<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
<!-- $PAGETITLE -->
<TITLE>OpenEJB - Securing a Web Service</TITLE>
<LINK href="http://openejb.apache.org/all.css" rel="stylesheet" type="text/css">
<!--[if IE]><link rel="stylesheet" type="text/css" media="screen, projection" href="http://openejb.apache.org/ie.css"><![endif]-->
<LINK rel="SHORTCUT ICON" href="http://openejb.apache.org/images/favicon.ico">
<META http-equiv="Content-Type" content="text/html;charset=UTF-8">
<SCRIPT language="javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.1/jquery.min.js" type="text/javascript"></SCRIPT>
<SCRIPT language="javascript" src="http://openejb.apache.org/tweet/jquery.tweet.js" type="text/javascript"></SCRIPT>
<SCRIPT type="text/javascript">
// Once the DOM is ready, hand the jquery.tweet plugin its options for the
// elements matching ".tweet".
$(document).ready(function () {
  // Filter callback: keep an entry only when its raw text contains "openejb"
  // (case-insensitive match).
  var mentionsOpenEjb = function (t) {
    return /openejb/i.test(t["tweet_raw_text"]);
  };

  var tweetOptions = {
    avatar_size: 32,
    count: 4,
    fetch: 25,
    username: "openejb",
    list: "contributors",
    template: "{avatar}{text}",
    filter: mentionsOpenEjb,
    loading_text: "loading list..."
  };

  $(".tweet").tweet(tweetOptions);
});
</SCRIPT>
</HEAD>
<BODY>
<!-- Delay the loading of the external javascript file needed for labels (as it takes too long to load and visibly holds loading of the page body) -->
<!-- To do this without javascript errors over undefined functions, we need to declare stubs here (that are overrided later by the proper implementations) -->
<SCRIPT language="JavaScript" type="text/javascript">
/**
 * Placeholder for doAddLabel: ignores its argument, does nothing and returns
 * undefined. Per the page comment above, it exists so that calls made before
 * the labels script has loaded do not fail; that script redefines this name.
 */
function doAddLabel(hideTextfieldAfterAddParam) { /* intentionally empty */ }
/**
 * Placeholder for onAddLabel: does nothing and returns undefined until the
 * labels script loaded later in the page redefines this name.
 */
function onAddLabel() { /* intentionally empty */ }
/**
 * Placeholder for showLabelsInput: does nothing and returns undefined until
 * the labels script loaded later in the page redefines this name.
 */
function showLabelsInput() { /* intentionally empty */ }
</SCRIPT>
<A name="top"></A>
<TABLE class="frameTable" cellpadding="0" cellspacing="0" border="0">
<TR class="Row1">
<TD class="Col1"><IMG alt="" src="http://openejb.apache.org/images/dotTrans.gif"></TD>
<TD class="Col2"><IMG alt="" src="http://openejb.apache.org/images/dotTrans.gif"></TD>
<TD class="Col3"><IMG alt="" src="http://openejb.apache.org/images/dotTrans.gif"></TD>
<TD class="Col4"><IMG alt="" src="http://openejb.apache.org/images/dotTrans.gif"></TD>
<TD class="Col5"><IMG alt="" src="http://openejb.apache.org/images/dotTrans.gif"></TD>
</TR>
<TR class="Row2">
<TD class="Col1"><IMG alt="" src="http://openejb.apache.org/images/dotTrans.gif"></TD>
<TD class="Col2">&nbsp;</TD>
<TD class="Col3" id="breadcrumbs">
<!-- $TOP_NAV_BAR -->
<A href="index.html" title="Index">Home</A> | <A href="news.html" title="News">News</A> | <A href="faq.html" title="FAQ">FAQ</A> | <A href="download.html" title="Download">Download</A> | <A href="mailing-lists.html" title="Mailing Lists">Lists</A> | <A href="http://issues.apache.org/jira/browse/OPENEJB" class="external-link" rel="nofollow">Issues</A>
</TD>
<TD class="Col4"><IMG alt="" src="http://openejb.apache.org/images/dotTrans.gif"></TD>
<TD class="Col5">&nbsp;</TD>
</TR>
<TR class="Row3">
<TD class="Col1"><IMG alt="" class="Row3Img" id="thinLine" src="http://openejb.apache.org/images/line_sm.gif"></TD>
<TD class="Col2"><IMG alt="" class="Row3Img" src="http://openejb.apache.org/images/dotTrans.gif"></TD>
<TD class="Col3"><IMG alt="" class="Row3Img" src="http://openejb.apache.org/images/dotTrans.gif"></TD>
<TD class="Col4"><IMG alt="" src="http://openejb.apache.org/images/dotTrans.gif"></TD>
<TD class="Col5"><IMG alt="" class="Row3Img" src="http://openejb.apache.org/images/dotTrans.gif"></TD>
</TR>
<TR class="Row4">
<TD class="Col1">
<SPAN id="Navigation">
<H3><A name="Navigation-Overview"></A>Overview</H3>
<UL class="alternate" type="square">
<LI><A href="index.html" title="Index">Home</A></LI>
<LI><A href="news.html" title="News">News</A></LI>
<LI><A href="faq.html" title="FAQ">FAQ</A></LI>
<LI><A href="download.html" title="Download">Download</A></LI>
<LI><A href="../OPENEJBx30/index.html" title="Index">Documentation</A></LI>
<LI><A href="examples.html" title="Examples">Examples</A></LI>
<LI><A href="http://cwiki.apache.org/confluence/display/OPENEJB/Lightening%20Demos" class="external-link" rel="nofollow">Lightning Demos</A></LI>
<LI><A href="mailing-lists.html" title="Mailing Lists">Mailing Lists</A></LI>
<LI><A href="source-code.html" title="Source Code">Source Code</A></LI>
<LI><A href="http://blogs.apache.org/openejb" class="external-link" rel="nofollow">Project Blog</A></LI>
</UL>
<H3><A name="Navigation-Servers"></A>Servers</H3>
<UL class="alternate" type="square">
<LI><A href="local-server.html" title="Local Server">Local</A></LI>
<LI><A href="remote-server.html" title="Remote Server">Remote</A></LI>
</UL>
<H3><A name="Navigation-Integrations"></A>Integrations</H3>
<UL class="alternate" type="square">
<LI><A href="../OPENEJBx30/tomcat.html" title="Tomcat">Tomcat</A></LI>
<LI><A href="geronimo.html" title="Geronimo">Geronimo</A></LI>
<LI><A href="webobjects.html" title="WebObjects">WebObjects</A></LI>
</UL>
<H3><A name="Navigation-Community"></A>Community</H3>
<UL class="alternate" type="square">
<LI><A href="team.html" title="Team">Team</A></LI>
<LI><A href="articles.html" title="Articles">Articles</A></LI>
<LI><A href="http://webchat.freenode.net/?channels=openejb" class="external-link" rel="nofollow">IRC</A></LI>
</UL>
<H3><A name="Navigation-RelatedProjects"></A>Related Projects</H3>
<UL class="alternate" type="square">
<LI><A href="http://activemq.apache.org/" class="external-link" rel="nofollow">ActiveMQ</A></LI>
<LI><A href="http://openjpa.apache.org/" class="external-link" rel="nofollow">OpenJPA</A></LI>
<LI><A href="http://cxf.apache.org/" class="external-link" rel="nofollow">CXF</A></LI>
</UL>
<H3><A name="Navigation-Index"></A>Index</H3>
<UL class="alternate" type="square">
<LI><A href="space-index.html" title="Space Index">Site Index</A></LI>
<LI><A href="../OPENEJBx30/space-index.html" title="Space Index">Doc Index</A></LI>
</UL>
<H3>
<A name="Navigation-Feeds"></A>
Feeds
</H3>
<UL class="feeds">
<LI>
<A href="http://cwiki.apache.org/confluence/spaces/rss.action?key=OPENEJB&newPages=false">
<IMG src="http://openejb.apache.org/images/rss.gif"></A>
<A class="feedsText" href="http://cwiki.apache.org/confluence/spaces/rss.action?key=OPENEJB&newPages=false">Site</A>
</LI>
<LI><A href="http://cwiki.apache.org/confluence/spaces/blogrss.action?key=OPENEJB">
<IMG src="http://openejb.apache.org/images/rss.gif"></A>
<A class="feedsText" href="http://cwiki.apache.org/confluence/spaces/blogrss.action?key=OPENEJB">News</A>
</LI>
</UL>
</SPAN>
</TD>
<TD class="Col2">&nbsp;</TD>
<TD class="Col3">
<TABLE id="PageHeader" border="0" width="100%">
<TR>
<TD>
<A href="http://openejb.org/">
<IMG hspace="0" src="http://openejb.apache.org/images/logo_openejb.gif" vspace="0">
</A>
</TD>
<TD align="right">
<A href="http://www.apache.org/">
<IMG src="http://www.apache.org/images/asf-logo.gif" width="258" height="66">
</A>
</TD>
</TR>
<TR>
<TD id="page_title">
<!-- $TITLE -->
Securing a Web Service
</TD>
<TD align="right">
<BR><BR>
<!-- Google CSE Search Box Begins -->
<FORM id="searchbox_010475492895890475512:_t4iqjrgx90" action="http://www.google.com/cse">
<INPUT type="hidden" name="cx" value="010475492895890475512:_t4iqjrgx90">
<INPUT type="hidden" name="cof" value="FORID:0">
<INPUT name="q" type="text" size="25">
<INPUT type="submit" name="sa" value="Search">
</FORM>
<SCRIPT type="text/javascript" src="http://www.google.com/coop/cse/brand?form=searchbox_010475492895890475512:_t4iqjrgx90"></SCRIPT>
<!-- Google CSE Search Box Ends -->
</TD>
</TR>
</TABLE>
<P>
<!-- $BODY -->
<DIV id="PageContent">
<P>Web Services are a very common way to implement a Service Oriented Architecture (SOA).</P>
<P>There are lots of web service standards/specifications (XML, SOAP, WSDL, UDDI, WS-*, ...) coming from organizations like W3C, OASIS, WS-I, ...<BR>
And there are Java web service standards like JAX-WS 1.x (JSR 181), JAX-WS 2.0 (JSR 224). </P>
<P>OpenEJB provides a standard way to implement the web service transport protocol through the JAX-WS specification.<BR>
The basic Java standards for web services (JAX-WS) lack some features that are required in most real-world applications, e.g. standard ways of handling security and authentication (there is no Java specification for OASIS's WS-Security specification).</P>
<P>OpenEJB provides two mechanisms to secure web services: transport-level security (HTTPS and HTTP authentication) and message-level security (WS-Security): </P>
<UL>
<LI>HTTPS: works at the transport level and provides point-to-point security. It has no impact on development. It allows you to:
<OL>
<LI>Secure data over the network by encrypting it during transport</LI>
<LI>Identify the end user with SSLv3 when a client certificate is required (SSLv3 has since been deprecated; prefer a current TLS version)</LI>
<LI>OpenEJB supports BASIC authentication over HTTP(S), using the configured JAAS provider. This will honour any EJB security roles you have set up using @RolesAllowed. BASIC sends the username and password only Base64-encoded, not encrypted, so use it over HTTPS rather than plain HTTP. See the webservice-security example in the OpenEJB codebase <A href="http://svn.apache.org/repos/asf/openejb/trunk/openejb3/examples/" class="external-link" rel="nofollow">http://svn.apache.org/repos/asf/openejb/trunk/openejb3/examples/</A></LI>
</OL>
</LI>
</UL>
<DIV class="panelMacro"><TABLE class="warningMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/forbidden.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>Warning</B><BR>Currently, BASIC is the only HTTP authentication mechanism available when running OpenEJB standalone or in a unit test, but we hope to support DIGEST in the future.</TD></TR></TABLE></DIV>
<UL>
<LI>WS-Security: works at the message (SOAP) level and provides higher-level security.<BR>
Nowadays, SOAP implementations use protocols other than just HTTP, so security must be applied to the message itself and not only at the transport layer. Moreover, HTTPS can only secure point-to-point services, which are becoming less common with architectures such as the Enterprise Service Bus. </LI>
</UL>
<P>The Oasis organization has defined a standard (part of well-known WS-*) which aims at providing high level features in the context of web services: WS-Security. It provides a standard way to secure your services above and beyond transport level protocols such as HTTPS. WS-Security relies on other standards like XML-Encryption. Main features are:</P>
<UL>
<LI>Timestamp a message,</LI>
<LI>Pass credentials (plain text and/or ciphered) between services,</LI>
<LI>Sign messages,</LI>
<LI>Encrypt messages or part of messages.</LI>
</UL>
<P>Again, JAX-WS doesn't standardize security for web services. OpenEJB provides a common and highly configurable way to configure WS-Security in association with the JAX-WS usage without vendor dependence. Internally, OpenEJB integrates Apache WSS4J as the WS-Security implementation. To use the integration, you will need to configure WSS4J using the <TT>openejb-jar.xml</TT>.</P>
<DIV class="panelMacro"><TABLE class="warningMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/forbidden.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>Warning</B><BR>The proposed WS-Security integration is only used on the server side. Currently, WS-Security client configuration is not managed by OpenEJB. You can use the JAX-WS API to create a stub and then rely on the implementation to set up WS-Security properties.</TD></TR></TABLE></DIV>
<P>This configuration file lets you set up incoming and outgoing security parameters. Incoming and outgoing configuration is independent so that you can configure either one or the other or both. You can decide to check client credentials for incoming messages and sign outgoing messages (response).</P>
<H1><A name="SecuringaWebService-Configurationprinciples"></A>Configuration principles</H1>
<P>The configuration is made in the <TT>openejb-jar.xml</TT>. Each endpoint web service can provide a set of properties to customize WS-Security behavior through the &lt;properties&gt; element. The content of this element is consistent with the overall structure of <TT>openejb.xml</TT>. The format for properties is the same as if you would use a common java property file.</P>
<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
<PRE class="code-xml">
[...]
<SPAN class="code-tag">&lt;properties&gt;</SPAN>
wss4j.in.action = UsernameToken
wss4j.in.passwordType = PasswordDigest
wss4j.in.passwordCallbackClass=org.superbiz.calculator.CustomPasswordHandler
<SPAN class="code-tag">&lt;/properties&gt;</SPAN>
[...]
</PRE>
</DIV></DIV>
<P>To pick up the WSS4J properties for both input and output, OpenEJB uses a naming convention.<BR>
Each property has the form: </P>
<BLOCKQUOTE>
<P><TT>&lt;wss4j&gt;.&lt;in|out&gt;.&lt;wss4j property name&gt;=&lt;wss4j property value&gt;</TT></P></BLOCKQUOTE>
<P>For example : <TT>wss4j.in.action = UsernameToken</TT></P>
<H1><A name="SecuringaWebService-UsernameToken%28Passworddigest%29example"></A>Username Token (Password digest) example</H1>
<H4><A name="SecuringaWebService-Excerptfrom%7B%7Bopenejbjar.xml%7D%7D."></A>Excerpt from <TT>openejb-jar.xml</TT>.</H4>
<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
<PRE class="code-xml">
<SPAN class="code-tag">&lt;openejb-jar xmlns=<SPAN class="code-quote">&quot;http://openejb.apache.org/xml/ns/openejb-jar-2.2&quot;</SPAN>&gt;</SPAN>
<SPAN class="code-tag">&lt;enterprise-beans&gt;</SPAN>
...
<SPAN class="code-tag">&lt;session&gt;</SPAN>
<SPAN class="code-tag">&lt;ejb-name&gt;</SPAN>CalculatorImpl<SPAN class="code-tag">&lt;/ejb-name&gt;</SPAN>
<SPAN class="code-tag">&lt;web-service-security&gt;</SPAN>
<SPAN class="code-tag">&lt;security-realm-name/&gt;</SPAN>
<SPAN class="code-tag">&lt;transport-guarantee&gt;</SPAN>NONE<SPAN class="code-tag">&lt;/transport-guarantee&gt;</SPAN>
<SPAN class="code-tag">&lt;auth-method&gt;</SPAN>WS-SECURITY<SPAN class="code-tag">&lt;/auth-method&gt;</SPAN>
<SPAN class="code-tag">&lt;properties&gt;</SPAN>
wss4j.in.action = UsernameToken
wss4j.in.passwordType = PasswordDigest
wss4j.in.passwordCallbackClass=org.superbiz.calculator.CustomPasswordHandler
<SPAN class="code-tag">&lt;/properties&gt;</SPAN>
<SPAN class="code-tag">&lt;/web-service-security&gt;</SPAN>
<SPAN class="code-tag">&lt;/session&gt;</SPAN>
...
<SPAN class="code-tag">&lt;/enterprise-beans&gt;</SPAN>
<SPAN class="code-tag">&lt;/openejb-jar&gt;</SPAN>
</PRE>
</DIV></DIV>
<H4><A name="SecuringaWebService-Requestsentbytheclient."></A>Request sent by the client. </H4>
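<P>This request contains SOAP headers that carry the security information. You can see the <TT>UsernameToken</TT> element from the WS-Security specification; its <TT>Password</TT> element is of type <TT>PasswordDigest</TT> and is accompanied by a <TT>Nonce</TT> and a <TT>Created</TT> timestamp. Because the excerpt above sets <TT>transport-guarantee</TT> to <TT>NONE</TT>, the rest of the message, including the SOAP body, is sent in clear text.</P>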
<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
<PRE class="code-xml">
POST /CalculatorImplUsernameTokenHashedPassword HTTP/1.1
Content-Type: text/xml; charset=UTF-8
SOAPAction: &quot;&quot;
Accept: *
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.5.0_05
Host: 127.0.0.1:8204
Connection: keep-alive
Transfer-Encoding: chunked
524
<SPAN class="code-tag">&lt;soap:Envelope <SPAN class="code-keyword">xmlns:soap</SPAN>=<SPAN class="code-quote">&quot;http://schemas.xmlsoap.org/soap/envelope/&quot;</SPAN>&gt;</SPAN>
<SPAN class="code-tag">&lt;soap:Header&gt;</SPAN>
<SPAN class="code-tag">&lt;wsse:Security <SPAN class="code-keyword">xmlns:wsse</SPAN>=<SPAN class="code-quote">&quot;http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd&quot;</SPAN> soap:mustUnderstand=<SPAN class="code-quote">&quot;1&quot;</SPAN>&gt;</SPAN>
&lt;wsse:UsernameToken <SPAN class="code-keyword">xmlns:wsu</SPAN>=<SPAN class="code-quote">&quot;http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd&quot;</SPAN>
wsu:Id=<SPAN class="code-quote">&quot;UsernameToken-22402238&quot;</SPAN>
<SPAN class="code-keyword">xmlns:wsse</SPAN>=<SPAN class="code-quote">&quot;http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd&quot;</SPAN>&gt;
<SPAN class="code-tag">&lt;wsse:Username <SPAN class="code-keyword">xmlns:wsse</SPAN>=<SPAN class="code-quote">&quot;http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd&quot;</SPAN>&gt;</SPAN>jane<SPAN class="code-tag">&lt;/wsse:Username&gt;</SPAN>
&lt;wsse:Password Type=<SPAN class="code-quote">&quot;http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest&quot;</SPAN>
<SPAN class="code-keyword">xmlns:wsse</SPAN>=<SPAN class="code-quote">&quot;http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd&quot;</SPAN>&gt;tf7k3a4GREIt1xec/KXVmBdRNIg=<SPAN class="code-tag">&lt;/wsse:Password&gt;</SPAN>
<SPAN class="code-tag">&lt;wsse:Nonce <SPAN class="code-keyword">xmlns:wsse</SPAN>=<SPAN class="code-quote">&quot;http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd&quot;</SPAN>&gt;</SPAN>cKhUhmjQ1hGYPsdOLez5kA==<SPAN class="code-tag">&lt;/wsse:Nonce&gt;</SPAN>
<SPAN class="code-tag">&lt;wsu:Created <SPAN class="code-keyword">xmlns:wsu</SPAN>=<SPAN class="code-quote">&quot;http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd&quot;</SPAN>&gt;</SPAN>2009-04-14T20:16:26.203Z<SPAN class="code-tag">&lt;/wsu:Created&gt;</SPAN>
<SPAN class="code-tag">&lt;/wsse:UsernameToken&gt;</SPAN>
<SPAN class="code-tag">&lt;/wsse:Security&gt;</SPAN>
<SPAN class="code-tag">&lt;/soap:Header&gt;</SPAN>
<SPAN class="code-tag">&lt;soap:Body&gt;</SPAN>
<SPAN class="code-tag">&lt;ns1:sum <SPAN class="code-keyword">xmlns:ns1</SPAN>=<SPAN class="code-quote">&quot;http://superbiz.org/wsdl&quot;</SPAN>&gt;</SPAN>
<SPAN class="code-tag">&lt;arg0&gt;</SPAN>4<SPAN class="code-tag">&lt;/arg0&gt;</SPAN>
<SPAN class="code-tag">&lt;arg1&gt;</SPAN>6<SPAN class="code-tag">&lt;/arg1&gt;</SPAN>
<SPAN class="code-tag">&lt;/ns1:sum&gt;</SPAN>
<SPAN class="code-tag">&lt;/soap:Body&gt;</SPAN>
<SPAN class="code-tag">&lt;/soap:Envelope&gt;</SPAN>
</PRE>
</DIV></DIV>
<H4><A name="SecuringaWebService-Theresponsereturnedfromtheserver."></A>The response returned from the server.</H4>
<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
<PRE class="code-xml">
HTTP/1.1 200 OK
Content-Length: 200
Connection: close
Content-Type: text/xml; charset=UTF-8
Server: OpenEJB/??? (unknown os)
<SPAN class="code-tag">&lt;soap:Envelope <SPAN class="code-keyword">xmlns:soap</SPAN>=<SPAN class="code-quote">&quot;http://schemas.xmlsoap.org/soap/envelope/&quot;</SPAN>&gt;</SPAN>
<SPAN class="code-tag">&lt;soap:Body&gt;</SPAN>
<SPAN class="code-tag">&lt;ns1:sumResponse <SPAN class="code-keyword">xmlns:ns1</SPAN>=<SPAN class="code-quote">&quot;http://superbiz.org/wsdl&quot;</SPAN>&gt;</SPAN>
<SPAN class="code-tag">&lt;return&gt;</SPAN>10<SPAN class="code-tag">&lt;/return&gt;</SPAN>
<SPAN class="code-tag">&lt;/ns1:sumResponse&gt;</SPAN>
<SPAN class="code-tag">&lt;/soap:Body&gt;</SPAN>
<SPAN class="code-tag">&lt;/soap:Envelope&gt;</SPAN>
</PRE>
</DIV></DIV>
<H1><A name="SecuringaWebService-JAASwithWSSecurity"></A>JAAS with WS-Security</H1>
<P>@RolesAllowed doesn't work out of the box with WS-Security, but you can add calls to the OpenEJB SecurityService in a CallbackHandler to log in to a JAAS provider. Once you have done this, any permissions configured with @RolesAllowed should be honoured.</P>
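<P>Here is a snippet from the webservice-ws-security example demonstrating this. The passwords in it are hard-coded for the purpose of the example; the TODO comment in the snippet marks where a real lookup would go.</P>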
<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
<PRE class="code-java">
// Password callback handler for WSS4J. Presumably this is the class named by
// the wss4j.in.passwordCallbackClass property in the openejb-jar.xml excerpts
// on this page (org.superbiz.calculator.CustomPasswordHandler).
// It supplies passwords to WSS4J and, for username tokens, logs the caller in
// through the OpenEJB SecurityService.
<SPAN class="code-keyword">public</SPAN> class CustomPasswordHandler <SPAN class="code-keyword">implements</SPAN> CallbackHandler {
// Handles the first callback only. callbacks[0] is cast to WSPasswordCallback
// without a length or instanceof check, so an empty array or another callback
// type fails with a runtime exception rather than the declared
// UnsupportedCallbackException.
<SPAN class="code-keyword">public</SPAN> void handle(Callback[] callbacks) <SPAN class="code-keyword">throws</SPAN> IOException, UnsupportedCallbackException {
WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
// The passwords set below are string literals and do not depend on the
// identifier carried by the callback.
// NOTE(review): example values only; a deployment would look them up per
// user or per key from a protected store instead of compiling them in.
<SPAN class="code-keyword">if</SPAN>(pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN) {
<SPAN class="code-comment">// TODO get the password from the users.properties <SPAN class="code-keyword">if</SPAN> possible
</SPAN> pc.setPassword(<SPAN class="code-quote">&quot;waterfall&quot;</SPAN>);
} <SPAN class="code-keyword">else</SPAN> <SPAN class="code-keyword">if</SPAN>(pc.getUsage() == WSPasswordCallback.DECRYPT) {
pc.setPassword(<SPAN class="code-quote">&quot;serverPassword&quot;</SPAN>);
} <SPAN class="code-keyword">else</SPAN> <SPAN class="code-keyword">if</SPAN>(pc.getUsage() == WSPasswordCallback.SIGNATURE) {
pc.setPassword(<SPAN class="code-quote">&quot;serverPassword&quot;</SPAN>);
}
// For username tokens, also establish a JAAS login so that the role checks
// described in the text above can apply.
// NOTE(review): in the USERNAME_TOKEN case pc.getPassword() presumably returns
// the literal set above, so the login below uses that value; in the
// USERNAME_TOKEN_UNKNOWN case this method sets no password, so the value is
// whatever the callback already carries. Confirm against the WSS4J version in use.
<SPAN class="code-keyword">if</SPAN> ((pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN)
|| (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN)) {
SecurityService securityService = SystemInstance.get()
.getComponent(SecurityService.class);
<SPAN class="code-object">Object</SPAN> token = <SPAN class="code-keyword">null</SPAN>;
<SPAN class="code-keyword">try</SPAN> {
// Drop any existing association before logging in, then bind the new
// login token via associate(token).
// getIdentifer is spelled as in the snippet; it looks like the WSS4J
// method name of that era. Verify against the WSS4J version in use.
securityService.disassociate();
token = securityService.login(pc.getIdentifer(), pc.getPassword());
securityService.associate(token);
} <SPAN class="code-keyword">catch</SPAN> (LoginException e) {
// The stack trace goes to standard error and the LoginException is not
// chained as the cause; the caller sees only a SecurityException with a
// fixed message.
e.printStackTrace();
<SPAN class="code-keyword">throw</SPAN> <SPAN class="code-keyword">new</SPAN> SecurityException(<SPAN class="code-quote">&quot;wrong password&quot;</SPAN>);
} <SPAN class="code-keyword">finally</SPAN> {
// Empty finally block: nothing is cleaned up here, and the association
// made by associate(token) is not undone in this method.
}
}
}
}
</PRE>
</DIV></DIV>
<H1><A name="SecuringaWebService-Examples"></A>Examples</H1>
<P>A full example (webservice-ws-security) is available with OpenEJB Examples.</P>
</DIV>
</P>
</TD>
<TD class="Col4"><IMG src="http://openejb.apache.org/images/dotTrans.gif"></TD>
<TD class="Col5">
</TD>
</TR>
<TR class="Row5">
<TD class="Col1">&nbsp;</TD>
<TD class="Col2">&nbsp;</TD>
<TD class="Col3">
<BR>
<BR>
<IMG width="100%" height="1" src="http://openejb.apache.org/images/line_light.gif">
<TABLE width="100%">
<TR>
<TD>
<SPAN class="bodyGrey">
<SMALL>
<NOTICE><!-- $FOOTER -->
Apache OpenEJB is a project of The Apache Software Foundation (ASF)
</NOTICE>
<BR>
Site Powered by
<A href="http://atlassian.com/">Atlassian</A>
<A href="http://atlassian.com/confluence/">Confluence</A>
.
</SMALL>
</SPAN>
</TD>
<TD align="right">
<A style="color:#999;font-size:small;font-weight:normal;" href="https://cwiki.apache.org/confluence/pages/editpage.action?spaceKey=OPENEJB&title=Securing%20a%20Web%20Service">[ edit ]</A>
</TD>
</TR>
</TABLE>
<BR>
</TD>
<TD class="Col4"><IMG src="http://openejb.apache.org/images/dotTrans.gif"></TD>
<TD class="Col5">&nbsp;</TD>
</TR>
</TABLE>
<!-- Needed for composition plugin -->
<!-- delay the loading of large javascript files to the end so that they don't interfere with the loading of page content -->
<SPAN style="display: none">
<SCRIPT type="text/javascript" language="JavaScript" src="http://cwiki.apache.org/confluence/labels-javascript"></SCRIPT>
<SCRIPT src="http://www.google-analytics.com/urchin.js" type="text/javascript">
</SCRIPT>
<SCRIPT type="text/javascript">
// Analytics account id, assigned without var and therefore as an implicit
// global; presumably urchinTracker() reads it. TODO confirm against urchin.js.
_uacct = "UA-2717626-1";
// urchinTracker is not defined in this file; it is expected to come from the
// urchin.js script included just above, so this call throws a ReferenceError
// if that script failed to load.
urchinTracker();
</SCRIPT>
</SPAN>
</BODY>
</HTML>