Using HTTPS to Secure a WebLogic Workshop Web Service
The following topic explains how expose a WebLogic Workshop web service using HTTPS.
Web services built with WebLogic Workshop are deployed to WebLogic Server in the form of web applications. Different services within a single application can be exposed using different transport protocols, secure or insecure, as necessary. Secure an individual service by specifying that it be exposed using HTTPS rather than HTTP. HTTPS encrypts the communication between the client and web service, and it also offers a degree of authentication of the server using a digital certificate, which the server presents to the client. The one-way authentication offered by the server to the client, can be supplemented by two-way authentication, where the client offers a digital certificate to the server, in addition to the certificate offered by the server.
You specify the web service exposure protocol as you prepare to deploy the web service to WebLogic Server. To expose a web service using the HTTPS protocol rather than the HTTP protocol, you must:
Make sure that the WebLogic Server where you deploy the web service is listening on an HTTPS-enabled port. See Configuring the SSL Protocol in the WebLogic Server 7.0 documentation.
Make sure that the web service’s WSDL file advertises that HTTPS-enabled port.
To ensure that your web service’s WSDL directs clients to an HTTPS-enabled port, edit the weblogic-jws-config.xml file, found in the project’s WEB-INF directory. In the weblogic-jws-config.xml file you can set a dedicated HTTP port, a dedicated https port, and set which ports individual web services should use.
The weblogic-jws-config.xml file can include multiple <jws> elements. Inside each <jws> element you specify a web service using the <class-name> element, and the exposer protocol, either HTTP or HTTPS, using the <port> element. Specifying that a web service should use the HTTPS-enabled port causes the web service WSDL to advertise the application’s HTTPS-enabled port.
The example weblogic-jws-config.xml file below shows how to expose the web service MySecureService on the HTTPS port (specified as port 7002). You should recompile the application EAR and redeploy the application each time you change the weblogic-jws-config.xml file, otherwise changes will have no effect on the deployed application.
Note: the settings on the weblogic-jws-config.xml file can be overridden at compile-time by the parameters you specify in the jwsCompile command. For more information see Deploying Web Services and JwsCompile Command.
<config> <protocol>http</protocol> <hostname>localhost</hostname> <http-port>7001</http-port> <https-port>7002</https-port> <jws> <class-name>MySecureService</class-name> <protocol>https</protocol> </jws> ... </config>
In order to expose different services on differently-enabled ports, add a <jws> element with child <class-name> and <protocol> elements. The example weblogic-jws-config.xml file below specifies that the HelloWorld service should use the HTTP-enabled port and the service HelloWorldSecure should use the HTTPS-enabled port.
Note: in the example below, the default <protocol> tag has the value http: this makes it, strictly speaking, redundant to use the jws-specific <protocol> element to specify that HelloWorld should use the http port. HelloWorld's jws-specific <protocol> element is present for the sake of clarity.
<config>
<!-- The global <protocol> element says that any service in the project file should be exposed on http, unless otherwise specified.
-->
<protocol>http</protocol> <hostname>localhost</hostname> <http-port>7001</http-port> <https-port>7002</https-port>
<!--It is, strictly speaking, superfluous to use the jws-specific <protocol tag to declare that the HelloWorld service should be exposed on the http protocol this was accomplished by the global <protocol> element.-->
<jws>
<!-- Recall that JWS files are really Java classes, hence, the element name 'class-name'.
-->
<class-name>HelloWorld</class-name> <protocol>http</protocol> </jws> <jws> <class-name>HelloWorldSecure</class-name> <protocol>https</protocol> </jws>
... </config>