RE: Glassfish - Webservice security

From: Martin Gainty <mgainty_at_hotmail.com>
Date: Wed, 4 May 2011 14:56:39 -0400

if your http-server will implement SSL implement the mod_ssl module on Apache
http://www.modssl.org

if your appServer is implementing SSL at the transport level then:
"To configure SSL for your application, follow these steps:

Select one of the mechanisms that require SSL. These include
Transport Security (SSL),
Message Authentication over SSL, and
SAML Authorization over SSL. Server Configuration GlassFish is
already configured for SSL. No further SSL configuration is necessary if
you are using Transport Security.However, if you are using one of the
Message Security mechanisms with SSL, you must update the GlassFish
certificates as described in Updating GlassFish Certificates. Configure a user on GlassFish as described in Adding Users to GlassFish. Client Configuration
For configuring your system for SSL in order to work through the
examples in this tutorial, the same keystore and truststore files are
used for both the client and the service. This obviates the needs to set
system properties to point to the client stores, as both GlassFish and
NetBeans are aware of these certificates and point to them by default. ..."</snip>example and tutorial is located at:
http://download.oracle.com/docs/cd/E17802_01/webservices/webservices/reference/tutorials/wsit/doc/WSIT_Security5.html
if your webservice is securing the messages individually then implement the Rampart Module
http://axis.apache.org/axis2/java/rampart/
to be engaged on Axis2 web-services
http://axis.apache.org/axis2/java/core/
feel feel free to ping me offline for implementation and/or coding details
Martin Gainty
______________________________________________
Jogi �s Bizalmass�gi kinyilatkoztat�s/Verzicht und Vertraulichkeitanmerkung/Note de d�ni et de confidentialit�
Ez az
�zenet bizalmas. Ha nem �n az akinek sz�nva volt, akkor k�rj�k, hogy
jelentse azt nek�nk vissza. Semmif�le tov�bb�t�sa vagy m�solat�nak
k�sz�t�se nem megengedett. Ez az �zenet csak ismeret cser�t szolg�l �s
semmif�le jogi alkalmazhat�s�ga sincs. Mivel az electronikus �zenetek
k�nnyen megv�ltoztathat�ak, ez�rt minket semmi felel�s�g nem terhelhet
ezen �zenet tartalma miatt.

Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung oder Fertigung einer Kopie ist unzulaessig. Diese Nachricht dient lediglich dem Austausch von Informationen und entfaltet keine rechtliche Bindungswirkung. Aufgrund der leichten Manipulierbarkeit von E-Mails koennen wir keine Haftung fuer den Inhalt uebernehmen.
Ce message est confidentiel et peut �tre privil�gi�. Si vous n'�tes pas le destinataire pr�vu, nous te demandons avec bont� que pour satisfaire informez l'exp�diteur. N'importe quelle diffusion non autoris�e ou la copie de ceci est interdite. Ce message sert � l'information seulement et n'aura pas n'importe quel effet l�galement obligatoire. �tant donn� que les email peuvent facilement �tre sujets � la manipulation, nous ne pouvons accepter aucune responsabilit� pour le contenu fourni.

Subject: Glassfish - Webservice security
Date: Wed, 4 May 2011 16:51:39 +0200
From: Matthieu.VINCENT_at_cpexterne.org
To: users_at_glassfish.java.net

Hi everyone,

I�m trying to develop an
application exposing some webservices.

I�d like to secure them with ws-security, does
anyone already done this kind of things because I�m quite stucked on the
subject.

I�ve successfully do it with Basic
authentication, but I�ve to do it with ws-security and configuration (of
sun-web.xml I suppose?) is not so intuitive and I cannot find any good example
on the web

I�m using glassfish v2.1.

Some precision: I would prefer to expose my
webservices not using EJB pattern, if possible�

Thanks in advance

Regards,

Matthieu