Pages

Monday, May 18, 2009

Weblogic WS policies and Netbeans & Metro (WSIT)

In JDeveloper 11g and in the Weblogic 10.3 Console it is easy to add a security policy on a web service. But calling these services in a web service client is a different story. So far there is no support for these policies in web service proxy client wizard of JDeveloper 11g. Gerard Davison is doing a great job by making a lot of blog items how to do this programmatically in JDeveloper 11g. But lucky for us there is an alternative. With a little help of Netbeans and Metro it is not so difficult to call these webservices with Wssp1.2-2007 policies.
First we start by making a JAX-WS Web Service and adding a policy.
The Helloworld Web Service with HTTPS and plain username policy which I use in this example.

package nl.whitehorses.ws.saml;

import javax.jws.WebService;
import weblogic.jws.Policy;

@WebService(name = "HelloWorldService", portName = "HelloWorldServiceSoapHttpPort")
@Policy(uri = "policy:Wssp1.2-2007-Https-UsernameToken-Plain.xml")
public class HelloWorld {
public HelloWorld() {
}

public String sayHello() {
return "Hello world";
}
}

Deploy this on a Weblogic server and make sure the HTTPS port is working. See the keystore / ssl tab of the Weblogic server configuration.

Now we can download the latest Netbeans ( I use version 6.5.1 ) and Metro 1.5. Install Netbeans and add the latest Metro jars to your Glassfish 2 server. ( use ant & metro-on-glassfish.xml for this ). The Weblogic 2007/02 policies are using 256 bits encryption, so we need to download the Java Cryptography Extension (JCE) files and install this on every JDK we are using. The last install step is add to the wsit demo keystores to the glassfish server.

Step 1 is to download the WSDL of the Helloworld Service.
Save this xml to the HelloworldService.wsdl file and open this in a editor. We have to remove the policy reference in the porttype and add this to the binding

<portType name="HelloWorldService" wsp:PolicyURIs="#Wssp1.2-2007-Https-UsernameToken-Plain.xml">
<operation name="sayHello">
<input message="tns:sayHello"/>
<output message="tns:sayHelloResponse"/>
</operation>
</portType>
<binding name="HelloWorldServiceSoapHttpPortBinding" type="tns:HelloWorldService">
<soap:binding transport="http://schemas.xmlsoap.org/soap/http" style="document"/>
<operation name="sayHello">
<soap:operation soapAction=""/>
<input>
<soap:body use="literal"/>
</input>
<output>
<soap:body use="literal"/>
</output>
</operation>
</binding>

to

<portType name="HelloWorldService">
<operation name="sayHello">
<input message="tns:sayHello" />
<output message="tns:sayHelloResponse" />
</operation>
</portType>
<binding name="HelloWorldServiceSoapHttpPortBinding" type="tns:HelloWorldService">
<ns2:PolicyReference xmlns:ns2="http://www.w3.org/ns/ws-policy" URI="#Wssp1.2-2007-Https-UsernameToken-Plain.xml"/>
<soap:binding transport="http://schemas.xmlsoap.org/soap/http" style="document" />
<operation name="sayHello">
<soap:operation soapAction="" />
<input>
<soap:body use="literal" />
</input>
<output>
<soap:body use="literal" />
</output>
</operation>
</binding>

Else the Netbeans wizard won't detect the policy.

Create a new Web Application in Netbeans
Select the new project and add a new Web Service Client

Select the HelloworldService wsdl

Select the just created web service reference and select "Edit Web Service Attributes" on this reference

Deselect "Use development defaults" and provide a Username / password of a valid Weblogic account.

Select for the private key which will be used in the encryption.


And the select the public key of the Weblogic server certificate.
When we take a look at the META-INF folder in the source folder, we can see that the wizard has created a web service configuration file which will be used by Metro to setup the security to the Weblogic Web Service

To test this web service client, we will add a servlet to the project


Deselect the comment and use the right button to add a web service client reference
At the project properties we can call the servlet by using the servlet url in the relative url ( Run)

That's all , it should be working now. For more policies examples see this url , there are some nice examples about Secure Token Service STS.
I am happy Oracle has bought Sun, let's integrate everything to one IDE.

9 comments:

  1. Hello Edwin

    First of all, than you for great posts on WLS and webservices.

    We've been struggling for a while to get security policy annotations to work on our webswevices with EJB implementation on WLS 10.3

    Even if the following simple webservice
    _________________________________
    package ejbws;

    import javax.ejb.Stateless;
    import javax.jws.WebService;
    import weblogic.jws.Policy;

    @Stateless
    @WebService
    @Policy(uri="policy:Wssp1.2-2007-Https-ClientCertReq.xml")
    public class HelloEjb {

    public String hello(String msg) {
    return "Ejb WS: " + msg;
    }
    }
    _________________________________
    can be deployed the WLS 10.3 container doesn't seem to bother with the seleced security policy annotation. Looking at the Configuration_WSLD tab in the console shows that the policy elements are present in the WSDL, but the Configuration_WS-Policy tab is empty. But most importatn of all - the service can be reached without security and our configured Authentication modue are not being triggered

    Perhaps some kind of WSDL tweeking would be nessecary like the one above?

    Regards
    Tamas Szabo
    tamas.szabo@skatteverket.se

    ReplyDelete
  2. Hi,

    I think the policy you use, says something about the transport and not about the soap message. can you use x509 basic 128 or 256 or usernametoken

    then it show in the wsdl

    thanks

    ReplyDelete
  3. Hello Edwin

    Thanks for the excellent post.

    I am trying to make a web service client for the policy : Wssp1.2-2007-SignBody.xml using NetBeans - Metro, How can I do this?

    Thank you so much.

    ReplyDelete
  4. Hi Edwin

    I am following the below (except that i have exported the OWSM policy from Fusion middleware page and removed oracle_ in front), but still not able to get the custom OWSM policy shown in Jdeveloper. Please help

    The exported policy file from fusion middleware page is this orace_db_assertion_policy (no extension). I removed oracle_ from front

    "Exporting Policies from the MDS Repository for Use in JDeveloper
    In JDeveloper, you can add custom policies to the default policy store location at:

    C:\Documents and Settings\user-dir\ApplicationData\JDeveloper\system11.1.1.2.x.x.x\DefaultDomain\oracle\store\gmds

    Within this directory, Oracle WSM policies files must be included using one of the following directory structures:

    Predefined Oracle WSM policies: owsm/policies/oracle/policy_file

    Custom user policies: owsm/policies/policy_file

    When exporting policy files from the Oracle WSM Metadata Services (MDS) repository for use in JDeveloper, this directory structure is not maintained. You must ensure that when adding the exported policy to the JDeveloper environment that you use the required directory structure noted above. Otherwise, the policies will not be available in the JDeveloper environment."

    Is it neccessary to export from MDS?

    ReplyDelete
  5. Hi Edwin

    I am following the below (except that i have exported the OWSM policy from Fusion middleware page and removed oracle_ in front), but still not able to get the custom OWSM policy shown in Jdeveloper. Please help

    The exported policy file from fusion middleware page is this orace_db_assertion_policy (no extension). I removed oracle_ from front

    "Exporting Policies from the MDS Repository for Use in JDeveloper
    In JDeveloper, you can add custom policies to the default policy store location at:

    C:\Documents and Settings\user-dir\ApplicationData\JDeveloper\system11.1.1.2.x.x.x\DefaultDomain\oracle\store\gmds

    Within this directory, Oracle WSM policies files must be included using one of the following directory structures:

    Predefined Oracle WSM policies: owsm/policies/oracle/policy_file

    Custom user policies: owsm/policies/policy_file

    When exporting policy files from the Oracle WSM Metadata Services (MDS) repository for use in JDeveloper, this directory structure is not maintained. You must ensure that when adding the exported policy to the JDeveloper environment that you use the required directory structure noted above. Otherwise, the policies will not be available in the JDeveloper environment."

    Is it neccessary to export from MDS?

    ReplyDelete
  6. Hi,

    I don't have any problem I copied a existing policy from DefaultDomain\oracle\store\gmds\owsm\policies\oracle ( be aware you copy the right client or server policy -> ws and client -> proxy client ) to the DefaultDomain\oracle\store\gmds\owsm\policies\policy_file folder

    and changed the following attributes of the wsp:Policy element ( top ) to a unique name, so I can see them in jdeveloper

    wsu:Id="edwin_service_policy"
    orawsp:displayName="edwin_service_policy"
    orawsp:description="edwin"
    Name="edwin_service_policy"

    thanks

    ReplyDelete
  7. hello
    plaese help me
    i want implement ecommerce with metro web services

    ReplyDelete
  8. Following your tutorial I'm getting:

    Caused by: com.sun.xml.wss.impl.WssSoapFaultException: WSS1721: Validation of Reference with URI #str_8B6DRCVV0yDaKBWt failed

    In NetBeans 7.2 I had to delete duplicated .

    My used policies are:
    "Wssp1.2-2007-Wss1.0-X509-Basic256.xml"),
    "Wssp1.2-2007-EncryptBody.xml"),
    "Wssp1.2-2007-SignBody.xml").

    I set service alias in trust store and client alias in Keystore.

    How can I resolve this problem?
    I have good version in JDeveloper, but there I had to place a lot of code in client class. I'd like to working version in NetBeans. Could you help me with this problem? I remember I had to place (in JDeveloper project) both certificates in certificate verification (certificateCallback).

    ReplyDelete
    Replies
    1. Hi,

      can you control or change the order of the policies or just do signing first.

      thanks

      Delete