There is no need to secure the Investigate Java control against Internet traffic, because it can only be called directly by other local components. But it is necessary to secure Investigate's communications with other applications across the Internet. In this step you will secure one of those communication routes: the communication route between Investigate and the Credit Card Report web service.
The tasks in this step are:
To Configure CreditCardReport.jws for SSL
You configure a web resource for SSL through the web.xml and weblogic.xml files, located in your application's WEB-INF directory.
Placing the following <security-constraint> element in web.xml ensures that all communication with the resource is encrypted, which keeps the communication confidential.

    <taglib>
      <taglib-uri>netui-tags-template.tld</taglib-uri>
      <taglib-location>/WEB-INF/netui-tags-template.tld</taglib-location>
    </taglib>
    <security-constraint>
      <display-name>Security Constraint for the Credit Card Report web service</display-name>
      <web-resource-collection>
        <web-resource-name>CreditCardReport.jws</web-resource-name>
        <description>A web service secured by SSL and basic authentication</description>
        <url-pattern>/webservice/CreditCardReport.jws</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    </web-app>

To Configure CreditCardReport.jws for Basic Authentication
Basic authentication requires that clients provide a valid username and password to access a web resource. (The registration process by which users originally acquire a username and password is an important consideration that is beyond the scope of this tutorial.) Also, the <auth-constraint> element you add below requires that users be members of the RegisteredCreditCardReportUsers role to access the Credit Card Report web service. Whereas SSL ensures that communications are confidential, basic authentication ensures that you know the identity of your clients. In this case, basic authentication ensures that Credit Card Report knows its client, the Investigate Java control, really is the Investigate Java control, and not another potentially malicious third party.

    <taglib>
      <taglib-uri>netui-tags-template.tld</taglib-uri>
      <taglib-location>/WEB-INF/netui-tags-template.tld</taglib-location>
    </taglib>
    <security-constraint>
      <display-name>Security Constraint for the Credit Card Report web service</display-name>
      <web-resource-collection>
        <web-resource-name>CreditCardReport.jws</web-resource-name>
        <description>A web service secured by SSL and basic authentication</description>
        <url-pattern>/webservice/CreditCardReport.jws</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>RegisteredCreditCardReportUsers</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <security-role>
      <description>Users who have successfully completed Credit Card Report's registration process and have been given a username and password</description>
      <role-name>RegisteredCreditCardReportUsers</role-name>
    </security-role>
    </web-app>


    <weblogic-web-app>
      <security-role-assignment>
        <role-name>RegisteredCreditCardReportUsers</role-name>
        <principal-name>weblogic</principal-name>
      </security-role-assignment>
      <jsp-descriptor>
        <!-- Comment the jspServlet param out to go back to weblogic's jspc -->
        <jsp-param>
          <param-name>jspServlet</param-name>
          <param-value>weblogic.servlet.WlwJSPServlet</param-value>
        </jsp-param>
        <jsp-param>
          <param-name>debug</param-name>
          <param-value>true</param-value>
        </jsp-param>
      </jsp-descriptor>
      <url-match-map>
        weblogic.servlet.utils.SimpleApacheURLMatchMap
      </url-match-map>
    </weblogic-web-app>

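A deployment check for the two descriptors above, added here as an example and not part of the original tutorial: it parses web.xml and weblogic.xml and reports any security constraint that lacks CONFIDENTIAL transport, lacks an auth-constraint, or names a role that is not both declared and mapped to a principal. It also reports when <http-method> elements are listed, because a constraint that lists methods applies only to those methods. The function names and the trimmed sample descriptors are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the descriptors from this step, trimmed to the security elements.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/webservice/CreditCardReport.jws</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>RegisteredCreditCardReportUsers</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-role><role-name>RegisteredCreditCardReportUsers</role-name></security-role>
</web-app>"""
WEBLOGIC_XML = """<weblogic-web-app>
  <security-role-assignment>
    <role-name>RegisteredCreditCardReportUsers</role-name>
    <principal-name>weblogic</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""

def texts(node, path):
    """Stripped text of every element matching path under node."""
    return [(e.text or "").strip() for e in node.findall(path)]

def audit(web_xml, weblogic_xml):
    """Return findings for constraints that lack TLS, auth, or a role mapping."""
    web, wl = ET.fromstring(web_xml), ET.fromstring(weblogic_xml)
    declared = set(texts(web, "security-role/role-name"))
    mapped = set(texts(wl, "security-role-assignment/role-name"))
    findings = []
    for sc in web.findall("security-constraint"):
        url = ", ".join(texts(sc, "web-resource-collection/url-pattern"))
        if "CONFIDENTIAL" not in texts(sc, "user-data-constraint/transport-guarantee"):
            findings.append(f"{url}: transport-guarantee is not CONFIDENTIAL")
        if sc.find("auth-constraint") is None:
            findings.append(f"{url}: no auth-constraint")
        for role in texts(sc, "auth-constraint/role-name"):
            if role not in declared:
                findings.append(f"{url}: role {role} has no security-role")
            if role not in mapped:
                findings.append(f"{url}: role {role} has no security-role-assignment")
        methods = texts(sc, "web-resource-collection/http-method")
        if methods:  # listed methods only: any other HTTP method is outside the constraint
            findings.append(f"{url}: covers only {'/'.join(methods)}")
    return findings
```

A role name that differs by one word between <auth-constraint> and <security-role-assignment> produces two findings here instead of a 401 or 403 at test time.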
To Edit Investigate to Use the Correct Username and Password to Access CreditCardReport.jws
Now the Credit Card Report web service requires that its clients provide a valid username and password and that those clients be assigned the role of RegisteredCreditCardReportUsers. In this task you will edit Investigate to provide the correct username and password when accessing Credit Card Report.

    public void requestCreditReport(String taxID)
    {
        m_currentApplicant.taxID = taxID;
        /*
         * Retrieve data from the database and store it in the rec object.
         */
        Record rec = bankruptciesDB.checkForBankruptcies(taxID);
        /*
         * If the database returns substantial data, then store that data
         * in the m_currentApplicant object.
         */
        if(rec != null)
        {
            m_currentApplicant.firstName = rec.firstname;
            m_currentApplicant.lastName = rec.lastname;
            m_currentApplicant.currentlyBankrupt = rec.currentlyBankrupt;
            /*
             * Set the username and password necessary to access the Credit
             * Card Report web service.
             * Then invoke the getCreditCardData method.
             * Results from the web service will be provided via a callback.
             */
            creditCardReportControl.setUsername("weblogic");
            creditCardReportControl.setPassword("weblogic");
            /*
             * Invoke the Credit Card Report web service.
             * Results from the web service will be provided via a callback.
             */
            creditCardReportControl.getCreditCardData(taxID);
            /*
             * Start the timer. If the credit card report is not
             * received within 5 minutes, the conversation will be finished
             * and the client will be notified that
             * there was a problem.
             */
            creditCardReportTimer.start();
        }
        /*
         * If the database does not return substantial data, notify the client
         * that there is a problem.
         */
        else
        {
            m_currentApplicant.message = "No data could be found on the applicant. Please call (555) 555-5555 for assistance. ";
            /*
             * Send the error message to the client via a callback.
             */
            callback.onCreditReportDone(m_currentApplicant);
        }
    }

To Edit the Credit Card Report Control File
If you were to test your Java control now, it would not succeed in invoking the Credit Card Report web service. This is because the Credit Card Report currently listens for clients on the HTTPS port 7002, but the Investigate Java control sends its requests through the HTTP port 7001. In this task you will configure the Credit Card Report control (used by the Investigate Java control) to send communications through port 7002.

    /**
     * @jc:location http-url="https://localhost:7002/CreditCardReport_JCSTutorial/webservice/CreditCardReport.jws"
     * @jc:wsdl file="#CreditCardReportWsdl"
     */
    public interface CreditCardReportControl extends com.bea.control.ControlExtension, com.bea.control.ServiceControl

When you try to modify this control file, Workshop will warn you that you are trying to edit an autogenerated file. Click Yes when Workshop asks you if you want to edit this file.
To Test the Investigate Java Control
In this task you will perform two tests. First you will test to see if the right password results in successful communication, then you will test to see if the wrong password results in failed communication.
Testing for Successful Communication
Note: Use one of the following (9-digit) taxIDs to test your Java control throughout the tutorial:
Testing for Failed Communication

    /**
     * Set the username and password necessary to access the Credit
     * Card Report web service.
     * Then invoke the getCreditCardData method.
     * Results from the web service will be provided via a callback.
     */
    creditCardReportControl.setUsername("weblogic");
    creditCardReportControl.setPassword("wrong_password");
    /**
     * Invoke the Credit Card Report web service.
     * Results from the web service will be provided via a callback.
     */
    creditCardReportControl.getCreditCardData(taxID);

    21 Aug 2003 16:38:26,610 ERROR *** Investigate ***: Exception in requestCreditReport: com.bea.control.ServiceControlException: SERVICE FAULT: Code:java.io.FileNotFoundException String:Response: '401: Unauthorized xxx' for url: 'https://weblogic:wrong_password@localhost:7002/CreditCardReport_JCSTutorial/webservice/CreditCardReport.jws' Detail: END SERVICE FAULT [ServiceException]

Note that the error is interpreted as a "FileNotFoundException" because the Investigate Java control treats the URL "https://weblogic:wrong_password@localhost:7002/CreditCardReport_JCSTutorial/webservice/CreditCardReport.jws" as a file resource. When the Investigate Java control cannot access the file, it throws a file not found exception, although the real cause of the problem is the wrong password.
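The fault text above carries the username and password inside the URL, so both end up in the log. The following scrubber is an added example, not part of the original tutorial: it finds URLs with an embedded password in log lines, reports the line number and username, and returns the lines with the password redacted. The first sample line and all function names are constructed for the example.

```python
import re

# Constructed sample lines; the second reuses the URL from the fault shown above.
SAMPLE_LOG = [
    "21 Aug 2003 16:38:20,101 INFO *** Investigate ***: requesting "
    "https://localhost:7002/CreditCardReport_JCSTutorial/webservice/CreditCardReport.jws",
    "21 Aug 2003 16:38:26,610 ERROR *** Investigate ***: Response: '401: Unauthorized xxx' "
    "for url: 'https://weblogic:wrong_password@localhost:7002/CreditCardReport_JCSTutorial"
    "/webservice/CreditCardReport.jws'",
]

# scheme://authority, where the authority runs up to the first '/', quote or space.
URL_AUTHORITY = re.compile(r"(?P<scheme>https?://)(?P<authority>[^/\s'\"]+)")

def scrub(lines):
    """Return (clean_lines, findings); findings are (line_number, username) pairs."""
    clean, findings = [], []
    for number, line in enumerate(lines, start=1):
        users = []

        def redact(match):
            # The last '@' separates userinfo from host, even if the password contains '@'.
            userinfo, at, host = match.group("authority").rpartition("@")
            user, colon, _secret = userinfo.partition(":")
            if not (at and colon):
                return match.group(0)  # no password in this URL, leave it alone
            users.append(user)
            return f"{match.group('scheme')}{user}:<redacted>@{host}"

        clean.append(URL_AUTHORITY.sub(redact, line))
        findings.extend((number, user) for user in users)
    return clean, findings
```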