Configuring SSL and Authorized Users

This chapter discusses configuring security for your web service and web service client using the WSIT security mechanisms. Some of these mechanisms require some configuration outside of NetBeans IDE. Depending upon which security mechanism you plan to use, some of the following tasks will need to be completed:

Configuring SSL For Your Applications

This section describes adding the steps to configure your application for SSL. These steps will need to be accomplished for any application that uses one of the mechanisms:

The following steps are generic to any application, but have example configurations that will work with the tutorial examples, in particular, Example: SAML Authorization over SSL (SA) and Example: Transport Security (SSL).

To configure SSL for your application, follow these steps:

  1. Select one of the mechanisms that require SSL. These include Transport Security (SSL), Message Authentication over SSL, and SAML Authorization over SSL.
  2. Server Configuration
    • GlassFish is already configured for SSL. No further SSL configuration is necessary if you are using Transport Security. However, if you are using one of the Message Security mechanisms with SSL, you must update the GlassFish certificates as described in Updating GlassFish Certificates.
    • Configure a user on GlassFish as described in Adding Users to GlassFish.
  3. Client Configuration

    4. For configuring your system for SSL in order to work through the examples in this tutorial, the same keystore and truststore files are used for both the client and the service. This obviates the needs to set system properties to point to the client stores, as both GlassFish and NetBeans are aware of these certificates and point to them by default.

    In general, for the client side of SSL you will not be using the same certificates for the client and the service. In that case, you need to define the client certificate stores by setting the system properties -Djavax.net.ssl.trustStore, -Djavax.net.ssl.keyStore, -Djavax.net.ssl.trustStorePassword, and
    -Djavax.net.ssl.keyStorePassword in the application client container.

    You can specify the environment variables for keystore and truststore by setting the environment variable VMARGS through the shell environment or inside an Ant script, or by passing them in when you start NetBeans IDE from the command line. For example, in the latter case:

    <NETBEANS_HOME>/bin/netbeans.exe
    -J-Djavax.net.ssl.trustStore=
    <    AS_HOME>/domains/domain1/config/cacerts.jks
    -J-Djavax.net.ssl.keyStore=
    <    AS_HOME>/domains/domain1/config/keystore.jks
    -J-Djavax.net.ssl.trustStorePassword=changeit
    -J-Djavax.net.ssl.keyStorePassword=changeit

    Use the hard-coded path to the keystore and truststore files, not variables.

    For the SSL mechanism, The browser will prompt you to accept the server alias s1as.

  4. On the client side, for the Transport Security (SSL) mechanism, you must either use the fully-qualified hostname in the URL for the service WSDL when you are creating the web sercie client, or else you must follow the steps in Transport Security (SSL) Workaround.
  5. Service Configuration

    6. To require the service to use the HTTPS protocol, you have to specify the security requirements in the service's application deployment descriptor. This file is ejb-jar.xml for a web service that is implemented as an EJB endpoint, and web.xml for a web service implemented as a servlet. To specify the security information, follow these steps:

    1. From your web service application expand Web PagesRight ArrowWEB-INF.
    2. Double-click web.xml (or ejb-jar.xml) to open it in the editor.
    3. Select the Security tab.
    4. On the Security Constraints line, click Add Security Constraint.
    5. Under Web Resource Collection, click Add.
    6. Enter a Name for the Resource (for example, CalcWebResource), and enter the URL Pattern to be protected (for example, /*). Select which HTTP Methods to protect, for example, POST. Click OK to close this dialog.
    7. Check the Enable User Data Constraint box. Select CONFIDENTIAL for the Transport Guarantee to specify that the application uses SSL because the application requires that data be transmitted so as to prevent other entities from observing the contents of the transmission.
    8. The IDE looks like this:



Figure 6-4 Deployment Descriptor page

    1. Click the XML tab to display the additions to web.xml. The security constraint looks like this:
      2.     <security-constraint>
      <display-name>Constraint1</display-name>
      <web-resource-collection>
        <web-resource-name>
          CalcWebResource
        </web-resource-name>
        <description/>
        <url-pattern>/*</url-pattern>
        <http-method>POST</http-method>
      </web-resource-collection>
      <user-data-constraint>
        <description/>
        <transport-guarantee>
          CONFIDENTIAL
        </transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    2. When you run this project (right-click, select Run Project), the browser will ask you to accept the server certificate of s1as. Accept this certificate. The WSDL displays in the browser.
  1. Creating a Client

    2. When creating your client application, use the fully-qualified hostname to specify the secure WSDL location (use https://<fully_qualified_hostname>:8181/CalculatorApplication/CalculatorWSService?wsdl, for example, in place of http://localhost:8080/CalculatorApplication/CalculatorWSService?wsdl).

    In some cases, you might get an error dialog telling you that the URL https://<fully_qualified_hostname>:8181/CalculatorApplication/CalculatorWSService?wsdl couldn't be downloaded. However, this is the correct URL, and it does load when you run the service. So, when this error occurs, repeat the steps that create the Web Service Client using the secure WSDL. The second time, the web service reference is created and you can continue creating the client.

Adding Users to GlassFish

The following topics are covered:

Adding Users to GlassFish Using Admin Console

To add users to GlassFish using the Admin Console, follow these steps:

  1. Start GlassFish if you haven't already done so.
  2. Start the Admin Console if you haven't already done so. You can start the Admin Console by starting a web browser and entering the URL http://localhost:4848/asadmin. If you changed the default Admin port during installation, enter the correct port number in place of 4848.
  3. To log in to the Admin Console, enter the user name and password of a user in the admin-realm who belongs to the asadmin group. The name and password entered during installation will work, as will any users added to this realm and group subsequent to installation.
  4. Expand the Configuration node in the Admin Console tree.
  5. Expand the Security node in the Admin Console tree.
  6. Expand the Realms node. Select the file realm.
  7. Click the Manage Users button.
  8. Click New to add a new user to the realm.
  9. Enter the correct information into the User ID, Password, and Group(s) fields. The example applications reference a user with the following attributes:
    1. User ID = wsitUser
    2. Group List = wsit
    3. New Password = changeit
    4. Confirm New Password = changeit
  10. Click OK to add this user to the list of users in the realm.
  11. Click Logout when you have completed this task.

Adding Users to GlassFish From Command Line

To add users to GlassFish from the command line, make sure GlassFish is running, then enter the following command: 

<AS_HOME>/asadmin create-file-user --groups wsit wsitUser

Enter changeit for the password when prompted.