let's talk something about WebServices on Weblogic

sunnyhoo(sunny)

本文发表在 rolia.net 枫下论坛In weblogic,there are two types webservices,one is RPC-baseed,the other is Message-based

Let's focus on the first.

Actually,the backend of weblogic webservices is a stateless session bean,and the frontend is a servlet in
weblogic web server. so If you want to configue security on weblogic.there are two ways:

1.secure service URL

Every client who want to invoke your webservices,no matter Java or VB,VC client,should first access the Service URL
Let's say, https:\\mywebservices\trader
the WSDL address should be https:\\mywebservices\trader?WDSL

So,We can set role constraint,auth-method,transport-guarantee to the URL map in web.xml and weblogic.xml,then map the role to user,group in weblogic console.

you should provide user and credential information if you attempt to invoke the servces.the user and credential you supply should match

the one in the ACL on server side. this is exactly the same as web-layer security of a regular web application.

2. secure backend stateless session bean

This is exactly the same as a standard ejb,you only configure it in ejb-jar.xml and weblogic-ejb-jar.xml
from this,you can control the access at method level or even at user level.for details, go to BEA website

3. specify SSL

(1) set SSL on weblogic console
(2) set Https in web-services.xml

4.invoke the services from a client
(1)java client: Weblogic have supplied jar files,you can use JAX-RPC to invoke including support of SSL
(2)J2ME client: weblogic have a support package for move devices under CLDC and MIDP
(3)MS compatible clinet(.net,vb...),maybe, someone can give idea... (I know little about this)更多精彩文章及讨论，请光临枫下论坛 rolia.net

(#545518@0)
Last Updated: 2002-5-28
This post has been archived. It cannot be replied.

当然有Session了....MS 和 Sun 在Stateful/Stateless上有争议,分别有各自的理由... .NET让使用Session更有效了.... -lazycod(Elite Warrior); 2002-5-27 (#543204@0)

没有成为标准有些麻烦.没有STATE如何进行AUTHENTICATION/AUTHERIZATION? -std(std); 2002-5-27 (#543218@0)

方法太多了, 最早的Cookie就可以干这个用, 还有Querystring上加参数等...现在.NET让使用Session很方便了,可以放心使用就是了. 即使SERVLET中的SESSION的东西使用的也是相同的机制.... -lazycod(Elite Warrior); 2002-5-27 (#543223@0)

我说的是WEB-SERVICE-RPC.不是URLCONNECTION连SERVLET. -std(std); 2002-5-27 (#543227@0)

底层机制是一样的....要不然为什么叫Web Service. -lazycod(Elite Warrior); 2002-5-27 (#543231@0)

是的,但是RPC是定义ENDPOINT INTERFACE没有看到提供GET/SET HTTP HEADER的地方. -std(std); 2002-5-27 (#543238@0)

使用Session不就可以了吗? 不需要编程往HEADER里加信息.... -lazycod(Elite Warrior); 2002-5-27 (#543245@0)

internet 连接本身都是Stateless, 必须借助其它手段来维护State -lazycod(Elite Warrior); 2002-5-27 (#543235@0)

不对. -std(std); 2002-5-27 (#543240@0)

ok let's discuss it. go ahead... give me your opinion please -lazycod(Elite Warrior); 2002-5-27 (#543248@0)
he is right. internet is stateless. just request / response. -mimi888(老猫钓鱼); 2002-5-27 (#543334@0)

"internet is stateless" is not proper,As I know,We can only say HTTP is a stateless protocol -sunnyhoo(sunny); 2002-5-27 {1041} (#543724@0)
本文发表在 rolia.net 枫下论坛as for web services, saop,wsdl,uddi are the three elements which we should know.
SOAP is XML + HTTP or smtp...

If you want to directly send or receive SOAP messages, threre are related APIs according to platform ,for instance, java.net.HttpConnection...... under J2EE.
In your SOAP message you can add a auth_token... and the token is used to authenticate with data in presistence layer.

if you want to use webservices,essentially It's the same as mentioned above ,but you should use WSDL to specify your RPC, you can add something like token. if you want to sign in once,you can use session. but there are many different solutions on different platforms, for example,weblogic has it's own security realm which support a sign-in-once mechinism. of course, session should be enabled.

if you want to authorize under J2EE, there are deployable xml file on web layer and EJB layer ,you can set related permission...

In my opinon,athentication ,athorization is platform-related,
choose platform and discuss the details.....更多精彩文章及讨论，请光临枫下论坛 rolia.net

Thank you for your answer. Can you tell me how i can set /get auth_token within implementation class of end point infterface? That is, how to implement session track in JAVA-XML base RPC?Thanks again! -std(std); 2002-5-27 (#543730@0)
握手，希望多多交流。虽然可以在soap header里加auth_token,但很少有这种server支持。你用的是soap2.2还是axis? -uid(㊣Miracle); 2002-5-27 {111} (#543967@0)
我听说有一个产品叫SOAP Router, 可以加入auth_token,和传输解析这种XML.
Soap虽然支持SSL,但我没用过,不知道好用吗？

觉得web services RPC router基本上都是STATELESS的，每一次invoke 都是separate call。尤其你从client stub的invoke. 不过你可以建立web services的gateway,在那里写自己的handler可以自己建立session机制 -uid(㊣Miracle); 2002-5-27 (#543925@0)

我想你问的是.net的web services吧，它应该和楼上那位说的不是一码事，。web services底层都是用SOAP协议的，它可以被封装到.war file里边接受http请求，但实际上是SOAP协议 -uid(㊣Miracle); 2002-5-27 (#543936@0)

SOAP over HTTP -std(std); 2002-5-27 (#543942@0)

是的SOAP是借助http,和smtp传输的，但实际上是XM。你如果只想做authen / author 你可以把WSDL的implementation class做成session bean, 利用EJB bean container 的安全机制来实现 -uid(㊣Miracle); 2002-5-27 (#543982@0)

A. Web service can support 1. http get/post 2. soap. B. For .net session you can use 1. session with targeting server 2. session storing in database both of these can solve the problem of server farm. -chinatiger(能曾金刚的生神); 2002-5-27 (#543963@0)

对于.net 来说，web service可以接受get/post的条件是限于有限的几个数据类型且必须的by-value parameters. 因为微软.net可以在server端动态创建对象，来call web services. 对一般商用soap 来说， -uid(㊣Miracle); 2002-5-27 {270} (#544044@0)
对.net 来说，web service可以接受get/post但只有有限的数据类型且必须的by-value parameters. 因为微软.net可以在server端动态创建对象，来call web services.

对一般商用soap 来说，支持的数据类型多多，都是client stub调用，每次调用都是一次soap invoke, 怎么定义 http session?

The base class of WebService has 2 collections for holding the state 1.Application 2. Session I think it is pretty same as the ASP.net state management. -chinatiger(能曾金刚的生神); 2002-5-28 (#544396@0)

Web Service要Session干什么？那是给愚笨的浏览器用的，你自己写程序..... -miketany(MIKE老狼); 2002-5-27 (#543969@0)

Basically,there are several ways to trace identification -sunnyhoo(sunny); 2002-5-28 {126} (#545121@0)
1.session
2.cookie
3.URLRewriting
4.hidden form

Could you tell how to write your own code if you don't use one of them?

你能确定我们两人讨论的是同一个问题吗？你在自己应用程序里调用远程Web Service，你自己可以设计一万种方法来跟踪Session。 -miketany(MIKE老狼); 2002-5-28 (#545283@0)

I know what you mean. -sunnyhoo(sunny); 2002-5-28 {274} (#545572@0)
you are right,in your circumstance,we don't need session at all,but you have to send the auth info in your SOAP message every time you invoke a method which is secured by server, becuase HTTP is a stateless protocol.

I thought what we have discussed is a browser client.

there is one thing I am not sure, Is Web Service designed for browser? I use it only in application. If browser client, why not asp,jsp? -miketany(MIKE老狼); 2002-5-28 (#545732@0)

let's discuss the direct use of SOAP on J2EE first -sunnyhoo(sunny); 2002-5-28 {847} (#545022@0)

1.define your own SOAP message API,make sure including auth_token
2.use API for java.net package to POST your SOAP message to server side which is actually a servlet listener
3.at server side, in doPost method of the servlet listener,you parse the SOAP message,wrap it in a java object
4.get auth_token for the wrapper java object
5.you can input your useID and credential from a form at web layer,you can keep them in session,cookie or URLRewriting...This is the same as other web application (basic,digest,credential) SSL
6.get auth_token from persistence according to useID,credential,compare with the token in your SOAP message,this is athentication
7.you can define your ACL in the persistence,then you can implement athorization

next,let's discuss how to implement authentication and authorization under WEBLOGIC webservices

My web service will be called by clients developed by other organizations, even in languages other than Java. What I expect is high level support of session tracking, something specified in WSDL specification. -std(std); 2002-5-28 {84} (#545159@0)
The reason is simple; it is easy for various clients to have the same functionality.

in .NET environment, you just input some stuff in Web.Config -cdr(spiderdog4); 2002-5-28 {252} (#545316@0)

<authentication mode="Forms">
<forms name=".G3EAUTH" loginUrl="Main/Logon.aspx" protection="All">
</forms>
</authentication>

<authorization>
<allow users="*"/>
</authorization>

So, you can handle security same as ASP

let's talk something about WebServices on Weblogic -sunnyhoo(sunny); 2002-5-28 {1665} (#545518@0)

Thank you for your information. Session tracking in XML base RPC is "web service container dependent". -std(std); 2002-5-28 (#545601@0)

maybe,the more generical way to authentication and authorization is -sunnyhoo(sunny); 2002-5-28 {440} (#546191@0)
1.define two SOAP message API,like this
get_AuthToken
discard_AuthToken

2.add authToken infomation to all the SOAP message API which you want to be authenticated

3.describe your SOAP message API in WSDL

4. use get_AuthToken API to get auth token from server.

5.put the token in your SOAP message you want to be authenticated and send to server

6.the server uses it platform-related machanism to authenticate and authorize

My understanding so far -std(std); 2002-5-29 {466} (#546274@0)
1)I will not expect WSDL to support session now . That might be the reason BEA weblogic does not support stateful session bean.
point 2-3 are my speculation about weblogic "session"

2)Add a fillter in front of the servlet to implement ACL/authentication. The auth_token is a parameter in SOAP will be returned by client by default (simillar to cookie in HTTP.)
3)A user database for role based authentication.

I think uid has smillar idea in post #543925

在MSDN的关于Seb Service的安全性的文章里讲述了各种Web Service的安全情况，他们采用的办法是先让客户Logon一次，然后发给客户一个AuthID。 -miketany(MIKE老狼); 2002-5-29 {162} (#546658@0)
每次客户调用时都提供这个AuthID，服务器端用这个AuthID来验证权限。这个AuthID寿命是一天。你的理解我想应该不会错。为了适应性好，不要试图在已有的标准里加入自己的东西。

我想问这问题的老兄是把WEB SERVICE 和WEB SERVER 混为一堂 -nice2002(nice2002); 2002-5-29 {119} (#546631@0)

只要用到WEB SERVER就会有SESSION，当你通过HTTP CALL WEB SERVICE时，安全还是通过WEB SERVER实现，和WEB SERVICE的概念无关。

@Las Vegas

let's talk something about WebServices on Weblogic

Replies, comments and Discussions:

More Topics