A simple JAX-WS Web Service with (Galileo) Eclipse

Here's a good tutorial from Grégory Le Bonniec's blog

http://java-soa.blogspot.com/2008/07/simple-jax-ws-web-service-with-eclipse.html

The tutorial is posted two years ago, so I made some adjustment using GALILEO Eclipse for Microsoft Windows now with Apache Tomcat 6.0 as the target runtime server.

Ignore the JAXWS_ROOT, the wsimport executable file can be found in your JDK bin folder. In my case it's: C:\Program Files\Java\jdk1.6.0_18\bin\wsimport.exe

You also need to download the following JAR files (www.jarfinder.com) and save these in your project's WEB-INF/lib folder:

jaxb-impl-2.1.8.jar
jaxws-rt-2.1.4.jar
stax-ex-1.2.jar
streambuffer-0.8.jar

Happy coding =)

Web Services Tutorial from SUN

http://java.sun.com/webservices/docs/2.0/tutorial/doc/

The Java Web Services Tutorial addresses the following technology areas:

The Java Architecture for XML Web Services (JAX-WS)
The Java Architecture for XML Binding (JAXB)
The StAX APIs and the Sun Java Streaming XML Parser implementation
SOAP with Attachments API for Java (SAAJ)
The Java Architecture for XML Registries
XML Digital Signature
Security in the Web Tier

WS Security Configuration

Reference : http://www.netbeans.org/kb/60/websvc/wsit.html

• Security Mechanism. Specifies the approach used for securing the web service. Here, Username Authentication with Symmetric Keys is selected. The Username Authentication with Symmetric Keys mechanism protects your application for integrity and confidentiality. Symmetric key cryptography relies on a single, shared secret key that is used to both sign and encrypt a message. Symmetric keys are usually faster than public key cryptography.

  For this mechanism, the client does not possess any certificate/key of his own, but instead sends its username/password for authentication. The client shares a secret key with the server. The shared, symmetric key is generated at runtime and encrypted using the service's certificate. The client must specify the alias in the truststore by identifying the server's certificate alias. The other security mechanisms are explained later in this tutorial.

  
  

  • Mutual Certificates Security. The Mutual Certificates Security mechanism adds security via authentication and message protection that ensures integrity and confidentiality. When using mutual certificates, a keystore and truststore file must be configured for both the client and server sides of the application.
  • Transport Security (SSL). The Transport Security mechanism protects your application during transport using SSL for authentication and confidentiality. Transport-layer security is provided by the transport mechanisms used to transmit information over the wire between clients and providers, thus transport-layer security relies on secure HTTP transport (HTTPS) using Secure Sockets Layer (SSL). Transport security is a point-to-point security mechanism that can be used for authentication, message integrity, and confidentiality. When running over an SSL-protected session, the server and client can authenticate one another and negotiate an encryption algorithm and cryptographic keys before the application protocol transmits or receives its first byte of data. Security is "live" from the time it leaves the consumer until it arrives at the provider, or vice versa. The problem is that it is not protected once it gets to its destination. For protection of data after it reaches its destination, use one of the security mechanisms that uses SSL and also secures data at the message level.

    Digital certificates are necessary when running secure HTTP transport (HTTPS) using Secure Sockets Layer (SSL). The HTTPS service of most web servers will not run unless a digital certificate has been installed. Digital certificates have already been created for GlassFish, and the default certificates are sufficient for running this mechanism, and are required when using Atomic Transactions. However, the message security mechanisms require a newer version of certificates than is available with GlassFish. You can download valid keystore and truststore files for the client and server as described in Updating GlassFish Certificates.

  • Message Authentication over SSL. The Message Authentication over SSL mechanism attaches a cryptographically secured identity or authentication token with the message and use SSL for confidentiality protection.
  • SAML Authorization over SSL. The SAML Authorization over SSL mechanism attaches an authorization token with the message and uses SSL for confidentiality protection. In this mechanism, the SAML token is expected to carry some authorization information about an end user. The sender of the token is actually vouching for the credentials in the SAML token.
  • Endorsing Certificate. This mechanism uses secure messages using symmetric key for integrity and confidentiality protection, and uses an endorsing client certificate to augment the claims provided by the token associated with the message signature. For this mechanism, the client knows the service's certificate, and requests need to be endorsed/authorized by a special identity. For example, all requests to a vendor must be endorsed by a purchase manager, so the certificate of the purchase manager should be used to endorse (or counter sign) the original request.
  • SAML Sender Vouches with Certificates. This mechanism protects messages with mutual certificates for integrity and confidentiality and with a Sender Vouches SAML token for authorization. The Sender Vouches method establishes the correspondence between a SOAP message and the SAML assertions added to the SOAP message. The attesting entity provides the confirmation evidence that will be used to establish the correspondence between the subject of the SAML subject statements (in SAML assertions) and SOAP message content. The attesting entity, presumed to be different from the subject, vouches for the verification of the subject. The receiver has an existing trust relationship with the attesting entity. The attesting entity protects the assertions (containing the subject statements) in combination with the message content against modification by another party.

    For this mechanism, the SAML token is included as part of the message signature as an authorization token and is sent only to the recipient. The message payload needs to be signed and encrypted. The requestor is vouching for the credentials (present in the SAML assertion) of the entity on behalf of which the requestor is acting.

    The initiator token, which is an X.509 token, is used for signature. The recipient token, which is also an X.509 token, is used for encryption. For the server, this is reversed, the recipient token is the signature token and the initiator token is the encryption token. A SAML token is used for authorization.

  • SAML Holder of Key. This mechanism protects messages with a signed SAML assertion (issued by a trusted authority) carrying client public key and authorization information with integrity and confidentiality protection using mutual certificates. The Holder-of-Key (HOK) method establishes the correspondence between a SOAP message and the SAML assertions added to the SOAP message. The attesting entity includes a signature that can be verified with the key information in the confirmation method of the subject statements of the SAML assertion referenced for key info for the signature.

    Under this scenario, the service does not trust the client directly, but requires the client to send a SAML assertion issued by a particular SAML authority. The client knows the recipient's public key, but does not share a direct trust relationship with the recipient. The recipient has a trust relationship with the authority that issues the SAML token. The request is signed with the client's private key and encrypted with the server certificate. The response is signed using the server's private key and encrypted using the key provided within the HOK SAML assertion.

• Use Development Defaults. Select this option to import certificates into the GlassFish keystore and truststore, so that they can be used immediately for development. Because the default certificates are not in an appropriate format to be used in this context, this import is done for you, so that you do not need to do this manually yourself. In addition to importing certificats, a default user is created in the "file" realm, with username "wsitUser". In a production environment, you will probably want to provide your own certificates and user settings, however, in a development environment you may find these defaults useful.

Definition of Terms

1. DOM - Document Object Model.
   
2. EJB - Enterprise JavaBean
   
3. JAX-WS - Java API for XML Web Services
   
4. JAXB - Java Architecture for XML Binding
   
5. JAXP - Java API for XML Processing
   
6. JAXR - Java API for XML Registries
   
7. JMS - Java Message Service
   
8. JSON - JavaScript Object Notation
   
9. REST - Representational State Transfer
   
10. SAAJ - SOAP with Attachments API for Java
    
11. SAML - Security Assertion Markup Language
    
12. SAX - Simple API for XML
    
13. SOAP - Simple Object Access Protocol
    
14. StAX - Streaming API for XML
    
15. UDDI - Universal Description Discovery and Integration. UDDI is a directory service where businesses can register and search for Web services. It is a platform-independent framework for describing services, discovering businesses, and integrating business services by using the Internet.
    
16. WCF - Windows Communication Foundation
    
17. WS-I - Web Services Interoperability
    
18. WSDL - Web Services Description Language. WSDL is an XML-based language for describing Web services and how to access them.
    
19. WSIT- Web Services Interoperability Technology
    
20. XACML - eXtensible Access Control Markup Language
    
21. XKMS - XML Key Management Specification
    
22. XML - Extensible Markup Language
    
23. XSLT - Extensible Stylesheet Language Transformations
    

Section 12: Endpoint Design and Architecture

12.1 Given a scenario, design Web Service applications using information models that are either procedure-style or document-style.

12.2 Describe the function of the service interaction and processing layers in a Web service.

12.3 Design a Web service for an asynchronous, document-style process and describe how to refactor a Web Service from a synchronous to an asynchronous model.

12.4 Describe how the characteristics, such as resource utilization, conversational capabilities, and operational modes, of the various types of Web service clients impact the design of a Web service or determine the type of client that might interact with a particular service.

Section 11: General Design and Architecture

11.1 Describe the characteristics of a Service Oriented Architecture (SOA) and how Web services fit to this model.

11.2 Given a scenario, design a Java EE web service using Web Services Design Patterns (Asynchronous Interaction, JMS Bridge, Web Service Cache, Web Service Broker), and Best Practices.

11.3 Describe how to handle the various types of return values, faults, errors, and exceptions that can occur during a Web service interaction.

11.4 Describe the role that Web services play when integrating data, application functions, or business processes in a Java EE application.

Section 10: Web Services Interoperability Technologies

10.1 Describe WSIT, the features of each WSIT technology and the standards that WSIT Implements for each technology and how it works.

10.2. Describe how to create a WSIT client from a Web Service Description Language (WSDL) file.

10.3 Describe how to configure web service providers and clients to use message optimization.

10.4 Create a Microsoft Windows Communication Foundation (WCF) client that accesses a Java web service.

10.5 Describes the best practices for production and consumption of data interoperability between WCF web services and Java web service clients or between Java web services and WCF web service clients.