
An Introduction To Web Services Web Services Security

This is the third in a series of hands-on tutorials designed to explain how to create and use Web services. In this tutorial we introduce and review security and Web services. We also show how to set up access control on an existing Web service.

Uploaded by

saiperi
Copyright
© Attribution Non-Commercial (BY-NC)

Developers Corner Tutorial

An Introduction to Web Services:


Part Three - Web Services Security

Copyright 2003, Systinet Corp. Page 1 of 9


> Developers Corner: Web Services Security

Contents

Introduction
    About this tutorial
    Installing software
Security in Action: Authentication and Authorization
Configuring Web service security
    Creating a new user
    Making a service secure
Invoking a secure Web service from Java and Microsoft .NET
Review
Copyright and Disclaimer



Introduction

About this tutorial
This is the third in our series of hands-on tutorials designed to explain how
to create and use Web services. In Part One we introduced some basic
concepts, including SOAP and WSDL, and we created and ran a simple Web
service. In Part Two we progressed to handling complex types, error
processing, and remote references.

In this tutorial we introduce and review security and Web services. We also
show how to set up access control on an existing Web service.

NOTE: If you haven't already downloaded the software used to create the
tutorial examples, then please refer to the installing software section
(below.) You will also need to download the tutorial sources. All Java
sources mentioned in the tutorial examples can be found in the src
subdirectory of the unpacked tutorial sources archive. They all reside in the
com.systinet.demos package.

IMPORTANT: Please set the WASP_HOME environment variable to point to
the WASP Server root directory.

Installing software
REQUIREMENTS: We assume that you have a Java 1.4 or later SDK and a
standard HTTP browser installed on your system and the JAVA_HOME
system variable points to the Java root directory.

If you want to follow along with the demo, you'll need to download WASP
Server for Java, 4.5
(http://www.systinet.com/products/wasp_jserve/overview) from the
Systinet Web site. Unpack the downloaded package to a local disk and run
the install script from the bin subdirectory of the WASP Server installation.
You'll need to agree to the product license and then please answer with
default options to all installation questions (simply press Enter multiple
times).

IMPORTANT: Please set the WASP_HOME environment variable to point to
the WASP Server root directory.

You'll also need to download the tutorial sources
(http://dev.systinet.com/get&dl=dHV0b3JpYWxzLnppcA) and unpack it on
the local disk.


Security in Action: Authentication and Authorization

Authentication and Authorization are the main elements of a security
architecture. Let's go through a simple example that shows these concepts.
We'll add security to the stock quote Web service that we deployed in the
first article. The stock quote Web service contains the getAvailableStocks
and getQuote methods.

NOTE: If you haven't already downloaded the software used to create the
tutorial examples, then please refer to the installation instructions at the
beginning of this document. You'll also need to download the tutorial
sources. All Java sources mentioned in the tutorial examples can be found
in the src subdirectory of the unpacked tutorial sources archive. They all
reside in the com.systinet.demos.stock package.

NOTE: We're using MS Windows notation for our command-line
commands. If you have a UNIX-based environment, please use the
appropriate .sh script instead of the Windows .bat version.

We don't need to write any code in order to add security to an existing
Web service, so this tutorial is an exercise in configuration.

The first thing that we need to do is to install WASP Server in secure mode.
To install the server:

1. Make sure that WASP Server for Java is not running.

2. Rerun the distribution .jar. (java -jar wasp4.5.jar).

3. Click past the welcome panel and accept the license agreement.

4. Check the ‘with security support’ box beneath the server radio
button.

5. Continue with the installation normally. The Swing dialog will
notify you of your progress.

During a successful installation the user admin is created with the
password changeit. You will need to provide these values when accessing
restricted areas of the admin-console.

NOTE: When installing WASP in production mode, the password for the
admin user should be altered.

After successful installation:

1. Start WASP Server using the serverstart.bat script located in
the bin subdirectory of the WASP Server installation.

2. Invoke the run.bat deploy_stock and run.bat make_stock
commands in the tutorials bin directory.
These commands compile and deploy the stock quote Web
service and compile its client application.

Use the userid admin and password changeit to authenticate.



Configuring Web service security

The next step is to configure security via the administration console
http://localhost:6060/admin/console

Creating a new user
First we need to create a new user. To do so:

1. Open the administration console in a browser.

2. Log in as admin with the password changeit.

3. Select the Security tab and click the Add User button at the
bottom of the page.

4. Add a new user named tutorial.

5. Once the tutorial user has been added, go to the Database of
Identities page, where there will be a record for this user.

6. Click on the new user's properties link and add a password
property with value changeit.

7. Choose Roles from the menu at the top of the Database of
Identities page, and add the role internal.

8. Go back to the Database of Identities page in the Security Menu
and click on the Roles link for the user in the Users Table.

9. Grant the internal role to the tutorial user.

Making a service secure


Next we'll add security to the stock quote Web service.

1. Click on the Web services tab and choose the
StockQuoteService_inst service from the list of service
instances.

2. Press the Set endpoint security button in the Security section.

3. Click on the Custom Security Providers button and check the
Authorization Required and HttpBasic check boxes.

4. Save these changes by pressing the Save Changes button.

5. Return to the main Web service page by clicking on the Back
button.

6. Turn on access control by clicking on the Set endpoint method
ACL button in the Security section.

7. Choose the Set ACL in the row with the asterisk, which
configures access control for all methods in the Web Service.

8. Grant the invocation permission to the internal role on the
following page.


WASP Server's authentication and authorization system relies on the
standard Java Authentication and Authorization Service (JAAS) technology,
which can also be configured using policy files.



Invoking a secure Web service from Java and Microsoft .NET

Now let's run the client application using the run.bat run_secure_stock
script. Please specify the username tutorial and password changeit. You
should be able to run the stock client application without errors.

You can experiment by specifying an invalid username or password and by
revoking access permission using the WASP administration console.

NOTE: The username, password, and security provider for the client
application are specified with the Java properties wasp.username,
wasp.password and wasp.securityMechanism with respective values
tutorial, changeit and HttpBasic.
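
The following sketch is an added example, not part of the original tutorial and not WASP Server code. It models what the HttpBasic mechanism sends and how the server-side settings made above separate authentication (the password check) from authorization (the internal role granted on the asterisk ACL row). The class name, the norole user and the 401/403 status mapping are assumptions for illustration; it needs Java 11 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.Set;

// Added illustration, not WASP code: models HttpBasic authentication plus the
// role-based method ACL configured in the console. All names are hypothetical.
public class BasicAuthAclDemo {
    // Constructed identity data: the tutorial user, plus a made-up "norole" user.
    static final Map<String, String> PASSWORDS = Map.of("tutorial", "changeit", "norole", "changeit");
    static final Map<String, Set<String>> ROLES = Map.of("tutorial", Set.of("internal"));
    // The asterisk ACL row: invoking any method requires the internal role.
    static final Map<String, Set<String>> METHOD_ACL = Map.of("*", Set.of("internal"));

    // What an HTTP Basic client sends: base64("user:password"), encoded, not encrypted.
    static String basicHeader(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // Generic HTTP outcome: 401 = not authenticated, 403 = not authorized, 200 = allowed.
    static int check(String authorization, String method) {
        if (authorization == null || !authorization.startsWith("Basic ")) return 401;
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(authorization.substring(6));
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return 401; // malformed base64
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) return 401;
        String user = decoded.substring(0, colon);
        byte[] given = decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        // Authentication: does the password match the stored one (constant-time compare)?
        String stored = PASSWORDS.get(user);
        if (stored == null || !MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8), given)) return 401;
        // Authorization: does the user hold a role granted for this method (or for "*")?
        Set<String> granted = METHOD_ACL.getOrDefault(method, METHOD_ACL.get("*"));
        return ROLES.getOrDefault(user, Set.of()).stream().anyMatch(granted::contains) ? 200 : 403;
    }

    public static void main(String[] args) {
        System.out.println("Authorization: " + basicHeader("tutorial", "changeit"));
        System.out.println("valid user:     " + check(basicHeader("tutorial", "changeit"), "getQuote"));
        System.out.println("wrong password: " + check(basicHeader("tutorial", "bad"), "getQuote"));
        System.out.println("no role:        " + check(basicHeader("norole", "changeit"), "getQuote"));
    }
}
```

Because the header is only base64-encoded, anyone who can read the request can recover the password, so an HttpBasic endpoint should be reached over HTTPS.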

If you have the Microsoft .NET Framework SDK
(http://msdn.microsoft.com/downloads/default.asp?url=/downloads/sample.asp?url=/msdn-files/027/000/976/msdncompositedoc.xml)
installed on your computer, run the build_ms.bat script that will compile
a C# client application.

Run the SecureStockQuoteClient.exe application from the tutorials build
directory. You'll need to specify the username tutorial and password
changeit to run it successfully. You can check the C# source code located
in the src\ms.net demo directory.

Our last step is to undeploy the stock quote service using the run.bat
undeploy_stock script (you'll again need to specify the admin username
and changeit password).

NOTE: In the next tutorials we will not use security, so you'll need to set
WASP server to unsecure mode by running the install.bat script again. Stop
the WASP Server (using the serverstop.bat script located in the bin
subdirectory of the WASP Server installation) before running this script,
otherwise the changes made to the configuration files will be lost.

Use all default values for setting up the WASP Server.


Review

In this tutorial we became familiar with WASP's basic security architecture.
We then demonstrated authentication and authorization on a Web service. In
the next article we'll look at Web services integration with JNDI and EJBs.

In the meantime we welcome feedback, comments, and ideas. Please email
us at [email protected].



Copyright and Disclaimer

This document and the information contained herein are the property of
Systinet Corporation and shall not be reproduced or copied in whole or in
part without written permission of Systinet Corp.

Copyright © 2003 Systinet Corp. All Rights Reserved.

The information in this document is preliminary and is subject to change
without notice and should not be construed as a commitment by Systinet
Corporation.

SYSTINET CORPORATION SHALL HAVE NO LIABILITY FOR THIS
DOCUMENT, INCLUDING ANY LIABILITY FOR NEGLIGENCE. SYSTINET
CORPORATION MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY,
OR IN ANY OTHER COMMUNICATION. SYSTINET CORPORATION
SPECIFICALLY DISCLAIMS ANY WARRANTY OF MERCHANTABILITY OR
SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE
AND NON-INFRINGEMENT.

Systinet, WASP, "The Web Services Infrastructure Company" and "Web
Services That Work" are trademarks of Systinet Corp.

Java and all Java-based marks are trademarks or registered trademarks of
Sun Microsystems, Inc. in the U.S. and other countries.

Microsoft, Windows and Windows NT and the Windows logo are trademarks
or registered trademarks of Microsoft Corporation in the United States and
other countries.

UNIX is a registered trademark of The Open Group in the United States and
other countries.

Other company, product, and service names mentioned in these
documents may be trademarks or service marks of others.

Systinet Corp.
Five Cambridge Center, 8th Floor
Cambridge, MA 02142
Phone: 1.617.868.2224
www.systinet.com
