I have created web services and trying to add security part of it. I'm using RAD and wondering how to add the username token in the webservices.xml extension tab?

Any help is appreciated.

Thanks.

A comment was added by @parthkansara asking about how to do this for a JAX-WS application. I'm answering that comment as an additional answer to this topic since there aren't enough characters to do so in the comment field.

You can add a WS-Security Policy and Bindings for a JAX-WS application in RAD. However, its not the most straightforward thing. Also, if you apply the policy/bindings with RAD and deploy, then modify them with the admin console, what you did with the admin console won't take effect. This is very confusing behavior and something I would frequently get trouble reports for until I wrote a troubleshooting article about it. If you are going to deploy your app with RAD, I suggest that you apply your policy/bindings with the admin console, NOT with RAD. If you do this, your policy/bindings will stay throughout redeploys; they'll only disappear if you uninstall your app.

I only suggest that you apply policy/bindings using RAD if you intend to export your ear, then install the ear with the admin console, not by deploying directly with RAD.

So, I'm going to give you the instructions for adding a UsernameToken on a RAD deployed application using the admin console.

The first thing that you need to do is make sure that your RAD is using resources on server, not workspace:

1. Window > Show view > Servers
2. In the Servers pane, right click on the server > Open

3. On the right, expand 'Publishing settings for WebSphere Application Server'

   • If it is currently set to 'Run server with resources within the workspace', do the following:
     1. Change the setting to 'Run server with resources on Server'
     2. Click File > Save

   • After changing to 'Run server with resources on Server', you must uninstall, then re-install the application. Just doing a redeploy does not suffice. Do the following:

     1. In the Servers pane, right click on the server > Add and Remove...
     2. In the Configured section on the right, select your application
     3. Click Remove
     4. Click Finish
     5. In the Servers pane, right click on the server > Add and Remove...
     6. In the Available section on the left, select your applicaiton
     7. Click Add
     8. Click Finish

Create a jax-ws custom policy set:

1. In the administrative console, click Services > Policy sets > Application Policy sets.
2. Click New.
3. Specify Name = UntPolicy.
4. Click Apply.
5. Under Policies, click Add > WS-Security.

Edit the custom policy set

1. Remove digital signature, encryption, and timestamp.
   1. In the administrative console, click WS-Security > Main Policy.
   2. Deselect Message level protection.
   3. Click Apply.
2. Add the UsernameToken.
   1. Under Policy details, click Request token policies.
   2. Select Add Token Type.
   3. Select UserName.
   4. Click OK.

Configure the client to use the UntPolicy policy set.

1. In the admin console, click Services > Service clients > (serviceName)
2. Check the Service/Endpoint/Operation to which you want the policy to apply. If you want it to apply to all of them, check only the one at the top.
3. Click Attach Policy Set > UntPolicy

Create a custom binding for the client.

1. Check the resource(s) again.
2. Click Assign Binding
3. Click New Application Specific Binding
4. Specify the bindings configuration name. name: untClientBinding
5. Click Add > WS-Security
6. If the Main Message Security Policy Bindings' panel does not display, select WS-Security.

Edit the custom binding for the client.

1. Click Authentication and Protection
2. Edit the identity token generator to send the identity username.
   1. Click request:myToken.
   2. Click Apply.
   3. Click Callback handler. User name=(yourUserid) Password=(yourPassword)
      • Avoid trouble: This is a userid/password that is valid on the user registry on the provider's system.
3. (Optional) If configuring a UsernameToken, add the following WS-Security custom properties:
   • com.ibm.wsspi.wssecurity.token.username.addNonce=true
   • com.ibm.wsspi.wssecurity.token.username.addTimestamp=true
   • These custom properties are added because they are specified on the UsernameToken consumer default provider general bindings. If we do not specify those properties here, you will either need to remove those properties from the default provider general bindings or create application-specific bindings for the provider that does not include those properties.
4. Click OK.
5. Click Save

Restart the application

• Once an application has been started with a policy attached, if the policy is modified, the app server must be restarted to pick up changes.
• Once an application has been started with a general binding attached, if the general binding is modified, the app server must be restarted to pick up the changes.

Test the application.

To see the inbound/outbound SOAP messages in a trace, do the following

1. Add the following trace spec:

   • com.ibm.ws.webservices.trace.*=all

2. Restart the application server.

3. Test the application.

4. Search the trace in (profileRoot)/logs/(serverName)/trace.log for the following string:

   • bound http
   • This should alternate between inbound and outboud messages.
5. If you have both the client and provider in the same JVM, you'll see all 4 messages:
   • Outbound HTTP SOAP request
   • Inbound HTTP SOAP request
   • Outbound HTTP SOAP response
   • Inbound HTTP SOAP response

Source: These steps were taken from this task in the WebSphere knowledge center:

https://www.ibm.com/support/knowledgecenter/SSAW57_9.0.0/com.ibm.websphere.nd.multiplatform.doc/ae/twbs_stand_alone_security_token.html

In the WebSphere WS-Security troubleshooting guide, there is a page that contains a list of the jax-ws policy/binding examples that are available:

WebSphere WS-Security Examples : JAX-WS Policy/Binding Configuration and Code Samples

There are a lot on that page including, but not limited to:

• UsernameToken
• LTPA
• Signature
• Encryption
• General Bindings
• SAML

I do this all the time, but I use the wizard because doing it manually is error-prone.

You didn't say if you were adding constraints to the client, provider or both. I'll give you instructions for both. I'm using HelloService and HelloSvcClient in my examples:

Add the stand-alone UsernameToken to the client:

1) Switch to the J2EE Perspective

a) Window->Open Perspective->Other->Java EE

b) Ok

2) Select the Services tab on the left

3) Expand JAX-RPC->Clients

4) Right click on HelloSvcClient: service/HelloService ->Secure Web Service Client->Add Stand Alone Security Token

• Token type: Username Token

• Callback handler: (choose one)

  ** NonPromptCallbackHandler (default -- hardcode username/password)

  ** GUIPromptCallbackHandler (to prompt the user for the username/password -- can't run on an app server)

  ** StdinPromptCallbackHandler (to get the uid/pw from stdin -- can't run on an app server)

5) Next

6) User Name and Password

• User ID: (userid)

• Password: (password)

7) Finish

Add the stand-alone UsernameToken to the provider:

1) Select the Services tab on the left

2) Expand JAX-RPC

3) Right click on HelloSvc: HelloService->Secure Web Service->Add Stand Alone Security Token

4) WS-Security Add a Service Side Security Token

• Token type: choose Username Token

• JAAS configuration name: system.wssecurity.UsernameToken

5) Finish

Remove the Caller Part from the Service Configuration if Necessary

If security is not enabled on your server, your service won't be able to authenticate. In this case, in the service consumer configuration, you'll have to remove the caller part for your token so that you don't get an error when you make your request. If you do have security enabled on your server, skip this step.

1) Select the Services tab on the left

2) Expand JAX-RPC

3) Right click on HelloSvc: HelloService->Show->Web Service Extensions Editor

4) Extensions tab

• Request Consumer Service Configuration Details->Caller Part

• If there's only one there, delete it

• If there's more than one there, find the one who's "Local name" entry corresponds to the token type that you added and delete it (for example, http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken for UsernameToken)

Re-Publish the Applications

1) Go to the Servers pane

2) Right click on the desired server->publish