weblogic Ws-security policy vs oasis policy


We are trying to configure ws-security on a webservice deployed on Weblogic 10.3.6: the purpose is to permit the execution of the ws only if authenticated.

So, we created a user ("dummy") in the default WebLogic realm and communicated the credentials to the developer of the client of this webservice.

He has released a test Envelope, run from SOAP-UI:

<soapenv:Envelope xmlns:sch="http://com.webservices.amm.standalone.key.provider/schema.xsd" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Header>
      <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
         <wsse:UsernameToken wsu:Id="UsernameToken-2">
            <wsse:Username>dummy</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"><!-- digested password --></wsse:Password>
            <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"><!-- encoding type --></wsse:Nonce>
            <wsu:Created>2015-06-24T14:42:48.749Z</wsu:Created>
         </wsse:UsernameToken>
      </wsse:Security>
   </soapenv:Header>
   <soapenv:Body>
      <sch:searchKeyReq>
         <sch:KeyProviderInput>
            <!-- Here input attributes: -->
         </sch:KeyProviderInput>
      </sch:searchKeyReq>
   </soapenv:Body>
</soapenv:Envelope>

whose response is:

<?xml version='1.0' encoding='UTF-8'?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
   <S:Body>
      <SOAP-ENV:Fault xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
         <faultcode xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">SOAP-ENV:MustUnderstand</faultcode>
         <faultstring>MustUnderstand headers:[{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood</faultstring>
      </SOAP-ENV:Fault>
   </S:Body>
</S:Envelope>

Obviously, I think, this is because no ws-policy is configured on the webservice.

So the questions are:

1) Which policy must we associate with our webservice (via the Administration Console or the WebLogic @Policy annotation) to correspond to the OASIS policy we see in the soapenv:Header tag?

2) Must the "dummy" user have some specific role?

Thanks in advance

1
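The header in the question uses the UsernameToken profile's PasswordDigest type, where the client sends Base64(SHA-1(nonce + created + password)) instead of the password itself. The following is an added example (not code from the question or from WebLogic) showing what a server has to do to accept such a token: recompute the digest from the stored password, check the `wsu:Created` timestamp for freshness, and remember nonces so a captured header cannot be replayed. The namespaces and the `dummy` username are taken from the envelope above; the password `s3cret`, the nonce bytes and the `build_envelope` helper are constructed for the example.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace URIs exactly as they appear in the question's envelope.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken profile 1.0: Base64(SHA-1(nonce + created + password)).
    `nonce` is the raw (already Base64-decoded) nonce, `created` the wsu:Created text."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_envelope(username: str, password: str, created: str, nonce: bytes) -> str:
    """Constructed sample request with the same header shape as the question's
    envelope (Body left empty). Only used here to exercise the verifier."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAPENV}"><soapenv:Header>'
        f'<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f'<wsse:UsernameToken wsu:Id="UsernameToken-1">'
        f'<wsse:Username>{username}</wsse:Username>'
        f'<wsse:Password Type="{PASSWORD_DIGEST}">'
        f'{password_digest(nonce, created, password)}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{BASE64_BINARY}">'
        f'{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>'
        f'<wsu:Created>{created}</wsu:Created>'
        f'</wsse:UsernameToken></wsse:Security></soapenv:Header>'
        f'<soapenv:Body/></soapenv:Envelope>'
    )


def verify_username_token(envelope_xml: str, passwords: dict, seen_nonces: set,
                          now: datetime, max_skew: timedelta = timedelta(minutes=5)) -> tuple:
    """Server-side check of a PasswordDigest UsernameToken. Returns (ok, reason).
    `passwords` maps username -> cleartext password: a digest can only be verified
    if the server can recompute it. `seen_nonces` is the caller's replay cache."""
    root = ET.fromstring(envelope_xml)
    token = root.find(f".//{{{WSSE}}}UsernameToken")
    if token is None:
        return False, "no UsernameToken"
    username = token.findtext(f"{{{WSSE}}}Username")
    pw_el = token.find(f"{{{WSSE}}}Password")
    nonce_el = token.find(f"{{{WSSE}}}Nonce")
    created = token.findtext(f"{{{WSU}}}Created")
    if username is None or pw_el is None or nonce_el is None or created is None:
        return False, "token incomplete"
    if pw_el.get("Type") != PASSWORD_DIGEST:
        return False, "password is not a digest"
    # Freshness: a Created timestamp outside the window is rejected.
    created_dt = datetime.strptime(created, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    if abs(now - created_dt) > max_skew:
        return False, "token expired or clock skew too large"
    # Replay: each (username, nonce) pair is accepted only once within the window.
    nonce = base64.b64decode(nonce_el.text or "")
    replay_key = (username, nonce)
    if replay_key in seen_nonces:
        return False, "nonce replayed"
    expected = password_digest(nonce, created, passwords.get(username, ""))
    presented = (pw_el.text or "").encode("ascii", "replace")
    if username not in passwords or not hmac.compare_digest(expected.encode("ascii"), presented):
        return False, "bad credentials"
    seen_nonces.add(replay_key)
    return True, "ok"


if __name__ == "__main__":
    # Constructed values: Created is copied from the question, nonce/password are made up.
    created = "2015-06-24T14:42:48.749Z"
    now = datetime(2015, 6, 24, 14, 43, 0, tzinfo=timezone.utc)
    env = build_envelope("dummy", "s3cret", created, b"0123456789abcdef")
    cache = set()
    print(verify_username_token(env, {"dummy": "s3cret"}, cache, now))  # first use: accepted
    print(verify_username_token(env, {"dummy": "s3cret"}, cache, now))  # same header again: replay
```

The freshness window and the nonce cache are what make a digest token worth more than a plaintext one: without them the SHA-1 digest is just a fixed credential that can be resent. Note also that a digest token requires the server to hold the cleartext password (or an equivalent), which is why WebLogic's digest-based policies need a password-retrieval-capable authentication provider.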

There is 1 answer

0
Ali Abazari On

You can simply add the line below to your web service class:

@Policy(uri = "Wssp1.2-2007-Https-UsernameToken-Plain.xml", attachToWsdl=true)

By means of this policy you tell the clients to send their username and password (plain text). There are some other policies that you can choose in order to send an encrypted password, such as Digest. You can choose this policy also from the WebLogic console.

And about the role of the user, according to my knowledge, defining a new user in the security realm just works really well, but in order to manage roles and permissions there should be some roles.