if your http-server will implement SSL implement the mod_ssl module on Apache
http://www.modssl.org
if your appServer is implementing SSL at the transport level then:
"To configure SSL for your application, follow these steps:
Select one of the mechanisms that require SSL. These include
Transport Security (SSL),
Message Authentication over SSL, and
SAML Authorization over SSL. Server Configuration GlassFish is
already configured for SSL. No further SSL configuration is necessary if
you are using Transport Security.However, if you are using one of the
Message Security mechanisms with SSL, you must update the GlassFish
certificates as described in Updating GlassFish Certificates. Configure a user on GlassFish as described in Adding Users to GlassFish. Client Configuration
For configuring your system for SSL in order to work through the
examples in this tutorial, the same keystore and truststore files are
used for both the client and the service. This obviates the needs to set
system properties to point to the client stores, as both GlassFish and
NetBeans are aware of these certificates and point to them by default. ..."</snip>example and tutorial is located at:
http://download.oracle.com/docs/cd/E17802_01/webservices/webservices/reference/tutorials/wsit/doc/WSIT_Security5.html
if your webservice is securing the messages individually then implement the Rampart Module
http://axis.apache.org/axis2/java/rampart/
to be engaged on Axis2 web-services
http://axis.apache.org/axis2/java/core/
feel feel free to ping me offline for implementation and/or coding details
Martin Gainty
______________________________________________
Jogi és Bizalmassági kinyilatkoztatás/Verzicht und Vertraulichkeitanmerkung/Note de déni et de confidentialité
Ez az
üzenet bizalmas. Ha nem ön az akinek szánva volt, akkor kérjük, hogy
jelentse azt nekünk vissza. Semmiféle továbbítása vagy másolatának
készítése nem megengedett. Ez az üzenet csak ismeret cserét szolgál és
semmiféle jogi alkalmazhatósága sincs. Mivel az electronikus üzenetek
könnyen megváltoztathatóak, ezért minket semmi felelöség nem terhelhet
ezen üzenet tartalma miatt.
Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung oder Fertigung einer Kopie ist unzulaessig. Diese Nachricht dient lediglich dem Austausch von Informationen und entfaltet keine rechtliche Bindungswirkung. Aufgrund der leichten Manipulierbarkeit von E-Mails koennen wir keine Haftung fuer den Inhalt uebernehmen.
Ce message est confidentiel et peut ętre privilégié. Si vous n'ętes pas le destinataire prévu, nous te demandons avec bonté que pour satisfaire informez l'expéditeur. N'importe quelle diffusion non autorisée ou la copie de ceci est interdite. Ce message sert ŕ l'information seulement et n'aura pas n'importe quel effet légalement obligatoire. Étant donné que les email peuvent facilement ętre sujets ŕ la manipulation, nous ne pouvons accepter aucune responsabilité pour le contenu fourni.
Subject: Glassfish - Webservice security
Date: Wed, 4 May 2011 16:51:39 +0200
From: Matthieu.VINCENT_at_cpexterne.org
To: users_at_glassfish.java.net
Hi everyone,
I’m trying to develop an
application exposing some webservices.
I’d like to secure them with ws-security, does
anyone already done this kind of things because I’m quite stucked on the
subject.
I’ve successfully do it with Basic
authentication, but I’ve to do it with ws-security and configuration (of
sun-web.xml I suppose?) is not so intuitive and I cannot find any good example
on the web
I’m using glassfish v2.1.
Some precision: I would prefer to expose my
webservices not using EJB pattern, if possible…
Thanks in advance
Regards,
Matthieu