/wss10_saml_token_with_message_protection_service_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  2. Deploy the Web service.

7.4.1.2 Configuring Axis and WSS4J Client

  1. Build your Web service client proxy.

  2. Create the password callback class, PWCallback.java, keystore properties file, crypto.properties file, and saml.properties file, as described in "Required Files for Interoperability With Axis and WSS4J".

  3. Include the keystore file (for example, default-keystore.jks) and crypto.properties file directly under the classes folder.

    Ensure that you are using keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.

  4. Edit the deployment descriptor, client_deploy.wsdd, similar to Example 7-3.

    In the example, the receiver decrypts, verifies, and validates the SAML token; the sender inserts a SAML token, timestamp, signs the body, SAML token, and timestamp, and encrypts the body. As shown in the example, the encryption key transport is overridden to match the Oracle WSM default requirements.

  5. Set the following property within the client code to use the deployment descriptor defined in the previous step.

    System.setProperty("axis.ClientConfigFile", "client_deploy.wsdd");
    
  6. Deploy the Web service client.

The following shows an example of the client_deploy.wsdd deployment descriptor.

Example 7-3 client_deploy.wsdd Deployment Descriptor

<deployment xmlns="http://xml.apache.org/axis/wsdd/"
             xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
 <transport name="http" 
  pivot="java:org.apache.axis.transport.http.HTTPSender"/>
  <globalConfiguration >
<!-- wss10_saml_token_with_message_protection -->
    <requestFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
        <parameter name="passwordCallbackClass" 
         value="com.oracle.xmlns.ConfigOverride_jws.CO_SOA.BPELProcess1.PWCallback"/>
        <parameter name="passwordType" value="PasswordText"/>
        <parameter name="user" value="weblogic"/>
        <parameter name="action" value="Timestamp Signature SAMLTokenSigned Encrypt"/>
        <parameter name="samlPropFile" value="saml.properties"/>
        <parameter name="encryptionKeyTransportAlgorithm" 
         value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <parameter name="encryptionKeyIdentifier" value="DirectReference" />
        <parameter name="encryptionPropFile" value="crypto.properties" />
        <parameter name="encryptionUser" value="orakey" />
        <parameter name="encryptionParts" 
         value="{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body" />
        <parameter name="signatureUser" value="orakey" />
        <parameter name="signaturePropFile" value="crypto.properties" />
        <parameter name="signatureKeyIdentifier" value="DirectReference" />
        <parameter name="signatureParts" value="{Element}
          {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}
          Timestamp;{Element}
          {http://schemas.xmlsoap.org/soap/envelope/}Body" />
      </handler>
    </requestFlow>
    <responseFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
        <parameter name="passwordCallbackClass" 
         value="com.oracle.xmlns.ConfigOverride_jws.CO_SOA.BPELProcess1.PWCallback" />
        <parameter name="action" value="Timestamp Signature Encrypt" />
        <parameter name="signaturePropFile" value="crypto.properties" />
        <parameter name="decryptionPropFile" value="crypto.properties" />
        <parameter name="enableSignatureConfirmation" value="false" />
    </handler>
  </responseFlow>
  </globalConfiguration >
</deployment>

7.4.2 Configuring Oracle WSM 11g Client and Axis and WSS4J Web Service

To configure Oracle WSM 11g client and Axis and WSS4J Web Service, perform the steps described in the following sections:

7.4.2.1 Configuring Axis and WSS4J Web Service

  1. Build your Web service.

  2. Create the password callback class, PWCallback.java, keystore properties file, crypto.properties file, and saml.properties file as described in "Required Files for Interoperability With Axis and WSS4J".

  3. Include the keystore file (for example, default-keystore.jks) and crypto.properties file directly under the classes folder.

    Ensure that you are using keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.

  4. Edit the deployment descriptor, server_deploy.wsdd, as shown in Example 7-4.

    In the example, the receiver decrypts, verifies, and validates the SAML token; the sender inserts a SAML token, timestamp, signs the body, SAML token, and timestamp, and encrypts the body. As shown in the example, the encryption key transport is overridden to match the Oracle WSM default requirements.

    Note:

    WSS4J enforces an order to the elements in the header. Ensure action ordering is updated in server_deploy.wsdd as shown in Example 7-4.
  5. Deploy the Web service.

7.4.2.2 Configuring Oracle WSM 11g Client

  1. Attach the following policy to the Web service: oracle/wss10_saml_token_with_message_protection_client_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  2. For JSE clients only, configure the Web service client properties, as follows:

    Note: This step is not required for JEE clients.

    myPort.setProperty(ClientConstants.WSS_KEYSTORE_TYPE,"JKS");
    myPort.setProperty(ClientConstants.WSS_KEYSTORE_LOCATION,
     "/keystore-path/default-keystore.jks");
    myPort.setProperty(ClientConstants.WSS_KEYSTORE_PASSWORD, "welcome1");
    myPort.setProperty(ClientConstants.WSS_RECIPIENT_KEY_ALIAS,"orakey");
    ...
    

    Where setProperty is defined as follows:

    public void setProperty(String name, String value) {
       ((Stub) _port)._setProperty(name, value);
    }
    
  3. Deploy the Web service client.

The following shows an example of the server_deploy.wsdd deployment descriptor.

Example 7-4 server_deploy.wsdd Deployment Descriptor

<ns1:service name="HelloWorld" provider="java:RPC" style="wrapped" use="literal">
<!-- wss10_username_token_with_message_protection -->
<requestFlow>
   <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
      <parameter name="passwordCallbackClass" value="PWCallback1"/>
      <parameter name="user" value="wss4j"/>
      <parameter name="action" value="Signature SAMLTokenUnsigned Timestamp Encrypt"/>
      <parameter name="signaturePropFile" value="crypto.properties" />
      <parameter name="decryptionPropFile" value="crypto.properties" />
   </handler>
</requestFlow>
<responseFlow>
   <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
       <parameter name="passwordCallbackClass" value="PWCallback1"/>
       <parameter name="user" value="orakey"/>
       <parameter name="action" value="Timestamp Signature Encrypt"/>
       <parameter name="encryptionKeyTransportAlgorithm" 
          value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
       <parameter name="signaturePropFile" value="crypto.properties" />
       <parameter name="signatureKeyIdentifier" value="DirectReference" />
       <parameter name="signatureParts" 
value="{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;{Element}
{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp" />
       <parameter name="encryptionKeyIdentifier" value="DirectReference" />
   </handler>
</responseFlow>
</ns1:service>

7.5 Username Token Over SSL

This section describes how to implement username token over SSL in the following interoperability scenarios:

7.5.1 Configuring Axis and WSS4J Client and Oracle WSM 11g Web Service

To configure Axis and WSS4J client and Oracle WSM 11g Web service, perform the steps described in the following sections:

7.5.1.1 Configuring Oracle WSM 11g Web Service

  1. Configure the server for SSL.

    For more information, see "Configuring SSL on WebLogic Server (One-Way)" and "Configuring SSL on WebLogic Server (Two-Way)" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  2. Attach the following policy to the Web service: oracle/wss_username_token_over_ssl_service_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  3. Deploy the Web service.

7.5.1.2 Configuring Axis and WSS4J Client

  1. Build your Web service client proxy.

  2. Create the password callback class, PWCallback.java, and keystore properties file, crypto.properties, as described in "Required Files for Interoperability With Axis and WSS4J".

  3. Edit the deployment descriptor, client_deploy.wsdd, similar the example below. In the example, the receiver validates the username token and timestamp; the sender inserts a timestamp.

    <deployment xmlns="http://xml.apache.org/axis/wsdd/"
                 xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
     <transport name="http" 
      pivot="java:org.apache.axis.transport.http.HTTPSender"/>
    <globalConfiguration >
    <!-- wss_username_token -->
    <requestFlow >
       <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
          <parameter name="action" value="UsernameToken Timestamp"/>
          <parameter name="user" value="weblogic"/>
          <parameter name="passwordCallbackClass" 
           value="com.oracle.xmlns.ConfigOverride_jws.CO_SOA.BPELProcess1.PWCallback"/>
          <parameter name="passwordType" value="PasswordText"/>
      </handler>
    </requestFlow >
    </globalConfiguration >
    </deployment>
    
  4. Set the following property within the client code to use the deployment descriptor defined in the previous step.

    System.setProperty("axis.ClientConfigFile", "client_deploy.wsdd");
    
  5. Deploy the Web service client.

7.5.2 Configuring Oracle WSM 11g Client and Axis and WSS4J Web Service

To configure Oracle WSM 11g client and Axis and WSS4J Web service, perform the steps described in the following sections:

7.5.2.1 Configuring Axis and WSS4J Web Service

  1. Configure the server for SSL.

  2. Build your Web service.

  3. Create the password callback class, PWCallback.java, and crypto.properties file, as described in "Required Files for Interoperability With Axis and WSS4J".

  4. Edit the deployment descriptor, server_deploy.wsdd, similar to the example below. In the example, the receiver validates the username token and the timestamp; the sender inserts a timestamp.

    <ns1:service name="HelloWorld" provider="java:RPC" style="wrapped" 
     use="literal">
    <!-- wss_username_token_over_ssl -->
      <requestFlow>
        <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
          <parameter name="passwordCallbackClass" value="PWCallback1"/>
          <parameter name="action" value="Timestamp UsernameToken"/>
        </handler>
      </requestFlow>
      <responseFlow> 
         <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
          <parameter name="action" value="Timestamp"/>
          </handler>
      </responseFlow>
    </ns1:service>
    
  5. Deploy the Web service.

7.5.2.2 Configuring Oracle WSM 11g Client

  1. Attach the following policy to the Web service client: wss_username_token_over_ssl_client_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  2. For JSE clients only, configure the Web service client properties, as shown below. The username and password must be set by the client for generating the username token.

    Note: This step is not required for JEE clients.

    myPort.setUsername("wss4j");
    myPort.setPassword("security"););
    
  3. Deploy the Web service client.

    When running the client, include the following client system property, where default-keystore.jks specifies the keystore that contains the certificate corresponding to the server certificate.

    -Djavax.net.ssl.trustStore=default-keystore.jks
    

7.6 SAML Token (Sender Vouches) Over SSL

This section describes how to implement SAML token (sender vouches) over SSL in the following interoperability scenarios:

7.6.1 Configuring Axis and WSS4J Client and Oracle WSM 11g Web Service

To configure Axis and WSS4J client and Oracle WSM 11g Web service, perform the steps described in the following sections:

7.6.1.1 Configuring Oracle WSM 11g Web Service

  1. Configure the server for SSL.

    For more information, see "Configuring SSL on WebLogic Server (One-Way)" and "Configuring SSL on WebLogic Server (Two-Way)" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  2. Attach the following policy to the Web service: wss_saml_token_over_ssl_service_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  3. Deploy the Web service.

7.6.1.2 Configuring Axis and WSS4J Client

  1. Build your Web service client proxy.

  2. Create the password callback class, PWCallback.java; keystore properties file, crypto.properties; and SAML properties file, saml.properties, as described in "Required Files for Interoperability With Axis and WSS4J".

  3. Edit the deployment descriptor, client_deploy.wsdd, similar the example below. In the example, the receiver validates the SAML token and timestamp; the sender inserts a timestamp.

    <deployment xmlns="http://xml.apache.org/axis/wsdd/"
                 xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
    <transport name="http" 
      pivot="java:org.apache.axis.transport.http.HTTPSender"/>
     <globalConfiguration >
    <!-- wss_saml_token -->
    <requestFlow >
       <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
          <parameter name="action" value="SAMLTokenSigned Timestamp"/>
          <parameter name="samlPropFile" value="saml.properties"/>
          <parameter name="user" value="weblogic"/>
          <parameter name="passwordCallbackClass"
     value="com.oracle.xmlns.ConfigOverride_jws.CO_SOA.BPELProcess1.PWCallback"/>
          <parameter name="passwordType" value="PasswordText"/>
          <parameter name="signatureUser" value="orakey" />
          <parameter name="signatureKeyIdentifier" value="DirectReference" />
          <parameter name="signaturePropFile" value="crypto.properties" />
       </handler>
    </requestFlow >
    </globalConfiguration >
    </deployment>
    
  4. Set the following property within the client code to use the deployment descriptor defined in the previous step.

    System.setProperty("axis.ClientConfigFile", "client_deploy.wsdd");
    
  5. Deploy the Web service client.

7.6.2 Configuring Oracle WSM 11g Client and Axis and WSS4J Web Service

To configure Oracle WSM 11g client and Axis and WSS4J Web service, perform the steps described in the following sections:

7.6.2.1 Configuring Axis and WSS4J Web Service

  1. Configure the server for SSL.

  2. Build your Web service.

  3. Create the password callback class, PWCallback.java, and crypto.properties file, as described in "Required Files for Interoperability With Axis and WSS4J".

  4. Edit the deployment descriptor, server_deploy.wsdd, similar to the example below.

    In the example, the receiver validates the SAML token and the timestamp; the sender inserts a timestamp.

    <ns1:service name="HelloWorld" provider="java:RPC" style="wrapped" 
     use="literal">
    <!-- wss_saml_token_over_ssl -->
    <requestFlow>
       <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
          <parameter name="passwordCallbackClass" value="PWCallback1"/>
          <parameter name="action" value="Timestamp SAMLTokenUnsigned"/>
       </handler>
    </requestFlow>
    <responseFlow>
       <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
          <parameter name="action" value="Timestamp"/>
       </handler>
    </responseFlow>
    </ns1:service>
    
  5. Deploy the Web service.

7.6.2.2 Configuring Oracle WSM 11g Client

  1. Attach the following policy to the Web service client: wss_saml_token_over_ssl_client_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  2. For JSE clients, configure the Web service client properties, as shown below. The username must be set by the client for generating the SAML assertion.

    Note:

    This step is not required for JEE clients.v
    myPort.setUsername("wss4j");
    
  3. Deploy the Web service client.

    When running the client, include the following client system property, where default-keystore.jks specifies the keystore that contains the certificate corresponding to the server certificate.

    -Djavax.net.ssl.trustStore=default-keystore.jks