Post on 21-Jan-2021
Table of Contents
Revision InformationIntroduction
Document PurposeTarget ReadersRemarksDocument Structure
OverviewWhat is Web Service ?SOAPWSDLApache Axis2
Authentication/AuthorizationFunction OverviewSystem OverviewAuthentication ModuleAuthorization Setting for Web Service OperationWeb Service Provider Authentication/Authorization Setting
SOAP Fault Code of Authentication/Authorizationwsse:InvaildRequestwsse:BadRequestwsse:AuthenticationBadElementswsse:ExpiredDatawsse:InvalidSecurityTokenwsse:FailedAuthenticationwsse:RequestFailedwsse:TenantNotResolvedwsse:InvalidLoginGroupIDwsse:TenantIdNotMatchwsse:FailedTenantSwitch
AppendixCreating aar FileAbout Apache Axis2 Administration ConsoleAbout services.xmlDeploying Web ServiceHow to apply Axis2 Module [im_ws_auth]About WSDL in Distributed EnvironmentAdding the Authentication ModuleSOAP Message MonitoringAbout Web Service that does not require Authentication/Authorization
Revision Information
RevisionDate Updated Contents
2013-10-01
Initial Version
2014-04-01
Version 2 Following additions/changes have been made.
Added descriptions about tenant at Web Service execution time to [ System Overview]Added [<wsTenantIdResolveType> Tag ]Added [wsse:TenantNotResolved ]Added [wsse:InvalidLoginGroupID ]Added [wsse:TenantIdNotMatch ]Added [wsse:FailedTenantSwitch ]
Introduction
Document Purpose
This document describes the Web Service and its authentication/authorization function in intra-mart Accel Platform.
Web Service SpecificationsVERSION 2 2014-04-01
intra-mart Accel Platform
1
Followings are described.
Web Service OverviewWeb Service Authentication/Authorization
Target Readers
Followings are the target readers of this document.
Operator who manages Web Service of intra-mart Accel PlatformApplication developers who provide Web Service ProviderApplication developers who use Web Service Client
Remarks
1. There are some limitations in using Web Service. Please refer to [ Release Note Limitations] for details about limitations.
Document Structure
Overview
Web Service overview is described.
Authentication/Authorization
Authentication/Authorization of Web Service deployed on intra-mart Accel Platform is described.
SOAP Fault Code of Authentication/Authorization
SOAP Fault Code that could occur in authentication/authorization function at Web Service execution time isdescribed.
Appendix
Useful information for the management or development of Web Service is presented.
Overview
Topics
What is Web Service ?Web Service Provider and Web Service Client
SOAPSOAP Fault
WSDLXML SchemaWeb Service Operation
Apache Axis2
What is Web Service ?
[Web Service] refers to the technologies that use internet and the services utilizing them. [Web Service] addressed in this documentrefers to Web Service that use SOAP and WSDL.
Web Service Provider and Web Service Client
In this document, [Web Service Provider] is the one that provides Web Service, and [Web Service Client] is the one that utilizes WebService.
intra-mart Accel Platform
2
SOAP
SOAP is a protocol to exchange messages in XML format.Web Service exchanges SOAP XML messages (SOAP Envelope) according to the protocol.
SOAP Envelope is made up of the 2 parts below :
SOAP HeaderAdditional information is saved. It is optional.
SOAP BodyMain information (data) is saved.
SOAP is a protocol for the software to exchange data each other. SOAP Envelope does not have descriptions about communicationprotocol, and therefore can be used in various scenes in common.
Please refer to books or Web sites for details about SOAP. Please refer to [ Web Services Activity ] of W3C for the specifications ofSOAP.
SOAP Fault
In SOAP, if any error occurs in Web Service Provider, the error information would be saved in SOAP Body and can be returned to WebService Client. This error information is called [SOAP Fault].SOAP Fault is made up of error code, error message, and error detail.
WSDL
WSDL(Web Services Description Language) is the XML-based language specification to describe Web Service.Following information necessary for the use of Web Service is stated :
Access point of Web ServiceCommunication protocol of Web ServiceInput information to use Web ServiceExecution result format of Web Service
Web Service Client uses Web Service based on the interface of Web Service stated in WSDL.WSDL is made up of the following elements :
wsdl:definitions
wsdl:types
wsdl:message
wsdl:operation
wsdl:postType
wsdl:binding
wsdl:port
wsdl:service
Please refer to books or Web sites for the detail information about WSDL. Please refer to [Web Services Activity ] of W3C for thespecifications of WSDL.
intra-mart Accel Platform
3
XML Schema
wsdl:types element of WSDL defines the format of XML messages exchanged in Web Service. It uses [XML Schema] as the schemalanguage that defines XML message structure.
Please refer to books or Web sites for the detail information about XML schema. Please refer to [ XML Schema] of W3C for thespecifications of XML schema.
Web Service Operation
Web Service Operation means operations defined in Web Service. Web Service Operation is defined by wsdl:operation element ofWSDL.
Apache Axis2
In intra-mart Accel Platform, [Apache Axis2] is adopted as Web Service engine.
Authentication/Authorization
Topics
Function OverviewAuthenticationAuthorizationLog-in
System OverviewAuthentication/Authorization FlowUser InformationAuthentication Module Execution ClassAuthentication ModuleImplementation Class of Web Service (Web Service Provider)Web Service Client
Authentication ModuleWSSE Authentication ModuleAuthentication Module for Plain Text PasswordAuthentication Module for Unauthenticated UserUsing Original Authentication Module
Authorization Setting for Web Service OperationWeb Service Provider Authentication/Authorization Setting
<authModule> Tag<enablePlainTextPassword> Tag<enableAuthentication> Tag<enableAuthorization> Tag<showSoapFaultDetail> Tag<wsUserInfoArgumentName> Tag<wsTenantIdResolveType> TagAuthentication Module Unique Settings
Function Overview
On intra-mart Accel Platform, authentication/authorization and log-in to intra-mart Accel Platform are performed at Web Serviceexecution time. Web Service‘s that are available from Web Service Client are limited by authentication/authorization.
Authentication
Check if user of received user information can use intra-mart Accel Platform.If the authentication did not work, you cannot execute Web Service.By this, you can perform user-based access control.
Authorization
Check if [Permission] to execute Web Service Operation is given to the user of received user information.By this, you can perform authority-based access control.
Please refer to [Authorization Specifications] for information about authorization.
intra-mart Accel Platform
4
Authorization resource setting to Web Service should be performed by services.xml.Please refer to [Specifying Authorization Resource for services.xml ] for detail.
Please refer to [Authorization Setting for Web Service Operation] for authorization setting method by administrator.
Log-in
Log-in is performed after authentication and authorization are done. By this, Web Service implementer can implement business processwithout considering log-in process.Additionally you will be able to reuse existing business process easily. Specifically, you will be able to utilize the process that usesAccess Context as a business process of Web Service without any change.
Please refer to [Access Context in Script Development Model Programming Guide] or [SAStruts+S2JDBC Programming GuideAccess Context] for the detail information about Access Context.
System Overview
Authentication/Authorization Flow
Authentication/Authorization flow for Web Service is shown below :
Authentication/authorization is performed based on the user information saved in SOAP Body. Please refer to [ AuthenticationModule] for details.
User Information
Uer information is structured by the followings.
Log-in group IDUser IDAuthentication TypePassword
Please refer to Log-in Group ID for the value to be specified to Log-in group ID.Account user code should be specified to User ID.For the Authentication Type Authentication Module to be used in Web Service Provider is specified.Contents to be saved in Password will vary depending on the authentication type.
Log-in Group ID
Subject tenant that executes authentication/authorization and Web Service is specified.Value which should be specified depends on the version or settings of intra-mart Accel Platform.
In case of intra-mart Accel Platform 2013 Winter or earlier
You do not need to specify anything to log-in group ID. (Action of authentication/authorization or Web Service will not be
intra-mart Accel Platform
5
affected by the specified value.)
In case of intra-mart Accel Platform 2014 Spring or later
Tenant ID of the tenant for Web Service execution should be specified to log-in group ID.Behaviors when the log-in group ID is omitted would be as follows :
In case tenant automatic resolution function that uses the request information is used
Authentication/authorization and Web Service would be executed by the tenant that was automaticallyresolved using the request information.However, if wsTenantIdResolveType setting of Web Service Provider Authentication/AuthorizationSetting is strict, it cannot be omitted. (If it is omitted, SOAP Fault wsse:InvalidLoginGroupID will occur.)
In case the tenant automatic resolution function that uses the request information is not used
Authentication/authentication and Web Service would be executed by the default tenant.
Note
Please refer to [Tenant Resolution Function] in Setup Guide for [Tenant Automatic Resolution Functionthat uses Request Information].
About User Information Definition in WSDL
Message format to pass the user information described in User Information should be defined in WSDL.Specifically, WSUserInfo that is defined in the XML schema below should be defined as elemenet name wsUserInfo in the first argument ofWeb Service Operation.
<xs:schema attributeFormDefault="qualified" elementFormDefault="qualified" targetNamespace="http://auth.web_service.foundation.intra_mart.co.jp/xsd"> <xs:complexType name="WSUserInfo"> <xs:sequence> <xs:element minOccurs="0" name="authType" nillable="true" type="xs:string"/> <xs:element minOccurs="0" name="loginGroupID" nillable="true" type="xs:string"/> <xs:element minOccurs="0" name="password" nillable="true" type="xs:string"/> <xs:element minOccurs="0" name="userID" nillable="true" type="xs:string"/> </xs:sequence> </xs:complexType></xs:schema>
Note
Argument element name wsUserInfo is set by <wsUserInfoArgumentName> Tag of Web Service ProviderAuthentication/Authorization Setting.
Note
This shall not apply to the Web Service which requires no authorization/authentication.Please refer to [About Web Service that does not require Authentication/Authorization ] for details.
Authentication Module Execution Class
It is Apache Axis2 handler that implements org.apache.axis2.engine.Handler for Authentication Module execution.This handler delegates authentication/authorization process to Authentication Module specified by the authentication type afteranalyzing the user information sent by Web Service Client.
In intra-mart Accel Platform 2014 Spring or later, Log-in Group ID value of user information is used to switch to the tenant to be to thesubject for authentication/authorization and Web Service execution.
This class is executed for the Web Service to which module_axis2_module| [im_ws_auth] is applied.
Authentication Module
Authentication/Authorization/Log-in are made.Please refer to [Authentication Module] described later for details.
Implementation Class of Web Service (Web Service Provider)
intra-mart Accel Platform
6
It is a class that states the business process to be published as Web Service.
After every process of Authentication Module is finished properly, Web Service Operation requested by Web Service Client will beexecuted. Therefore, implementation class of Web Service can state the business process without consideringauthentication/authorization/log-in.
Log-out is made after Web Service execution. Therefore, user specified by the user information would be logged-in only when WebService is being executed.
In order to do authentication/authorization/log-in of Web Service Operation, following 2 conditions should be met for Web ServiceOperation :
Axis2 Module [im_ws_auth] is appliedArgument to save User Information is given to the first argument
Web Service Client
In Web Service Client, Web Service can be called by creating a stub from WSDL. Message format to pass the user information isdefined in WSDL. (About User Information Definition in WSDL)User information will be subseqently set by Web Service Client based on it.
Authentication Module to be executed in Web Service Provider is determined depending on the authentication type of UserInformation specified by Web Service Client.If authentication type is not set, Authentication Module for Plain Text Password will be used.Please refer to [Authentication Module for Plain Text Password] for more information about Authentication Module for Plain TextPassword.
Warning
If you have specified the authentication type that does not exist in Web Service Provider, SOAP Fault(wsse:BadRequest) will occur.
Authentication Module
In authentication module, authentication, authorization, and log-in are made.Authentication module to be used at Web Service execution time is determined depending on the authentication type of userinformation which was sent from Web Service Client.Process made in authentication, authorization, and log-in will vary depending on the authentication module to be used. Please refer toeach authentication module specifications described later for authentication/authorization and log-in processes.Authentication module is operated using jp.co.intra_mart.foundation.web_service.auth.WSAuthModule interface.Processing of authentication module will be performed in the sequence below :
1. Initialization (WSAuthModule#init(WSUserInfo, MessageContext) is executed.)2. SOAP Message Check (WSAuthModule#check(WSUserInfo, MessageContext) is executed.)3. Authentication (WSAuthModule#authentication(WSUserInfo) is executed.)4. Authorization (WSAuthModule#authorization(WSUserInfo, String, String) is executed.)5. Log-in (WSAuthModule#login(WSUserInfo) is executed.)
This series of process is executed every time the request is made by Web Service Client.Only when all processes such as authentication/authorization were successfully performed, the specified Web Service Operation wouldbe executed.If you fail to perform any of these processes, SOAP Fault that saves error code would be returned to Web Service Client.Please refer to [SOAP Fault Code of Authentication/Authorization] for the details of error code.
Please refer to [API List of WSAuthModule Interface] for the details of WSAuthModule.
In intra-mart Accel Platform, following authentication modules are provided as standard.
AuthenticationType
Module provided Implementation Class Name Summary
WSSE Web ServiceAuthentication/Authorization
WSAuthModule4WSSE Authentication module thatUsernameToken format of WS-Security isadopted as a method to digestpasswords.
PlainTextPassword Web ServiceAuthentication/Authorization
WSAuthModule4PlainTextPassword Authentication module for plain textpasswords.
Anonymous Web ServiceAuthentication/Authorization
WSAuthModule4Anonymous Authentication module forunauthenticated users.
WSSE Authentication Module
intra-mart Accel Platform
7
WSSE Authentication Module is an authentication module that adopts UsernameToken format of WS-Seurity as a method for PasswordDigest.Full qualification class name is jp.co.intra_mart.foundation.web_service.auth.impl.WSAuthModule4WSSE.
Web Service Client creates Password Digest based on the followings :
[Nonce] created by Web Service Client[Created] created by Web Service Client[Password] of authentication subject user managed by Web Service Client
Specific example of character string for authentication in UsernameToken format of WS-Security (hereafter called WSSE AuthenticationString) is shown.
UsernameToken Username="the_who", PasswordDigest="tLDSsdGqfvraHRh8BpqTYRBVy+U=", Nonce="YTBiMWI2OGI2OTE3N2RlZQ==", Created="1966-12-01T12:34:56Z"
In Web Service Provider authentication module, WSSE Authentication String is analyzed and Password Digest will be created based onthe followings :
[Nonce] sent from Web Service Client[Created] sent from Web Service Client[Password] of authentication subject user managed by Web Service Provider server.
Compare Password Digest sent from Web Service Client and Password Digest created in Web Service Provider, it would be judged asthe valid user (successfully authorized) if the results are the same. If they are not the same, it will be considered as an invalid user.
Each item of WSSE Authentication String is as follows :
Topics Description
Username User Name (User Code).
Nonce Character string that has the random value encoded in Base64.
Created Character string that the date and time Nonce was created are stated in ISO-8601 notation.
PasswordDigest Concatenate character strings Nonce, Created, and passwords, and generate the character string by digestingwith SHA-1 algorithm. It is then encoded into Base64 character string.Specifically, it should be created as follows.
PasswordDigest = Base64 ( SHA-1 ( Nonce + Created + Passwords))
Authorization is performed for the user who has user ID specified by the user information.
Note
WSSE Authentication Module does validity period check for Password Digest.If the validity period has expired when compared to Created time, authentication would fail. Initial value of the validityperiod is 5 minutes.
Please refer to [WSSE Authentication Module <expire> Tag] for validity period setting.
Note
Please refer to [Web Service Security / UsernameToken / Profile 1.0 - 3 UsernameToken Extensions ] for thedetails about WSSE Authentication String.
Differences between the specifications above and Password Digest generated by WSSE Authentication Module are :
Nonce and Created are mandatoryNonce encoding type is always Base64
Warning
Please retain Created and Nonce of the received WSSE Authentication String in Web Service Provider until theexpiration date. If you try to authenticate by Created and Nonce that are already retained, authentication will fail. Thischeck should be performed for each cluster.
Warning
Authentication target user should be identified by User Information. Username of WSSE Authentication String shouldnot be used.
intra-mart Accel Platform
8
WSSE Password Digest Generation API
Utility APIs for generating Password Digest for the authentication type WSSE are as follows :
Script Development Model API
WSAuthDigestGenerator4WSSE Object
Java API
jp.co.intra_mart.foundation.web_service.util.impl.WSAuthDigestGenerator4WSSE
These APIa are included in Web Service Authentication and Authorization Client.Please refer to [API List of WSAuthDigestGenerator4WSSE Object] or [API List of WSAuthDigestGenerator4WSSE Class] formore information.
Authentication Module for Plain Text Password
Authentication Module for Plain Text Password is an authentication module to send and receive passwords in plain text.Full qualification class name is jp.co.intra_mart.foundation.web_service.auth.impl.WSAuthModule4PlainTextPassword.
If the password specified by the user information matches with the password of account registered in Web Service Provider server, itwill be considered as the valid user (successfully authenticated).Authorization is performed for the user who has the user ID specified by the user information.
Note
If the authentication type sent from Web Service Client has not been set, this authentication module is used.
Warning
Authentication Module for Plain Text Password cannot be used as standard.It can be used by setting <enablePlainTextPassword> Tag of Web Service Provider Authentication/AuthorizationSetting to true.
Warning
Since passwords are sent in plain text in Authentication Module for Plain Text Password, please be careful aboutspoofing by users who can view contents of SOAP message and network communications.You should not use this authentication module without external secure system such as SSL.
Authentication Module for Unauthenticated User
Authentication Module for Unauthenticated User is an authentication module to execute Web Service in Unauthenticated User.Full qualification class name is jp.co.intra_mart.foundation.web_service.auth.impl.WSAuthModule4Anonymous.Unauthenticated User indicates users who have not logged-in. (it is also called a guest user)
If this authentication type is used, authentication process will not be made.Authorization is performed for Unauthenticated User and not for the specific users.
User ID and password that are saved in user information are ignored.
Warning
Authentication Module for Unauthenticated User cannot be used as standard. Please refer to [ Adding theAuthentication Module] for the setting method.
Using Original Authentication Module
By performing followings, you can use authentication module for yourself.
Create class that implements jp.co.intra_mart.foundation.web_service.auth.WSAuthModule interfaceSet <authModule> tag to %CONTEXT_PATH%/WEB-INF/conf/axis2.xml
Please refer to [API List of WSAuthModule Interface] for details of WSAuthModule.
Please refer to [Web Service Provider Authentication/Authorization Setting] for details of %CONTEXT_PATH%/WEB-INF/conf/axis2.xml.
intra-mart Accel Platform
9
Please refer to [Adding the Authentication Module] for how to set the authentication module you have created.
Authorization Setting for Web Service Operation
In intra-mart Accel Platform, access authority for Web Service Operation is set by the authorization setting.
1. Click [Site Map]→[Tenant Management]→[Authorization].
2. Change resource type to [Web Service].
3. Click [Start Authority Setting] and perform authorization setting.
Please refer to [Setting Authorization in Tenant Administrator Operations Guide] for details of operation method on theauthorization setting screen.
Note
In order to use authorization setting screen, user who meets either one of the following conditions should log in asstandard.
User who has tenant administrator roleUser who has authorization administrator role
Web Service Provider Authentication/Authorization Setting
Authentication/Authorization setting by Web Service Provider is performed in %CONTEXT_PATH%/WEB-INF/conf/axis2.xml.Setting is to be stated as a child element of parameter name jp.co.intra_mart.foundation.web_service.
Note
In IM-Juggling, you can do output from [Axis2 Setting (axis2.xml)] of [Web Service Authentication and Authorization]using the configuration file output function.
Warning
This setting will affect all the Web Service to which Axis2 Module [im_ws_auth] is applied.
Following is the example of the setting.
intra-mart Accel Platform
10
<axisconfig name="AxisJava2.0">
<!-- ================================================= --> <!-- Parameters for intra-mart --> <!-- ================================================= --> <parameter name="jp.co.intra_mart.foundation.web_service">
<enablePlainTextPassword>false</enablePlainTextPassword> <authModule class="jp.co.intra_mart.foundation.web_service.auth.impl.WSAuthModule4WSSE"> <expire>300</expire> </authModule>
<enableAuthentication>true</enableAuthentication> <enableAuthorization>true</enableAuthorization> <showSoapFaultDetail>true</showSoapFaultDetail> <wsUserInfoArgumentName>wsUserInfo</wsUserInfoArgumentName> <wsTenantIdResolveType>standard</wsTenantIdResolveType>
</parameter>
<!-- 省略 -->
</axisconfig>
<authModule> Tag
<authModule class="jp.co.intra_mart.foundation.web_service.util.impl.WSAuthDigestGenerator4WSSE"> <expire>300</expire></authModule>
Mandatory Item X
Multiple Setting O
SettingValue/Contents to beset
None
Unit/Type None
Default Value whenit is omitted
None
Parent Tag parameter
[Attribute]
Attribute Name Description Mandatory Default Value
class It sets the authentication module. It specifies the full qualification class name of theclass that implements WSAuthModule interface.
O None
Note
Child element of authModule is handled as the setting value. Setting value is passed to the argument ofWSAuthModule#setConfiguration(OMElement) method.
<enablePlainTextPassword> Tag
<enablePlainTextPassword>false</enablePlainTextPassword>
Mandatory Item X
Multiple Setting X
SettingValue/Contents to beset
false Authentication Module for Plain Text Password is not used.
true Allows the use of Authentication Module for Plain Text Password.
Unit/Type True/False Value (true/false)
Default Value whenit is omitted
false
Parent Tag parameter
[Attribute]
None
intra-mart Accel Platform
11
<enableAuthentication> Tag
<enableAuthentication>true</enableAuthentication>
Mandatory Item X
Multiple Setting X
SettingValue/Contents to beset
true Authentication is executed before Web Service execution.
false Authentication is not executed before Web Service execution.
Unit/Type True/False Value (true/false)
Default Value whenit is omitted
true
Parent Tag parameter
[Attribute]
None
<enableAuthorization> Tag
<enableAuthorization>true</enableAuthorization>
Mandatory Item X
Multiple Setting X
SettingValue/Contents to beset
true Authorization is executed before Web Service execution.
false Authorization is not executed before Web Service execution.
Unit/Type True/False Value (true/false)
Default Value whenit is omitted
true
Parenet Tag parameter
[Attribute]
None
<showSoapFaultDetail> Tag
<showSoapFaultDetail>true</showSoapFaultDetail>
Mandatory Item X
Multiple Setting X
SettingValue/Contents to beset
true Detail message is included in SOAP Fault when processes in the authentication module failed.
false Detail message is not included in SOAP Fault when processes in the authentication module failed.
Unit/Type True/False Value (true/false)
Default Value whenit is omitted
true
Parent Tag parameter
[Attribute]
None
Warning
This setting of whether to include the detail message in SOAP Fault r not will be valid only for SOAP Fault whichoccured in the authentication module. It does not affect on SOAP Fault which occured in Web Service.
<wsUserInfoArgumentName> Tag
<wsUserInfoArgumentName>wsUserInfo</wsUserInfoArgumentName>
Mandatory Item X
intra-mart Accel Platform
12
Multiple Setting X
SettingValue/Contents to beset
Argument name to save user information.
Unit/Type Character String
Default Value whenit is omitted
wsUserInfo
Parent Tag parameter
[Attribute]
None
<wsTenantIdResolveType> Tag
This setting is available on intra-mart Accel Platform 2014 Spring or later.
<wsTenantIdResolveType>standard</wsTenantIdResolveType>
Mandatory Item X
Multiple Setting X
SettingValue/Contents to beset
It specifies validation mode of Log-in Group ID included in the user information. Followings are the valuesand operations that can be specified.
standard No particular validation will be made.
strict Authentication is allowed only when loginGroupID included in the userinformationand tenant ID automatically resolved do match.If loginGroupID included in the user information and tenant ID automaticallyresolved do not match, SOAP Fault wsse:TenantIdNotMatch will occur.If you prevent Web service execution by unexpected tenant ID for the tenant inaccess destination, this setting is used.Please use this setting only when you are using [Tenant Automatic ResolutionFunction using Request Information].
Unit/Type Character String
Default Value whenit is omitted
standard
Parent Tag parameter
[Attribute]
None
Note
Please refer to [Tenant Resolution Function] for [Tenant Automatic Resolution Function using Request Information].
Authentication Module Unique Settings
Settings that can be used in the authentication module provided as standard on intra-mart Accel Platform are described.
WSSE Authentication Module <expire> Tag
<authModule class="jp.co.intra_mart.foundation.web_service.util.impl.WSAuthDigestGenerator4WSSE"> <expire>300</expire></authModule>
Mandatory Item X
Multiple Setting X
SettingValue/Contents to beset
Validity period of user information that is used for authentication.Compare the system date and time and Created in WSSE Authentication String, and if the date and time sethere has expired, authentication would fail.Created and Nounce in WSSE Authentication String will be retained on the server side for the periodspecified here. If it is authenticated by the existing Created and Nonce, authentication will fail. (Replay AttackCountermeasures)If this setting is [0], validity period check and Created and Nonce retaining will not be made.
intra-mart Accel Platform
13
Unit/Type Numeric Value Type (seconds)
Default Value whenit is omitted
300
Parent Tag (class attribute is jp.co.intra_mart.foundation.web_service.util.impl.WSAuthDigestGenerator4WSSE ) authModule
[Attribute]
None
Topics
SOAP Fault Code of Authentication/Authorizationwsse:InvaildRequestwsse:BadRequestwsse:AuthenticationBadElementswsse:ExpiredDatawsse:InvalidSecurityTokenwsse:FailedAuthentication
Account is not registered.Account license is not registered.Validity period of the account has expied.Account is locked.Password is wrong.
wsse:RequestFailedwsse:TenantNotResolvedwsse:InvalidLoginGroupIDwsse:TenantIdNotMatchwsse:FailedTenantSwitch
SOAP Fault Code of Authentication/Authorization
If error occurs at authentication/authorization and log-in time, SOAP Fault Code corresponding to the error contents is returned to WebService Client.SOAP Fault Code and its causes are described below.
If SOAP Fault Code that is not described below is sent, there may be some errors in the business process.If SOAP Fault Code is not explicitly specified in the business process, SOAP Fault Code will be sent as Receiver defined in the namespace http://www.w3.org/2003/05/soap-envelope.
Note
If <showSoapFaultDetail> Tag of Web Service Provider Authentication/Authorization Setting is set to false, errordetail information would not be notified to Web Service Client.
Warning
Please be aware that the error message contents would vary depending on respective locales.SOAP Fault Code and SOAP Fault Reason Code ([E.IWP.WEBSERVICE.AXIS2.XXXXX] etc) will not be affected by thelocales.
wsse:InvaildRequest
SOAP Fault Code wsse:InvalidRequest
SOAP Fault Reason [E.IWP.WEBSERVICE.AXIS2.00005] request is invalid, or the format is not correct.
SOAP Fault Detail (Example at erroroccurrence)
java.lang.IllegalStateException: [E.IWP.WEBSERVICE.AXIS2.00007] wsUserInfo could notbe found.
java.lang.NullPointerException: [E.IWP.WEBSERVICE.AXIS2.00006] element is null.
It occurs if User Information does not exist in SOAP Body or if the element name in which user information is saved is not of theprescribed character string (wsUserInfo as standard).
If the element name to which User Information is saved is param0, Java class published as Web Service may have been compiledwithout the -g option.
Java class to be published should be compiled to generate debug information. This is a necessary process to obtain the name of userinformation included in SOAP Body by the prescribed character string.
intra-mart Accel Platform
14
Note
In order to generate the debug information, compilation should be performed by using javac command option -g.
Note
Element name of User Information is to be set by <wsUserInfoArgumentName> Tag of Web Service ProviderAuthentication/Authorization Setting.
wsse:BadRequest
SOAP Fault Code wsse:BadRequest
SOAP Fault Reason [E.IWP.WEBSERVICE.AXIS2.00009] Specified RequestSecurityToken could not beunderstood.
SOAP Fault Detail(Example at erroroccurrence)
java.lang.IllegalStateException: [E.IWP.WEBSERVICE.AXIS2.00008] WSAuthModule is notfound. Authentication Type = PlainTextPassword
It occurs when the authentication module corresponding to the authentication type of User Information which was sent from WebService Client does not exist.
Other than that, the error also occurs if you execute Web Service without specifying the authentication type when the setting is not touse Authentication Module for Plain Text Password.
Note
Availability of Authentication Module for Plain Text Password is set in<enablePlainTextPassword> Tag of Web Service Provider Authentication/Authorization Setting.
Note
Corresponding module other than Authentication Module for Plain Text Password is set in<authModule> Tag of Web Service Provider Authentication/Authorization Setting.
wsse:AuthenticationBadElements
SOAP Fault Code wsse:AuthenticationBadElements
SOAP Fault Reason [E.IWP.WEBSERVICE.AXIS2.00010] Required digest element is missing.
SOAP Fault Detail(Example aterror occurrence)
jp.co.intra_mart.foundation.web_service.auth.exception.AuthenticationBadElementsException:[E.IWP.WEBSERVICE.AUTH.00016] WSSE authentication character string is invalid.
java.lang.IllegalStateException: No match found
It occurs when WSSE Authentication String in the authentication type specified in Web Service Client is not correct.For example, if the authentication type is WSSE, this error occurs when sent Password Digest is not correct as WSSE AuthenticationStringExampe) Nonce item does not exist inside WSSE Authentication String etc.
Note
Please refer to [WSSE Authentication Module] for details about WSSE Authentication String.
wsse:ExpiredData
SOAP Fault Code wsse:ExpiredData
SOAP Fault Reason [E.IWP.WEBSERVICE.AXIS2.00003] Request data is not the latest one.
SOAP Fault Detail(Example at erroroccurrence)
jp.co.intra_mart.foundation.web_service.auth.exception.ExpiredDataException:[E.IWP.WEBSERVICE.AUTH.00018] Expiration data has passed.
It occurs when the data sent from Web Service Client has passed the expiration date.For example, if the authentication type is WSSE, system data and time and Created of WSSE Authentication String are compared. Thiserror occurs if the set expiration data has passed.
intra-mart Accel Platform
15
Note
Expiration data of WSSE Authentication String is set inWSSE Authentication Module <expire> Tag of Web Service Provider Authentication/Authorization Setting.
wsse:InvalidSecurityToken
SOAP Fault Code wsse:InvalidSecurityToken
SOAP Fault Reason [E.IWP.WEBSERVICE.AXIS2.00004] Security Token has been rejected.
SOAP Fault Detail(Example at erroroccurrence)
jp.co.intra_mart.foundation.web_service.auth.exception.InvalidSecurityTokenException:[E.IWP.WEBSERVICE.AUTH.00018] Received 2 or more times during the validity period.Created = 1966-12-01T12:34:56Z
It occurs only when the data sent from Web Service Client has been already received.In case the authentication type is WSSE, Created and Nonce of WSSE Authentication String are retained at the server for the period setas the validity period. If you try to authenticate with Created and Nonce that are already retained, this error will occur.
Note
Expiration date of WSSE Authentication String is set byWSSE Authentication Module <expire> Tag of Web Service Provider Authentication/Authorization Setting.
wsse:FailedAuthentication
SOAP Fault Code wsse:FailedAuthentication
SOAP Fault Reason [E.IWP.WEBSERVICE.AXIS2.00001] Authentication has failed.
SOAP Fault Detail(Example at erroroccurrence)
jp.co.intra_mart.foundation.web_service.auth.exception.AuthenticationException:[E.IWP.WEBSERVICE.AUTH.00014] Authentication has failed. User CD = aoyagi...
This error can have several causes. These causes are described as follows :
Account is not registered.
SOAP Fault Detail (Example at erroroccurrence)
jp.co.intra_mart.foundation.web_service.auth.exception.AuthenticationException:[E.IWP.WEBSERVICE.AUTH.00014] Authentication has failed. User CD = aoyagijp.co.intra_mart.foundation.security.exception.AccessSecurityException:[E.IWP.WEBSERVICE.AUTH.00004] Account is not registered. UserCD = aoyagi
It occurs if the account with the user ID specified by the user information does not exist. Please confirm if the user ID is correct.
Account license is not registered.
SOAP Fault Detail(Example at erroroccurrence)
jp.co.intra_mart.foundation.web_service.auth.exception.AuthenticationException:[E.IWP.WEBSERVICE.AUTH.00014] Authentication has failed. User CD = aoyagijp.co.intra_mart.foundation.security.exception.AccessSecurityException:[E.IWP.WEBSERVICE.AUTH.00005] Account license is not registered. User CD = aoyagi
It occurs when there is no account license for the account with user ID specified by the user information.
Validity period of the account has expied.
SOAP Fault Detail(Example at erroroccurrence)
jp.co.intra_mart.foundation.web_service.auth.exception.AuthenticationException:[E.IWP.WEBSERVICE.AUTH.00014] Authentication has failed. User CD = aoyagijp.co.intra_mart.foundation.security.exception.AccessSecurityException:[E.IWP.WEBSERVICE.AUTH.00006] Validity period of the account has expired. User CD =aoyagi
It occurs when the validity period of the account with user ID specified by the user information has expired.
Account is locked.
intra-mart Accel Platform
16
SOAP Fault Detail(Example at erroroccurrence)
jp.co.intra_mart.foundation.web_service.auth.exception.AuthenticationException:[E.IWP.WEBSERVICE.AUTH.00014] Authentication has failed. User CD = aoyagijp.co.intra_mart.foundation.security.exception.AccessSecurityException:[E.IWP.WEBSERVICE.AUTH.00007] Account is locked. UserCD = aoyagi
It occurs when the account with user ID specified by the user information is locked.
Password is wrong.
SOAP Fault Detail(Example at erroroccurrence)
jp.co.intra_mart.foundation.web_service.auth.exception.AuthenticationException:[E.IWP.WEBSERVICE.AUTH.00014] Authentication has failed. User CD = aoyagijp.co.intra_mart.foundation.security.exception.AccessSecurityException:[E.IWP.WEBSERVICE.AUTH.00015] Password is wrong. User CD = aoyagi
It occurs if the password for the user ID specified by the user information and the specified password do not match.
wsse:RequestFailed
SOAP Fault Code wsse:RequestFailed
SOAP Fault Reason [E.IWP.WEBSERVICE.AXIS2.00002] You have failed to run the specified request.
SOAP Fault Detail(Example at erroroccurrence)
jp.co.intra_mart.foundation.web_service.auth.exception.AuthorizationException:[E.IWP.WEBSERVICE.AUTH.00001] There is no access authority. Web service name =MenuService, operation name = getAvailbleMenuTree
It occurs when you are not authorized to execute the specified Web Service Operation.
Note
Please refer to [Authorization Setting for Web Service Operation] for authorization setting method by administrator.
wsse:TenantNotResolved
SOAP Fault Code wsse:TenantNotResolved
SOAP Fault Reason [E.IWP.WEBSERVICE.AXIS2.00018] You have failed to run the specified request.。
SOAP Fault Detail(Example at erroroccurrence)
java.lang.IllegalStateException: [E.IWP.WEBSERVICE.AUTH.00017] Tenant ID cannot beresolved.
It occurs when tenant ID cannot be resolved in the environment where the specified Web Service Operation is called.
wsse:InvalidLoginGroupID
SOAP Fault Code wsse:InvalidLoginGroupID
SOAP Fault Reason [E.IWP.WEBSERVICE.AXIS2.00020] Request is invalid, or the format is not correct.
SOAP Fault Detail(Example at erroroccurrence)
java.lang.IllegalStateException: [E.IWP.WEBSERVICE.AUTH.00019] loginGroupIDparameter is null.
It occurs when log-in group ID is not specified by the user information.
wsse:TenantIdNotMatch
SOAP Fault Code wsse:TenantIdNotMatch
SOAP Fault Reason [E.IWP.WEBSERVICE.AXIS2.00022] Request is invalid, or the format is not correct.
SOAP Fault Detail(Example at erroroccurrence)
java.lang.IllegalStateException: [E.IWP.WEBSERVICE.AUTH.00021] Resolved tenantID(secondary) and tenant ID that is specified in the user information (default) do not match.
It occurs when the resolved tenant ID and log-in group ID specified by the user information do not match in the environment where thespecified Web Service Operation is called.
wsse:FailedTenantSwitch
SOAP Fault Code wsse:FailedTenantSwitch
SOAP Fault Reason [E.IWP.WEBSERVICE.AXIS2.00023] You failed to switch tenant ID(secondary).
SOAP Fault Detail(Example at erroroccurrence)
jp.co.intra_mart.foundation.admin.exception.AdminException:[E.IWP.ADMIN.TENANT.10057] Log-in user cannot switch the tenant.
intra-mart Accel Platform
17
It occurs when the temporary switching of tenant for executing the Web service has failed.
Appendix
Topics
Creating aar FileAbout Apache Axis2 Administration ConsoleAbout services.xml
Specifying Authorization Resource for services.xmlDeploying Web Service
Deployment in Directory FormatDeployment of aar File Format
How to apply Axis2 Module [im_ws_auth]Specifying Axis2 Module [im_ws_auth] by services.xmlSpecifying Axis2 Module [im_ws_auth] by axis2.xmlSpecifying Axis2 Module [im_ws_auth] by Apache Axis2 Administration Console
About WSDL in Distributed EnvironmentAdding the Authentication ModuleSOAP Message Monitoring
Monitoring by TCPMonAbout Web Service that does not require Authentication/Authorization
Creating aar File
A tool to create aar file (Axis2 Archive file) is introduced.Here, Ant task [aarGenerate] is used. This Ant task creates services.xml and aar file including services.xml.Please refer to [Apache Axis2 Web Administrator’s Guide Step 3: Create Archive File] of Axis2 project for aar file structure.
It is assumed that this procedure is performed in the environment that meets the following conditions :
Apache Ant is installed.[Tool for Web Service ] exists.
Directory to which the tool for Web service is expanded will be denoted as %WEBSERVICE_TOOL_HOME% hereafter.
Note
If build tool [Ant] has not been already installed, please install it by looking at the sites below :
Ja-Jakarta Project Ant Installation (Japanese)Apache Ant Manual - Installing Apache Ant (English)
Warning
jar or class cannot be included in aar file in this tool. In order to execute Web Service of aar file, implementation classof Web Service should be placed on a class path of application server.Specifically, please place jar file under %CONTEXT_PATH%/WEB-INF/lib and class under %CONTEXT_PATH%/WEB-INF/classes.
1. Various setting for Web Service to be published would be performed.
1. Edit AarGen.properties.
Edit %WEBSERVICE_TOOL_HOME%/AarGen.properties.Descriptions of each property is as shown below.
Property Name Required DescriptionserviceName O Specify the name to be published as Web Service. This value will become
the aar file name.className O Specify the implementation class of Web Service. Class should be specified
with a full qualified name.destDir O Specify the directory that outputs aar file.moduleRef X Specify the Axis2 Module name to be applied for Web Service.
More than one names can be specified by using , (comma).
wsdlDir X Directory where WSDL or XSD to be included in aar file is placed.If it is not specified, files other than services.xml will not be included in aarfile.
intra-mart Accel Platform
18
serviceAuthzUri X Authorization resource for the service provided by Web Service is specifiedby URI.If it is not specified, authorization resource setting for the service would notbe performed.
opeAuthzUriFile X Specify CSV file with the description of authorization resource setting forWeb Service Operation.If it is not specified, authorization resource setting for Web Service Operationwould not be performed.
verbose X Specify whether to output detail information at Ant task execution time.
Warning
If you are to specify the path in Windows environment, the delimiter character should be / or \.
2. Edit opeAuthzUriFile.csv.
Specify the authorization resource for Web Service Operation provided by Web Service by URI.Edit %WEBSERVICE_TOOL_HOME%/opeAuthzUri.csv. (Edit file with the value specified in opeAuthzUriFile ofAarGen.properties.)If you do not specify the authorization resource for Web Service Operation, you do not need to edit this file.This file should be stated in CSV format. Field delimiter character is , (comma) and record delimiter character is a new line.In the examples below,
URI service://sample/web_service/member_info/add for Web Service Operation add
URI service://sample/web_service/member_info/find for Web Service Operation find
URI service://sample/web_service/member_info/findAll for Web Service Operation findAll
would result.
add,service://sample/web_service/member_info/addfind,service://sample/web_service/member_info/findfindAll,service://sample/web_service/member_info/findAll
Note
If authorization resources are specified for both the service and Web Service Operation, the authorizationresource specified in Web Service Operation is given priority over the other.Please refer to [Specifying Authorization Resource for services.xml ] for details.
Warning
If the authorization resource is specified, following error occurs at Web Service Operation execution time whencorresponding authorization resource does not exist at the specified URI.
[E.IWP.AUTHZ.DECISION.10007] Resource group is not registered.
Please create the authorization resource in advance when you execute Web Service Operation.
Please refer to [Adding Resources] of [Setting Authorization in Tenant Administrator Operations Guide] forhow to add the authorization resource.
3. Specify the environment information to execute AarGen.
Specify the directory to which Apache Ant is installed.Edit %WEBSERVICE_TOOL_HOME%/AarGen.bat (AarGeb.sh for Unix OS).Specify the directory to which Ant is installed for the environment variable [ANT_HOME].
(In case of Windows OS)
REM AarGen.batset ANT_HOME=C:/apache-ant
(In case of Unix OS)
# AarGen.shexport ANT_HOME=/apache-ant
2. Execute AarGen.
Execute the batch file included in the product.
(In case of Windows OS)
intra-mart Accel Platform
19
> %WEBSERVICE_TOOL_HOME%\AarGen.bat
(In case of Unix OS)
$ sh %WEBSERVICE_TOOL_HOME%/AarGen.sh
aar file would be output under the directory specified by destDir of AarGen.properties.
About Apache Axis2 Administration Console
It is a management console provided by Apache Axis2.You can access it by http://<HOST>:<PORT>/<CONTEXT_PATH>/axis2-web/index.jsp.By using this management console, you can view Web Service information deployed via the browser or you can deploy Web Service.
Please refer to [Apache Axis2 Web Administrator’s Guide] for detail of Apache Axis2 management console.
Note
Standard user name is admin and password is axis2. These values can be changed by%CONTEXT_PATH%/conf/axis2.xml.
About services.xml
In Apache Axis2, [services.xml] is provided to set service information such as Web service name or Java class to be published as WebService.
You can deploy Web Service by placing this file to the prescribed folder or to aar file.Please refer to [Deploying Web Service ] for Web Service deployment.
intra-mart Accel Platform
20
<?xml version="1.0" encoding="UTF-8"?><!-- サービスの設定を行います。Webサービス名がSampleServiceであることを指定しています。 --><service name="SampleService"> <!-- Webサービスに対しての説明です。 --> <description>The Web service on the intra-mart.</description>
<!-- このサービスのServiceClassがsample.web_service.provider.SampleServiceであることを指定しています。 --> <parameter name="ServiceClass">sample.web_service.provider.SampleService</parameter>
<!-- このサービスのWebサービス・オペレーション実行時に認証・認可を行うことを指定しています。 --> <module ref="im_ws_auth"/>
<!-- このサービスに対してのメッセージレシーバを指定しています。 --> <messageReceivers> <!-- 返却値が無いメソッドに対してのレシーバを指定しています。 --> <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-only" class="org.apache.axis2.rpc.receivers.RPCInOnlyMessageReceiver" /> <!-- 何らかの返却を行うメソッドに対してのレシーバを指定しています。 --> <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-out" class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/> </messageReceivers>
</service>
Specify attibute value of name attribute of <parameter> tag as ServiceClass and specify the Java’s full qualified name of Web Serviceimplementation class inside the tag. By this, public method of class you have specified will be disclosed as Web Service Operation.Each message receiver is to do mapping between Web Service message of XML and Java object.In addition to it, message receiver to directly handle the XML called [RowXMLxxxxMessageReceiver] is also provided.
Please refer to [Service Configuration] of Axis2 project for details of services.xml.Please refer to API document of Axis2 for details of message receiver.
Specifying Authorization Resource for services.xml
Authorization resource for Web Service Operation is to be specified. The authorization resource is specified in URI format.
Please refer to [Authorization Specification Resource Management] for authorization resource URI.
Authorization resource can be set for services or operations.Authorization resource is specified using <parameter> tag of services.xml. URI of the authorization resource should be specified insidethe <parameter name="auth-uri">.
<?xml version="1.0" encoding="UTF-8"?><service name="SampleService"> <description>The Web service on the intra-mart.</description>
<parameter name="ServiceClass">sample.web_service.provider.SampleService</parameter>
<module ref="im_ws_auth"/>
<messageReceivers> <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-only" class="org.apache.axis2.rpc.receivers.RPCInOnlyMessageReceiver" /> <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-out" class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/> </messageReceivers>
<!-- サービスSampleServiceに対して認可リソースを指定します。 --> <parameter name="authz-uri">service://sample/web_service/sample</parameter> <operation name="foo"> <!-- サービスSampleServiceのオペレーションfooに対しての認可リソースを指定します。 --> <parameter name="authz-uri">service://sample/web_service/sample/foo</parameter> </operation> <operation name="bar"> <!-- サービスSampleServiceのオペレーションbarに対しての認可リソースを指定します。 --> <parameter name="authz-uri">service://sample/web_service/sample/bar</parameter> </operation> <!-- <operation name="baz"> <parameter name="authz-uri">service://sample/web_service/sample/baz</parameter> </operation> -->
</service>
If authorization resources are specified for both service and operation, the one specified for the operation would become valid. For thecase described above, the authorization resource URI for operation bar is service://sample/web_service/sample/bar (using operationauthorization resource), and the authorization resource URI for operation baz is service://sample/web_service/sample (using serviceauthorization resource).
intra-mart Accel Platform
21
Warning
If no authorization resource is specified for the service and the operation, the operation authorization would always be[Permitted].
Warning
Authorization is valid only for Web Service that Axis2 Module [im_ws_auth] is applied.Please refer to [How to apply Axis2 Module [im_ws_auth]] for how to apply Axis2 Module [im_ws_auth].
Warning
Authorization works only when the authorization setting of Web Service Provider is valid.Please refer to [<enableAuthorization> Tag] of [Web Service Provider Authentication/Authorization Setting] fordetails.
Warning
If you specified the authorization resource, following error will occur at Web Service Operation execution time whencorresponding authorization resource does not exist in the specified URI.
[E.IWP.AUTHZ.DECISION.10007] Resource group is not registered.
Please create the authorization resource in advance when you execute Web Service Operation.
Please refer to [Adding Resources] of 「Setting Authorization in Tenant Administrator Operations Guide] for how toadd the authorization resource.
Note
Following format is recommend for URI.
In case setting it for the service
service://%Application ID%/web_service/%Service Name%
In case setting it for Web Service Operation
service://%Application ID%/web_service/%Service Name%/%Operation Name%
Deploying Web Service
How to deploy Web Service is introduced.
Deployment in Directory Format
By placing arbitrary named directory where Web Service materials are stored under %CONTEXT_PATH%/WEB-INF/services directory,you can deploy Web Service.If you save library, class, property files, WSDL file, XSD file, and services.xml related to Web Service under this directory, Web Servicewill be deployed.
Path including [services.xml] is as follows.
%CONTEXT_PATH%/WEB-INF/services/%any name%/META-INF/services.xml
Deployment of aar File Format
By placing aar file (Asix2 Archive file) in %CONTEXT_PATH%/WEB-INF/services directory, you can deploy Web Service.
aar file is a file where library, class, property file, WSDL file, XSD file, and services.xml related to Web Service are saved.Please refer to [Creating aar File] for aar file creation.Please refer to [Apache Axis2 Web Administrator’s Guide Step 3: Create Archive File] of Axis2 project for aar file structure.
How to apply Axis2 Module [im_ws_auth]
How to make Web Service as the subject for authentication/authorization is described.
intra-mart Accel Platform
22
Axis2 Module [im_ws_auth] should be applied to make it as the subject of authentication/authorization for Web Service.Followings are the ways to apply Axis2 Module [im_ws_auth].
Specifying Axis2 Module [im_ws_auth] by services.xmlSpecifying Axis2 Module [im_ws_auth] by axis2.xmlSpecifying Axis2 Module [im_ws_auth] by Apache Axis2 Administration Console
Specifying Axis2 Module [im_ws_auth] by services.xml
By stating <module ref="im_ws_auth"/> inside the <service> tag, you can specify Axis2 Module [im_ws_auth].By stating it inside the <operation> tag, you can also specify it for each Web Service Operation.
Please refer to [About services.xml].
Specifying Axis2 Module [im_ws_auth] by axis2.xml
Edit %CONTEXT_PATH%/WEB-INF/conf/axis2.xml.Remove the comment out of <service> tag shown below.Specify the Web Service name that you want to apply Axis2 Module [im_ws_auth] to <service> tag.If you want to specify multiple services, please state multiple <service> tags.
<listener class="jp.co.intra_mart.foundation.web_service.axis2.observers.EngageModuleAxisObserver"> <parameter name="engageModule"> <module ref="im_ws_auth"> <!-- <service>ExampleWebServiceName</service> --> </module> </parameter></listener>
Specifying Axis2 Module [im_ws_auth] by Apache Axis2 Administration Console
You can also apply Axis2 Module [im_ws_auth] by using administration console function of Apache Axis2.Please refer to [About Apache Axis2 Administration Console] for administration console.
1. Access the one below for the server in operation.
http://<HOST>:<PORT>/<CONTEXT_PATH>/axis2-web/index.jsp
2. Click [Administration].
3. Click [For a service] in Engage module.
intra-mart Accel Platform
23
4. Select [im_ws_auth] in Select a Module:, and select any service in Select a Service:.
5. Click [Engage].
6. Axis2 Module [im_ws_auth] would be applied for the service you specified in the above.
Warning
For the Axis2 Module that uses administration console, settings would be initialized if you restart the application server.
About WSDL in Distributed Environment
End point that is stated in WSDL which was automatically generated by Apache Axis2 depends on the name of the host where cluster isbeing operated.Therefore, if you query WSDL in distributed environment, application server host dispatched by the Web server could be obtained as anend point.In order to avoid this, you should take either one of the following measures :
Stop automatic generation of WSDL.
If you perform Deployment in Directory Format, you should create WSDL in which the end point via Web server isstated in advance, and place it in %CONTEXT_PATH%/WEB-INF/services/%any name%/META-INF/%Web service name%.wsdl.
Change the end point specified by Web Service Client to the one via Web server.
Note
intra-mart Accel Platform
24
If Script Development Model API SOAPClient is used, you should change the URL specified to the endpoint of 4th argument of SOAPClient to the one via Web server.
Note
If you have generated stub from WSDL, please change URL specified as an end point specified bystub constructor to the one via Web server.
Adding the Authentication Module
In order to add authentication module, add <authModule> Tag to axis2.xml.Please refer to [Web Service Provider Authentication/Authorization Setting] for axis2.xml.Shown below is the setting when you want to add Authentication Module for Unauthenticated User(jp.co.intra_mart.foundation.web_service.auth.impl.WSAuthModule4Anonymous) as authentication module, which is not set as standard.
<axisconfig name="AxisJava2.0">
<!-- ================================================= --> <!-- Parameters for intra-mart --> <!-- ================================================= --> <parameter name="jp.co.intra_mart.foundation.web_service">
<enablePlainTextPassword>false</enablePlainTextPassword> <!-- authModuleタグ追加 --> <authModule class="jp.co.intra_mart.foundation.web_service.auth.impl.WSAuthModule4Anonymous" />
<authModule class="jp.co.intra_mart.foundation.web_service.auth.impl.WSAuthModule4WSSE"> <expire>300</expire> </authModule>
<enableAuthentication>true</enableAuthentication> <enableAuthorization>true</enableAuthorization> <showSoapFaultDetail>true</showSoapFaultDetail> <wsUserInfoArgumentName>wsUserInfo</wsUserInfoArgumentName>
</parameter>
<!-- 省略 -->
</axisconfig>
SOAP Message Monitoring
Monitoring method of Web Service messages that are exchanged during Web Service execution is introduced.
Monitoring by TCPMon
How to use message monitoring tool [TCPMon] provided in Apache Web Services Project is introduced.
Please refer to [TCPMon] for the details about TCPMon.
1. TCPMon Download and Decompression
Download TCPMon from [TCPMon Download Page] and decompress the archive. This directory is%TCPMON_HOME%.
1. TCPMon Startup and Setting
Execute %TCPMON_HOME%/build/tcpmon.bat (or tcpmon.sh) and start TCPMon.
Display [Admin] tab and set appropriate port number to Listen Port. When you specify the port number, it should notoverlap with the one of other services.In this document, it is specified to [9999] as an example.
Set the host information where the Eb service is to be deployed to Target Hostname and Target Port.In this document, Target Hostname is [localhost] and Target Port is [8080] as an example.
After that, click [Add].
intra-mart Accel Platform
25
2. Change end point by Web Service Client.
Change the end point port number to be specified by Web Service Client at execution time to Listen Port., which youhave specified before.
Note
If Script Development Model API SOAPClient is used, you should change the port number that you havespecified in the end point of the 4th argument of SOAPClient to the port number of Listen Port.
Note
If you have generated the stub from WSDL, please change the port number specified in the end pointspecified by the stub constructor to the port number of Listen Port.
3. View the SOAP messages from [Port <Port Number of Listen Port>] tab.
About Web Service that does not require Authentication/Authorization
In case you create Web Service that does not require authentication, authorization, or log-in, you do not need to apply Axis2 Module[im_ws_auth].Specifically, by not setting <module ref=”im_ws_auth”/> of set services.xml, corresponding module will not be applied.
intra-mart Accel Platform
26
Other than not applying Axis2 Module [im_ws_auth], you can create it in the same method as Web Service, which is described in thisdocument.Please refer to [How to apply Axis2 Module [im_ws_auth]] for applying Axis2 Module [im_ws_auth].
Note
It is not necessary to receive User Information as an argument for each Web Service Operation either.
Copyright © 2013 NTT DATA INTRAMART CORPORATION
intra-mart Accel Platform
27