Igor Kromin |   Consultant. Coder. Blogger. Tinkerer. Gamer.

NOTE: This article is 3 years or older so its information may no longer be relevant. Read on at your own discretion! Comments for this article have automatically been locked, refer to the FAQ for more details.
I've written earlier about adding basic HTTP authentication to a web service. That example forced the user of the web service to authenticate using basic authentication before a request would be served, however the username and password in this case are prone to sniffing and can be retrieved with relative ease. This is easily addressed by setting up your deployment so that WebLogic forces the use of HTTPS/SSL URLs web making requests.

Making this change is almost trivial. Simply change the transport-guarantee element of your web.xml file. There are three possible values for this, NONE, INTEGRAL and CONFIDENTIAL. Both of the latter force SSL.

Here's more information from WebLogic documentation:
Specifies data security requirements for communications between the client and the server.

Range of values:

NONE—The application does not require any transport guarantees.

INTEGRAL—The application requires that the data be sent between the client and server in such a way that it cannot be changed in transit.

CONFIDENTIAL—The application requires that data be transmitted so as to prevent other entities from observing the contents of the transmission.

WebLogic Server establishes a Secure Sockets Layer (SSL) connection when the user is authenticated using the INTEGRAL or CONFIDENTIAL transport guarantee.


In my case, I change the web.xml to something like this:
 web.xml
...
<user-data-constraint>
<description>The application requires that the data be sent between the client and server in such a way that it cannot be changed in transit.</description>
<transport-guarantee>INTEGRAL</transport-guarantee>
</user-data-constraint>
...




Now even when using basic authentication, since SSL is used, the username and password will be encrypted. It is still possible to send a request to the non-SSL URL for the web service however. In this case, WebLogic will respond with the testing page instead of forwarding the request to the web service.
wlssectestpage.png


-i

Skip down to comments...
Hope you found this post useful...

...so please read on! I love writing articles that provide beneficial information, tips and examples to my readers. All information on my blog is provided free of charge and I encourage you to share it as you wish. There is a small favour I ask in return however - engage in comments below, provide feedback, and if you see mistakes let me know.

If you want to show additional support and help me pay for web hosting and domain name registration, donations, no matter how small, are always welcome!

Use of any information contained in this blog post/article is subject to this disclaimer.
 
comments powered by Disqus
Other posts you may like...