Programmatic Security

WebLogic Workshop supports WebLogic's security APIs, which let you change web service behavior based on a user's group and other security parameters. The APIs appear in the web service code itself and are executed only after a user has passed the servlet's security gates. The servlet-controlled security model is described in Declarative Security.

Authorizing Clients within Web Service Code

Once a client has passed the servlet security gates, you can access the client's group and security permissions from the web service code in order to authorize individual methods and operations, or to otherwise change web service behavior based on the identity of the client. Client discovery is accomplished by methods in the JwsContext interface, as shown here:

public interface JwsContext
{
    // Returns the authenticated identity of the caller (java.security.Principal).
    public java.security.Principal getCallerPrincipal();
    // Returns true if the caller is a member of the named role.
    public boolean isCallerInRole( String roleName );
}

You can use getCallerPrincipal() to discover the principal that identifies the caller. Use isCallerInRole() to determine whether the caller is in a specified role.
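The following is an added example, not code from the original page or from the WebLogic Workshop samples. It shows a JWS class that authorizes one privileged operation in code with the two JwsContext methods above. The @common:context and @common:operation Javadoc annotations, the com.bea.control package for JwsContext, the "admin" role name and the AccountService class are assumptions.

```java
import java.security.Principal;
import com.bea.control.JwsContext;   // assumed package for the JwsContext interface

// Assumed JWS class name; the com.bea.jws.WebService marker interface is assumed too.
public class AccountService implements com.bea.jws.WebService
{
    /** @common:context */
    JwsContext context;   // injected by the container (assumed annotation)

    /**
     * Returns the caller's identity. The servlet security gate has already
     * authenticated the caller, so the principal can be trusted here.
     * @common:operation
     */
    public String whoAmI()
    {
        Principal p = context.getCallerPrincipal();
        // Guard against an unauthenticated caller on an unprotected method.
        return (p == null) ? "anonymous" : p.getName();
    }

    /**
     * Privileged operation, authorized per request in code rather than only
     * by the servlet's declarative constraints. Deny by default.
     * @common:operation
     */
    public String closeAccount(String accountId)
    {
        if (!context.isCallerInRole("admin"))   // "admin" is an assumed role name
        {
            // Refusing with an exception keeps the denial auditable in server logs.
            throw new SecurityException("caller " + whoAmI()
                + " is not authorized to close accounts");
        }
        // ... application logic for closing the account goes here ...
        return "closed " + accountId;
    }
}
```

Checking the role inside the operation means the authorization decision is taken even when a caller reaches the method through a URL pattern the declarative constraints do not cover, which is the usual reason to combine programmatic and declarative security.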

Sending Credentials with Outgoing Messages

When you need to send authentication credentials with outgoing method invocations on external web services, you can attach credentials in one of the following three ways:

  1. If your outgoing method invocation is accomplished through a service control, then use the following methods on the ServiceControl interface:

public interface ServiceControl
{
    public void setUsername( String username );
    public void setPassword( String password );
    public String getUsername();
    public String getPassword();
}

Note: To call a secure service through a service control, you must modify the service CTRL file so that the http-url property of its @jws:location annotation specifies a fully qualified HTTPS URL. For example, if you are trying to call the HelloWorldSecure service via a service control, the CTRL file must be modified as below:

@jws:location http-url="https://localhost:7002/samples/HelloWorldSecure.jws"

  2. If your outgoing method invocation is accomplished through a callback interface (that is, if your service issues a callback to an external service), then use the following methods on the JwsContext object:

public interface JwsContext
{
    public void setCallbackUsername( String username );
    public void setCallbackPassword( String password );
    public String getCallbackUsername();
    public String getCallbackPassword();
}

  3. You can also specify credentials for outgoing messages by encoding them in the endpoint URL, for both service controls and callback interfaces. The format of a URL with credentials is:

<protocol>://<username>:<password>@<host>:<port>/...

You may pass such a URL to ServiceControl.setEndPoint() or JwsContext.setCallbackURL(). When an outgoing method-invocation message is packaged, the current username and password are encoded for the current protocol and sent with the message.
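The following is an added example, not code from the original page or from the WebLogic Workshop samples. It shows the three ways of attaching credentials listed above in one JWS class: on a service control, on the callback context, and in the endpoint URL. HelloWorldSecure and its HTTPS URL are the page's own sample; the control type and field name, the hello() control method, the Callback interface, the @common:control and @common:context annotations, the argument types of setEndPoint() and setCallbackURL(), the svcUser account and the readPassword() helper are assumptions.

```java
import com.bea.control.JwsContext;   // assumed package for the JwsContext interface

public class CredentialDemo implements com.bea.jws.WebService   // assumed class name
{
    /** @common:context */
    JwsContext context;   // assumed annotation

    /**
     * Service control for the page's HelloWorldSecure sample. Its CTRL file
     * must carry an https:// http-url in @jws:location, as the note above says.
     * @common:control
     */
    HelloWorldSecureControl helloWorldSecure;   // assumed control type and name

    /** Assumed callback interface; the container delivers onResult() to the caller. */
    public interface Callback
    {
        void onResult( String result );
    }
    Callback callback;   // assumed field name

    /** @common:operation */
    public String callViaControl()
    {
        // 1. Credentials set on the service control travel with each invocation.
        helloWorldSecure.setUsername( "svcUser" );        // assumed account
        helloWorldSecure.setPassword( readPassword() );
        return helloWorldSecure.hello();                  // assumed control method
    }

    /** @common:operation */
    public void callbackWithCredentials( String payload )
    {
        // 2. Credentials for callbacks are set on the JwsContext, not the control.
        context.setCallbackUsername( "svcUser" );
        context.setCallbackPassword( readPassword() );
        callback.onResult( "processed " + payload );
    }

    /** @common:operation */
    public String callViaUrlCredentials() throws java.net.MalformedURLException
    {
        // 3. Credentials embedded in the endpoint URL: <protocol>://<user>:<password>@<host>:<port>/...
        //    The HTTPS scheme keeps them off the wire in clear text, but the full URL
        //    (password included) is visible wherever the endpoint URL is logged or
        //    displayed, so options 1 and 2 are easier to keep out of logs.
        String url = "https://svcUser:" + readPassword()
            + "@localhost:7002/samples/HelloWorldSecure.jws";
        helloWorldSecure.setEndPoint( new java.net.URL( url ) );   // argument type assumed
        return helloWorldSecure.hello();
    }

    /** Placeholder for reading the password from a protected store (assumed helper). */
    private String readPassword()
    {
        return System.getProperty( "svcUser.password", "PLACEHOLDER_PASSWORD" );
    }
}
```

In all three variants the password is read at call time rather than written into the JWS source, so rotating the credential does not require redeploying the service.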

Related Topics

Overview: Security