Sunday, June 28, 2015

Secure Web service using ESB as Integration Layer

Secure Web service using ESB as Integration Layer


Security is a critical to  web services. Authentication and Authorization are key aspect to a any software system.Security is is even more important for web services because of

most of businesses expect to perform their transactions over the internet those transactions are occur from program to program rather than human consumtions(from human to program.)
more and more business functions are exposed as Web services, the sheer number of participants in a Web services environment will be larger than what we have seen in other environment.

In SOA environment many services are integrated to provide aggregated functionalities.Since those services should always authenticate and authorize the user.There are different level of access roles to the users.those data are stored as policy in a file.System needs to check aginst policy file when it gets user request for  different access functionality.This is authorization.
And also system should ensure the user identity before the authorization process.System need to ensure whether request comes from human or impersonal request.

In an SOA environment which most of the time is realized using web services, Username Token and HTTP basic authentication can be used to authenticate the users
WS-security provide different type of standards security techniques
1.user name token,
2.X509 signature based authentication.
3.kerborse token based authentication

In here I use easiest user name token method.
Now I am going to create secure proxy service to secure my OrderProcessing web service which is already deployed in axis2 server.

1. Add a new pass through proxy  and specify an endpoint of a running service there.To specify the target end point you have to use your axis service URI.
First start the axis2 server:
[axis2Home]/bin$ sh axis2server.sh
 
example:Orderprocessing service
http://localhost:8080/axis2/services/SampleOrderProcessService?wsdl
2. Then go to the  services list,now you can see OrderProcessingProxy  service displays as unsecured.
  




Click on the service which you want to secure.

 







Click "Security" in the "Quality of Service Configuration" panel.Then it will redirect to the place where user can enable username password security for the specific webservice.

3. Select usernametoken under the basic  scenarios

4. then select the user group who can access the service.

 











WSO2 ESB admin console will display the service as secured, and we can only invoke this service using https:// endpoint now.

5.Now we can test secured web service using client.I have used SOAP UI as a sample client.I created soap project using  OrderProcessingService wsdl.


 



while requesting the service client need to provide username and password.Since I have given admin as user group i used default  username:admin,password:admin to access my secured web service.

Friday, June 5, 2015

Create a simple web service with Axis2

Introduction of Axis2

Apache Axis2 is the next generation of the apache web services stack. Apache axis2 was born with experiences of past two generations of apache service stack,Apache SOAP and Axis1.x. Axis2 comes with lots of new features,enhancements and new industry specifications including AXIOM, Asynchronous Web services, MTOM, MEP support and archive based deployment architecture.
Axis2 is mainly a soap processing engine. its main task is to deliver incoming soap messages to target endpoints.

 AXIOM

One of the main goal of introducing axis2 is to provide better xml processing mechanism. Axis used DOM as xml processing mechanism. but there are some of drawbacks,because it needs to keep complete object hierarchy in memory. Therefore Axis2 introduce Axiom(Axis2 object model).All messages in axis2 are represented as object models. 

  • This sample demonstrate the complete process for the deploy web services through a axis2 server.


    1.Run the Axis2 soap engine

    first need to download Axis2 Standard binary distribution here .Distribution includes variety of *.jar 's and scripts that ease development.

    <Axis2_Home>/bin/ directory includes axis2server.sh (axis2server.bat) file that enable start the axis2 server engine.

    ~/Documents/axis2-1.6.2/bin$ sh axis2server.sh

    1.Axis2 Server started



       


    2.Create Order Processing web service

    This is my sample order processing web service. There are three methods

     i    addOrder- allow users to add orders- take argument, return values
  • ii. cancelOrder-allow users to cancel the order- only  argument, no return     values.

    iii. getOrders-allow users to retrieve back only all placed orders-take argument,return value.

    + create web service by using Eclips IDE. First of all create java project as SampleOrderProcessingService.

    + then add

        axiom-api-x.x.xx
        axiom-dom.x.x.xx
        axiom-impl.x.x.xx
        
     as external JAR s to the project. These JARs can be found in <AXIS2_HOME>/lib folder.

    2.jar files

    +add the following service class codes to your own service class

  •     This is my Model.java class

    complete Sample OrderprocessingService class can be download in following link.here

    + need to write service.xml file for deploy above service through Axis2 Server by specifing service operations.
    First create META-INF folder at the root level.Add the services.xml to in it.


    Now our sampleOrderProcessing Service has already deployed in the server.

    SampleOrderProcessing File can download from here:here
    That's all my blog post regarding creating axis2 web service.I expect to post  client program to invoke the above web service in my next post.