One-Way SSL

The following topic explains how to configure a WebLogic Workshop web application for one-way SSL. 

One-way SSL sets up a secure connection between a web server and client by requiring the server to present a digital certificate to its clients and by encrypting the data passed between the client and server. The main goals of one-way SSL are the integrity and confidentiality provided by the encryption and the authentication of the server provided by the digital certificate. Note that authentication of the client is not a goal of one-way SSL in itself. To achieve authentication of the client, supplement one-way SSL with basic authentication, or configure your web resource for two-way SSL.

Securing a Web Resource with One-Way SSL

To secure a web resource with one-way SSL, you must (1) obtain a digital certificate from a trusted authority or create your own digital certificate, (2) ensure that the WebLogic Server is SSL enabled, (3) define a web resource as a protected web resource, (4) expose the web resource over an HTTPS enabled server port, and (5) configure WebLogic Server to encrypt the data traffic with the web resource.

1. Digital Certificates

To enable SSL on a production server, you first need to obtain a private-public key pair and a certificate from a trusted third-party certificate authority. For detailed information, see Obtaining Private Keys, Digital Certificates and Trusted Certificate Authorities in the WebLogic Server 8.1 documentation. (As a variation you may also generate your own digital certificates to present to clients, but most web applications use a digital certificate obtained from a third party.) You will also need to store your digital certificate in the appropriate repositories in WebLogic Server. For detailed information see Storing Private Keys, Digital Certificates, and Trusted Certificate Authorities in the WebLogic Server 8.1 documentation.

2. Configuring WebLogic Server

WebLogic Server is by default configured to support one-way SSL. For detailed information see Configuring SSL in the WebLogic 8.1 documentation.

3. Defining a Protected Web Resource

You define a web resource, such as a web application or web service, as a protected resource by placing a security constraint on that resource. Security constraints are specified by <security-constraint> XML elements in the web.xml configuration file in the WEB-INF directory.

Web resources are defined in terms of the URL where they reside. In the following example, the web service HelloWorldSecure.jws is defined as protected because the URL where it resides ("/security/transport/helloWorldSecure/HelloWorldSecure.jws/") is defined as protected.

    <security-constraint>
        <display-name>
            Security Constraint for HelloWorldSecure.jws
        </display-name>
        <web-resource-collection>
            <web-resource-name>HelloWorldSecure.jws</web-resource-name>
            <description>A web service secured by SSL.</description>
            <!--
            Defines the scope of the web resource to be secured with SSL.
            Secure all method calls to the HelloWorldSecure web service.
            -->
            <url-pattern>/security/transport/helloWorldSecure/HelloWorldSecure.jws/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
    </security-constraint>

If you want to protect the whole folder where the HelloWorldSecure web service resides, specify the following URL pattern instead.

    <url-pattern>/security/transport/helloWorldSecure/*</url-pattern>

Using the <url-pattern> element you can restrict access to an entire web application, a folder or a particular file within the web application.

For example, suppose that you have written a web project called myWebProject containing a web service called myWebService containing a method called myWebServiceMethod.

The following <url-pattern> element declares the entire project as protected.

    <url-pattern>/*</url-pattern>

The following <url-pattern> element declares the webservices folder as protected. (A path-mapping <url-pattern> must begin with a forward slash.)

    <url-pattern>/webservices/*</url-pattern>

The following <url-pattern> element declares that only the web service myWebService should be protected.

    <url-pattern>/webservices/myWebService.jws</url-pattern>

4. Exposing a Web Resource Over an HTTPS-enabled Port

You configure WebLogic Server to expose your web resource over an HTTPS-enabled port by editing the wlw-config.xml file, found in the WEB-INF directory of the WebLogic Workshop project where your web resource resides, or by editing the wlw-runtime-config.xml file, found in your application's META-INF directory. Note that we generally recommend that you use the wlw-runtime-config.xml file rather than the wlw-config.xml file, since values specified in wlw-config.xml are hard-coded into the EAR file that is deployed to production servers and cannot be overridden at runtime.

The example wlw-config.xml file below shows how to expose the HelloWorldSecure web service on the HTTPS port, in this case port 7002 as specified by the <https-port> element. Note that this does not force your resource to be exposed exclusively on the HTTPS port. Users will still be able to access the resource both over the default port, specified by the <protocol> element, and over the HTTPS port. You enforce the HTTPS port by placing a <transport-guarantee> element in the resource's security constraint (see step 5 below).

 <http-port>7001</http-port>
 <https-port>7002</https-port>
 <service>
     <class-name>security.transport.helloWorldSecure.HelloWorldSecure</class-name>
     <protocol>https</protocol>
 </service>

To expose different services on different ports, add one <service> element per service, each with child <class-name> and <protocol> elements. The example wlw-config.xml file below specifies that the HelloWorld web service should use the HTTP-enabled port and that the HelloWorldSecure web service should use the HTTPS-enabled port.

 <http-port>7001</http-port>
 <https-port>7002</https-port>
 <service>
     <class-name>HelloWorld</class-name>
     <protocol>http</protocol>
 </service>
 <service>
     <class-name>security.transport.helloWorldSecure.HelloWorldSecure</class-name>
     <protocol>https</protocol>
 </service>

5. Ensuring Encryption of Transmitted Data

To encrypt the traffic with the protected web service, include a <user-data-constraint> element containing a <transport-guarantee> element with the value CONFIDENTIAL in the security constraint. This enforces the use of the HTTPS port specified in step 4 above: requests for the protected URL pattern over plain HTTP are redirected to the HTTPS port rather than served in the clear.

    <security-constraint>
        <display-name>
            Security Constraint for HelloWorldSecure.jws
        </display-name>
        <web-resource-collection>
            <web-resource-name>HelloWorldSecure.jws</web-resource-name>
            <description>A web service secured by SSL.</description>
            <!--
            Defines the scope of the web resource to be secured with SSL.
            Secure all method calls to the HelloWorldSecure web service.
            -->
            <url-pattern>/security/transport/helloWorldSecure/HelloWorldSecure.jws/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <!--
        Encrypt the traffic between the client and this web resource.
        -->
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
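The two halves of the configuration, the protected <url-pattern> from step 3 and the CONFIDENTIAL <transport-guarantee> from step 5, are easy to get out of step when a web.xml is edited by hand. The following checker is an added example, not WebLogic or Workshop code: it parses a web.xml and reports every security constraint whose URL patterns are protected but never forced onto the HTTPS port, plus any <url-pattern> that is not a valid servlet mapping. The embedded descriptor and its HelloWorld constraint are constructed for the example.

```python
"""Lint web.xml so every protected resource is forced onto HTTPS (added example,
not WebLogic code): flags constraints lacking transport-guarantee CONFIDENTIAL."""
import xml.etree.ElementTree as ET

# Constructed sample descriptor: the first constraint is complete, the second
# protects a resource (step 3) but never forces it onto the HTTPS port (step 5).
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <display-name>HelloWorldSecure</display-name>
    <web-resource-collection>
      <web-resource-name>HelloWorldSecure.jws</web-resource-name>
      <url-pattern>/security/transport/helloWorldSecure/HelloWorldSecure.jws/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>HelloWorld</display-name>
    <web-resource-collection>
      <web-resource-name>HelloWorld.jws</web-resource-name>
      <url-pattern>webservices/HelloWorld.jws</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>
"""

NO_TLS = "no CONFIDENTIAL transport-guarantee: resource still answers over plain HTTP"
BAD_PATTERN = "url-pattern must start with '/' (or be an '*.ext' extension mapping)"

def _named(elem, name):
    """Descendants of elem whose local tag is `name` (works with or without a namespace)."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def lint_constraints(web_xml_text):
    """Return (display-name, url-pattern, problem) tuples in document order."""
    findings = []
    for sc in _named(ET.fromstring(web_xml_text), "security-constraint"):
        names = _named(sc, "display-name")
        name = names[0].text.strip() if names and names[0].text else "<unnamed>"
        guarantees = [(g.text or "").strip() for g in _named(sc, "transport-guarantee")]
        for up in _named(sc, "url-pattern"):
            pattern = (up.text or "").strip()
            if "CONFIDENTIAL" not in guarantees:
                findings.append((name, pattern, NO_TLS))
            if not (pattern.startswith("/") or pattern.startswith("*.")):
                findings.append((name, pattern, BAD_PATTERN))
    return findings
```

Run it against the WEB-INF/web.xml of each deployed project before building the EAR; an empty list means every protected pattern is also encrypted.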

For detailed information about the syntax used in the web.xml configuration file, see web.xml Deployment Descriptor Elements in the WebLogic 8.1 documentation, especially the documentation for the <security-constraint> element.

Related Topics

Transport Security

Security

wlw-config.xml