XWS-Security Home
XWS-Security Samples

Revised: 6/24/2004

Contents

• Read This Section First
• What This Release Includes
• Current Limitations
• Known Issues

Before you work with this release, make sure that you have installed the required software and are on a supported operating system. You can find this information in the Java^TM Web Services Developer Pack (Java WSDP) home page and Release Notes.

This release includes the following XML and Web Services Security (XWS-Security) features:

• Support for securing JAX-RPC applications and applications that use SAAJ.
• A sample security framework within which a JAX-RPC or SAAJ application developer will be able to secure applications by signing/verifying parts of SOAP messages and/or encrypting/decrypting parts of a SOAP message. The message sender can make claims about the security properties by associating security tokens with the message. An example of a security claim is the identity of the sender, identified using username and password.
• Web Services Security (WSS) interop scenarios. Developers will be able to send and receive messages compliant with the WSS Soap Message Security specification. Developers can use the framework to implement applications which have security requirements similar to those defined in the WSS interop scenarios. More information on the scenarios can be found at Draft Spec for Interop1 (draft 5) and Final Spec for Interop2 (draft 6).
• Command-line tools that provide specialized utilities for keystore management: pkcs12import and keyexport. Also, the addition of the -security option for the wscompile utility to allow specification of a security configuration for a JAX-RPC application.
• Sample programs

The XWS-Security release contents are arranged in the following structure within the Java WSDP release:

This release of XWS-Security includes the following limitations:

• Since the Java Standards for key Web Services Security technologies are still being defined under the Java Community Process, the current APIs in this release are nonstandard and are subject to change in future releases.
• Examples written using an earlier release of XWS-Security APIs will not run on this release of the JWSDP.
• XWS-Security cannot be used for securing message attachments.
• JAX-RPC dynamic proxies are not yet supported, only static stubs work.
• Support allowing the message recipient to enforce security requirements on the messages it receives is not supported.

In this release, the XWS-Security implementation has the following known issues:

• Certificate validation does not check for certificate revocation. The security environment cannot set up a Certificate Revocation List (CRL) corresponding to a certificate authority.
• A timer thread may hang the host process at termination, thus forcing the user to shut down the process manually from the console.
• To correctly run the example applications, you must complete the following steps in addition to those shown in the tutorial:
  1. In the file <jwsdp.home>/xws-security/samples/buildconfig/sjsas-config.xml, change the classpath element so that it resembles this sample:

     <path id="app.classpath">
       <fileset dir="${sjsas.home}/lib/endorsed">
         <include name="dom.jar"/>
       </fileset>
       <fileset dir="${sjsas.home}/lib">
         <include name="*.jar"/>
       </fileset>
        <fileset dir="${javahome}/lib">
         <include name="tools.jar"/>
       </fileset>
     </path>
       

  2. Add the correct permissions to <AppserverInstallRoot>/domains/domain1/config/server.policy, for the simple sample and interop sample respectively:

     // These permissions apply to the simple sample
     grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/securesimple/WEB-INF/-" {
            permission javax.security.auth.AuthPermission "modifyPrincipals";
            permission javax.security.auth.AuthPermission "modifyPublicCredentials";        
            permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
            permission javax.security.auth.AuthPermission "getSubject";
            permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.x500.X500PrivateCredential * \"*\"","read";
            permission java.security.SecurityPermission "putProviderProperty.BC";
     };
     
     // These permissions apply to the interop sample
     
     grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/pingservice/WEB-INF/-" {
            permission javax.security.auth.AuthPermission "modifyPrincipals";
            permission javax.security.auth.AuthPermission "modifyPublicCredentials";        
            permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
            permission javax.security.auth.AuthPermission "getSubject";
            permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.x500.X500PrivateCredential * \"*\"","read";
            permission java.security.SecurityPermission "putProviderProperty.BC";
     };