Web Service Using Apache Axis Jan 18, 2012 Version 0.

1 Author - Vishal Joshi

Web services security guidelines

There are six important security considerations for a comprehensive security framework and those are as follows:

1. Authentication: This guarantees that the service is accessible for anyone

with verified identity.

2. Authorization: This guarantees that the only authenticated person has right
to access the service or data.

3. Confidentiality: This guarantees that the data pass between the requester
and provider are protected from eavesdroppers.

4. Integrity: This offers that the message was not modified in its path from
requester to provider.

5. Non-repudiation: It guarantees that the sender of message cannot deny

that user sent it at a later point in time.

6. Accessibility: This ensures that the service is always accessible and that it is
not impaired by attacks.

Web services today

Web services security is still in its infancy (i.e. security is ongoing process). New standards and applications are being continually developed and deployed. Web services security as of today can be achieved at two levels:

1. Security @ transport level

Security at the transport level uses the inbuilt security features of transport technologies like HTTP, IBM WebSphare MQseries, etc. Here we get to know that how the inbuilt security features of HTTP can be used to secure the web services transactions.

2. Security @ the SOAP/Messaging level

This level is currently being extensively researched and specifications are being developed by groups like OASIS (OASIS is another important standards organization that is developing a formal model/specification for providing more robust and scalable web services security). This involves usage of digital

signatures, certificates, etc., at the XML document level. This will be discussed in more detail in the second part of this series.

Securing web services with HTTP

Web services transactions over HTTP can be secured by using the following: HTTP basic authorization HTTPS (HTTP Secure) or HTTP with secured socket layer (SSL). HTTP basic authorization + HTTPS

However, HTTP security does not address all the web services security guidelines, listed earlier. The best possible configuration is to use HTTPS with HTTP basic authorization, which addresses all aspects of web service security except nonrepudiation and accessibility.

HTTP basic authorization

HTTP basic authorization (BASIC-AUTH) is a simple mechanism used in HTTP. Using this mechanism we can protect web resources from unauthorized access. To access resources protected using HTTP BASIC-AUTH, a user has to provide a username and password. The web site administrator configures the web server with a list of valid users and resources that a user can access. Since web services invocation over HTTP is the same as accessing a URL (endpoint URL) we can make use of BASIC-AUTH to restrict web services access. In this section, we will see how to setup BASIC-AUTH for a web service deployed in Apache Axis running on the Apache Jakarta Tomcat Web Server. Step 1: Writing and deploying a web service We shall begun by writing a simple Hello Service. The Hello Service is a simple java class. Create the simple java class named as HelloService.java

Public class HelloService { Public String sayHello(String name){ return Hello, +name; } } To deploy the program as a service, just copy it into '%TOMCAT_HOME %\webapps\axis' and rename it as HelloService.jws'. That is all there is to it, and you have deployed your first web service. Start the tomcat server and now your simple web service can be accessed from the URL http://localhost:8080/axis/ HelloService.jws?wsdl. But the service is not yet secure. In order to secure it, create a directory named 'protected' (or any name of your choice) inside '%TOMCAT_HOME%\webapps\axis' and move HelloService.jws' into this directory. Now the web service URL becomes http://localhost:8080/axis/protected/ HelloService.jws?wsdl. Step 2: Define user credential To add new user credentials, edit 'tomcat-users.xml' in '%TOMCAT_HOME%\conf' and add a new user as shown below: <?xml version='1.0' encoding='utf-8'?> <tomcat-users> <role rolename="tomcat"/> <role rolename="wsuser"/> <role rolename="role1"/> <user username="tomcat" password="tomcat" roles="tomcat"/> <user username="both" password="tomcat" roles="tomcat,role1"/> <user username="wsuser" password="wspwd" roles="wsuser"/> <user username="role1" password="tomcat" roles="role1"/> </tomcat-users> This step simply defines a new user and the role the user plays. In the next step we will show you how to associate a security constraint to a particular user role.

Step 3: Add a security constraint to the web service URL In order to add a security constraint, edit 'web.xml' in '%TOMCAT_HOME %\webapps\axis\WEB-INF' and insert the lines shown below: @See: immediately before the end of the element <web-app>. <security-constraint> <web-resource-collection> <web-resource-name>Protected</web-resource-name> <!-- specify the directory for restricted web Services application --> <url-pattern>/protected/*</url-pattern> </web-resource-collection> <auth-constraint> <!-- specify the role name of the new user added in step 2 --> <role-name>wsuser</role-name> </auth-constraint> </security-constraint>

<!-- Define the Login Configuration for this Application --> <login-config> <auth-method>BASIC</auth-method> <realm-name>Protected Web Services</realm-name> </login-config> Restart the Tomcat server so that the settings take effect. Try accessing the WSDL by going to the URL http://localhost:8080/axis/protected/ HelloService.jws?wsdl. The browser will request you to authenticate yourself by entering your username and password. Step 4: Writing a java client program to access the web service. Here we are creating a sample java client program.

import org.apache.axis.client.Call; import org.apache.axis.client.Service; import javax.xml.namespace.QName; public class HelloServiceClient { public static void main(String [] args) { try { String endpoint = "http://localhost:8080/axis/protected/HelloService.jws"; Service service = new Service(); Call call = (Call) service.createCall(); call.setTargetEndpointAddress( new java.net.URL(endpoint) ); call.setOperationName(new QName("sayHello ")); call.setUsername("wsuser"); call.setPassword("wspwd"); String ret = (String) call.invoke( new Object[] { "Hello!" } ); System.out.println("Sent 'Hello!', got '" + ret + "'"); } catch (Exception e) { System.err.println(e.toString()); } } }

HTTP secure (HTTPS)

Secure socket layer (SSL), is a technology which allows web browsers and web servers to communicate over a secured connection. This means that the data being sent are encrypted by one side, transmitted, and decrypted by the other side before processing. This is a two-way process, meaning that both the server and the browser encrypt all traffic before sending out data. The following sections show how to developing a secure web services application using Axis and HTTPS.

Step 1: Configuring a web server for SSL Here we show how to configure Apache Jakarta Tomcat to use SSL. Before you start, ensure you have Java JDK v1.4.0 or above. If not, you need to have Java Secure Socket Extension (JSSE) downloaded and installed on your system. First, create the SSL certificate which will be used for authenticating and encrypting data. This can be created using the 'keytool' utility provided with J2SE 1.4+. The tool can be found in the '%JAVA_HOME%\bin' directory. Execute the following from the terminal command line: %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA This command will create a new file, in the home directory of the user under which you run it, named '.keystore'. In Windows 2000, if the user is an Administrator, the file can be found in 'C:\Documents and Settings\Administrator'. After executing this command, you will first be prompted for the keystore password. The default password used by Tomcat is 'changeit' (all lower case), although you can specify a custom password if you like. However for the purpose of this demo we will use the default password. Second, edit the 'server.xml' file located in the '%TOMCAT_HOME%\conf' directory. Look for a commented connector element defined in XML. <!-- Define a SSL HTTP/1.1 Connector on port 8443 --> <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />

Remove the comment tags around the Connector element. After completing the above configuration, restart the Apache Tomcat web server. You should now be able to access web applications supported by Apache Tomcat via SSL.

Step 2: Writing and deploying a web service. We use the same HelloService' example used earlier. Copy HelloService.jws' into '%TOMCAT_HOME%\webapps\axis'. Access the WSDL URL for the service, but specify the transport protocol as https instead of http and port as 8443 instead of 8080 (port 8443 is the default port for HTTPS in the Apache Jakarta web server). Therefore, the WSDL URL for the 'Hello Service' will be https://localhost:8443/axis/HelloService.jws?wsdl. Step 3: Create a SSL certificate for a client. If you are running the server and client on the same machine, then you can use the same certificate that you created for the server in Step 1. However, if the client and the server are running on different machines, then create a new certificate for the client using the 'keytool' utility as explained above in Step 1. Step 4: Writing a java client program to access the web service. Here we are writing a simple java program with two major entry: HTTPS Set the path and filename of the client SSL certificate.

import org.apache.axis.client.Call; import org.apache.axis.client.Service; import javax.xml.namespace.QName; public class HelloServiceClient { public static void main(String [] args) { try { String endpoint = "https://localhost:8443/axis/HelloService.jws"; System.setProperty("javax.net.ssl.trustStore", "C:\\Documents and Settings\\Administrator\\.keystore"); Service service = new Service(); Call call = (Call) service.createCall(); call.setTargetEndpointAddress( new java.net.URL(endpoint) ); call.setOperationName(new QName("sayHello "));

String ret = (String) call.invoke( new Object[] { "Hello!" } ); System.out.println("Sent 'Hello!', got '" + ret + "'"); } catch (Exception e) { System.err.println(e.toString()); } } }

Step 5: Run the client Compile and run the program and you should be able to see your string echoed back from the server with concatenated Hello word. The difference this time is that the data have been sent encrypted and received encrypted.

HTTP basic authorization + HTTP secure

HTTPS provides excellent security to web services transactions. HTTPS also provides an authorization mechanism for a user by means of signed certificates. However, if a duplicate of the certificate is available, anyone can impersonate the participating agent. So the best form of security can be derived by a hybrid of HTTP BASIC-AUTH and HTTPS. This also satisfies the first four aspects of WS-Security listed earlier as well as providing a better degree of protection from Repudiation. The following steps will explain how to configure your web services application to take advantage of it. Step 1: Configure web server for HTTPS Follow Step 1 from the section "HTTP secure" to configure the web server for HTTPS. If you have already configured the server, then it need not be configured again Step 2: Write and deploy a web service with BASIC-AUTH Again here we are taking the same example Hello Service to demonstrate HTTPS + HTTP BASIC-AUTH. Follow Steps 1 to 3 to write and deploy the web service application from the section "HTTP basic authorization." The WSDL address for the Hello Service is now available at the URL https://localhost:8443/axis/protected/HelloService.jws?wsdl.

Step 3: Creating SSL certificate for client Follow step 3 from the section "HTTP secure" to create an SSL certificate for the client. Step 4: Writing a java client program to access the web service Here we are creating a simple java client program for our web service with integration of SSL and Basic Authentication. import org.apache.axis.client.Call; import org.apache.axis.client.Service; import javax.xml.namespace.QName; public class HelloServiceClient { public static void main(String [] args) { try { String endpoint = "https://localhost:8443/axis/HelloService.jws"; System.setProperty("javax.net.ssl.trustStore", "C:\\Documents and Settings\\Administrator\\.keystore"); Service service = new Service(); Call call = (Call) service.createCall(); call.setTargetEndpointAddress( new java.net.URL(endpoint) ); call.setOperationName(new QName("sayHello")); call.setUsername("wsuser"); call.setPassword("wspwd"); String ret = (String) call.invoke( new Object[] { "Hello!" } ); System.out.println("Sent 'Hello!', got '" + ret + "'"); } catch (Exception e) { System.err.println(e.toString()); } } }

Step 5: Run the client Compile and run the program and you should be able to see your string echoed back from the server with concatenated word HELLO. The difference this time is that the web service data have been authenticated as well as encrypted. Required configuration SOAP client/server: Apache Axis JDK: 1.4 + Web server: Apache Jakarta Tomcat v4.02

Environment Variables: JAVA_HOME: specify your java path TOMCAT_HOME: specify your tomcat web server path AXIS_HOME: specify your axis path CATALINA_HOME: specify your tomcat web server path

Configuration: Place your axis folder under %TOMCAT_HOME%/webapps/