Developing Secure Java Web Services, Java EE 6

Student Guide

DWS-4120-EE6 Rev B

D66105GC10
Edition 1.0
June 2010
D67630
Copyright © 2010, Oracle and/or its affiliates. All rights reserved.

Disclaimer

This document contains proprietary information, is provided under a license agreement containing restrictions on use and
disclosure, and is protected by copyright and other intellectual property laws. You may copy and print this document solely for
your own use in an Oracle training course. The document may not be modified or altered in any way. Except as expressly
permitted in your license agreement or allowed by law, you may not use, share, download, upload, copy, print, display,
perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express
authorization of Oracle.

The information contained in this document is subject to change without notice. If you find any problems in the document,
please report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This
document is not warranted to be error-free.

Sun Microsystems, Inc. Disclaimer

This training manual may include references to materials, offerings, or products that were previously offered by Sun
Microsystems, Inc. Certain materials, offerings, services, or products may no longer be offered or provided. Oracle and its
affiliates cannot be held responsible for any such references should they appear in the text provided.

Restricted Rights Notice

If this documentation is delivered to the U.S. Government or anyone using the documentation on behalf of the U.S.
Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS


The U.S. Government’s rights to use, modify, reproduce, release, perform, display, or disclose these training materials are
restricted by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.

Trademark Notice

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective
owners.
Contents

How to Use Course Materials . . . . . . . . . . . . . . . . . . . . . . . . xxviii

Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxviii

The Traveller Project . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxi

The Auction Project . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxvi

1 Introduction to Security 1-1

Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2

Web Services Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11

Security Strategies and Technologies . . . . . . . . . . . . . . . . . . . . 1-16

2 Web Services Security Threats and Countermeasures 2-1

Additional Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2

Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3

Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7

3 Securing Java™ Web Services Using JavaEE 3-1

Underlying Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2

Transport-Layer Security . . . . . . . . . . . . . . . . . . . . . . . . 3-2

Authentication and Authorization . . . . . . . . . . . . . . . . . . 3-7

JavaEE Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10

Web Tier Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-16


Securing a JAX-WS Web Service Using Web-Tier Security . . . . . 3-24

Securing a JAX-RS Web Service Using Web-Tier Security . . . . . 3-32

4 Introduction to WS-* Extensions 4-1

Additional Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2

Securing Communications . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3

Web Services Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6

WS-Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7

WS-Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9

WS-Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-13

WS-ReliableMessaging . . . . . . . . . . . . . . . . . . . . . . . . . 4-23

Other WS Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-26

Using WS Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-30

5 Web Services Security with JAX-WS and Project Metro 5-1

Additional Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2

JAX-WS and Metro . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3

WS-Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8

WS-Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-12

WS-Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-20

Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21

WS-ReliableMessaging . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-46

WS-AtomicTransactions . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-49

6 Authentication in JAX-WS 6-1

Additional Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2

SAAJ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3


Copyright 2010 Sun Microsystems, Inc. All rights reserved. DWS-4120-EE6 Rev. B.0

JAAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11

JAX-WS Handler Framework . . . . . . . . . . . . . . . . . . . . . . . . 6-20

WSIT Authentication Framework . . . . . . . . . . . . . . . . . . . . . . 6-31

7 Identity Management and OpenSSO 7-1

Identity and Identity Management . . . . . . . . . . . . . . . . . . . . . 7-2

OpenSSO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11

A Introduction to SAML A-1

Additional Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-2

Distributed Identity Frameworks . . . . . . . . . . . . . . . . . . . . . . A-3

SAML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-7

B Alternative Technologies B-1

C Using JAX-WS C-1

Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-2

Overview of JAX-WS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-3

Creating a Web Service Using JAX-WS . . . . . . . . . . . . . . . . . . . C-9

Creating a Web Service Using JAX-WS: Bottom-Up . . . . . . . . . C-9

Customizing the JAX-WS Web Service . . . . . . . . . . . . . . . . C-17

Creating a Web Service Using JAX-WS: Top-Down . . . . . . . . . . . . C-22

Writing a WSDL Description of a Service . . . . . . . . . . . . . . C-24

Generating JAX-WS Artifacts . . . . . . . . . . . . . . . . . . . . . C-27

Schema Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . C-34

Comparing Development Approaches . . . . . . . . . . . . . . . . . . . C-35

Strong Typing for Web Services . . . . . . . . . . . . . . . . . . . . C-35

Benefits and Costs of Starting from a Java Development Approach . . . C-36


Benefits and Costs of Starting from WSDL Development Approach . . . C-37

Deploying POJO Web Service Providers . . . . . . . . . . . . . . . . . . C-38

Debugging Web Service Interactions . . . . . . . . . . . . . . . . . C-39

D RESTful Web Services: JAX-RS D-1

Mapping REST Principles to JAX-RS Constructs . . . . . . . . . . . . . D-2

Deploying a JAX-RS Web Service Provider . . . . . . . . . . . . . . . . . D-9

E Code Listings E-1

List of Figures

1 Course Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiv

2 Use Cases for Traveller Project . . . . . . . . . . . . . . . . . . . . xxxii

3 Domain Types for Traveller Project . . . . . . . . . . . . . . . . . . xxxii

4 Application Services for the Traveller Project . . . . . . . . . . . . xxxiv

5 DAO Classes for the Traveller Project . . . . . . . . . . . . . . . . xxxv

6 Use Cases for Auction System . . . . . . . . . . . . . . . . . . . . xxxvi

7 Domain Types for Auction System . . . . . . . . . . . . . . . . . . xxxix

1.1 Service-Oriented Architecture . . . . . . . . . . . . . . . . . . . . . 1-2

1.2 Loosely Coupled Services . . . . . . . . . . . . . . . . . . . . . . . 1-3

1.3 SOA Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4

1.4 Characteristics of a Service . . . . . . . . . . . . . . . . . . . . . . . 1-6

1.5 Technologies for SOA . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7

1.6 Web Services Architecture . . . . . . . . . . . . . . . . . . . . . . . 1-8

1.7 Application Security Features . . . . . . . . . . . . . . . . . . . . . 1-12

1.8 Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-20

1.9 Symmetric-Key Cryptography . . . . . . . . . . . . . . . . . . . . . 1-21

1.10 Asymmetric-Key Cryptography . . . . . . . . . . . . . . . . . . . 1-23

1.11 Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-24

1.12 Session-Key Cryptography . . . . . . . . . . . . . . . . . . . . . . 1-26


1.13 Crypto Mechanisms and Network Layers . . . . . . . . . . . . . . 1-29

1.14 Message Digests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-30

1.15 Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-32

1.16 The Process of Digital Signing . . . . . . . . . . . . . . . . . . . . . 1-33

1.17 Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-35

1.18 LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-36

2.1 Web Services Security Issues . . . . . . . . . . . . . . . . . . . . . . 2-7

2.2 Web Services Security Vulnerabilities . . . . . . . . . . . . . . . . 2-10

2.3 Web Services Security Model . . . . . . . . . . . . . . . . . . . . . 2-19

2.4 Message-Layer Security . . . . . . . . . . . . . . . . . . . . . . . . 2-21

2.5 Transport-Layer vs Message-Layer . . . . . . . . . . . . . . . . . . 2-23

3.1 Transport-Layer Security . . . . . . . . . . . . . . . . . . . . . . . 3-2

3.2 TLS Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4

3.3 TLS Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5

3.4 HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6

3.5 Securing Web Services Using TLS . . . . . . . . . . . . . . . . . . 3-7

3.6 Java Authentication and Authorization Service . . . . . . . . . . . 3-8

3.7 JAAS Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9

3.8 End-to-End Security Model . . . . . . . . . . . . . . . . . . . . . . 3-10

3.9 JavaEE Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . 3-12

3.10 JavaEE Web Services Security . . . . . . . . . . . . . . . . . . . . . 3-14

3.11 Mapping Roles to Users and Groups . . . . . . . . . . . . . . . . . 3-15

3.12 Basic Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 3-18

3.13 Form-Based Authentication . . . . . . . . . . . . . . . . . . . . . . 3-20

3.14 Client Certificate Authentication . . . . . . . . . . . . . . . . . . . 3-21


3.15 Propagating Security Identity . . . . . . . . . . . . . . . . . . . . . 3-23

3.16 Simple Approach to Deploying a JAX-RS Web Service . . . . . . 3-33

4.1 Point-to-Point Message Transport . . . . . . . . . . . . . . . . . . 4-3

4.2 Message Transport through Relays . . . . . . . . . . . . . . . . . . 4-4

4.3 Transport- vs Message-Level Security . . . . . . . . . . . . . . . . 4-4

4.4 Specifying Policies in WSDL . . . . . . . . . . . . . . . . . . . . . 4-8

4.5 Transport-Dependent Properties – HTTP Properties . . . . . . . . 4-10

4.6 Transport Neutrality – Message Addressing Properties . . . . . . 4-11

4.7 WS-MetadataExchange . . . . . . . . . . . . . . . . . . . . . . . . 4-12

4.8 WS-Security and SOAP Envelope . . . . . . . . . . . . . . . . . . 4-13

4.9 WS-Trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-14

4.10 Securing SOAP Messages . . . . . . . . . . . . . . . . . . . . . . . 4-16

4.11 Security-Related SOAP Headers . . . . . . . . . . . . . . . . . . . 4-18

4.12 WS-SecureConversation Handshake . . . . . . . . . . . . . . . . . 4-19

4.13 WS-SecureConversation . . . . . . . . . . . . . . . . . . . . . . . . 4-21

4.14 Authorization via XACML . . . . . . . . . . . . . . . . . . . . . . 4-22

4.15 WS-ReliableMessaging . . . . . . . . . . . . . . . . . . . . . . . . . 4-23

4.16 WS-ReliableMessaging – Conversation . . . . . . . . . . . . . . . 4-24

4.17 SOAP and MTOM . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-26

4.18 MTOM - Binary Payload Optimization . . . . . . . . . . . . . . . 4-27

4.19 WS-AtomicTransaction . . . . . . . . . . . . . . . . . . . . . . . . 4-29

4.20 End-to-End Security . . . . . . . . . . . . . . . . . . . . . . . . . . 4-30

5.1 JAX-WS Runtime Architecture . . . . . . . . . . . . . . . . . . . . 5-3

5.2 WSIT Web Services Stack . . . . . . . . . . . . . . . . . . . . . . . 5-5

5.3 WSIT Programming Model – Server-Side Model . . . . . . . . . . 5-6


5.4 WSIT Programming Model – Client-Side Model . . . . . . . . . . 5-7

5.5 Specifying Policies – Embedded . . . . . . . . . . . . . . . . . . . 5-10

5.6 Specifying Policies – Referenced . . . . . . . . . . . . . . . . . . . 5-11

5.7 Message Addressing Properties . . . . . . . . . . . . . . . . . . . 5-13

5.8 Enabling WS-Addressing – Using WSDL Extensions . . . . . . . 5-17

5.9 Enabling WS-Addressing – Using Policy . . . . . . . . . . . . . . 5-18

5.10 WS-Addressing – Sample SOAP Message . . . . . . . . . . . . . . 5-19

5.11 Specifying Signed Elements – SignedParts . . . . . . . . . . . . . 5-22

5.12 Specifying Signed Elements via SignedElements . . . . . . . . . . 5-24

5.13 Specifying Encrypted Elements via EncryptedParts . . . . . . . . 5-26

5.14 Specifying Encrypted Elements via EncryptedElements . . . . . . 5-28

5.15 Syntax of Symmetric Binding Policy Assertion . . . . . . . . . . . 5-30

5.16 Syntax of Asymmetric Binding Policy Assertion . . . . . . . . . . 5-31

5.17 Syntax for Transport Binding Assertion . . . . . . . . . . . . . . . 5-33

5.18 Syntax for Specifying Algorithm Suite . . . . . . . . . . . . . . . . 5-34

5.19 WS-Security – Sample SOAP Message: Signature . . . . . . . . . 5-35

5.20 Sample SOAP Message: Before Encryption . . . . . . . . . . . . . 5-36

5.21 Sample SOAP Message: After Encryption . . . . . . . . . . . . . . 5-37

5.22 Syntax for SupportingTokens Elements . . . . . . . . . . . . . . . 5-38

5.23 UsernameToken Syntax . . . . . . . . . . . . . . . . . . . . . . . . . 5-39

5.24 Enabling WS-Security in NetBeans – Security Dialog . . . . . . . 5-42

5.25 A Sample SecurityContextToken . . . . . . . . . . . . . . . . . . 5-43

5.26 Enabling WS-SecureConversation – WSDL Policy Assertion . . . 5-44

5.27 Enabling WS-SecureConversation – NetBeans Dialog . . . . . . . 5-45

5.28 Enabling WS-ReliableMessaging . . . . . . . . . . . . . . . . . . . 5-47

5.29 WS-ReliableMessaging – Sample SOAP Message . . . . . . . . . . 5-48


6.1 SAAJ Representation . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4

6.2 A SOAP Message in SAAJ . . . . . . . . . . . . . . . . . . . . . . . 6-4

6.3 SAAJ API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6

6.4 SAAJ and DOM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7

6.5 Attachments in SAAJ . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9

6.6 SOAP Faults in SAAJ . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9

6.7 JAAS Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11

6.8 JAAS Application API . . . . . . . . . . . . . . . . . . . . . . . . . 6-13

6.9 JAAS Callback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-17

6.10 JAX-WS Runtime Architecture . . . . . . . . . . . . . . . . . . . . 6-20

6.11 JAX-WS Handler Types . . . . . . . . . . . . . . . . . . . . . . . . 6-21

6.12 Executing JAX-WS Handlers . . . . . . . . . . . . . . . . . . . . . 6-21

6.13 A More Complex Handler Chain Configuration. . . . . . . . . . . 6-27

6.14 WSIT Client Programming Model . . . . . . . . . . . . . . . . . . 6-34

6.15 WSIT Server Programming Model . . . . . . . . . . . . . . . . . . 6-37

6.16 Implementing PasswordValidator . . . . . . . . . . . . . . . . . . 6-39

7.1 Identity Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5

7.2 Need for Identity Management . . . . . . . . . . . . . . . . . . . . 7-6

7.3 Transformation of Identity Data . . . . . . . . . . . . . . . . . . . 7-8

7.4 Identity Management Solution . . . . . . . . . . . . . . . . . . . . 7-9

7.5 Identity Management Technologies . . . . . . . . . . . . . . . . . 7-10

7.6 OpenSSO Architecture . . . . . . . . . . . . . . . . . . . . . . . . . 7-12

7.7 Centralized Access Control . . . . . . . . . . . . . . . . . . . . . . 7-14

7.8 OpenSSO Components . . . . . . . . . . . . . . . . . . . . . . . . 7-16

7.9 Web Single Sign On . . . . . . . . . . . . . . . . . . . . . . . . . . 7-20


7.10 Authentication Using OpenSSO . . . . . . . . . . . . . . . . . . . 7-21

7.11 Authorization Using OpenSSO . . . . . . . . . . . . . . . . . . . . 7-23

7.12 Policy Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-24

7.13 Cross-Domain Single-Sign-On . . . . . . . . . . . . . . . . . . . . 7-27

A.1 Essential Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-4

A.2 Identity Data Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . A-5

A.3 Components of SAML . . . . . . . . . . . . . . . . . . . . . . . . . A-9

A.4 Sample SAML Assertion . . . . . . . . . . . . . . . . . . . . . . . . A-11

A.5 SAML Assertion Syntax . . . . . . . . . . . . . . . . . . . . . . . . A-12

A.6 SAML Subject Syntax . . . . . . . . . . . . . . . . . . . . . . . . . A-13

A.7 Sample SAML Authentication Element . . . . . . . . . . . . . . . A-14

A.8 SAML Authentication Syntax . . . . . . . . . . . . . . . . . . . . . A-15

A.9 Sample SAML Attribute Element . . . . . . . . . . . . . . . . . . . A-16

A.10 SAML Attribute Syntax . . . . . . . . . . . . . . . . . . . . . . . . A-17

A.11 Web SSO Use Case . . . . . . . . . . . . . . . . . . . . . . . . . . . A-21

A.12 SSO Scenarios – SP-initiated flow with redirect and POST bindings . . . A-22

A.13 SSO Scenarios – IdP-initiated flow with POST binding . . . . . . A-24

A.14 SSO Scenarios – SSO Using ECPs . . . . . . . . . . . . . . . . . . . A-25

A.15 Identity Federation Use Case . . . . . . . . . . . . . . . . . . . . . A-26

A.16 Identity Federation – Out-of-Band Federation . . . . . . . . . . . A-28

A.17 Identity Federation – Using Persistent Pseudonyms . . . . . . . . A-29

A.18 Identity Federation – Using Transient Pseudonyms . . . . . . . . A-30

A.19 SAML Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . A-31

B.1 Java Security APIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-2


B.2 Java Secure Sockets Extension . . . . . . . . . . . . . . . . . . . . B-5

B.3 Java Generic Security Services . . . . . . . . . . . . . . . . . . . . B-6

B.4 Java GSS-API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-7

B.5 Java SASL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-8

B.6 Using SASL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-9

B.7 Simple and Protected GSS-API Negotiation Mechanism . . . . . B-9

C.1 JAXWS Artifacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-5

C.2 Starting From a Java Class . . . . . . . . . . . . . . . . . . . . . . . C-10

C.3 Sample SOAP Request for AirportManager . . . . . . . . . . . . . C-15

C.4 Sample SOAP Response from AirportManager . . . . . . . . . . . C-15

C.5 Raw SOAP/HTTP Request . . . . . . . . . . . . . . . . . . . . . . C-16

C.6 Raw SOAP/HTTP Response . . . . . . . . . . . . . . . . . . . . . C-17

C.7 Target Namespace for Application Elements . . . . . . . . . . . . C-21

C.8 Starting From a WSDL Description . . . . . . . . . . . . . . . . . . C-23

C.9 Structure of a WSDL file . . . . . . . . . . . . . . . . . . . . . . . . C-23

C.10 Definition of a Service Using WSDL . . . . . . . . . . . . . . . . . C-25

List of Tables

1 Prefixes and XML Namespaces used in this course . . . . . . . . xxx

1.1 Comparison of Crypto Schemes . . . . . . . . . . . . . . . . . . . 1-28

2.1 Requirements and Technologies . . . . . . . . . . . . . . . . . . . 2-26

4.1 Support for WS-* Standards – July 2008 . . . . . . . . . . . . . . . 4-31

5.1 Possible Header Layouts . . . . . . . . . . . . . . . . . . . . . . . 5-29

5.2 JavaEE vs WS-AtomicTransaction . . . . . . . . . . . . . . . . . . 5-51

C.1 WSDL-to-Java Technology Component Translations . . . . . . . . C-6

List of Code Examples

3.1 A Secured Web Service . . . . . . . . . . . . . . . . . . . . . . . . . 3-25

3.2 Configuring web.xml to secure a JAX-WS web service . . . . . . . 3-26

3.3 Configuring Login Options in web.xml . . . . . . . . . . . . . . . 3-26

3.4 Configuring sun-web.xml . . . . . . . . . . . . . . . . . . . . . . . 3-27

3.5 Retrieving Security Information in a Servlet . . . . . . . . . . . . 3-28

3.6 Retrieving Security Information via Dependency Injection . . . . 3-29

3.7 Logging Callers in a Servlet . . . . . . . . . . . . . . . . . . . . . . 3-30

3.8 Simple POJO WS Client . . . . . . . . . . . . . . . . . . . . . . . . 3-30

3.9 Authenticating POJO WS Client . . . . . . . . . . . . . . . . . . . 3-31

3.10 A Secured JAX-RS Web Service . . . . . . . . . . . . . . . . . . . . 3-32

3.11 JAX-RS Deployment: Alternative Approach #1 . . . . . . . . . . . 3-34

3.12 JAX-RS Deployment: Alternative Approach #2 . . . . . . . . . . . 3-35

3.13 Additional Features: Logging in JAXRS . . . . . . . . . . . . . . . 3-36

3.14 Securing Web Service URLs . . . . . . . . . . . . . . . . . . . . . . 3-37

3.15 Dependency Injection in JAXRS . . . . . . . . . . . . . . . . . . . 3-38

3.16 Logging Callers in JAX-RS . . . . . . . . . . . . . . . . . . . . . . 3-39

3.17 Simple Jersey Client . . . . . . . . . . . . . . . . . . . . . . . . . . 3-39

3.18 Authenticating Jersey Client . . . . . . . . . . . . . . . . . . . . . 3-40

5.1 Sample Web Service Policy . . . . . . . . . . . . . . . . . . . . . . 5-9

5.2 Enabling WS-Addressing – Using Annotations . . . . . . . . . . . 5-15


5.3 Enabling WS-Addressing – Specifying Actions Explicitly Using Annotations . . . 5-16

5.4 Sample Authentication Policy . . . . . . . . . . . . . . . . . . . . . 5-40

5.5 Enabling WS-AtomicTransaction – Using Policy Assertions . . . 5-50

5.6 Enabling WS-AtomicTransaction – Using Annotations . . . . . . 5-50

5.7 Enabling WS-AtomicTransaction – Using JTA Transactions . . . . 5-51

6.1 Obtaining a LoginContext . . . . . . . . . . . . . . . . . . . . . . . 6-12

6.2 LoginModule Configuration . . . . . . . . . . . . . . . . . . . . . . 6-15

6.3 LoginModule Configuration File . . . . . . . . . . . . . . . . . . . 6-15

6.4 LoginModule Configuration File Example . . . . . . . . . . . . . . 6-16

6.5 A Trivial CallbackHandler . . . . . . . . . . . . . . . . . . . . . . 6-18

6.6 A Hardcoded CallbackHandler . . . . . . . . . . . . . . . . . . . . 6-19

6.7 A Sample LoginModule . . . . . . . . . . . . . . . . . . . . . . . . . 6-19

6.8 Interface javax.xml.ws.handler.Handler . . . . . . . . . . . . . . 6-22

6.9 Annotations on JAX-WS Handlers . . . . . . . . . . . . . . . . . . 6-22

6.10 Types of JAX-WS Handler . . . . . . . . . . . . . . . . . . . . . . . 6-23

6.11 An Authentication Handler . . . . . . . . . . . . . . . . . . . . . . 6-26

6.12 Sample Handler Chain Specification . . . . . . . . . . . . . . . . . 6-27

6.13 A Web Service Associated to a HandlerChain . . . . . . . . . . . . 6-28

6.14 Using a WSDL Customization File . . . . . . . . . . . . . . . . . . 6-29

6.15 Programmatic Configuration of Handlers for a JAX-WS Client . . 6-29

6.16 A Sample HandlerResolver . . . . . . . . . . . . . . . . . . . . . . 6-30

6.17 Sample Authentication Policy . . . . . . . . . . . . . . . . . . . . . 6-32

6.18 Retrieving Authentication Data. . . . . . . . . . . . . . . . . . . . 6-33

6.19 Specifying a CallbackHandler . . . . . . . . . . . . . . . . . . . . 6-35

6.20 Static UsernameToken Configuration . . . . . . . . . . . . . . . . . 6-35


6.21 Specifying Validators . . . . . . . . . . . . . . . . . . . . . . . . . . 6-38

C.1 A Simple Service: AirportManager . . . . . . . . . . . . . . . . . . C-11

C.2 A Simplest Web Service . . . . . . . . . . . . . . . . . . . . . . . . C-11

C.3 Sample ant task for apt . . . . . . . . . . . . . . . . . . . . . . . . C-13

C.4 Generated WSDL for AirportManager Class . . . . . . . . . . . . C-13

C.5 XML Schema Generated for AirportManager . . . . . . . . . . . . C-14

C.6 Custom WSDL Description: Class NamedAirportManager . . . . . C-18

C.7 Customized Generated WSDL . . . . . . . . . . . . . . . . . . . . C-18

C.8 Customized Generated XML Schema . . . . . . . . . . . . . . . . C-19

C.9 Capturing Overloaded Methods . . . . . . . . . . . . . . . . . . . C-20

C.10 Generated WSDL – Overloaded Operations . . . . . . . . . . . . C-20

C.11 Custom WSDL Description: Custom Namespace . . . . . . . . . C-21

C.12 UserDirectory portType . . . . . . . . . . . . . . . . . . . . . . . C-26

C.13 XML Schema Type for addPassenger . . . . . . . . . . . . . . . . . C-26

C.14 WSDL Bindings for PassengerManager . . . . . . . . . . . . . . . C-27

C.15 Generated Java SEI . . . . . . . . . . . . . . . . . . . . . . . . . . . C-29

C.16 Service Implementation Class . . . . . . . . . . . . . . . . . . . . . C-30

C.17 Embedded Customization: Package . . . . . . . . . . . . . . . . . C-31

C.18 Embedded Customization: Class . . . . . . . . . . . . . . . . . . . C-32

C.19 Embedded Customization: Method . . . . . . . . . . . . . . . . . C-32

C.20 Class Generated From Customized WSDL . . . . . . . . . . . . . C-33

C.21 How to Enable Schema Validation . . . . . . . . . . . . . . . . . . C-34

C.22 Simple Standalone Server . . . . . . . . . . . . . . . . . . . . . . . C-38

C.23 Finer Control over Standalone Server . . . . . . . . . . . . . . . . C-39

D.1 JAX-RS IDs – Simple Path . . . . . . . . . . . . . . . . . . . . . . . D-3

D.2 JAX-RS Path with Embedded Parameters . . . . . . . . . . . . . . D-4


D.3 JAX-RS Path with Form Parameters . . . . . . . . . . . . . . . . . D-5

D.4 Use Standard HTTP Methods: GET . . . . . . . . . . . . . . . . . D-6

D.5 Use Standard HTTP Methods: POST . . . . . . . . . . . . . . . . . D-6

D.6 JAX-RS Support for Multiple Representations . . . . . . . . . . . D-7

D.7 JAX-RS Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . D-8

D.8 Explicit Declaration of Root Resources . . . . . . . . . . . . . . . . D-9

D.9 Runtime Retrieval of Root Resources . . . . . . . . . . . . . . . . D-10

D.10 Deploying Within a Java VM . . . . . . . . . . . . . . . . . . . . . D-10
