Secure Hello World Demo

Overview

This demo uses slightly modified sources from the original Hello World demo to show basic use of the SESJ Security API for secure authentication of peers and secure communication.

You must have SESJ security features including SSL and Kerberos installed before running this demo.

This HelloWorld service is similar to the HelloWorld service that is implemented by the Java class demo.secure.hello.HelloWorldImpl. The service is accessible at six endpoints:

1. WASP_SERVER_URL/secure/hello/basic/
2. WASP_SERVER_URL/secure/hello/digest/
3. WASP_SERVER_URL/secure/hello/wssec/
4. WASP_SERVER_URL/secure/hello/SSL/
5. WASP_SERVER_URL/secure/hello/kerberos/

WASP_SERVER_URL is the URL of the SESJ, for example: http://localhost:6060

Each service endpoint is protected by a different security mechanism:

1. HTTP Basic Authentication
2. HTTP Digest Authentication
3. WS-Security Authentication using UserName token
4. SSL Authentication
5. Kerberos

On the client side, the sample class demo.secure.hello.HelloWorldMain contains one method that tries to authenticate, look up and then invoke HelloWorld services. This method accepts the service URL, user name, password and security mechanism. The code is independent of the security mechanism used.

Demo Package Description

In addition to the files described in Files and Directories, this demo contains:

File or directory                             -  Description
src/demo/security/hello/HelloWordIface.java   -  Interface of the Web Service
src/demo/security/hello/HelloWorldImpl.java   -  Implementation of the Web Service
src/demo/security/hello/HelloWorldMain.java   -  Web Service client implementation
dd/package.xml                                -  Deployment descriptor

Prerequisites and Preparatory Steps

The demo assumes that you have installed the following components:

Security providers
security_providers.jar         -  on the server side
security_providers_client.jar  -  used by this demo (client side)

Security tools
security_tools.jar             -  on the client side

Building and Running Demos

You can run the demo using the "run.sh" or "run.bat" script. Invoking the script without arguments prints out a help message.

  1. Start the SESJ unless it is already running (WASP_HOME/bin/serverstart.bat(.sh)).

  2. This step needs to be done only once for your SESJ installation. Issue the following command to generate identities for this demo:

    run.bat(sh) create_identities ADMIN_NAME  ADMIN_PASSWORD

    ADMIN_NAME is the name of the administrator, which you set when you were installing security (the default name is "admin"). ADMIN_PASSWORD is the administrator's password (the default is "changeit").

  3. Run the following command from the command line. This should compile the service classes and then create the deployment package.

    run.bat(sh) make_service

  4. Run the command shown below. This should create WSDLs for all endpoints, then create a deployment package and deploy the service to the SESJ.

    run.bat(sh) deploy_service ADMIN_NAME  ADMIN_PASSWORD

  5. Run the command below from the command line. This will set "kerberos" as the accepting authentication provider of the "secure/hello/kerberos" Web service endpoint. This command also associates an identity with the Kerberos service (Kerberos is configured by default to require mutual authentication).

    run.bat(sh) set_krb_auth ADMIN_NAME  ADMIN_PASSWORD

    Caution: THIS COMMAND MAY NOT WORK ON WINDOWS XP.

  6. Run the following command from the command line. This will compile the client classes.

    run.bat(sh) make_client
    
  7. Check that the HOST variable in WASP_HOME/demo/env.bat(.sh) is the same as the host name in the certificate created for SSLAlias, to avoid an SSL hostname verifier error.

  8. Run the following command. This should execute the client implementation. As a result, you should see the client repeatedly call the HelloWorld Web Service for all endpoints.

    run.bat(sh) run_client
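
The check in step 7 can be scripted so that a host name mismatch is caught before the client runs. The script below is an added example, not part of the SESJ demo scripts: the function names are hypothetical, it assumes env.sh assigns HOST on a plain HOST=value or export HOST=value line, that the SSLAlias certificate has been exported to a PEM file, and that OpenSSL 1.0.2 or later is installed. The certificate and env file it runs on are constructed samples.

```shell
#!/bin/sh
# Added example (not part of the SESJ demo). Assumptions: env.sh sets HOST with a
# plain HOST=value or export HOST=value line; the SSLAlias certificate has been
# exported to PEM (e.g. keytool -export -rfc); OpenSSL 1.0.2 or later is on PATH.

# Print the last HOST value assigned in an env.sh-style file, quotes stripped.
host_from_env() {
    sed -n -e 's/^export HOST=//p' -e 's/^HOST=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Succeed only if the PEM certificate is valid for the given host name.
# openssl reports the result as text, so the match line is what gets tested.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Step 7 as a check: compare HOST from the env file with the certificate.
check_demo_host() {
    host=$(host_from_env "$1")
    [ -n "$host" ] || { echo "no HOST assignment in $1" >&2; return 2; }
    if cert_matches_host "$2" "$host"; then
        echo "OK: certificate is valid for HOST=$host"
    else
        echo "MISMATCH: certificate is not valid for HOST=$host" >&2
        openssl x509 -in "$2" -noout -subject >&2
        return 1
    fi
}

# Constructed sample input: a throwaway self-signed certificate for CN=$2 in dir $1.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Demo run on constructed data: one matching HOST, one mismatching HOST.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" "demo-host.example"
echo 'HOST=demo-host.example' > "$demo_dir/env.sh"
check_demo_host "$demo_dir/env.sh" "$demo_dir/cert.pem"
echo 'HOST=localhost' > "$demo_dir/env.sh"
check_demo_host "$demo_dir/env.sh" "$demo_dir/cert.pem" || echo "(expected mismatch)"
rm -rf "$demo_dir"
```

Against a real installation, call check_demo_host with WASP_HOME/demo/env.sh and the exported certificate file instead of the constructed samples.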
    

Notes

  • SSL client authentication is performed if and only if the server needs client authentication. The client certificate must be imported as a trusted certificate on the server side. To try SSL client authentication, please change the config/httpsPreferences/needsClientAuth element value in the WASP_HOME/conf/serverconf.xml configuration file to true.

  • You have to set up the Kerberos authentication mechanism on the server side. This authentication mechanism is provided by the implementation that comes with JDK1.4, so you have to use JDK1.4 on both the client and server sides.

  • For Windows platforms: because the Sun implementation of Krb5LoginModule searches for the Kerberos configuration file first in "java.home"\lib\security\krb5.conf and then in c:\winnt\krb5.ini, you have to put the Kerberos configuration file at one of these locations. If you don't want to test Kerberos authentication, you NEEDN'T run step 4 (set_krb_auth).

  • See the ws-security demos for more complex examples of WS-Security.