Step 7: Transport Security

There is no need to secure the Investigate Java control against Internet traffic, because it can only be called directly by other local components. But it is necessary to secure Investigate's communications with other applications across the Internet. In this step you will secure one of those communication routes: the communication route between Investigate and the Credit Card Report web service.

The tasks in this step are:

  1. Configure CreditCardReport.jws for SSL.
  2. Configure CreditCardReport.jws for basic authentication.
  3. Edit Investigate to use the correct username and password to access CreditCardReport.jws.
  4. Edit the Credit Card Report control file.
  5. Test the Investigate Java control.

To Configure CreditCardReport.jws for SSL

You configure a web resource for SSL through the web.xml and weblogic.xml files, located in your application's WEB-INF directory.

Placing the following <security-constraint> element in web.xml, with a <transport-guarantee> of CONFIDENTIAL, tells the server that the resource may only be reached over an SSL connection, so both the request and the response are encrypted in transit. Two details of the element matter in practice: the constraint applies only to requests whose path matches the <url-pattern>, and because it lists <http-method> elements it covers only GET and POST. A constraint that omits <http-method> entirely covers every HTTP method, which is usually what you want.

  1. On the Application tab, navigate to the folder JavaControlTutorial/CreditCardReport_JCSTutorial/WEB-INF and open the web.xml file.

  2. Add the following <security-constraint> XML element to web.xml, after the final </taglib> end tag but before the final </web-app> end tag. The <security-constraint> element is the code to add; the <taglib> and </web-app> lines are shown only for context.
        <taglib>
            <taglib-uri>netui-tags-template.tld</taglib-uri>
            <taglib-location>/WEB-INF/netui-tags-template.tld</taglib-location>
        </taglib>
    
        <security-constraint>
            <display-name>
                Security Constraint for the Credit Card Report web service
            </display-name>
            <web-resource-collection>
                <web-resource-name>CreditCardReport.jws</web-resource-name>
                <description>A web service secured by SSL and basic authentication</description>
                <url-pattern>/webservice/CreditCardReport.jws</url-pattern>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
            </web-resource-collection>
            <user-data-constraint> 
                <transport-guarantee>CONFIDENTIAL</transport-guarantee> 
            </user-data-constraint>
        </security-constraint>    
    
    </web-app>
    

To configure CreditCardReport.jws for basic authentication

Basic authentication requires that clients provide a valid username and password to access a web resource. (The registration process by which users originally acquire a username and password is an important consideration that is beyond the scope of this tutorial.) Also, the <auth-constraint> element you add below requires that users be members of the RegisteredCreditCardReportUsers role to access the Credit Card Report web service. Whereas SSL ensures that communications are confidential, basic authentication ensures that you know the identity of your clients: it lets Credit Card Report confirm that a caller holds the credentials issued to the Investigate Java control, rather than being some other, potentially malicious, third party. Note that basic authentication only base64-encodes the username and password in the Authorization header; it does not encrypt them, which is why the CONFIDENTIAL transport guarantee from the previous task must stay in place.
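To make concrete what basic authentication puts on the wire and how the server decides between accepting and rejecting a caller, here is an added example in Python. It is not code from the tutorial or from WebLogic Server; it models the exchange between the Investigate control (client side) and the Credit Card Report web service (server side). The user table, the role membership and the extra user "visitor" are constructed here to mirror the weblogic.xml mapping made later in this step; a real server takes them from its security realm.

```python
"""Model of HTTP Basic authentication between a client and a role-protected resource.

Added example, not tutorial or WebLogic code. USERS, ROLE_MEMBERS and the "visitor"
account are constructed stand-ins for the server's security realm.
"""
import base64
import hmac
from typing import Optional, Tuple

# Constructed realm: "weblogic" mirrors the tutorial's account, "visitor" is invented
# to show what happens to a caller who authenticates but is not in the required role.
USERS = {"weblogic": "weblogic", "visitor": "visitor"}
ROLE_MEMBERS = {"RegisteredCreditCardReportUsers": {"weblogic"}}
REQUIRED_ROLE = "RegisteredCreditCardReportUsers"   # the <auth-constraint> role


def authorization_header(username: str, password: str) -> str:
    """Client side: the value sent in the Authorization request header."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Server side: recover (username, password), or None if the header is absent or malformed.

    base64 is an encoding, not encryption: anyone who can read the header can read the
    password, which is why the resource also demands a CONFIDENTIAL transport.
    """
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = raw.partition(":")
    return (username, password) if sep else None


def handle_request(authorization: Optional[str]) -> int:
    """Server side: 401 for missing or wrong credentials, 403 for a user outside the
    required role, 200 when both checks pass. A real 401 is accompanied by a
    WWW-Authenticate: Basic challenge header."""
    creds = decode_authorization(authorization)
    if creds is None:
        return 401
    username, password = creds
    expected = USERS.get(username)
    # compare_digest keeps the comparison time independent of where the strings differ.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return 401
    if username not in ROLE_MEMBERS.get(REQUIRED_ROLE, set()):
        return 403
    return 200


if __name__ == "__main__":
    for user, pw in [("weblogic", "weblogic"), ("weblogic", "wrong_password"), ("visitor", "visitor")]:
        hdr = authorization_header(user, pw)
        print(f"{hdr}  decodes to {decode_authorization(hdr)}  ->  {handle_request(hdr)}")
```

The wrong-password case returns 401, which is the status the Test Browser reports later in this step when Investigate is deliberately given "wrong_password".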

  1. Confirm that web.xml is displayed in the main work area.
  2. Edit the <security-constraint> element so it appears as follows, and add a <security-role> element immediately after it. The code to add is the <auth-constraint> element inside <security-constraint> and the <security-role> element that follows it.
  3. The resulting fragment of web.xml:
        <taglib>
            <taglib-uri>netui-tags-template.tld</taglib-uri>
            <taglib-location>/WEB-INF/netui-tags-template.tld</taglib-location>
        </taglib>
    
        <security-constraint>
            <display-name>
                Security Constraint for the Credit Card Report web service
            </display-name>
            <web-resource-collection>
                <web-resource-name>CreditCardReport.jws</web-resource-name>
                <description>A web service secured by SSL and basic authentication</description>
                <url-pattern>/webservice/CreditCardReport.jws</url-pattern>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint>
                <role-name>RegisteredCreditCardReportUsers</role-name>
            </auth-constraint> 
            <user-data-constraint> 
                <transport-guarantee>CONFIDENTIAL</transport-guarantee> 
            </user-data-constraint>
        </security-constraint>
        
        <security-role>
            <description>Users who have successfully completed
            Credit Card Report's registration process and have been given a username
            and password</description>
            <role-name>RegisteredCreditCardReportUsers</role-name>
        </security-role>      
    
    </web-app>
  4. Press Ctrl+S to save your work.


  5. Next you grant one user the role RegisteredCreditCardReportUsers. The user "weblogic" is a preconfigured administrative user in WebLogic Server, and its password is "weblogic". This is convenient for the tutorial; a real deployment would create a dedicated, non-administrative account for the Investigate control and assign only this role to it, rather than reusing the server administrator's credentials.
  6. On the Application tab double-click JavaControlTutorial/CreditCardReport_JCSTutorial/WEB-INF/weblogic.xml to open the file. Add the following <security-role-assignment> element immediately after the opening <weblogic-web-app> tag. The <security-role-assignment> element is the code to add; the rest of the file is shown for context.
  7. The resulting weblogic.xml:
    <weblogic-web-app>
    
        <security-role-assignment>
            <role-name>RegisteredCreditCardReportUsers</role-name>
            <principal-name>weblogic</principal-name>
        </security-role-assignment>
        
        <jsp-descriptor>
            <!-- Comment the jspServlet param out to go back to weblogic's jspc -->
            <jsp-param>
                <param-name>jspServlet</param-name>
                <param-value>weblogic.servlet.WlwJSPServlet</param-value>
            </jsp-param>
            <jsp-param>
                <param-name>debug</param-name>
                <param-value>true</param-value>
            </jsp-param>
        </jsp-descriptor>
        
        <url-match-map>
           weblogic.servlet.utils.SimpleApacheURLMatchMap
        </url-match-map>
        
    </weblogic-web-app>
    
  8. Press Ctrl+S to save your work.
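The two descriptor edits above are easy to get subtly wrong: a role name that differs between web.xml and weblogic.xml, a transport guarantee left at NONE, or a constraint that silently covers only the HTTP methods it lists. The following added Python script, which is not part of the tutorial, audits trimmed copies of the web.xml and weblogic.xml fragments written in the two tasks above and reports those problems. The embedded XML is a constructed copy of the tutorial's descriptors, and the parser assumes a servlet 2.3 style descriptor without XML namespaces, as in this tutorial.

```python
"""Audit <security-constraint> and <security-role-assignment> descriptors for consistency.

Added example, not part of the tutorial. WEB_XML and WEBLOGIC_XML are constructed,
trimmed copies of the descriptors edited above. Assumes descriptors without namespaces.
"""
import xml.etree.ElementTree as ET

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>CreditCardReport.jws</web-resource-name>
      <url-pattern>/webservice/CreditCardReport.jws</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>RegisteredCreditCardReportUsers</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-role>
    <role-name>RegisteredCreditCardReportUsers</role-name>
  </security-role>
</web-app>"""

WEBLOGIC_XML = """<weblogic-web-app>
  <security-role-assignment>
    <role-name>RegisteredCreditCardReportUsers</role-name>
    <principal-name>weblogic</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""


def _text(el, path):
    """Stripped text of the first child matching path, or None when absent."""
    found = el.find(path)
    return found.text.strip() if found is not None and found.text else None


def audit(web_xml, weblogic_xml):
    """Return a list of finding strings; an empty list means the descriptors are consistent."""
    web = ET.fromstring(web_xml)
    wl = ET.fromstring(weblogic_xml)
    findings = []
    declared = {_text(r, "role-name") for r in web.findall("security-role")}
    mapped = {_text(a, "role-name") for a in wl.findall("security-role-assignment")}

    for sc in web.findall("security-constraint"):
        wrc = sc.find("web-resource-collection")
        label = ", ".join(p.text.strip() for p in wrc.findall("url-pattern"))

        # Transport: anything other than CONFIDENTIAL lets the resource be reached in clear.
        guarantee = _text(sc, "user-data-constraint/transport-guarantee")
        if guarantee != "CONFIDENTIAL":
            findings.append(f"{label}: transport-guarantee is {guarantee}, not CONFIDENTIAL")

        # Methods: listing <http-method> restricts the constraint to exactly those verbs.
        methods = [m.text.strip() for m in wrc.findall("http-method")]
        if methods:
            findings.append(f"{label}: constraint limited to {' '.join(methods)}; "
                            "other HTTP methods are unconstrained")

        # Roles: each role in <auth-constraint> must be declared and mapped to a principal.
        auth = sc.find("auth-constraint")
        if auth is None:
            findings.append(f"{label}: no auth-constraint, any caller may reach the resource")
        else:
            for r in auth.findall("role-name"):
                role = r.text.strip()
                if role not in declared:
                    findings.append(f"{label}: role {role} is not declared in <security-role>")
                if role not in mapped:
                    findings.append(f"{label}: role {role} has no <security-role-assignment> "
                                    "in weblogic.xml")
    return findings


if __name__ == "__main__":
    for finding in audit(WEB_XML, WEBLOGIC_XML) or ["no findings"]:
        print(finding)
```

Run against the tutorial's own descriptors the only finding is the GET/POST method restriction; misspelling the role in weblogic.xml (for example RegisteredCreditCardUsers) or changing the guarantee to NONE each produce an additional finding.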

To Edit Investigate to Use the Correct Username and Password to Access CreditCardReport.jws

Now the Credit Card Report web service requires that its clients provide a valid username and password and that those clients be assigned the role of RegisteredCreditCardReportUsers. In this task you will edit Investigate to provide the correct username and password when accessing Credit Card Report. For the tutorial the credentials are written directly into the Java source; in a real application they belong in a protected credential store, not in code that is compiled into the deployment and checked into source control.

  1. On the Application tab, double-click InvestigateImpl.jcs.
  2. Edit the requestCreditReport method so it appears as follows. The code to add is the comment block and the two calls to setUsername and setPassword that precede the getCreditCardData call.
  3. The edited method:
        public void requestCreditReport(String taxID)
        {
            m_currentApplicant.taxID = taxID;
        
            /*
             * Retrieve data from the database and store it in the rec object.
             */
            Record rec = bankruptciesDB.checkForBankruptcies(taxID);
            /*
             * If the database returns substantial data, then store that data
             * in the m_currentApplicant object.
             */
            if(rec != null)
            {
                m_currentApplicant.firstName = rec.firstname;
                m_currentApplicant.lastName = rec.lastname;
                m_currentApplicant.currentlyBankrupt = rec.currentlyBankrupt;
    
                /*
                 * Set the username and password necessary to access the Credit
                 * Card Report web service.
                 * Then invoke the getCreditCardData method.
                 * Results from the web service will be provided via a callback.
                 */
                creditCardReportControl.setUsername("weblogic");
                creditCardReportControl.setPassword("weblogic");
                /*
                 * Invoke the Credit Card Report web service.
                 * Results from the web service will be provided via a callback.
                 */
                creditCardReportControl.getCreditCardData(taxID);
        
                 /*
                  * Start the timer.  If the credit card report is not
                  * received within 5 minutes, the conversation will be finished
                  * and the client will be notified that
                  * there was a problem.
                  */
                 creditCardReportTimer.start(); 
            }
            /*
             * If the database does not return substantial data, notify the client
             * that there is a problem.
             */
            else
            {
                m_currentApplicant.message = "No data could be found on the applicant. Please call (555) 555-5555 for assistance. ";
                /*
                 * Send the error message to the client via a callback.
                 */ 
                callback.onCreditReportDone(m_currentApplicant);
            }
        }
    
  4. Press Ctrl+S to save your work.

To Edit the Credit Card Report Control File

If you were to test your Java control now, it would not succeed in invoking the Credit Card Report web service. The <transport-guarantee> you added means that Credit Card Report now accepts clients only on the HTTPS port, 7002, but the Investigate Java control still sends its requests to the HTTP port, 7001. In this task you will configure the Credit Card Report control (used by the Investigate Java control) to send its requests to port 7002 over HTTPS. The client side of that connection must trust the certificate the server presents on port 7002, and outside of a localhost test the host name in the URL must match that certificate.

  1. On the Application tab double-click CreditCardReportControl.jcx to display the file.
  2. Click the Source View tab to view the source code for CreditCardReportControl.jcx.
  3. Edit the @jc:location annotation so it appears as follows. The change is in the http-url attribute: https and port 7002 replace http and port 7001.
  4. The edited annotation:
    /**
     * @jc:location http-url="https://localhost:7002/CreditCardReport_JCSTutorial/webservice/CreditCardReport.jws"
     * @jc:wsdl file="#CreditCardReportWsdl"
     */
    public interface CreditCardReportControl extends com.bea.control.ControlExtension, com.bea.control.ServiceControl
    
    When you try to modify this control file, Workshop will warn you that you are trying to edit an autogenerated file. Click Yes when Workshop asks you if you want to edit this file.


  5. Press Ctrl+S to save your work and press Ctrl+F4 to close the file.

To Test the Investigate Java Control

In this task you will perform two tests. First you will test to see if the right password results in successful communication, then you will test to see if the wrong password results in failed communication.

Testing for Successful Communication

  1. On the Application tab, double-click InvestigateTest.jws.
  2. Click the Start button.

    Workshop builds InvestigateTest.jws and launches the Test Browser.
  3. In the Workshop Test Browser, in the taxID field, enter the 9 digit number 555555555 and click the requestCreditReport button.

    Note:  Use one of the following (9 digit) taxID's to test your Java control throughout the tutorial:

    123456789, 111111111, 222222222, 333333333, 444444444, and 555555555.
  4. Click Refresh until callback.onCreditReportDone appears in the Message Log.
  5. When callback.onCreditReportDone appears, click it to view the applicant data that the callback delivered.

Testing for Failed Communication

  1. From the Window menu, select InvestigateImpl.jcs and click the Source View tab.
  2. Edit the relevant portion of the requestCreditReport method to look like the following. Note that you are intentionally providing the wrong password when calling Credit Card Report.
  3. The edited lines:
                /**
                 * Set the username and password necessary to access the Credit
                 * Card Report web service.
                 * Then invoke the getCreditCardData method.
                 * Results from the web service will be provided via a callback.
                 */
                creditCardReportControl.setUsername("weblogic");
                creditCardReportControl.setPassword("wrong_password");
                /**
                 * Invoke the Credit Card Report web service.
                 * Results from the web service will be provided via a callback.
                 */
                creditCardReportControl.getCreditCardData(taxID);
  4. From the Window menu, select InvestigateTest.jws to open the file.
  5. Click the Start button.
  6. Workshop builds InvestigateTest.jws and launches the Test Browser.
  7. In the Workshop Test Browser, in the taxID field, enter the 9 digit number 555555555 and click the requestCreditReport button.
  8. Click Refresh until investigate:creditCardReportControl.getCreditCardData appears in the Message Log.

    The red exclamation mark next to the method invocation arrow indicates that an error has occurred. In this case, the getCreditCardData method throws an error because Investigate provided the wrong password to the Credit Card Report web service.
  9. Note the error message in the External Service Response section of the Test Browser:

    External Service Response
    Submitted at Friday, Aug 21, 2003 16:38:26 PM PST
    External Service Failure: Response: '401: Unauthorized xxx' for url: 'https://weblogic:wrong_password@localhost:7002/CreditCardReport_JCSTutorial/webservice/CreditCardReport.jws'


    If you check the file BEA_HOME/weblogic81/samples/domains/workshop/workshop.log you will see the following entry.
    21 Aug 2003 16:38:26,610 ERROR *** Investigate ***: Exception in requestCreditReport: com.bea.control.ServiceControlException: SERVICE FAULT:
    Code:java.io.FileNotFoundException
    String:Response: '401: Unauthorized xxx' for url: 'https://weblogic:wrong_password@localhost:7002/CreditCardReport_JCSTutorial/webservice/CreditCardReport.jws'
    Detail:
    END SERVICE FAULT [ServiceException]
    Note that the error is reported as a FileNotFoundException because the Investigate Java control treats the URL "https://weblogic:wrong_password@localhost:7002/CreditCardReport_JCSTutorial/webservice/CreditCardReport.jws" as a file resource: when it cannot retrieve that resource it throws a file-not-found exception, although the real cause of the failure is the wrong password. Note also that both the Test Browser message and the workshop.log entry print the URL with the username and password embedded in it. Here the password is wrong, but the same message produced with the correct password would leave the real credential in the log file, so treat workshop.log as sensitive and avoid putting credentials into URLs that get logged.
  10. Don't forget to open InvestigateImpl.jcs and replace "wrong_password" with the correct password: "weblogic".
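Both the Test Browser response and the workshop.log entry above echo the request URL with the username and password embedded in it. The following added Python example, which is not part of the tutorial, shows one way to scrub that user-info component before a URL or a log line is written. The log line it runs on is a constructed copy of the workshop.log entry shown above; the "<redacted>" marker is an arbitrary choice.

```python
"""Remove user:password@ from URLs before they are logged.

Added example, not part of the tutorial. SAMPLE_LOG_LINE is a constructed copy of
the workshop.log entry quoted above.
"""
import re
from urllib.parse import urlsplit, urlunsplit

SAMPLE_LOG_LINE = (
    "21 Aug 2003 16:38:26,610 ERROR *** Investigate ***: Exception in requestCreditReport: "
    "com.bea.control.ServiceControlException: SERVICE FAULT: Code:java.io.FileNotFoundException "
    "String:Response: '401: Unauthorized xxx' for url: "
    "'https://weblogic:wrong_password@localhost:7002/CreditCardReport_JCSTutorial/webservice/CreditCardReport.jws'"
)

# scheme:// followed by a user-info component and the "@" that ends it. The character class
# stops at "/" so a host without user-info ("https://localhost:7002/...") never matches.
_USERINFO = re.compile(r"(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*://)[^/\s@'\"]+@")


def redact_url(url: str) -> str:
    """Drop the user-info of a single URL, keeping scheme, host, port, path and query."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    host = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def redact_log_line(line: str) -> str:
    """Replace the user-info of every URL embedded in free text with a visible marker,
    so a reviewer can still tell that credentials were present and removed."""
    return _USERINFO.sub(lambda m: m.group("scheme") + "<redacted>@", line)


if __name__ == "__main__":
    print(redact_url("https://weblogic:weblogic@localhost:7002/CreditCardReport_JCSTutorial/webservice/CreditCardReport.jws"))
    print(redact_log_line(SAMPLE_LOG_LINE))
```

redact_url is the call to make where you control the URL object (before handing it to an error message); redact_log_line is the fallback for text that a library already formatted.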

Related Topics

Transport Security
