Web services authentication, authorization and secure transport troubleshooting tips
Web services are developed and implemented based on the Web Services for Java™ Platform, Enterprise Edition (Java EE) specification. There are several authentication and authorization considerations to troubleshoot when you are securing web services.
These web services are developed and implemented based on the Web Services for Java Platform, Enterprise Edition (Java EE) specification. This topic discusses troubleshooting authentication, authorization, and transport issues to consider when you are securing web services.
Specifying remote WSDL using HTTPS transport protocol
If your Java API for XML-Based Web Services (JAX-WS) client application specifies a remote address for the WSDL location that requires HTTPS secure communication, and you do not complete the SSL configuration, an exception occurs. When you specify the WSDL URL using the HTTPS transport protocol, you must complete the SSL configuration before the client instance is created. To configure SSL, set the com.ibm.SSL.ConfigURL system property to the name of the SSL configuration. The generated client stub below resolves the WSDL location in a static initializer, so the property must already be set when the class is loaded:
```java
import java.net.MalformedURLException;
import java.net.URL;
import javax.xml.ws.Service;
import javax.xml.ws.WebServiceClient;

@WebServiceClient(name = "SampleService", targetNamespace = "http://jaxws.sample.websphere.ibm.com/",
wsdlLocation = "https://localhost:9443/Sample/SampleServicePort?WSDL")
public class SampleService
extends Service
{
// Remote WSDL over HTTPS: the SSL configuration (com.ibm.SSL.ConfigURL) must be in place
// before this class is initialized, otherwise retrieving the WSDL fails with an exception.
private final static URL SAMPLESERVICE_WSDL_LOCATION;
static {
URL url = null;
try {
url = new URL("https://localhost:9080/Sample/SampleService?WSDL");
} catch (MalformedURLException e) {
e.printStackTrace();
}
SAMPLESERVICE_WSDL_LOCATION = url;
}
// ... constructors and port getter methods omitted ...
}
```
To learn more about setting this system property, read about Setting up the SSL configuration for clients in the ssl.client.props client configuration documentation.
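An added illustration of enforcing that ordering, which is not IBM's code and does not appear on the original page: a small helper that refuses to build a JAX-WS Service from an HTTPS WSDL location until com.ibm.SSL.ConfigURL has been set, so a missing SSL configuration fails fast with a clear message instead of a late exception. The class and method names and the ssl.client.props path are assumptions, as is the assumption that the service endpoint is reachable when main runs.

```java
import java.io.File;
import java.net.URL;
import javax.xml.namespace.QName;
import javax.xml.ws.Service;

/** Hypothetical helper (not IBM code): guard HTTPS WSDL access behind the client SSL configuration. */
public final class SecureWsdlClientFactory {
    static final String SSL_CONFIG_PROPERTY = "com.ibm.SSL.ConfigURL";

    /** True when the WSDL is fetched over HTTPS and therefore needs the client SSL configuration. */
    static boolean requiresSsl(URL wsdlLocation) {
        return "https".equalsIgnoreCase(wsdlLocation.getProtocol());
    }

    /** Ensures com.ibm.SSL.ConfigURL points at an existing ssl.client.props before any Service is built. */
    static void ensureSslConfigured(URL wsdlLocation, File sslClientProps) {
        if (!requiresSsl(wsdlLocation)) {
            return; // plain HTTP WSDL: no SSL configuration is needed
        }
        if (System.getProperty(SSL_CONFIG_PROPERTY) == null) {
            if (!sslClientProps.isFile()) {
                throw new IllegalStateException(SSL_CONFIG_PROPERTY + " is not set and "
                        + sslClientProps + " does not exist; complete the SSL configuration first");
            }
            // The property holds a URL, e.g. file:/.../ssl.client.props
            System.setProperty(SSL_CONFIG_PROPERTY, sslClientProps.toURI().toString());
        }
    }

    /** Builds the service only after the SSL check has passed. */
    static Service createService(URL wsdlLocation, QName serviceName, File sslClientProps) {
        ensureSslConfigured(wsdlLocation, sslClientProps); // must happen before Service.create
        return Service.create(wsdlLocation, serviceName);
    }

    public static void main(String[] args) throws Exception {
        // WSDL location and namespace taken from the generated stub on this page
        URL wsdl = new URL("https://localhost:9443/Sample/SampleServicePort?WSDL");
        QName name = new QName("http://jaxws.sample.websphere.ibm.com/", "SampleService");
        // Placeholder path: point this at the ssl.client.props of your client profile
        File props = new File(System.getProperty("user.home"), "ssl.client.props");
        Service service = createService(wsdl, name, props);
        System.out.println("Created " + service.getServiceName());
    }
}
```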
Authentication challenge or authorization failure is displayed
You might encounter an authentication challenge or an authorization failure if a thread switch occurs. For example, an application might create a new thread, or a raw socket connection to a servlet might be opened. A thread switch is not recommended by the Java EE specification because the security context information is stored in thread-local storage. When a thread switch occurs, the authenticated identity is not passed from the original thread's thread-local storage to the new thread. As a result, WebSphere® Application Server considers the identity to be unauthenticated. If you must create a new thread, you must propagate the security context to the new thread yourself. However, this process is not supported by WebSphere Application Server.
Web Services Security enabled application fails to start
The following error is logged when the application starts:
```text
[6/19/03 11:13:02:976 EDT] 421fdaa2 KeyStoreKeyLo E WSEC5156E: An exception while retrieving the key from KeyStore object: java.security.UnrecoverableKeyException: Given final block not properly padded
```
Applications with Web Services Security enabled cannot interoperate between WebSphere Application Server Version 6.0.x and Version 5.0.2
Applications with Web Services Security enabled cannot interoperate between WebSphere Application Server Version 6.0.x and Version 5.0.2. When applications attempt to interoperate, a "digest mismatch" error is displayed. An error exists in the canonicalization algorithm for XML digital signature, which is fixed in Version 5.1. For Web Services Security to interoperate between WebSphere Application Server Version 6 and Version 5.0.2, you must update your Version 5.0.2 application server. To update your Version 5.0.2 server, access the WebSphere Application Server Support website and download the latest fix pack for WebSphere Application Server, Version 5.0.2.