+

Search Tips   |   Advanced Search

Web services authentication, authorization and secure transport troubleshooting tips

Web services are developed and implemented based on the Web Services for Java EE specification. The are several troubleshooting authentication and authorization considerations when we are securing web services.

These web services are developed and implemented based on the Web Services for Java EE specification. This topic discusses troubleshooting authentication, authorization, and transport issues to consider when we are securing web services.


Specify remote WSDL using HTTPS transport protocol

If our JAX-WS client application specifies a remote address for the WSDL location that requires HTTPS secure communication, and we do not complete the SSL configuration, then an exception occurs. When specifying the WSDL URL using HTTPS transport protocol, complete the SSL configuration before the client instance is created. To configure SSL, set the com.ibm.SSL.ConfigURL system property as name of the SSL configuration.

The following is an example of a web services client that specifics the remote WSDL file location using the HTTPS transport protocol:

@WebServiceClient(name = "SampleService", 
               targetNamespace = "http://jaxws.sample.websphere.ibm.com/", 
	wsdlLocation = "https://localhost:9443/Sample/SampleServicePort?WSDL")

public class SampleService
    extends Service {

    private final static URL SAMPLESERVICE_WSDL_LOCATION;

    static {
        URL url = null;
        try {
            url = new URL("https://localhost:9080/Sample/SampleService?WSDL");
        } catch (MalformedURLException e) {
            e.printStackTrace();
        }
        SAMPLESERVICE_WSDL_LOCATION = url;
    }

    ...
}

To learn more about setting this system property, read about Setting up the SSL configuration for clients in the ssl.client.props client configuration documentation.


Authentication challenge or authorization failure is displayed

We might encounter an authentication challenge or an authorization failure if a thread switch occurs. For example, an application might create a new thread or a raw socket connection to a servlet might open. A thread switch is not recommended by the Java EE specification because the security context information is stored in thread local. When a thread switch occurs, the authenticated identity is not passed from thread local to the new thread. As a result, WebSphere Application Server considers the identity to be unauthenticated. If create a new thread, we must propagate the security context to the new thread. However, this process is not supported by WAS.


Web Services Security enabled application fails to start

When a Web Services Security-enabled application fails to start, we might receive an error message similar to the following:

[6/19/03 11:13:02:976 EDT] 421fdaa2 KeyStoreKeyLo E WSEC5156E: An exception
while retrieving the key from KeyStore object: 
java.security.UnrecoverableKeyException: Given final block not properly padded

The cause of the problem is that the keypass value or password provided for a particular key in the key store is invalid. The key store values are specified in the <KeyLocators> elements of one of following binding files: ws-security.xml, ibm-webservices-bnd.xmi or ibm-webservicesclient-bnd.xmi. Verify that the keypass values for keys specified in the <KeyLocators> elements are correct.

Policy sets can only be used with JAX-WS applications. Policy sets cannot be used for JAX-RPC applications.


Applications with Web Services Security enabled cannot interoperate between WAS v6.0.x and v5.0.2

Applications with Web Services Security enabled cannot interoperate between WAS v6.0.x and v5.0.2. When applications attempt to interoperate, a "digest mismatch" error is displayed. An error exists in the canonicalization algorithm for XML digital signature, which is fixed in v5.1. For Web Services Security to interoperate between WAS v6 and v5.0.2, we must update our v5.0.2 application server. To update our v5.0.2 server, access the WAS Support website and download the latest fix pack for WAS, v5.0.2.

  • ssl.client.props client configuration file
  • Web services specifications and APIs
  • WAS Support website