January 16, 2021
Hot Topics:

Securing Web Services in JBoss Application Server with WS-Security

  • By Javid Jamae & Peter Johnson
  • Send Email »
  • More Articles »
This article is based on a chapter from JBoss in Action: Configuring the JBoss Application Server by Javid Jamae and Peter Johnson. It is being reproduced here by permission from Manning Publications. Manning early access books and ebooks are sold exclusively through Manning. For more information, visit www.manning.com/jamae/.

In this article, we show you how to secure a web service using WS-Security. WS-Security is a specification from OASIS (Organization for the Advancement of Structured Information Standards, http://www.oasis-open.org) that describes enhancements to SOAP messaging to provide message integrity and confidentiality. It provides mechanisms that can be used to accommodate a wide variety of security models and encryption technologies. You will use WS-Security to encrypt the web message and sign it. You will do this in two steps, first securing the web service and then adding authentication.

For our example we use JBoss Web Services 2.0.x. JBoss Application Server 4.2.2 and the JBoss Application Server 5.0 beta and release candidate contain this version of JBoss Web Services.

First, you need a web service to secure. Listing 1 provides a simple POJO hello web service.

package org.jbia.ws;
import javax.jws.*;
public class Hello {
   public String sayHello(String name)
   return "Hello " + name;

Listing 1: A simple hello web service

You'll also need a web.xml, provided in listing 2.


Listing 2: The web.xml file for the hello web service

Compile the web service, place it and the web.xml file into a WAR file, and put the WAR file into the server/xxx/deploy directory, where xxx is the configuration directory name, such as default. Once the web service is deployed, you can generate the stubs required for the client by entering the following command:

   –k http://localhost:8080/hello/hello?wsdl

The wsconsume utility places the stubs into a directory named output. Listing 3 provides a client of that web service. Place the client source file in the output/org/jbia/ws directory.

package org.jbia.ws;
public class Client {
   public static void main(String[] args) {
      if (args.length > 0) {
         HelloService svc = new HelloService();
         Hello hello = svc.getHelloPort();
         for (int i = 0; i < args.length; i++) {

Listing 3: A client for the hello web service

Compile the client along with the Java source files generated by the wsconsume utility. Then test the client by running the following command:

   –classpath output org.jbia.ws.Client Javid Peter

You should see this response:

Hello Javid
Hello Peter

Now that you have a working web service and its client, we can show you how to secure it.

Encrypting web messages

If your web service transmits confidential information such as medical records, you'll want to encrypt the message so that the contents can't be monitored during transport. In this section, we show you how to encrypt the hello web service.

One of the unique aspects of encrypting a web service is that it can be done in two different ways. First, you can use SSL to transport messages using HTTPS. The mechanisms used to set this up are much the same as for using SSL with a web application. You can also use WS-Security; the contents of the message are encrypted by the JAX-WS implementation on both the client and the server. These two methods are illustrated in figure 1.

Figure 1: Web service requests and responses go though both the JAX-WS and transport layers, and thus either layer can be used to encrypt and decrypt the requests and responses.

The steps to encrypt the messages are to generate the security certificates and to configure the server and client to use those certificates. We walk you through all the steps to secure the web service, even the steps to generate the certificates.

Page 1 of 5

This article was originally published on February 13, 2009

Enterprise Development Update

Don't miss an article. Subscribe to our newsletter below.

Thanks for your registration, follow us on our social networks to keep up-to-date