Using Message Security with Web Applications

Web Services Security: SOAP Message Security (WS-Security) is an international standard for interoperable Web Services Security that was collaboratively developed in OASIS by all the major providers of web services technology (including Sun Microsystems). WS-Security is a message security mechanism that uses XML Encryption and XML Digital Signature to secure web services messages sent over SOAP. The WS-Security specification defines the use of various security tokens, including X.509 certificates, SAML assertions, and username/password tokens, to authenticate and encrypt SOAP web services messages. The WS-Security specification can be viewed at http://www.oasis-open.org/committees/download.php/3281/WSS-SOAPMessageSecurity-17-082703-merged.pdf.

WS-Security incorporates security features in the header of a SOAP message, working in the application layer. Message security differs from transport layer security (which is what is discussed in this chapter) in that message security can be used to decouple message protection from message transport so that messages remain protected after transmission, ensuring end-to-end security.
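The header structure the two paragraphs above describe, as an added example that is not part of the tutorial or of Metro: a constructed SOAP envelope whose wsse:Security header carries a username/password token (PasswordDigest, nonce and Created time), plus a receiver-side check that recomputes the digest as the WS-Security UsernameToken Profile 1.0 defines it and rejects plaintext passwords, stale timestamps and replayed nonces. Because the token travels in the SOAP header rather than in the transport, the same check works whether the message arrived directly or through an intermediary. The namespace and Type URIs are the ones the WS-Security 1.0 specifications define; the user name, password, body element and timestamps are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime
from xml.sax.saxutils import escape

# Namespace and type URIs from WS-Security 1.0 and the UsernameToken Profile 1.0.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-soap-message-security-1.0#Base64Binary")


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def parse_timestamp(value: str) -> datetime:
    """Parse a wsu:Created value such as 2024-05-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_secured_envelope(username, password, body_xml, created, nonce=None):
    """Wrap body_xml in a SOAP envelope whose wsse:Security header carries a
    UsernameToken with a digested password, a fresh nonce and a Created time."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:wsse="{WSSE_NS}" '
        f'xmlns:wsu="{WSU_NS}">'
        f'<soapenv:Header><wsse:Security soapenv:mustUnderstand="1">'
        f'<wsse:UsernameToken>'
        f'<wsse:Username>{escape(username)}</wsse:Username>'
        f'<wsse:Password Type="{DIGEST_TYPE}">'
        f'{password_digest(nonce, created, password)}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{BASE64_TYPE}">'
        f'{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>'
        f'<wsu:Created>{created}</wsu:Created>'
        f'</wsse:UsernameToken></wsse:Security></soapenv:Header>'
        f'<soapenv:Body>{body_xml}</soapenv:Body></soapenv:Envelope>'
    )


def verify_username_token(envelope_xml, password_for_user, seen_nonces, now,
                          max_skew_seconds=300):
    """Receiver-side validation of the UsernameToken in the wsse:Security header.
    Returns (accepted, reason). seen_nonces is the receiver's replay cache and
    password_for_user maps a user name to its password (None if unknown).
    Note: for XML from untrusted peers, parse with a hardened parser such as
    defusedxml rather than the standard library module used here."""
    root = ET.fromstring(envelope_xml)
    token = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/"
                      f"{{{WSSE_NS}}}UsernameToken")
    if token is None:
        return False, "no UsernameToken in wsse:Security header"
    username = token.findtext(f"{{{WSSE_NS}}}Username")
    password_el = token.find(f"{{{WSSE_NS}}}Password")
    nonce_el = token.find(f"{{{WSSE_NS}}}Nonce")
    created = token.findtext(f"{{{WSU_NS}}}Created")
    if username is None or password_el is None or nonce_el is None or created is None:
        return False, "token missing Username, Password, Nonce or Created"
    # Accept only the digested form; a PasswordText token exposes the secret
    # to every intermediary that can read the header.
    if password_el.get("Type") != DIGEST_TYPE:
        return False, "only PasswordDigest tokens are accepted"
    try:
        created_at = parse_timestamp(created)
    except ValueError:
        return False, "unparseable Created timestamp"
    if abs((now - created_at).total_seconds()) > max_skew_seconds:
        return False, "Created timestamp outside freshness window"
    nonce = base64.b64decode(nonce_el.text or "")
    if nonce in seen_nonces:
        return False, "nonce already seen (replay)"
    password = password_for_user(username)
    if password is None:
        return False, "unknown user"
    expected = password_digest(nonce, created, password)
    if not hmac.compare_digest(expected, password_el.text or ""):
        return False, "password digest mismatch"
    seen_nonces.add(nonce)  # remember the nonce for the rest of the freshness window
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values; no real credentials.
    env = build_secured_envelope("tutorial-user", "example-password",
                                 "<ping xmlns='urn:example'/>", "2024-05-01T12:00:00Z")
    print(env)
    print(verify_username_token(env, {"tutorial-user": "example-password"}.get,
                                set(), parse_timestamp("2024-05-01T12:00:10Z")))
```

The replay cache only needs to hold nonces for as long as the freshness window lasts, since anything older is rejected by the timestamp check first. The digest check uses a constant-time comparison so that a wrong digest cannot be distinguished from a right one by timing.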

Sun's implementation of WS-Security is part of Metro, a web service stack. In the past, web services have relied on transport-based security such as SSL to provide point-to-point security. Metro implements the WS-Security specification to provide interoperable message content integrity and confidentiality, even in the presence of intermediaries. Metro also provides an implementation of the WS-Trust specification as a means for issuing, renewing, and validating security tokens used by WS-Security, and to establish and broker trust relationships. That portion of Metro is known as WSIT (Web Services Interoperability Technologies). Metro's WSIT subsystem is an implementation of a number of open web services specifications to support enterprise features. In addition to security, reliable messaging, and atomic transactions, Metro includes a bootstrapping and configuration technology.

Message security is not part of the Java EE 6 platform, but can be used with and by Java EE 6 applications by following the instructions from the Metro User's Guide at https://metro.dev.java.net/guide/.