Previous Topic: Configure SiteMinder Policies to Protect JBoss Web ApplicationsNext Topic: Configure the WSS Agent Security Interceptor to Protect Web Services on JBoss 6.x


Configure the WSS Agent Security Interceptor to Protect Web Services on JBoss 5.x

This section contains the following topics:

Configure WSS Agent Security Interceptor Protection for JAX-RPC Web Services Over HTTP Transport

Configure WSS Agent Security Interceptor Protection for JAX-WS Web Services Over HTTP Transport

Configure WSS Agent Security Interceptor Protection for JAX-WS Web Services Over JMS Transport

Configure the WSS Agent Login Module

Restart the JBoss Application Server

Configure WSS Agent Security Interceptor Protection for JAX-RPC Web Services Over HTTP Transport

To configure the WSS Agent Web Interceptor to protect JAX-RPC web services over HTTP transport, configure those services to invoke the WSS Agent JAX-RPC HTTP Handler. You can configure global use of the JAX-RPC Handler for all JAX-RPC HTTP web services or configure it for individual web services, as required.

Configure the WSS Agent JAX-RPC HTTP Handler for all JAX-RPC HTTP Web Services

To configure the WSS Agent JAX-RPC Handler to be invoked for all JAX-RPC HTTP web services, add the WSS Agent JAX-RPC Handler class (com.ca.soa.agent.jaxrpcplugin.JaxrpcHandler) to the standard JAX-RPC endpoint configuration file, standard-jaxrpc-endpoint-config.xml.

By default, the standard-jaxrpc-endpoint-config.xml file is in the following location:

JBOSS_HOME/server/instance_type/deployers/jbossws.deployer/META-INF

instance_type

Specifies the JBoss Application Server instance type (one of default, minimal, production, standard, or web).

Follow these steps:

  1. Navigate to the location of the standard-jaxrpc-endpoint-config.xml file for your JBoss version and instance type.
  2. Open the standard-jaxrpc-endpoint-config.xml file in a text editor.
  3. Add the following javaee:handler element to the "Standard Endpoint" endpoint-config element as the first such element defined.
    <handler>
       <j2ee:handler-name>SM XMLAgentJaxrpc Handler</j2ee:handler-name>
       <j2ee:handler-class>
         com.ca.soa.agent.appserver.jaxrpc.XMLAgentJaxrpcHandler
       </j2ee:handler-class>
    </handler>
    
  4. Save the file and exit the text editor.

The JBoss WSS Agent JAX-RPC Handler will be invoked for all JAX-RPC web services.

Example standard-jaxrpc-endpoint-config.xml file

<jaxrpc-config xmlns="urn:jboss:jaxrpc-config:2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:j2ee="http://java.sun.com/xml/ns/j2ee"
xsi:schemaLocation="urn:jboss:jaxrpc-config:2.0 jaxrpc-config_2_0.xsd">

<endpoint-config>
  <config-name>Standard Endpoint</config-name>
    <pre-handler-chain>
      <handler-chain-name>SM XMLAgentJaxrpc Handlers</handler-chain-name>
      <handler>
        <j2ee:handler-name>SM XMLAgentJaxrpc Handler</j2ee:handler-name>
        <j2ee:handler-class>
          com.ca.soa.agent.appserver.jaxrpc.XMLAgentJaxrpcHandler
        </j2ee:handler-class>
      </handler>
    </pre-handler-chain>
  </endpoint-config>

</jaxrpc-config>
Configure the WSS Agent JAX-RPC HTTP Handler for a Single Web Service

Configure individual JAX-RPC HTTP web services to invoke the WSS Agent JAX-RPC HTTP Handler by defining the com.ca.soa.agent.appserver.jaxrpc.XMLAgentJaxrpcHandler in the application webservices.xml deployment descriptor.

For example:

<webservices ...>
   <webservice-description>
    ...
    <port-component>
      ...
      <handler>
        <handler-name>SM XMLAgentJaxrpc Handler</handler-name>
        <handler-class>com.ca.soa.agent.appserver.jaxrpc.XMLAgentJaxrpcHandler</handler-class>
      </handler>
    </port-component>
   </webservice-description>
  </webservices>  

The JBoss WSS Agent JAX-RPC HTTP Handler will be invoked only for this web service.

Configure WSS Agent Security Interceptor Protection for JAX-WS Web Services Over HTTP Transport

To configure the WSS Agent Security Interceptor to protect JAX-WS web services over HTTP transport, configure those services to invoke the WSS Agent JAX-WS HTTP Handler. You can configure global use of the JAX-WS Handler for all JAX-WS HTTP web services or configure it for individual web services, as required.

Configure the WSS Agent JAX-WS HTTP Handler for all JAX-WS HTTP Web Services

To configure the WSS Agent JAX-WS HTTP Handler to be invoked for all JAX-WS HTTP web services, add the WSS Agent JAX-WS Handler class (com.ca.soa.agent.jaxwsplugin.JaxWsHandler) to the standard JAX-WS endpoint configuration file, standard-jaxws-endpoint-config.xml.

By default, the standard-jaxws-endpoint-config.xml file is in the following location:

JBOSS_HOME/server/instance_type/deployers/jbossws.deployer/META-INF

instance_type

Specifies the JBoss Application Server instance type (one of default, minimal, production, standard, or web).

Follow these steps:

  1. Navigate to the location of the standard-jaxws-endpoint-config.xml file for your JBoss version and instance type.
  2. Open the standard-jaxws-endpoint-config.xml file in a text editor.
  3. Add the following javaee:handler element to the "Standard Endpoint" endpoint-config element as the first such element defined:
    <javaee:handler>
       <javaee:handler-name>
          JBoss JAX-WS PEP Interceptor
       </javaee:handler-name>
       <javaee:handler-class>
          com.ca.soa.agent.jaxwsplugin.JaxWsHandler
       </javaee:handler-class>
    </javaee:handler>
    
  4. Save the file and exit the text editor.

The JBoss WSS Agent JAX-WS Handler will be invoked for all JAX-WS web services.

Example standard-jaxws-endpoint-config.xml file

<jaxws-config xmlns="urn:jboss:jaxws-config:2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:javaee="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="urn:jboss:jaxws-config:2.0 schema/jaxws-config_2_0.xsd">

<endpoint-config>
    <config-name>Standard Endpoint</config-name>
    <pre-handler-chains>
      <javaee:handler-chain>
        <javaee:protocol-bindings>##SOAP11_HTTP</javaee:protocol-bindings>

        <javaee:handler>
           <javaee:handler-name>
           	JBoss JAX-WS PEP Interceptor
           </javaee:handler-name>
           <javaee:handler-class>
           	com.ca.soa.agent.jaxwsplugin.JaxWsHandler
           </javaee:handler-class>
        </javaee:handler>

        <javaee:handler>
          <javaee:handler-name>Recording Handler</javaee:handler-name>
          <javaee:handler-class>
          	org.jboss.wsf.framework.invocation.RecordingServerHandler
          </javaee:handler-class>
        </javaee:handler>

      </javaee:handler-chain>
    </pre-handler-chains>
</endpoint-config>
Configure the WSS Agent JAX-WS HTTP Handler for a Single JAX-WS HTTP Web Service

Configure individual JAX-WS HTTP web services to invoke the WSS Agent JAX-WS Handler.

Follow these steps:

  1. Create a handler chain configuration file, for example, Services_handler.xml, containing the following text:
    <?xml version="1.0" encoding="UTF-8"?>
    <handler-chains xmlns="http://java.sun.com/xml/ns/javaee">
      <handler-chain>
        <handler>
          <handler-name>JBoss JAX-WS PEP Interceptor</handler-name>
          <handler-class>com.ca.soa.agent.jaxwsplugin.JaxWsHandler</handler-class>
        </handler>
      </handler-chain>
    </handler-chains>
    
  2. Add the following JWS annotation to the web service JWS file:
    @HandlerChain(file = "Services_handler.xml")
    
  3. Verify that the CA SiteMinder® Agent Java class is accessible to the web service.

The JBoss WSS Agent JAX-WS Handler is invoked for the web service.

Configure WSS Agent Security Interceptor Protection for JAX-WS Web Services Over JMS Transport

To configure the WSS Agent Web Interceptor to protect JAX-WS web services over JMS transport, configure those services to invoke the WSS Agent JAX-WS JMS Handler. You can configure global use of the JAX-WS JMS Handler for all JAX-WS JMS web services or configure it for individual web services, as required.

Important! Do not place the WSS Agent JAX-WS HTTP Handler and the WSS Agent JAX-WS JMS Handler in the same handler chain. If you configure either handler in the default handler chain for the container, verify that all JAX-WS web services in the container use the corresponding transport.

Important! Do not place the WSS Agent JAX-WS HTTP Handler and the WSS Agent JAX-WS JMS Handler in the same handler chain. If you configure either handler in the default handler chain for the container, verify that all JAX-WS web services in the container use the corresponding transport.

Configure the WSS Agent JAX-WS JMS Handler for all JAX-WS JMS Web Services

To configure the WSS Agent JAX-WS JMS Handler to be invoked for all JAX-WS JMS web services, add the WSS Agent JAX-WS JMS Handler class (com.ca.soa.agent.jmsplugin.JaxWsJMSHandler) to the standard JAX-WS endpoint configuration file, standard-jaxws-endpoint-config.xml.

The standard-jaxws-endpoint-config.xml file is located in JBOSS_HOME/server/instance_type/deployers/jbossws.deployer/META-INF.

instance_type

Specifies the JBoss Application Server instance type (one of default, minimal, production, standard, or web).

Follow these steps:

  1. Navigate to JBOSS_HOME/server/default/deployers/jbossws.deployer/META-INF.
  2. Open the standard-jaxws-endpoint-config.xml file in a text editor.
  3. Add the following javaee:handler element to the "Standard Endpoint" endpoint-config element as the first such element defined:
    <javaee:handler>
       <javaee:handler-name>
          JBoss JAX-WS PEP Interceptor
       </javaee:handler-name>
       <javaee:handler-class>
          com.ca.soa.agent.jmsplugin.JaxWsJMSHandler
       </javaee:handler-class>
    </javaee:handler>
    
  4. Save the file and exit the text editor.

The JBoss WSS Agent JAX-WS Handler will be invoked for all JAX-WS web services.

Example standard-jaxws-endpoint-config.xml file

<jaxws-config xmlns="urn:jboss:jaxws-config:2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:javaee="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="urn:jboss:jaxws-config:2.0 schema/jaxws-config_2_0.xsd">

<endpoint-config>
    <config-name>Standard Endpoint</config-name>
    <pre-handler-chains>
      <javaee:handler-chain>
        <javaee:protocol-bindings>##SOAP11_HTTP</javaee:protocol-bindings>

        <javaee:handler>
           <javaee:handler-name>
           	JBoss JAX-WS PEP Interceptor
           </javaee:handler-name>
           <javaee:handler-class>
           	com.ca.soa.agent.jmsplugin.JaxWsJMSHandler
           </javaee:handler-class>
        </javaee:handler>

        <javaee:handler>
          <javaee:handler-name>Recording Handler</javaee:handler-name>
          <javaee:handler-class>
          	org.jboss.wsf.framework.invocation.RecordingServerHandler
          </javaee:handler-class>
        </javaee:handler>

      </javaee:handler-chain>
    </pre-handler-chains>
</endpoint-config>
Configure the WSS Agent JAX-WS Handler for a Single JAX-WS JMS Web Service

You can configure individual JAX-WS JMS web services to invoke the WSS Agent JAX-WS JMS Handler.

Follow these steps:

  1. Create a handler chain configuration file, for example, Services_handler.xml, containing the following text:
    <?xml version="1.0" encoding="UTF-8"?>
    <handler-chains xmlns="http://java.sun.com/xml/ns/javaee">
      <handler-chain>
        <handler>
          <handler-name>JBoss JAX-WS PEP Interceptor</handler-name>
          <handler-class>com.ca.soa.agent.jmsplugin.JaxWsJMSHandler</handler-class>
        </handler>
      </handler-chain>
    </handler-chains>
    
  2. Add the following JWS annotation to the web service JWS file:
    @HandlerChain(file = "Services_handler.xml")
    

The JBoss WSS Agent JAX-WS Handler will be invoked only for this web service.

Configure the WSS Agent Login Module

Define a JBoss security domain named system.XMLAgent that configures the WSS Agent Login Module required to authenticate credentials obtained by the WSS Agent Handlers.

You configure the system.XMLAgent by adding an application-policy element to the login-config.xml file located in JBOSS_HOME/server/instance_type/conf.

instance_type

Specifies the JBoss Application Server instance type (one of default, minimal, production, standard, or web).

To configure SiteMinder Agent Authenticators at the global level

  1. Navigate to server/server_name/conf/
  2. Open the login-config.xml file in a text editor.
  3. Add the following application-policy element defining the SiteMinderDomain:
    <application-policy name="system.XMLAgent">
        <authentication>
          <login-module code="com.ca.soa.agent.appserver.jaas.XMLAgentLoginModule"
            flag="required">
            <module-option name="unauthenticatedIdentity">anonymous</module-option>
          </login-module>
        </authentication>
    </application-policy>
    
  4. Save the file and exit the text editor.

Restart the JBoss Application Server

Restart the JBoss Application Server to commit configuration changes you made for the SiteMinder Agent.

To restart the JBoss Application Server

  1. If necessary, stop the JBoss Application Server process.
  2. Open a command window.
  3. Navigate to the JBOSS_HOME/bin directory.
  4. Run the run.bat (Windows) or run.sh (UNIX) script.

The JBoss Application Server restarts with the configuration changes you made for the SiteMinder Agent.