Chapter 10. Building a Secure Web Service Using BEA s WebLogic Workshop

Chapter 10. Building a Secure Web Service Using BEA's WebLogic Workshop

The WebLogic Workshop Integrated Development Environment (IDE) bundled with BEA WebLogic Server provides an easy-to-use and powerful tool for developing Web services. In Workshop, a Web service is written as a Java Web service (JWS) file, which is simply a Java file with metadata specified in the form of Javadoc annotations.

WebLogic Workshop security works in concert with the WebLogic Security Framework built into WebLogic Server. The WebLogic Security Framework is a powerful, extensible security framework that can be used standalone or integrated with the security environment at your organization. The WebLogic Security Framework is responsible for accepting credentials, mapping those credentials to a user, and then associating that user to a set of roles. In WebLogic Workshop, the focus you have when developing your JWS programs tends to be on roles, whereas administrators typically focus on the WebLogic Server aspects (credential to user to roles) of security policy.

WebLogic Workshop supports three categories of security: HTTP Transport Security, message security, and role-based security. From the JWS program's perspective, transport- and message-based security are perimeter based. They guard the door to the Web services application. The result of using transport- or message-based security is transparent from the Web service program's perspective; the result is that a user is associated with the running thread, and you can determine the roles the current user has. This leads to role-based security, which allows you to declare roles that a user must be associated with to run Web services operations.