<div class="pSmartList1"><ol type="1" class="pSmartList1"><a name="wp129099"> </a><div class="pSmartList1"><li>Set up your system for running the tutorial examples if you haven't done so already by following the instructions in <a  href="WebApp3.html#wp213795">Setting Up To Build and Deploy Tutorial Examples</a>.</li></div><a name="wp129115"> </a><div class="pSmartList1"><li>From a terminal window or command prompt, go to the <code class="cCode">&lt;</code><code class="cVariable">INSTALL</code><code class="cCode">&gt;/j2eetutorial14/examples/security/basicauth/</code> directory.</li></div><a name="wp142841"> </a><div class="pSmartList1"><li>Build the JAX-RPC service by entering the following at the terminal window or command prompt in the <code class="cCode">basicauth/</code> directory (this and the following steps that use <code class="cCode">asant</code> assume that you have the executable for <code class="cCode">asant</code> in your path: if not, you will need to provide the fully-qualified path to the executable). This command runs the target named <code class="cCode">build</code> in the <code class="cCode">build.xml</code> file.</li></div><a name="wp142842"> </a><p class="pBodyRelative"><code class="cCode">&nbsp;&nbsp;asant build</code></p><a name="wp395648"> </a><div class="pSmartList1"><li>Change to the <code class="cCode">&lt;</code><code class="cVariable">INSTALL</code><code class="cCode">&gt;/j2eetutorial14/examples/security/basicauthclient/</code> directory. 
Build the JAX-RPC client by entering the following at the terminal window or command prompt:</li></div><a name="wp395649"> </a><p class="pBodyRelative"><code class="cCode">&nbsp;&nbsp;</code> <code class="cCode">asant build</code></p></ol></div><a name="wp395664"> </a><h5 class="pHeading4">Package the Basic Authentication Example</h5><a name="wp395665"> </a><p class="pBody">You can package the basic authentication example using <code class="cCode">deploytool</code>, or just open the Web ARchive (WAR file) located in the <code class="cCode">&lt;</code><code class="cVariable">INSTALL</code><code class="cCode">&gt;/j2eetutorial14/examples/security/provided-wars/basicauth.war</code> file. This section shows the steps you use to package the JAX-RPC service. More detail on packaging JAX-RPC services can be found in <a  href="JAXRPC4.html#wp117438">Packaging the Service</a>.</p><div class="pSmartList1"><ol type="1" class="pSmartList1"><a name="wp395669"> </a><div class="pSmartList1"><li>Start the Application Server if you haven't already done so. Instructions for starting the Application Server can be found at <a  href="WebApp3.html#wp213803">Starting and Stopping the J2EE Application Server</a>.</li></div><a name="wp425475"> </a><div class="pSmartList1"><li>Start <code class="cCode">deploytool</code> if you haven't already done so. Information on starting <code class="cCode">deploytool</code> can be found in <a  href="WebApp3.html#wp213832">Starting the deploytool Utility</a>.</li></div><a name="wp395673"> </a><div class="pSmartList1"><li>Select File<span style="font-family: Symbol"><img src="images/arrwrite.gif" border="0" alt="Right Arrow"></span>New<span style="font-family: Symbol"><img src="images/arrwrite.gif" border="0" alt="Right Arrow"></span>Web Component from the <code class="cCode">deploytool</code> menu. 
The wizard displays the following dialog boxes.</li></div><div class="pSmartList2"><ol type="a" class="pSmartList2"><a name="wp395674"> </a><div class="pSmartList2"><li>Introduction dialog box </li></div><div class="pSmartList3"><ol type="1" class="pSmartList3"><a name="wp395675"> </a><div class="pSmartList3"><li>Read the explanatory text for an overview of the wizard's features. </li></div><a name="wp395676"> </a><div class="pSmartList3"><li>Click Next.</li></div></ol></div><a name="wp395677"> </a><div class="pSmartList2"><li>WAR File dialog box</li></div><div class="pSmartList3"><ol type="1" class="pSmartList3"><a name="wp395678"> </a><div class="pSmartList3"><li>Select the button labeled Create New Stand-Alone WAR Module.</li></div><a name="wp395679"> </a><div class="pSmartList3"><li>In the WAR Location field, enter <code class="cVariable">&lt;INSTALL&gt;</code><code class="cCode">/j2eetutorial14/examples/security/basicauth/BasicAuth.war.</code></li></div><a name="wp395680"> </a><div class="pSmartList3"><li>In the WAR Display Field, enter <code class="cCode">BasicAuth</code>.</li></div><a name="wp395681"> </a><div class="pSmartList3"><li>Click Edit.</li></div><a name="wp395682"> </a><div class="pSmartList3"><li>In the tree under Available Files, locate the <code class="cVariable">&lt;INSTALL&gt;</code>/<code class="cCode">j2eetutorial14</code>/<code class="cCode">examples/security/basicauth/</code> directory.</li></div><a name="wp395683"> </a><div class="pSmartList3"><li>Select the <code class="cCode">build/</code> subdirectory.</li></div><a name="wp395684"> </a><div class="pSmartList3"><li>Click Add. 
</li></div><a name="wp395685"> </a><div class="pSmartList3"><li>Click OK.</li></div><a name="wp395686"> </a><div class="pSmartList3"><li>Click Next.</li></div></ol></div><a name="wp395687"> </a><div class="pSmartList2"><li>Choose Component Type dialog box</li></div><div class="pSmartList3"><ol type="1" class="pSmartList3"><a name="wp395688"> </a><div class="pSmartList3"><li>Select the Web Services Endpoint button.</li></div><a name="wp395689"> </a><div class="pSmartList3"><li>Click Next.</li></div></ol></div><a name="wp395690"> </a><div class="pSmartList2"><li>Choose Service dialog box</li></div><div class="pSmartList3"><ol type="1" class="pSmartList3"><a name="wp395691"> </a><div class="pSmartList3"><li>In the WSDL File combo box, select <code class="cCode">WEB-INF/wsdl/MyBasicHelloService.wsdl</code>.</li></div><a name="wp395692"> </a><div class="pSmartList3"><li>In the Mapping File combo box, select <code class="cCode">build/mapping.xml</code>.</li></div><a name="wp395693"> </a><div class="pSmartList3"><li>Click Next.</li></div></ol></div><a name="wp395694"> </a><div class="pSmartList2"><li>Component General Properties dialog box</li></div><div class="pSmartList3"><ol type="1" class="pSmartList3"><a name="wp395695"> </a><div class="pSmartList3"><li>In the Service Endpoint Implementation combo box, select <code class="cCode">basicauth.HelloImpl</code>.</li></div><a name="wp395696"> </a><div class="pSmartList3"><li>Click Next.</li></div></ol></div><a name="wp395697"> </a><div class="pSmartList2"><li>Web Service Endpoint dialog box</li></div><div class="pSmartList3"><ol type="1" class="pSmartList3"><a name="wp395698"> </a><div class="pSmartList3"><li>In the Service Endpoint Interface combo box, select <code class="cCode">basicauth.HelloIF</code>.</li></div><a name="wp395699"> </a><div class="pSmartList3"><li>In the Namespace field, select <code class="cCode">urn:Foo</code>.</li></div><a name="wp395700"> </a><div class="pSmartList3"><li>In the Local Part field, 
select <code class="cCode">HelloIFPort</code>.</li></div><a name="wp395701"> </a><div class="pSmartList3"><li><code class="cCode">deploytool</code> will enter a default Endpoint Address URI <code class="cCode">HelloImpl</code> in this dialog. This endpoint address <em class="cEmphasis">must</em> be updated in the following steps. </li></div><a name="wp395702"> </a><div class="pSmartList3"><li>Click Next.</li></div><a name="wp395703"> </a><div class="pSmartList3"><li>Click Finish.</li></div><a name="wp395704"> </a><p class="pBodyRelative">To access <code class="cCode">MyHelloService</code>, the tutorial clients will specify this service endpoint address URI:</p><a name="wp395705"> </a><p class="pBodyRelative"><code class="cCode">http://localhost:8080/basicauth-jaxrpc/hello</code></p><a name="wp395706"> </a><p class="pBodyRelative">The <code class="cCode">/basicauth-jaxrpc</code> string is the context root of the servlet that implements <code class="cCode">MySecureHelloService</code>. The <code class="cCode">/hello</code> string is the servlet alias. 
</p></ol></div></ol></div><a name="wp395707"> </a><div class="pSmartList1"><li>Specify the endpoint address by setting the context root and alias as follows:</li></div><div class="pSmartList2"><ol type="a" class="pSmartList2"><a name="wp395708"> </a><div class="pSmartList2"><li>In <code class="cCode">deploytool</code>, select <code class="cCode">BasicAuth </code>in the tree.</li></div><a name="wp395709"> </a><div class="pSmartList2"><li>Select the General tab.</li></div><a name="wp395710"> </a><div class="pSmartList2"><li>In the Context Root field, enter <code class="cCode">basicauth-jaxrpc</code>.</li></div><a name="wp395711"> </a><div class="pSmartList2"><li>In the tree, select <code class="cCode">HelloImpl</code>.</li></div><a name="wp395712"> </a><div class="pSmartList2"><li>Select the Aliases tab.</li></div><a name="wp395713"> </a><div class="pSmartList2"><li>In the Component Aliases table, add <code class="cCode">/hello</code>. (Don't forget the forward slash.)</li></div><a name="wp395714"> </a><div class="pSmartList2"><li>In the Endpoint tab, select <code class="cCode">hello</code> for the Endpoint Address in the Sun-specific Settings Frame.</li></div><a name="wp395715"> </a><div class="pSmartList2"><li>Select File<span style="font-family: Symbol"><img src="images/arrwrite.gif" border="0" alt="Right Arrow"></span>Save.</li></div></ol></div></ol></div><a name="wp395820"> </a><h5 class="pHeading4">Adding Basic Authentication using deploytool</h5><a name="wp395821"> </a><p class="pBody">For HTTP basic authentication, the application deployment descriptor, <code class="cCode">web.xml</code>, includes the information on who is authorized to access the application, which URL patterns and HTTP methods are protected, and what type of user authentication method this application uses. 
This information is added to the deployment descriptor using <code class="cCode">deploytool</code>, and its contents are discussed in more detail in <a  href="Security4.html#wp299872">Web-Tier Security</a> and in the Java Servlet Specification, which can be browsed or downloaded online at <code class="cCode"><a  href="http://java.sun.com/products/servlet/" target="_blank">http://java.sun.com/products/servlet/</a></code>. </p><div class="pSmartList1"><ol type="1" class="pSmartList1"><a name="wp395833"> </a><div class="pSmartList1"><li>Select the basic authentication example in the <code class="cCode">deploytool</code> tree. </li></div><a name="wp395834"> </a><div class="pSmartList1"><li>Select the Security tabbed pane.</li></div><a name="wp395835"> </a><div class="pSmartList1"><li>Select Basic for the User Authentication Method.</li></div><a name="wp395836"> </a><div class="pSmartList1"><li>Select Add Constraints to add a Security Constraint.</li></div><a name="wp395837"> </a><div class="pSmartList1"><li>Select Add Collection to add a Web Resource Collection.</li></div><a name="wp395838"> </a><div class="pSmartList1"><li>Select the Web Resource Collection from the list, then select Edit Collections.</li></div><a name="wp395839"> </a><div class="pSmartList1"><li>Select Add URL Pattern. Enter <code class="cCode">/hello</code> in the text field. Click OK.</li></div><a name="wp395840"> </a><div class="pSmartList1"><li>Select the HTTP <code class="cCode">GET</code> and <code class="cCode">POST</code> methods.</li></div><a name="wp395841"> </a><div class="pSmartList1"><li>Click OK to close the Edit Contents dialog.</li></div><a name="wp395842"> </a><div class="pSmartList1"><li>Select Edit Roles on the Security tabbed pane to specify an authorized role for this application.</li></div><a name="wp395843"> </a><div class="pSmartList1"><li>Click Edit Roles in the Authorized Roles dialog to add an authorized user to this application. 
Click Add in the Edit Roles dialog and add the Name of <code class="cCode">admin</code>. Click OK to close this dialog.</li></div><a name="wp395844"> </a><div class="pSmartList1"><li>Select admin under the Roles in column, then click Add to add it to the list of authorized roles for this application. Click OK to close the dialog.</li></div></ol></div><a name="wp395845"> </a><p class="pBody">Note that the Authorized Roles list specifies <code class="cCode">admin</code>, a group that was specified during installation. For more information on defining and linking roles to users and groups defined on the server, see <a  href="Security3.html#wp79740">Setting up Security Roles</a>.</p><a name="wp300011"> </a><h5 class="pHeading4">Deploy the Basic Authentication Example</h5><div class="pSmartList1"><ol type="1" class="pSmartList1"><a name="wp395814"> </a><div class="pSmartList1"><li>Start the Application Server if you have not already done so. </li></div><a name="wp299209"> </a><div class="pSmartList1"><li>Deploy the WAR that contains the JAX-RPC service by selecting the <code class="cCode">BasicAuth</code> application in the <code class="cCode">deploytool</code> tree, then select Tools<span style="font-family: Symbol"><img src="images/arrwrite.gif" border="0" alt="Right Arrow"></span>Deploy.</li></div></ol></div><a name="wp212605"> </a><h5 class="pHeading4">Running the Basic Authentication Example</h5><div class="pSmartList1"><ol type="1" class="pSmartList1"><a name="wp395862"> </a><div class="pSmartList1"><li>Run the JAX-RPC client by entering the following at the terminal window or command prompt in the <code class="cCode">basicauthclient/</code> directory:</li></div><a name="wp212606"> </a><p class="pBodyRelative"><code class="cCode">&nbsp;&nbsp;asant run</code></p></ol></div><a name="wp212607"> </a><p class="pBody">The client should display the following output: </p><div class="pPreformattedRelative"><pre class="pPreformattedRelative"><code class="cCode">Buildfile: build.xml
run-secure-client:
&nbsp;&nbsp;&nbsp;[java] username: your_name
&nbsp;&nbsp;&nbsp;[java] password: your_pwd
&nbsp;&nbsp;&nbsp;[java] Endpoint address = http://localhost:8080/basicauth-jaxrpc/hello
&nbsp;&nbsp;&nbsp;[java] Hello Duke (secure)
BUILD SUCCESSFUL</code><a name="wp129119"> </a></pre></div>
<a name="wp129121"> </a><h3 class="pHeading2">Example: Client-Certificate Authentication over HTTP/SSL with JAX-RPC</h3><a name="wp156952"> </a><p class="pBody">In this section, we discuss how to configure a simple JAX-RPC-based Web service application for client-certificate authentication over HTTP/SSL. <span style="font-style: italic">Client-certificate authentication </span>uses HTTP over SSL, in which the server and, optionally, the client authenticate one another with Public Key Certificates. If the topic of authentication is new to you, please refer to the section titled <a  href="Security5.html#wp182253">Using Login Authentication</a>.</p><a name="wp153287"> </a><p class="pBody">This example application starts with the example application in <code class="cCode">&lt;</code><code class="cVariable">INSTALL</code><code class="cCode">&gt;/j2eetutorial14/examples/jaxrpc/helloservice/</code> and adds both client and server authentication to the example. In SSL certificate-based basic authentication, the server presents its certificate to the client, and the client authenticates to the server by sending its user name and password. This type of authentication is sometimes called server authentication. Mutual authentication adds the dimension of client authentication. 
For mutual authentication, we need both the client's identity, as contained in a client certificate, and the server's identity, as contained in a server certificate inside a keystore file (<code class="cCode">keystore.jks</code>), and we need both of these identities to be contained in a mutual trust-store (<code class="cCode">cacerts.jks</code>) where they can be verified.</p><a name="wp129123"> </a><p class="pBody">To add mutual authentication to the <code class="cCode">&lt;</code><code class="cVariable">INSTALL</code><code class="cCode">&gt;/j2eetutorial14/examples/jaxrpc/helloservice/</code> example, we need to complete the following steps. In the example application included with this tutorial, many of these steps have been completed for you and are listed here expressly for the purpose of listing what needs to be done should you wish to create a similar application outside of this tutorial.</p><div class="pSmartList1"><ol type="1" class="pSmartList1"><a name="wp157006"> </a><div class="pSmartList1"><li>Create the appropriate certificates and keystores. For this example, the certificates and keystores are created for a generic <code class="cCode">localhost</code> and are included with the J2EE 1.4 Application Server. See the section <a  href="Security7.html#wp129155">Keystores and Trust-Stores in the Mutual Authentication Example</a> for a discussion of these files. If you are creating a different application, refer to the section <a  href="Security6.html#wp80737">Setting Up Digital Certificates</a> for more information on creating the keystores and certificates and importing the client and server identity into the trust-store.</li></div><a name="wp372602"> </a><div class="pSmartList1"><li>Edit the <code class="cCode">build.properties</code> files to add the location and password to the trust-store, and other properties, as appropriate. 
For a discussion of the modifications that need to be made to <code class="cCode">build.properties</code>, see <a  href="Security7.html#wp153397">Modifying the Build Properties</a>.</li></div><a name="wp153348"> </a><div class="pSmartList1"><li>Set security properties in the client code. For the example application, this step has been completed. For a discussion of the security properties that have been set in <code class="cCode">HelloClient</code>, see <a  href="Security7.html#wp153480">Setting Security Properties in the Client Code</a>.</li></div><a name="wp159950"> </a><div class="pSmartList1"><li>Add the appropriate security elements using <code class="cCode">deploytool</code>. The security elements are discussed in the section <a  href="Security7.html#wp129183">Enabling Mutual Authentication over SSL</a>.</li></div><a name="wp153352"> </a><div class="pSmartList1"><li>Build and package the client and server files, deploy the server, and run the client (see <a  href="Security7.html#wp395388">Build, Package, Deploy, and Run the Mutual Authentication Example</a>). You will use the <code class="cCode">asant</code> tool to compile and <code class="cCode">deploytool</code> to deploy the example application.</li></div></ol></div><a name="wp129155"> </a><h4 class="pHeading3">Keystores and Trust-Stores in the Mutual Authentication Example</h4>
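<p class="pBody">Added example, not part of the original tutorial: a Python check over a constructed <code class="cCode">web.xml</code> fragment that mirrors the choices made earlier in Adding Basic Authentication using deploytool (<code class="cCode">/hello</code>, GET and POST, role <code class="cCode">admin</code>, Basic). The descriptor text that <code class="cCode">deploytool</code> actually writes, and the names <code class="cCode">audit_web_xml</code>, <code class="cCode">WEB_XML</code> and <code class="cCode">WRCollection</code>, are assumptions.</p>

```python
import xml.etree.ElementTree as ET

# Constructed sample: a web.xml fragment matching the choices made in the
# deploytool steps (/hello, GET and POST, role admin, BASIC).
# The exact descriptor deploytool writes is an assumption.
WEB_XML = """\
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WRCollection</web-resource-name>
      <url-pattern>/hello</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>
"""

STANDARD_METHODS = ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE")

def _strip_ns(root):
    """Drop XML namespaces so lookups work for any descriptor version."""
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root

def audit_web_xml(xml_text):
    """Return a list of (url_pattern, finding) tuples for a web.xml string."""
    root = _strip_ns(ET.fromstring(xml_text))
    auth = (root.findtext("login-config/auth-method") or "").strip().upper()
    findings = []
    for sc in root.findall("security-constraint"):
        tg = sc.findtext("user-data-constraint/transport-guarantee") or "NONE"
        for wrc in sc.findall("web-resource-collection"):
            listed = {m.text.strip().upper() for m in wrc.findall("http-method")}
            for pat in wrc.findall("url-pattern"):
                url = pat.text.strip()
                if listed:  # a method list limits the constraint to those methods
                    rest = [m for m in STANDARD_METHODS if m not in listed]
                    findings.append((url, "unconstrained methods: " + ",".join(rest)))
                if auth == "BASIC" and tg.strip().upper() != "CONFIDENTIAL":
                    findings.append((url, "BASIC credentials sent without CONFIDENTIAL transport"))
    return findings

if __name__ == "__main__":
    for url, finding in audit_web_xml(WEB_XML):
        print(url, "->", finding)
```

<p class="pBody">A constraint with no <code class="cCode">http-method</code> elements applies to every method, and a <code class="cCode">user-data-constraint</code> with a <code class="cCode">transport-guarantee</code> of <code class="cCode">CONFIDENTIAL</code> keeps the Basic credentials off plain HTTP; a descriptor with both changes produces no findings.</p>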
