
LAB-3410: Learn to Build Reliable and Secure Web Services using JAX-WS and WSIT

Carol McDonald


Learn how to develop reliable, secure, interoperable Web Services and clients using Metro and NetBeans


Sun’s Web Services Stack

Metro: JAX-WS + WSIT

JAXB = Java Architecture for XML Binding | JAX-WS = Java APIs for XML Web Services

[Diagram: layers of the stack]
• tools: NetBeans JAX-WS Tooling
• WSIT: Transactions, Reliable-Messaging, Security, Metadata (WSDL, Policy)
• JAX-WS: Core Web Services
• xml: JAXB, JAXP, StAX
• transport: HTTP, TCP, SMTP


How Hands-on Labs Work

• We will give a brief explanation of each lab exercise and a demo

• You will do the lab exercises on your own by reading the lab document
  > In the browser, or on paper

• Feel free to ask questions; proctors are here to help


Lab Format

• “Free form” lab
• This lab is for 120 mins
• Lab setup
• 4 Lab exercises:
  > Exercise 1: Creating a Web Service
  > Exercise 2: Creating a Web Service Client
  > Exercise 3: Configuring WSIT Reliability in a Web Service
  > Exercise 4: Configuring WSIT Security in a Web Service


Exercise 0: Lab Setup

1. Install Java SE 6

2. Install NetBeans 6 w/ GlassFish

3. Copy 3410_metro.zip and unzip
   > Will create metro directory = <lab_root>
   > It contains the following:
     > lab document index.html (same as paper)
     > Exercises, solutions directory

4. Create the database tables

5. Install Security Certificates in GlassFish


Agenda

• Exercise 1: Creating a Web Service
• Exercise 2: Creating a Web Service Client
• Exercise 3: Configuring WSIT Reliability in a Web Service
• Exercise 4: Configuring WSIT Security in a Web Service


Developing a Web Service Starting with a Java class

[Diagram: from Java class to deployed service]
• You develop: @WebService POJO implementation class (servlet-based or stateless session EJB), optional handler classes
• Packaged application (war/ear file)
• Deployment creates the JAXB and JAX-WS files needed for the service
• Service contract: WSDL


Example: Servlet-Based Endpoint

    import java.util.List;
    import javax.jws.WebService;

    @WebService
    public class Catalog {
        public List<Item> getItems(int firstItem, int batchSize) {
            // .... (elided on the slide; q is defined here)
            return q.getResultList();
        }
    }

• All public methods become web service operations

• WSDL/Schema generated at deploy time automatically

• Default values for WSDL service name, etc.


Service Description: default mapping, Java -> WSDL

    public class Catalog {
        public List<Item> getItems(int firstItem, int batchSize) { ... }
    }

    <portType name="Catalog">
      <operation name="getItems">
        <input message="tns:getItems"/>
        <output message="tns:getItemsResponse"/>
      </operation>
    </portType>

• PORT TYPE = ABSTRACT INTERFACE
• OPERATION = METHOD
• MESSAGE = PARAMETERS AND RETURN VALUES


Demo Creating a Web Service


Client-Side Programming

[Diagram: client-side flow]
• Service contract: WSDL
• wsimport tool generates the @WebService interface and Dynamic Proxy
• You develop: client which calls proxy


Example: JSF Managed Bean WS Client

No Java Naming and Directory Interface™ (JNDI) API!

    import java.util.List;
    import javax.xml.ws.WebServiceRef;

    public class ItemController {

        // Factory Class: CatalogService, injected by the container
        @WebServiceRef(wsdlLocation = "http://.../CatalogService?wsdl")
        private CatalogService service;

        public DataModel getNextItems() {
            // Get Proxy Class; Catalog is the Business Interface
            Catalog port = service.getCatalogPort();
            List<Item> result = port.getItems(arg0, arg1);
            // . . .
        }
    }


WSDL Elements/Java Mapping

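[Diagram: WSDL elements (related by 1 and 1..n multiplicities) and the Java artifacts they map to]
• Service -> Factory Class (CatalogService)
• Port -> Proxy (CatalogPort)
• PortType -> Business Interface (Catalog)
• Operation -> Method
• Message -> Parameters
• Binding
• Types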


Demo Creating a Web Service Client


WS-ReliableMessaging

[Diagram: the client's JAX-WS/WCF client runtime acts as RMSource and the endpoint's JAX-WS/WCF server runtime acts as RMDestination; each side has a buffer. Application messages flow from source to destination, and Ack protocol messages flow back.]

> RMSource handles sending and re-sending
> RMDestination handles reconstructing the stream of messages
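
The division of work between RMSource and RMDestination, as an added Java example (not code from the lab or from Metro): message numbers start at 1, the destination buffers early arrivals and delivers in order, and the source resends whatever has not been acknowledged. The class and method names, the in-memory channel and the set of lost messages are assumptions made for illustration.

```java
import java.util.*;

public class RmDemo {
    /** RMDestination: buffers what arrives early and releases messages in sequence order. */
    static class RmDestination {
        private final SortedMap<Integer, String> buffer = new TreeMap<>();
        final List<String> delivered = new ArrayList<>();
        private int next = 1;                        // next message number to deliver

        /** Accepts one message; returns every number received so far (the acknowledgement). */
        Set<Integer> receive(int number, String payload) {
            if (number >= next) buffer.put(number, payload);   // already-delivered duplicate: ignore
            while (buffer.containsKey(next)) delivered.add(buffer.remove(next++));
            Set<Integer> acked = new TreeSet<>(buffer.keySet());
            for (int n = 1; n < next; n++) acked.add(n);
            return acked;
        }
    }

    /** RMSource: holds each message until it is acknowledged and resends the rest each round. */
    static List<String> send(List<String> messages, Set<Integer> lostOnFirstAttempt) {
        RmDestination destination = new RmDestination();
        SortedMap<Integer, String> unacked = new TreeMap<>();
        for (int i = 0; i < messages.size(); i++) unacked.put(i + 1, messages.get(i));
        for (int round = 0; !unacked.isEmpty(); round++) {
            Set<Integer> acked = new TreeSet<>();
            for (Map.Entry<Integer, String> m : unacked.entrySet()) {
                if (round == 0 && lostOnFirstAttempt.contains(m.getKey())) continue;  // dropped in transit
                acked = destination.receive(m.getKey(), m.getValue());
            }
            unacked.keySet().removeAll(acked);       // acknowledged messages leave the source buffer
        }
        return destination.delivered;
    }

    public static void main(String[] args) {
        // Constructed run: messages 1 and 3 are lost once, so 2 and 4 arrive first and wait in the buffer.
        List<String> out = send(Arrays.asList("m1", "m2", "m3", "m4"),
                                new HashSet<>(Arrays.asList(1, 3)));
        System.out.println(out);
    }
}
```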


Configuration with NetBeans


Demo Configuring WSIT Reliability in a Web Service


Digital Certificate

Identity data signed by a Certification Authority. Provides a trusted source of identification.

[Diagram: X.509 Certificate, marked "CA Authorized", with the fields:]
• Version #
• Serial #
• Signature Algorithm
• Issuer Name
• Validity Period
• Subject Name
• Subject Public Key
• Issuer Unique ID
• Subject Unique ID
• Extensions
• Digital Signature

Digital ID

• Electronic Proof of Identity
• Issued and signed by Certifying Authority
• Public, Private keys
• Makes security protocols work
  > SSL


Encryption

Asymmetric keys

[Diagram: the sender encrypts the original document with the receiver's public key; the receiver decrypts the encrypted document with the receiver's private key to recover the original document.]

• XML Encryption (data confidentiality)
• Only the private key can decrypt


Digital Signature

[Diagram: the sender transforms the XML data and encrypts the result with the sender's private key to produce the signature; the receiver applies the same transform to the XML data and decrypts the signature with the sender's public key.]

• XML Signature (data integrity)
• Bind the sender’s identity to an XML document


WS-Security: SOAP Message Security

• WS-Security defines:
  • Encrypting and signing message parts:
    • XML Signature and XML Encryption in SOAP Header
  • How to pass security tokens
    • (token = security information that identifies the msg sender)
    • UserName/Password token
    • X.509 certificates
    • SAML
    • Kerberos tickets

[Diagram: SOAP Envelope containing the SOAP Envelope Header (WS-Security Header with Security Token) and the SOAP Envelope Body (Business Payload)]


WS-security example

    <?xml version="1.0" encoding="utf-8"?>
    <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <SOAP:Header>
        <wssec:credentials xmlns:wssec="http://schemas.xmlsoap.org/ws/2001/10/security">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SigningCertificate">
            <ds:X509Data>
              <ds:X509Certificate>MIIH1zCCBr+gAwIBA...</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </wssec:credentials>
        <wssec:integrity xmlns:wssec="http://schemas.xmlsoap.org/ws/2001/10/security">
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              <ds:Reference URI="">
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>aiYECAxNqK2PivQaRweWajXup5zJa...</ds:SignatureValue>
            <ds:KeyInfo>
              <wsse:SecurityTokenReference>
                <wsse:Reference URI="#wssecurity_binary_security_token_id_1603"/>
              </wsse:SecurityTokenReference>
            </ds:KeyInfo>
          </ds:Signature>
        </wssec:integrity>
      </SOAP:Header>


Mutual Certificates Security

[Diagram: a web services client (SOAP client) sends signed and encrypted request data with a digital certificate token to a web services server, optionally over https/ssl. On the server side a security server performs signature validation, authentication, authorization and data decryption/encryption; the SOAP server and SOAP service handle the request data and return response data.]


Trust

• WS-Trust framework for:
  > Issue, validate security tokens used by WS-Security
  > Establish and broker trust relationships


WS-SecureConversation: Optimized Security

• How to Establish a Secure SESSION
  > For multiple message exchanges
  > Create shared symmetric session key
  > Optimizes processing

[Diagram: security context token; use generated symmetric session key]


Configuration with NetBeans


Demo Configuring WSIT Security in a Web Service


Summary

• Metro Integrated with GlassFish Application Server
  > JAX-WS
    > easier to use and more powerful than JAX-RPC
    > part of the Java EE 5 and Java SE 6 platforms
    > Layered design hides the complexity
      – Extensible at the protocol and transport level
  > WSIT
    > Makes Metro interoperable with other WS-* stacks
    > No new APIs, easy with NetBeans plugin


For More Information

• METRO
  > http://metro.dev.java.net
• JAX-WS
  > http://jax-ws.dev.java.net
  > http://www.netbeans.org/kb/60/websvc/jax-ws.html
• WSIT
  > http://wsit.dev.java.net
  > https://wsit-docs.dev.java.net/releases/1-0-FCS/index.html
• GlassFish
  > http://glassfish.dev.java.net
  > http://blogs.sun.com/theaquarium/
• Carol McDonald's blog
  > http://weblogs.java.net/blog/caroljmcdonald/


LAB-3410: Learn to Build Reliable and Secure Web Services using JAX-WS and WSIT

Carol McDonald, Fabian Ritzmann, Martin Grebac