Table of Contents

Revision InformationIntroduction

Document PurposeTarget ReadersRemarksDocument Structure

OverviewWhat is Web Service ?SOAPWSDLApache Axis2

Authentication/AuthorizationFunction OverviewSystem OverviewAuthentication ModuleAuthorization Setting for Web Service OperationWeb Service Provider Authentication/Authorization Setting

SOAP Fault Code of Authentication/Authorizationwsse:InvaildRequestwsse:BadRequestwsse:AuthenticationBadElementswsse:ExpiredDatawsse:InvalidSecurityTokenwsse:FailedAuthenticationwsse:RequestFailedwsse:TenantNotResolvedwsse:InvalidLoginGroupIDwsse:TenantIdNotMatchwsse:FailedTenantSwitch

AppendixCreating aar FileAbout Apache Axis2 Administration ConsoleAbout services.xmlDeploying Web ServiceHow to apply Axis2 Module [im_ws_auth]About WSDL in Distributed EnvironmentAdding the Authentication ModuleSOAP Message MonitoringAbout Web Service that does not require Authentication/Authorization

Revision Information

RevisionDate Updated Contents

2013-10-01

Initial Version

2014-04-01

Version 2 Following additions/changes have been made.

Added descriptions about tenant at Web Service execution time to [ System Overview]Added [<wsTenantIdResolveType> Tag ]Added [wsse:TenantNotResolved ]Added [wsse:InvalidLoginGroupID ]Added [wsse:TenantIdNotMatch ]Added [wsse:FailedTenantSwitch ]

Introduction

Document Purpose

This document describes the Web Service and its authentication/authorization function in intra-mart Accel Platform.

Web Service SpecificationsVERSION 2 2014-04-01

intra-mart Accel Platform

1

Followings are described.

Web Service OverviewWeb Service Authentication/Authorization

Target Readers

Followings are the target readers of this document.

Operator who manages Web Service of intra-mart Accel PlatformApplication developers who provide Web Service ProviderApplication developers who use Web Service Client

Remarks

1. There are some limitations in using Web Service. Please refer to [ Release Note Limitations] for details about limitations.

Document Structure

Overview

Web Service overview is described.

Authentication/Authorization

Authentication/Authorization of Web Service deployed on intra-mart Accel Platform is described.

SOAP Fault Code of Authentication/Authorization

SOAP Fault Code that could occur in authentication/authorization function at Web Service execution time isdescribed.

Appendix

Useful information for the management or development of Web Service is presented.

Overview

Topics

What is Web Service ?Web Service Provider and Web Service Client

SOAPSOAP Fault

WSDLXML SchemaWeb Service Operation

Apache Axis2

What is Web Service ?

[Web Service] refers to the technologies that use internet and the services utilizing them. [Web Service] addressed in this documentrefers to Web Service that use SOAP and WSDL.

Web Service Provider and Web Service Client

In this document, [Web Service Provider] is the one that provides Web Service, and [Web Service Client] is the one that utilizes WebService.

intra-mart Accel Platform

2

SOAP

SOAP is a protocol to exchange messages in XML format.Web Service exchanges SOAP XML messages (SOAP Envelope) according to the protocol.

SOAP Envelope is made up of the 2 parts below :

SOAP HeaderAdditional information is saved. It is optional.

SOAP BodyMain information (data) is saved.

SOAP is a protocol for the software to exchange data each other. SOAP Envelope does not have descriptions about communicationprotocol, and therefore can be used in various scenes in common.

Please refer to books or Web sites for details about SOAP. Please refer to [ Web Services Activity ] of W3C for the specifications ofSOAP.

SOAP Fault

In SOAP, if any error occurs in Web Service Provider, the error information would be saved in SOAP Body and can be returned to WebService Client. This error information is called [SOAP Fault].SOAP Fault is made up of error code, error message, and error detail.

WSDL

WSDL(Web Services Description Language) is the XML-based language specification to describe Web Service.Following information necessary for the use of Web Service is stated :

Access point of Web ServiceCommunication protocol of Web ServiceInput information to use Web ServiceExecution result format of Web Service

Web Service Client uses Web Service based on the interface of Web Service stated in WSDL.WSDL is made up of the following elements :

wsdl:definitions

wsdl:types

wsdl:message

wsdl:operation

wsdl:postType

wsdl:binding

wsdl:port

wsdl:service

Please refer to books or Web sites for the detail information about WSDL. Please refer to [Web Services Activity ] of W3C for thespecifications of WSDL.

intra-mart Accel Platform

3

XML Schema

wsdl:types element of WSDL defines the format of XML messages exchanged in Web Service. It uses [XML Schema] as the schemalanguage that defines XML message structure.

Please refer to books or Web sites for the detail information about XML schema. Please refer to [ XML Schema] of W3C for thespecifications of XML schema.

Web Service Operation

Web Service Operation means operations defined in Web Service. Web Service Operation is defined by wsdl:operation element ofWSDL.

Apache Axis2

In intra-mart Accel Platform, [Apache Axis2] is adopted as Web Service engine.

Authentication/Authorization

Topics

Function OverviewAuthenticationAuthorizationLog-in

System OverviewAuthentication/Authorization FlowUser InformationAuthentication Module Execution ClassAuthentication ModuleImplementation Class of Web Service (Web Service Provider)Web Service Client

Authentication ModuleWSSE Authentication ModuleAuthentication Module for Plain Text PasswordAuthentication Module for Unauthenticated UserUsing Original Authentication Module

Authorization Setting for Web Service OperationWeb Service Provider Authentication/Authorization Setting

<authModule> Tag<enablePlainTextPassword> Tag<enableAuthentication> Tag<enableAuthorization> Tag<showSoapFaultDetail> Tag<wsUserInfoArgumentName> Tag<wsTenantIdResolveType> TagAuthentication Module Unique Settings

Function Overview

On intra-mart Accel Platform, authentication/authorization and log-in to intra-mart Accel Platform are performed at Web Serviceexecution time. Web Service‘s that are available from Web Service Client are limited by authentication/authorization.

Authentication

Check if user of received user information can use intra-mart Accel Platform.If the authentication did not work, you cannot execute Web Service.By this, you can perform user-based access control.

Authorization

Check if [Permission] to execute Web Service Operation is given to the user of received user information.By this, you can perform authority-based access control.

Please refer to [Authorization Specifications] for information about authorization.

intra-mart Accel Platform

4

Authorization resource setting to Web Service should be performed by services.xml.Please refer to [Specifying Authorization Resource for services.xml ] for detail.

Please refer to [Authorization Setting for Web Service Operation] for authorization setting method by administrator.

Log-in

Log-in is performed after authentication and authorization are done. By this, Web Service implementer can implement business processwithout considering log-in process.Additionally you will be able to reuse existing business process easily. Specifically, you will be able to utilize the process that usesAccess Context as a business process of Web Service without any change.

Please refer to [Access Context in Script Development Model Programming Guide] or [SAStruts+S2JDBC Programming GuideAccess Context] for the detail information about Access Context.

System Overview

Authentication/Authorization Flow

Authentication/Authorization flow for Web Service is shown below :

Authentication/authorization is performed based on the user information saved in SOAP Body. Please refer to [ AuthenticationModule] for details.

User Information

Uer information is structured by the followings.

Log-in group IDUser IDAuthentication TypePassword

Please refer to Log-in Group ID for the value to be specified to Log-in group ID.Account user code should be specified to User ID.For the Authentication Type Authentication Module to be used in Web Service Provider is specified.Contents to be saved in Password will vary depending on the authentication type.

Log-in Group ID

Subject tenant that executes authentication/authorization and Web Service is specified.Value which should be specified depends on the version or settings of intra-mart Accel Platform.

In case of intra-mart Accel Platform 2013 Winter or earlier

You do not need to specify anything to log-in group ID. (Action of authentication/authorization or Web Service will not be

intra-mart Accel Platform

5

affected by the specified value.)

In case of intra-mart Accel Platform 2014 Spring or later

Tenant ID of the tenant for Web Service execution should be specified to log-in group ID.Behaviors when the log-in group ID is omitted would be as follows :

In case tenant automatic resolution function that uses the request information is used

Authentication/authorization and Web Service would be executed by the tenant that was automaticallyresolved using the request information.However, if wsTenantIdResolveType setting of Web Service Provider Authentication/AuthorizationSetting is strict, it cannot be omitted. (If it is omitted, SOAP Fault wsse:InvalidLoginGroupID will occur.)

In case the tenant automatic resolution function that uses the request information is not used

Authentication/authentication and Web Service would be executed by the default tenant.

Note

Please refer to [Tenant Resolution Function] in Setup Guide for [Tenant Automatic Resolution Functionthat uses Request Information].

About User Information Definition in WSDL

Message format to pass the user information described in User Information should be defined in WSDL.Specifically, WSUserInfo that is defined in the XML schema below should be defined as elemenet name wsUserInfo in the first argument ofWeb Service Operation.

<xs:schema attributeFormDefault="qualified" elementFormDefault="qualified" targetNamespace="http://auth.web_service.foundation.intra_mart.co.jp/xsd"> <xs:complexType name="WSUserInfo"> <xs:sequence> <xs:element minOccurs="0" name="authType" nillable="true" type="xs:string"/> <xs:element minOccurs="0" name="loginGroupID" nillable="true" type="xs:string"/> <xs:element minOccurs="0" name="password" nillable="true" type="xs:string"/> <xs:element minOccurs="0" name="userID" nillable="true" type="xs:string"/> </xs:sequence> </xs:complexType></xs:schema>

Note

Argument element name wsUserInfo is set by <wsUserInfoArgumentName> Tag of Web Service ProviderAuthentication/Authorization Setting.

Note

This shall not apply to the Web Service which requires no authorization/authentication.Please refer to [About Web Service that does not require Authentication/Authorization ] for details.

Authentication Module Execution Class

It is Apache Axis2 handler that implements org.apache.axis2.engine.Handler for Authentication Module execution.This handler delegates authentication/authorization process to Authentication Module specified by the authentication type afteranalyzing the user information sent by Web Service Client.

In intra-mart Accel Platform 2014 Spring or later, Log-in Group ID value of user information is used to switch to the tenant to be to thesubject for authentication/authorization and Web Service execution.

This class is executed for the Web Service to which module_axis2_module| [im_ws_auth] is applied.

Authentication Module

Authentication/Authorization/Log-in are made.Please refer to [Authentication Module] described later for details.

Implementation Class of Web Service (Web Service Provider)

intra-mart Accel Platform

6

It is a class that states the business process to be published as Web Service.

After every process of Authentication Module is finished properly, Web Service Operation requested by Web Service Client will beexecuted. Therefore, implementation class of Web Service can state the business process without consideringauthentication/authorization/log-in.

Log-out is made after Web Service execution. Therefore, user specified by the user information would be logged-in only when WebService is being executed.

In order to do authentication/authorization/log-in of Web Service Operation, following 2 conditions should be met for Web ServiceOperation :

Axis2 Module [im_ws_auth] is appliedArgument to save User Information is given to the first argument

Web Service Client

In Web Service Client, Web Service can be called by creating a stub from WSDL. Message format to pass the user information isdefined in WSDL. (About User Information Definition in WSDL)User information will be subseqently set by Web Service Client based on it.

Authentication Module to be executed in Web Service Provider is determined depending on the authentication type of UserInformation specified by Web Service Client.If authentication type is not set, Authentication Module for Plain Text Password will be used.Please refer to [Authentication Module for Plain Text Password] for more information about Authentication Module for Plain TextPassword.

Warning

If you have specified the authentication type that does not exist in Web Service Provider, SOAP Fault(wsse:BadRequest) will occur.

Authentication Module

In authentication module, authentication, authorization, and log-in are made.Authentication module to be used at Web Service execution time is determined depending on the authentication type of userinformation which was sent from Web Service Client.Process made in authentication, authorization, and log-in will vary depending on the authentication module to be used. Please refer toeach authentication module specifications described later for authentication/authorization and log-in processes.Authentication module is operated using jp.co.intra_mart.foundation.web_service.auth.WSAuthModule interface.Processing of authentication module will be performed in the sequence below :

1. Initialization (WSAuthModule#init(WSUserInfo, MessageContext) is executed.)2. SOAP Message Check (WSAuthModule#check(WSUserInfo, MessageContext) is executed.)3. Authentication (WSAuthModule#authentication(WSUserInfo) is executed.)4. Authorization (WSAuthModule#authorization(WSUserInfo, String, String) is executed.)5. Log-in (WSAuthModule#login(WSUserInfo) is executed.)

This series of process is executed every time the request is made by Web Service Client.Only when all processes such as authentication/authorization were successfully performed, the specified Web Service Operation wouldbe executed.If you fail to perform any of these processes, SOAP Fault that saves error code would be returned to Web Service Client.Please refer to [SOAP Fault Code of Authentication/Authorization] for the details of error code.

Please refer to [API List of WSAuthModule Interface] for the details of WSAuthModule.

In intra-mart Accel Platform, following authentication modules are provided as standard.

AuthenticationType

Module provided Implementation Class Name Summary

WSSE Web ServiceAuthentication/Authorization

WSAuthModule4WSSE Authentication module thatUsernameToken format of WS-Security isadopted as a method to digestpasswords.

PlainTextPassword Web ServiceAuthentication/Authorization

WSAuthModule4PlainTextPassword Authentication module for plain textpasswords.

Anonymous Web ServiceAuthentication/Authorization

WSAuthModule4Anonymous Authentication module forunauthenticated users.

WSSE Authentication Module

intra-mart Accel Platform

7

WSSE Authentication Module is an authentication module that adopts UsernameToken format of WS-Seurity as a method for PasswordDigest.Full qualification class name is jp.co.intra_mart.foundation.web_service.auth.impl.WSAuthModule4WSSE.

Web Service Client creates Password Digest based on the followings :

[Nonce] created by Web Service Client[Created] created by Web Service Client[Password] of authentication subject user managed by Web Service Client

Specific example of character string for authentication in UsernameToken format of WS-Security (hereafter called WSSE AuthenticationString) is shown.

UsernameToken Username="the_who", PasswordDigest="tLDSsdGqfvraHRh8BpqTYRBVy+U=", Nonce="YTBiMWI2OGI2OTE3N2RlZQ==", Created="1966-12-01T12:34:56Z"

In Web Service Provider authentication module, WSSE Authentication String is analyzed and Password Digest will be created based onthe followings :

[Nonce] sent from Web Service Client[Created] sent from Web Service Client[Password] of authentication subject user managed by Web Service Provider server.

Compare Password Digest sent from Web Service Client and Password Digest created in Web Service Provider, it would be judged asthe valid user (successfully authorized) if the results are the same. If they are not the same, it will be considered as an invalid user.

Each item of WSSE Authentication String is as follows :

Topics Description

Username User Name (User Code).

Nonce Character string that has the random value encoded in Base64.

Created Character string that the date and time Nonce was created are stated in ISO-8601 notation.

PasswordDigest Concatenate character strings Nonce, Created, and passwords, and generate the character string by digestingwith SHA-1 algorithm. It is then encoded into Base64 character string.Specifically, it should be created as follows.

PasswordDigest = Base64 ( SHA-1 ( Nonce + Created + Passwords))

Authorization is performed for the user who has user ID specified by the user information.

Note

WSSE Authentication Module does validity period check for Password Digest.If the validity period has expired when compared to Created time, authentication would fail. Initial value of the validityperiod is 5 minutes.

Please refer to [WSSE Authentication Module <expire> Tag] for validity period setting.

Note

Please refer to [Web Service Security / UsernameToken / Profile 1.0 - 3 UsernameToken Extensions ] for thedetails about WSSE Authentication String.

Differences between the specifications above and Password Digest generated by WSSE Authentication Module are :

Nonce and Created are mandatoryNonce encoding type is always Base64

Warning

Please retain Created and Nonce of the received WSSE Authentication String in Web Service Provider until theexpiration date. If you try to authenticate by Created and Nonce that are already retained, authentication will fail. Thischeck should be performed for each cluster.

Warning

Authentication target user should be identified by User Information. Username of WSSE Authentication String shouldnot be used.

intra-mart Accel Platform

8

WSSE Password Digest Generation API

Utility APIs for generating Password Digest for the authentication type WSSE are as follows :

Script Development Model API

WSAuthDigestGenerator4WSSE Object

Java API

jp.co.intra_mart.foundation.web_service.util.impl.WSAuthDigestGenerator4WSSE

These APIa are included in Web Service Authentication and Authorization Client.Please refer to [API List of WSAuthDigestGenerator4WSSE Object] or [API List of WSAuthDigestGenerator4WSSE Class] formore information.

Authentication Module for Plain Text Password

Authentication Module for Plain Text Password is an authentication module to send and receive passwords in plain text.Full qualification class name is jp.co.intra_mart.foundation.web_service.auth.impl.WSAuthModule4PlainTextPassword.

If the password specified by the user information matches with the password of account registered in Web Service Provider server, itwill be considered as the valid user (successfully authenticated).Authorization is performed for the user who has the user ID specified by the user information.

Note

If the authentication type sent from Web Service Client has not been set, this authentication module is used.

Warning

Authentication Module for Plain Text Password cannot be used as standard.It can be used by setting <enablePlainTextPassword> Tag of Web Service Provider Authentication/AuthorizationSetting to true.

Warning

Since passwords are sent in plain text in Authentication Module for Plain Text Password, please be careful aboutspoofing by users who can view contents of SOAP message and network communications.You should not use this authentication module without external secure system such as SSL.

Authentication Module for Unauthenticated User

Authentication Module for Unauthenticated User is an authentication module to execute Web Service in Unauthenticated User.Full qualification class name is jp.co.intra_mart.foundation.web_service.auth.impl.WSAuthModule4Anonymous.Unauthenticated User indicates users who have not logged-in. (it is also called a guest user)

If this authentication type is used, authentication process will not be made.Authorization is performed for Unauthenticated User and not for the specific users.

User ID and password that are saved in user information are ignored.

Warning

Authentication Module for Unauthenticated User cannot be used as standard. Please refer to [ Adding theAuthentication Module] for the setting method.

Using Original Authentication Module

By performing followings, you can use authentication module for yourself.

Create class that implements jp.co.intra_mart.foundation.web_service.auth.WSAuthModule interfaceSet <authModule> tag to %CONTEXT_PATH%/WEB-INF/conf/axis2.xml

Please refer to [API List of WSAuthModule Interface] for details of WSAuthModule.

Please refer to [Web Service Provider Authentication/Authorization Setting] for details of %CONTEXT_PATH%/WEB-INF/conf/axis2.xml.

intra-mart Accel Platform

9

Please refer to [Adding the Authentication Module] for how to set the authentication module you have created.

Authorization Setting for Web Service Operation

In intra-mart Accel Platform, access authority for Web Service Operation is set by the authorization setting.

1. Click [Site Map]→[Tenant Management]→[Authorization].

2. Change resource type to [Web Service].

3. Click [Start Authority Setting] and perform authorization setting.

Please refer to [Setting Authorization in Tenant Administrator Operations Guide] for details of operation method on theauthorization setting screen.

Note

In order to use authorization setting screen, user who meets either one of the following conditions should log in asstandard.

User who has tenant administrator roleUser who has authorization administrator role

Web Service Provider Authentication/Authorization Setting

Authentication/Authorization setting by Web Service Provider is performed in %CONTEXT_PATH%/WEB-INF/conf/axis2.xml.Setting is to be stated as a child element of parameter name jp.co.intra_mart.foundation.web_service.

Note

In IM-Juggling, you can do output from [Axis2 Setting (axis2.xml)] of [Web Service Authentication and Authorization]using the configuration file output function.

Warning

This setting will affect all the Web Service to which Axis2 Module [im_ws_auth] is applied.

Following is the example of the setting.

intra-mart Accel Platform

10

<axisconfig name="AxisJava2.0">

<!-- ================================================= --> <!-- Parameters for intra-mart --> <!-- ================================================= --> <parameter name="jp.co.intra_mart.foundation.web_service">

<enablePlainTextPassword>false</enablePlainTextPassword> <authModule class="jp.co.intra_mart.foundation.web_service.auth.impl.WSAuthModule4WSSE"> <expire>300</expire> </authModule>

<enableAuthentication>true</enableAuthentication> <enableAuthorization>true</enableAuthorization> <showSoapFaultDetail>true</showSoapFaultDetail> <wsUserInfoArgumentName>wsUserInfo</wsUserInfoArgumentName> <wsTenantIdResolveType>standard</wsTenantIdResolveType>

</parameter>

<!-- 省略 -->

</axisconfig>

<authModule> Tag

<authModule class="jp.co.intra_mart.foundation.web_service.util.impl.WSAuthDigestGenerator4WSSE"> <expire>300</expire></authModule>

Mandatory Item X

Multiple Setting O

SettingValue/Contents to beset

None

Unit/Type None

Default Value whenit is omitted

None

Parent Tag parameter

[Attribute]

Attribute Name Description Mandatory Default Value

class It sets the authentication module. It specifies the full qualification class name of theclass that implements WSAuthModule interface.

O None

Note

Child element of authModule is handled as the setting value. Setting value is passed to the argument ofWSAuthModule#setConfiguration(OMElement) method.

<enablePlainTextPassword> Tag

<enablePlainTextPassword>false</enablePlainTextPassword>

Mandatory Item X

Multiple Setting X

SettingValue/Contents to beset

false Authentication Module for Plain Text Password is not used.

true Allows the use of Authentication Module for Plain Text Password.

Unit/Type True/False Value (true/false)

Default Value whenit is omitted

false

Parent Tag parameter

[Attribute]

None

intra-mart Accel Platform

11

<enableAuthentication> Tag

<enableAuthentication>true</enableAuthentication>

Mandatory Item X

Multiple Setting X

SettingValue/Contents to beset

true Authentication is executed before Web Service execution.

false Authentication is not executed before Web Service execution.

Unit/Type True/False Value (true/false)

Default Value whenit is omitted

true

Parent Tag parameter

[Attribute]

None

<enableAuthorization> Tag

<enableAuthorization>true</enableAuthorization>

Mandatory Item X

Multiple Setting X

SettingValue/Contents to beset

true Authorization is executed before Web Service execution.

false Authorization is not executed before Web Service execution.

Unit/Type True/False Value (true/false)

Default Value whenit is omitted

true

Parenet Tag parameter

[Attribute]

None

<showSoapFaultDetail> Tag

<showSoapFaultDetail>true</showSoapFaultDetail>

Mandatory Item X

Multiple Setting X

SettingValue/Contents to beset

true Detail message is included in SOAP Fault when processes in the authentication module failed.

false Detail message is not included in SOAP Fault when processes in the authentication module failed.

Unit/Type True/False Value (true/false)

Default Value whenit is omitted

true

Parent Tag parameter

[Attribute]

None

Warning

This setting of whether to include the detail message in SOAP Fault r not will be valid only for SOAP Fault whichoccured in the authentication module. It does not affect on SOAP Fault which occured in Web Service.

<wsUserInfoArgumentName> Tag

<wsUserInfoArgumentName>wsUserInfo</wsUserInfoArgumentName>

Mandatory Item X

intra-mart Accel Platform

12

Multiple Setting X

SettingValue/Contents to beset

Argument name to save user information.

Unit/Type Character String

Default Value whenit is omitted

wsUserInfo

Parent Tag parameter

[Attribute]

None

<wsTenantIdResolveType> Tag

This setting is available on intra-mart Accel Platform 2014 Spring or later.

<wsTenantIdResolveType>standard</wsTenantIdResolveType>

Mandatory Item X

Multiple Setting X

SettingValue/Contents to beset

It specifies validation mode of Log-in Group ID included in the user information. Followings are the valuesand operations that can be specified.

standard No particular validation will be made.

strict Authentication is allowed only when loginGroupID included in the userinformationand tenant ID automatically resolved do match.If loginGroupID included in the user information and tenant ID automaticallyresolved do not match, SOAP Fault wsse:TenantIdNotMatch will occur.If you prevent Web service execution by unexpected tenant ID for the tenant inaccess destination, this setting is used.Please use this setting only when you are using [Tenant Automatic ResolutionFunction using Request Information].

Unit/Type Character String

Default Value whenit is omitted

standard

Parent Tag parameter

[Attribute]

None

Note

Please refer to [Tenant Resolution Function] for [Tenant Automatic Resolution Function using Request Information].

Authentication Module Unique Settings

Settings that can be used in the authentication module provided as standard on intra-mart Accel Platform are described.

WSSE Authentication Module <expire> Tag

<authModule class="jp.co.intra_mart.foundation.web_service.util.impl.WSAuthDigestGenerator4WSSE"> <expire>300</expire></authModule>

Mandatory Item X

Multiple Setting X

SettingValue/Contents to beset

Validity period of user information that is used for authentication.Compare the system date and time and Created in WSSE Authentication String, and if the date and time sethere has expired, authentication would fail.Created and Nounce in WSSE Authentication String will be retained on the server side for the periodspecified here. If it is authenticated by the existing Created and Nonce, authentication will fail. (Replay AttackCountermeasures)If this setting is [0], validity period check and Created and Nonce retaining will not be made.

intra-mart Accel Platform

13

Unit/Type Numeric Value Type (seconds)

Default Value whenit is omitted

300

Parent Tag (class attribute is jp.co.intra_mart.foundation.web_service.util.impl.WSAuthDigestGenerator4WSSE ) authModule

[Attribute]

None

Topics

SOAP Fault Code of Authentication/Authorizationwsse:InvaildRequestwsse:BadRequestwsse:AuthenticationBadElementswsse:ExpiredDatawsse:InvalidSecurityTokenwsse:FailedAuthentication

Account is not registered.Account license is not registered.Validity period of the account has expied.Account is locked.Password is wrong.

wsse:RequestFailedwsse:TenantNotResolvedwsse:InvalidLoginGroupIDwsse:TenantIdNotMatchwsse:FailedTenantSwitch

SOAP Fault Code of Authentication/Authorization

If error occurs at authentication/authorization and log-in time, SOAP Fault Code corresponding to the error contents is returned to WebService Client.SOAP Fault Code and its causes are described below.

If SOAP Fault Code that is not described below is sent, there may be some errors in the business process.If SOAP Fault Code is not explicitly specified in the business process, SOAP Fault Code will be sent as Receiver defined in the namespace http://www.w3.org/2003/05/soap-envelope.

Note

If <showSoapFaultDetail> Tag of Web Service Provider Authentication/Authorization Setting is set to false, errordetail information would not be notified to Web Service Client.

Warning

Please be aware that the error message contents would vary depending on respective locales.SOAP Fault Code and SOAP Fault Reason Code ([E.IWP.WEBSERVICE.AXIS2.XXXXX] etc) will not be affected by thelocales.

wsse:InvaildRequest

SOAP Fault Code wsse:InvalidRequest

SOAP Fault Reason [E.IWP.WEBSERVICE.AXIS2.00005] request is invalid, or the format is not correct.

SOAP Fault Detail (Example at erroroccurrence)

java.lang.IllegalStateException: [E.IWP.WEBSERVICE.AXIS2.00007] wsUserInfo could notbe found.

java.lang.NullPointerException: [E.IWP.WEBSERVICE.AXIS2.00006] element is null.

It occurs if User Information does not exist in SOAP Body or if the element name in which user information is saved is not of theprescribed character string (wsUserInfo as standard).

If the element name to which User Information is saved is param0, Java class published as Web Service may have been compiledwithout the -g option.

Java class to be published should be compiled to generate debug information. This is a necessary process to obtain the name of userinformation included in SOAP Body by the prescribed character string.

intra-mart Accel Platform

14

Note

In order to generate the debug information, compilation should be performed by using javac command option -g.

Note

Element name of User Information is to be set by <wsUserInfoArgumentName> Tag of Web Service ProviderAuthentication/Authorization Setting.

wsse:BadRequest

SOAP Fault Code wsse:BadRequest

SOAP Fault Reason [E.IWP.WEBSERVICE.AXIS2.00009] Specified RequestSecurityToken could not beunderstood.

SOAP Fault Detail(Example at erroroccurrence)

java.lang.IllegalStateException: [E.IWP.WEBSERVICE.AXIS2.00008] WSAuthModule is notfound. Authentication Type = PlainTextPassword

It occurs when the authentication module corresponding to the authentication type of User Information which was sent from WebService Client does not exist.

Other than that, the error also occurs if you execute Web Service without specifying the authentication type when the setting is not touse Authentication Module for Plain Text Password.

Note

Availability of Authentication Module for Plain Text Password is set in<enablePlainTextPassword> Tag of Web Service Provider Authentication/Authorization Setting.

Note

Corresponding module other than Authentication Module for Plain Text Password is set in<authModule> Tag of Web Service Provider Authentication/Authorization Setting.

wsse:AuthenticationBadElements

SOAP Fault Code wsse:AuthenticationBadElements

SOAP Fault Reason [E.IWP.WEBSERVICE.AXIS2.00010] Required digest element is missing.

SOAP Fault Detail(Example aterror occurrence)

jp.co.intra_mart.foundation.web_service.auth.exception.AuthenticationBadElementsException:[E.IWP.WEBSERVICE.AUTH.00016] WSSE authentication character string is invalid.

java.lang.IllegalStateException: No match found

It occurs when WSSE Authentication String in the authentication type specified in Web Service Client is not correct.For example, if the authentication type is WSSE, this error occurs when sent Password Digest is not correct as WSSE AuthenticationStringExampe) Nonce item does not exist inside WSSE Authentication String etc.

Note

Please refer to [WSSE Authentication Module] for details about WSSE Authentication String.

wsse:ExpiredData

SOAP Fault Code wsse:ExpiredData

SOAP Fault Reason [E.IWP.WEBSERVICE.AXIS2.00003] Request data is not the latest one.

SOAP Fault Detail(Example at erroroccurrence)

jp.co.intra_mart.foundation.web_service.auth.exception.ExpiredDataException:[E.IWP.WEBSERVICE.AUTH.00018] Expiration data has passed.

It occurs when the data sent from Web Service Client has passed the expiration date.For example, if the authentication type is WSSE, system data and time and Created of WSSE Authentication String are compared. Thiserror occurs if the set expiration data has passed.

intra-mart Accel Platform

15

Note

Expiration data of WSSE Authentication String is set inWSSE Authentication Module <expire> Tag of Web Service Provider Authentication/Authorization Setting.

wsse:InvalidSecurityToken

SOAP Fault Code wsse:InvalidSecurityToken

SOAP Fault Reason [E.IWP.WEBSERVICE.AXIS2.00004] Security Token has been rejected.

SOAP Fault Detail(Example at erroroccurrence)

jp.co.intra_mart.foundation.web_service.auth.exception.InvalidSecurityTokenException:[E.IWP.WEBSERVICE.AUTH.00018] Received 2 or more times during the validity period.Created = 1966-12-01T12:34:56Z

It occurs only when the data sent from Web Service Client has been already received.In case the authentication type is WSSE, Created and Nonce of WSSE Authentication String are retained at the server for the period setas the validity period. If you try to authenticate with Created and Nonce that are already retained, this error will occur.

Note

Expiration date of WSSE Authentication String is set byWSSE Authentication Module <expire> Tag of Web Service Provider Authentication/Authorization Setting.

wsse:FailedAuthentication

SOAP Fault Code wsse:FailedAuthentication

SOAP Fault Reason [E.IWP.WEBSERVICE.AXIS2.00001] Authentication has failed.

SOAP Fault Detail(Example at erroroccurrence)

jp.co.intra_mart.foundation.web_service.auth.exception.AuthenticationException:[E.IWP.WEBSERVICE.AUTH.00014] Authentication has failed. User CD = aoyagi...

This error can have several causes. These causes are described as follows :

Account is not registered.

SOAP Fault Detail (Example at erroroccurrence)

jp.co.intra_mart.foundation.web_service.auth.exception.AuthenticationException:[E.IWP.WEBSERVICE.AUTH.00014] Authentication has failed. User CD = aoyagijp.co.intra_mart.foundation.security.exception.AccessSecurityException:[E.IWP.WEBSERVICE.AUTH.00004] Account is not registered. UserCD = aoyagi

It occurs if the account with the user ID specified by the user information does not exist. Please confirm if the user ID is correct.

Account license is not registered.

SOAP Fault Detail(Example at erroroccurrence)

jp.co.intra_mart.foundation.web_service.auth.exception.AuthenticationException:[E.IWP.WEBSERVICE.AUTH.00014] Authentication has failed. User CD = aoyagijp.co.intra_mart.foundation.security.exception.AccessSecurityException:[E.IWP.WEBSERVICE.AUTH.00005] Account license is not registered. User CD = aoyagi

It occurs when there is no account license for the account with user ID specified by the user information.

Validity period of the account has expied.

SOAP Fault Detail(Example at erroroccurrence)

jp.co.intra_mart.foundation.web_service.auth.exception.AuthenticationException:[E.IWP.WEBSERVICE.AUTH.00014] Authentication has failed. User CD = aoyagijp.co.intra_mart.foundation.security.exception.AccessSecurityException:[E.IWP.WEBSERVICE.AUTH.00006] Validity period of the account has expired. User CD =aoyagi

It occurs when the validity period of the account with user ID specified by the user information has expired.

Account is locked.

intra-mart Accel Platform

16

SOAP Fault Detail(Example at erroroccurrence)

jp.co.intra_mart.foundation.web_service.auth.exception.AuthenticationException:[E.IWP.WEBSERVICE.AUTH.00014] Authentication has failed. User CD = aoyagijp.co.intra_mart.foundation.security.exception.AccessSecurityException:[E.IWP.WEBSERVICE.AUTH.00007] Account is locked. UserCD = aoyagi

It occurs when the account with user ID specified by the user information is locked.

Password is wrong.

SOAP Fault Detail(Example at erroroccurrence)

jp.co.intra_mart.foundation.web_service.auth.exception.AuthenticationException:[E.IWP.WEBSERVICE.AUTH.00014] Authentication has failed. User CD = aoyagijp.co.intra_mart.foundation.security.exception.AccessSecurityException:[E.IWP.WEBSERVICE.AUTH.00015] Password is wrong. User CD = aoyagi

It occurs if the password for the user ID specified by the user information and the specified password do not match.

wsse:RequestFailed

SOAP Fault Code wsse:RequestFailed

SOAP Fault Reason [E.IWP.WEBSERVICE.AXIS2.00002] You have failed to run the specified request.

SOAP Fault Detail(Example at erroroccurrence)

jp.co.intra_mart.foundation.web_service.auth.exception.AuthorizationException:[E.IWP.WEBSERVICE.AUTH.00001] There is no access authority. Web service name =MenuService, operation name = getAvailbleMenuTree

It occurs when you are not authorized to execute the specified Web Service Operation.

Note

Please refer to [Authorization Setting for Web Service Operation] for authorization setting method by administrator.

wsse:TenantNotResolved

SOAP Fault Code wsse:TenantNotResolved

SOAP Fault Reason [E.IWP.WEBSERVICE.AXIS2.00018] You have failed to run the specified request.。

SOAP Fault Detail(Example at erroroccurrence)

java.lang.IllegalStateException: [E.IWP.WEBSERVICE.AUTH.00017] Tenant ID cannot beresolved.

It occurs when tenant ID cannot be resolved in the environment where the specified Web Service Operation is called.

wsse:InvalidLoginGroupID

SOAP Fault Code wsse:InvalidLoginGroupID

SOAP Fault Reason [E.IWP.WEBSERVICE.AXIS2.00020] Request is invalid, or the format is not correct.

SOAP Fault Detail(Example at erroroccurrence)

java.lang.IllegalStateException: [E.IWP.WEBSERVICE.AUTH.00019] loginGroupIDparameter is null.

It occurs when log-in group ID is not specified by the user information.

wsse:TenantIdNotMatch

SOAP Fault Code wsse:TenantIdNotMatch

SOAP Fault Reason [E.IWP.WEBSERVICE.AXIS2.00022] Request is invalid, or the format is not correct.

SOAP Fault Detail(Example at erroroccurrence)

java.lang.IllegalStateException: [E.IWP.WEBSERVICE.AUTH.00021] Resolved tenantID(secondary) and tenant ID that is specified in the user information (default) do not match.

It occurs when the resolved tenant ID and log-in group ID specified by the user information do not match in the environment where thespecified Web Service Operation is called.

wsse:FailedTenantSwitch

SOAP Fault Code wsse:FailedTenantSwitch

SOAP Fault Reason [E.IWP.WEBSERVICE.AXIS2.00023] You failed to switch tenant ID(secondary).

SOAP Fault Detail(Example at erroroccurrence)

jp.co.intra_mart.foundation.admin.exception.AdminException:[E.IWP.ADMIN.TENANT.10057] Log-in user cannot switch the tenant.

intra-mart Accel Platform

17

It occurs when the temporary switching of tenant for executing the Web service has failed.

Appendix

Topics

Creating aar FileAbout Apache Axis2 Administration ConsoleAbout services.xml

Specifying Authorization Resource for services.xmlDeploying Web Service

Deployment in Directory FormatDeployment of aar File Format

How to apply Axis2 Module [im_ws_auth]Specifying Axis2 Module [im_ws_auth] by services.xmlSpecifying Axis2 Module [im_ws_auth] by axis2.xmlSpecifying Axis2 Module [im_ws_auth] by Apache Axis2 Administration Console

About WSDL in Distributed EnvironmentAdding the Authentication ModuleSOAP Message Monitoring

Monitoring by TCPMonAbout Web Service that does not require Authentication/Authorization

Creating aar File

A tool to create aar file (Axis2 Archive file) is introduced.Here, Ant task [aarGenerate] is used. This Ant task creates services.xml and aar file including services.xml.Please refer to [Apache Axis2 Web Administrator’s Guide Step 3: Create Archive File] of Axis2 project for aar file structure.

It is assumed that this procedure is performed in the environment that meets the following conditions :

Apache Ant is installed.[Tool for Web Service ] exists.

Directory to which the tool for Web service is expanded will be denoted as %WEBSERVICE_TOOL_HOME% hereafter.

Note

If build tool [Ant] has not been already installed, please install it by looking at the sites below :

Ja-Jakarta Project Ant Installation (Japanese)Apache Ant Manual - Installing Apache Ant (English)

Warning

jar or class cannot be included in aar file in this tool. In order to execute Web Service of aar file, implementation classof Web Service should be placed on a class path of application server.Specifically, please place jar file under %CONTEXT_PATH%/WEB-INF/lib and class under %CONTEXT_PATH%/WEB-INF/classes.

1. Various setting for Web Service to be published would be performed.

1. Edit AarGen.properties.

Edit %WEBSERVICE_TOOL_HOME%/AarGen.properties.Descriptions of each property is as shown below.

Property Name Required DescriptionserviceName O Specify the name to be published as Web Service. This value will become

the aar file name.className O Specify the implementation class of Web Service. Class should be specified

with a full qualified name.destDir O Specify the directory that outputs aar file.moduleRef X Specify the Axis2 Module name to be applied for Web Service.

More than one names can be specified by using , (comma).

wsdlDir X Directory where WSDL or XSD to be included in aar file is placed.If it is not specified, files other than services.xml will not be included in aarfile.

intra-mart Accel Platform

18

serviceAuthzUri X Authorization resource for the service provided by Web Service is specifiedby URI.If it is not specified, authorization resource setting for the service would notbe performed.

opeAuthzUriFile X Specify CSV file with the description of authorization resource setting forWeb Service Operation.If it is not specified, authorization resource setting for Web Service Operationwould not be performed.

verbose X Specify whether to output detail information at Ant task execution time.

Warning

If you are to specify the path in Windows environment, the delimiter character should be / or \.

2. Edit opeAuthzUriFile.csv.

Specify the authorization resource for Web Service Operation provided by Web Service by URI.Edit %WEBSERVICE_TOOL_HOME%/opeAuthzUri.csv. (Edit file with the value specified in opeAuthzUriFile ofAarGen.properties.)If you do not specify the authorization resource for Web Service Operation, you do not need to edit this file.This file should be stated in CSV format. Field delimiter character is , (comma) and record delimiter character is a new line.In the examples below,

URI service://sample/web_service/member_info/add for Web Service Operation add

URI service://sample/web_service/member_info/find for Web Service Operation find

URI service://sample/web_service/member_info/findAll for Web Service Operation findAll

would result.

add,service://sample/web_service/member_info/addfind,service://sample/web_service/member_info/findfindAll,service://sample/web_service/member_info/findAll

Note

If authorization resources are specified for both the service and Web Service Operation, the authorizationresource specified in Web Service Operation is given priority over the other.Please refer to [Specifying Authorization Resource for services.xml ] for details.

Warning

If the authorization resource is specified, following error occurs at Web Service Operation execution time whencorresponding authorization resource does not exist at the specified URI.

[E.IWP.AUTHZ.DECISION.10007] Resource group is not registered.

Please create the authorization resource in advance when you execute Web Service Operation.

Please refer to [Adding Resources] of [Setting Authorization in Tenant Administrator Operations Guide] forhow to add the authorization resource.

3. Specify the environment information to execute AarGen.

Specify the directory to which Apache Ant is installed.Edit %WEBSERVICE_TOOL_HOME%/AarGen.bat (AarGeb.sh for Unix OS).Specify the directory to which Ant is installed for the environment variable [ANT_HOME].

(In case of Windows OS)

REM AarGen.batset ANT_HOME=C:/apache-ant

(In case of Unix OS)

# AarGen.shexport ANT_HOME=/apache-ant

2. Execute AarGen.

Execute the batch file included in the product.

(In case of Windows OS)

intra-mart Accel Platform

19

> %WEBSERVICE_TOOL_HOME%\AarGen.bat

(In case of Unix OS)

$ sh %WEBSERVICE_TOOL_HOME%/AarGen.sh

aar file would be output under the directory specified by destDir of AarGen.properties.

About Apache Axis2 Administration Console

It is a management console provided by Apache Axis2.You can access it by http://<HOST>:<PORT>/<CONTEXT_PATH>/axis2-web/index.jsp.By using this management console, you can view Web Service information deployed via the browser or you can deploy Web Service.

Please refer to [Apache Axis2 Web Administrator’s Guide] for detail of Apache Axis2 management console.

Note

Standard user name is admin and password is axis2. These values can be changed by%CONTEXT_PATH%/conf/axis2.xml.

About services.xml

In Apache Axis2, [services.xml] is provided to set service information such as Web service name or Java class to be published as WebService.

You can deploy Web Service by placing this file to the prescribed folder or to aar file.Please refer to [Deploying Web Service ] for Web Service deployment.

intra-mart Accel Platform

20

<?xml version="1.0" encoding="UTF-8"?><!-- サービスの設定を行います。Webサービス名がSampleServiceであることを指定しています。 --><service name="SampleService"> <!-- Webサービスに対しての説明です。 --> <description>The Web service on the intra-mart.</description>

<!-- このサービスのServiceClassがsample.web_service.provider.SampleServiceであることを指定しています。 --> <parameter name="ServiceClass">sample.web_service.provider.SampleService</parameter>

<!-- このサービスのWebサービス・オペレーション実行時に認証・認可を行うことを指定しています。 --> <module ref="im_ws_auth"/>

<!-- このサービスに対してのメッセージレシーバを指定しています。 --> <messageReceivers> <!-- 返却値が無いメソッドに対してのレシーバを指定しています。 --> <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-only" class="org.apache.axis2.rpc.receivers.RPCInOnlyMessageReceiver" /> <!-- 何らかの返却を行うメソッドに対してのレシーバを指定しています。 --> <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-out" class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/> </messageReceivers>

</service>

Specify attibute value of name attribute of <parameter> tag as ServiceClass and specify the Java’s full qualified name of Web Serviceimplementation class inside the tag. By this, public method of class you have specified will be disclosed as Web Service Operation.Each message receiver is to do mapping between Web Service message of XML and Java object.In addition to it, message receiver to directly handle the XML called [RowXMLxxxxMessageReceiver] is also provided.

Please refer to [Service Configuration] of Axis2 project for details of services.xml.Please refer to API document of Axis2 for details of message receiver.

Specifying Authorization Resource for services.xml

Authorization resource for Web Service Operation is to be specified. The authorization resource is specified in URI format.

Please refer to [Authorization Specification Resource Management] for authorization resource URI.

Authorization resource can be set for services or operations.Authorization resource is specified using <parameter> tag of services.xml. URI of the authorization resource should be specified insidethe <parameter name="auth-uri">.

<?xml version="1.0" encoding="UTF-8"?><service name="SampleService"> <description>The Web service on the intra-mart.</description>

<parameter name="ServiceClass">sample.web_service.provider.SampleService</parameter>

<module ref="im_ws_auth"/>

<messageReceivers> <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-only" class="org.apache.axis2.rpc.receivers.RPCInOnlyMessageReceiver" /> <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-out" class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/> </messageReceivers>

<!-- サービスSampleServiceに対して認可リソースを指定します。 --> <parameter name="authz-uri">service://sample/web_service/sample</parameter> <operation name="foo"> <!-- サービスSampleServiceのオペレーションfooに対しての認可リソースを指定します。 --> <parameter name="authz-uri">service://sample/web_service/sample/foo</parameter> </operation> <operation name="bar"> <!-- サービスSampleServiceのオペレーションbarに対しての認可リソースを指定します。 --> <parameter name="authz-uri">service://sample/web_service/sample/bar</parameter> </operation> <!-- <operation name="baz"> <parameter name="authz-uri">service://sample/web_service/sample/baz</parameter> </operation> -->

</service>

If authorization resources are specified for both service and operation, the one specified for the operation would become valid. For thecase described above, the authorization resource URI for operation bar is service://sample/web_service/sample/bar (using operationauthorization resource), and the authorization resource URI for operation baz is service://sample/web_service/sample (using serviceauthorization resource).

intra-mart Accel Platform

21

Warning

If no authorization resource is specified for the service and the operation, the operation authorization would always be[Permitted].

Warning

Authorization is valid only for Web Service that Axis2 Module [im_ws_auth] is applied.Please refer to [How to apply Axis2 Module [im_ws_auth]] for how to apply Axis2 Module [im_ws_auth].

Warning

Authorization works only when the authorization setting of Web Service Provider is valid.Please refer to [<enableAuthorization> Tag] of [Web Service Provider Authentication/Authorization Setting] fordetails.

Warning

If you specified the authorization resource, following error will occur at Web Service Operation execution time whencorresponding authorization resource does not exist in the specified URI.

[E.IWP.AUTHZ.DECISION.10007] Resource group is not registered.

Please create the authorization resource in advance when you execute Web Service Operation.

Please refer to [Adding Resources] of 「Setting Authorization in Tenant Administrator Operations Guide] for how toadd the authorization resource.

Note

Following format is recommend for URI.

In case setting it for the service

service://%Application ID%/web_service/%Service Name%

In case setting it for Web Service Operation

service://%Application ID%/web_service/%Service Name%/%Operation Name%

Deploying Web Service

How to deploy Web Service is introduced.

Deployment in Directory Format

By placing arbitrary named directory where Web Service materials are stored under %CONTEXT_PATH%/WEB-INF/services directory,you can deploy Web Service.If you save library, class, property files, WSDL file, XSD file, and services.xml related to Web Service under this directory, Web Servicewill be deployed.

Path including [services.xml] is as follows.

%CONTEXT_PATH%/WEB-INF/services/%any name%/META-INF/services.xml

Deployment of aar File Format

By placing aar file (Asix2 Archive file) in %CONTEXT_PATH%/WEB-INF/services directory, you can deploy Web Service.

aar file is a file where library, class, property file, WSDL file, XSD file, and services.xml related to Web Service are saved.Please refer to [Creating aar File] for aar file creation.Please refer to [Apache Axis2 Web Administrator’s Guide Step 3: Create Archive File] of Axis2 project for aar file structure.

How to apply Axis2 Module [im_ws_auth]

How to make Web Service as the subject for authentication/authorization is described.

intra-mart Accel Platform

22

Axis2 Module [im_ws_auth] should be applied to make it as the subject of authentication/authorization for Web Service.Followings are the ways to apply Axis2 Module [im_ws_auth].

Specifying Axis2 Module [im_ws_auth] by services.xmlSpecifying Axis2 Module [im_ws_auth] by axis2.xmlSpecifying Axis2 Module [im_ws_auth] by Apache Axis2 Administration Console

Specifying Axis2 Module [im_ws_auth] by services.xml

By stating <module ref="im_ws_auth"/> inside the <service> tag, you can specify Axis2 Module [im_ws_auth].By stating it inside the <operation> tag, you can also specify it for each Web Service Operation.

Please refer to [About services.xml].

Specifying Axis2 Module [im_ws_auth] by axis2.xml

Edit %CONTEXT_PATH%/WEB-INF/conf/axis2.xml.Remove the comment out of <service> tag shown below.Specify the Web Service name that you want to apply Axis2 Module [im_ws_auth] to <service> tag.If you want to specify multiple services, please state multiple <service> tags.

<listener class="jp.co.intra_mart.foundation.web_service.axis2.observers.EngageModuleAxisObserver"> <parameter name="engageModule"> <module ref="im_ws_auth"> <!-- <service>ExampleWebServiceName</service> --> </module> </parameter></listener>

Specifying Axis2 Module [im_ws_auth] by Apache Axis2 Administration Console

You can also apply Axis2 Module [im_ws_auth] by using administration console function of Apache Axis2.Please refer to [About Apache Axis2 Administration Console] for administration console.

1. Access the one below for the server in operation.

http://<HOST>:<PORT>/<CONTEXT_PATH>/axis2-web/index.jsp

2. Click [Administration].

3. Click [For a service] in Engage module.

intra-mart Accel Platform

23

4. Select [im_ws_auth] in Select a Module:, and select any service in Select a Service:.

5. Click [Engage].

6. Axis2 Module [im_ws_auth] would be applied for the service you specified in the above.

Warning

For the Axis2 Module that uses administration console, settings would be initialized if you restart the application server.

About WSDL in Distributed Environment

End point that is stated in WSDL which was automatically generated by Apache Axis2 depends on the name of the host where cluster isbeing operated.Therefore, if you query WSDL in distributed environment, application server host dispatched by the Web server could be obtained as anend point.In order to avoid this, you should take either one of the following measures :

Stop automatic generation of WSDL.

If you perform Deployment in Directory Format, you should create WSDL in which the end point via Web server isstated in advance, and place it in %CONTEXT_PATH%/WEB-INF/services/%any name%/META-INF/%Web service name%.wsdl.

Change the end point specified by Web Service Client to the one via Web server.

Note

intra-mart Accel Platform

24

If Script Development Model API SOAPClient is used, you should change the URL specified to the endpoint of 4th argument of SOAPClient to the one via Web server.

Note

If you have generated stub from WSDL, please change URL specified as an end point specified bystub constructor to the one via Web server.

Adding the Authentication Module

In order to add authentication module, add <authModule> Tag to axis2.xml.Please refer to [Web Service Provider Authentication/Authorization Setting] for axis2.xml.Shown below is the setting when you want to add Authentication Module for Unauthenticated User(jp.co.intra_mart.foundation.web_service.auth.impl.WSAuthModule4Anonymous) as authentication module, which is not set as standard.

<axisconfig name="AxisJava2.0">

<!-- ================================================= --> <!-- Parameters for intra-mart --> <!-- ================================================= --> <parameter name="jp.co.intra_mart.foundation.web_service">

<enablePlainTextPassword>false</enablePlainTextPassword> <!-- authModuleタグ追加 --> <authModule class="jp.co.intra_mart.foundation.web_service.auth.impl.WSAuthModule4Anonymous" />

<authModule class="jp.co.intra_mart.foundation.web_service.auth.impl.WSAuthModule4WSSE"> <expire>300</expire> </authModule>

<enableAuthentication>true</enableAuthentication> <enableAuthorization>true</enableAuthorization> <showSoapFaultDetail>true</showSoapFaultDetail> <wsUserInfoArgumentName>wsUserInfo</wsUserInfoArgumentName>

</parameter>

<!-- 省略 -->

</axisconfig>

SOAP Message Monitoring

Monitoring method of Web Service messages that are exchanged during Web Service execution is introduced.

Monitoring by TCPMon

How to use message monitoring tool [TCPMon] provided in Apache Web Services Project is introduced.

Please refer to [TCPMon] for the details about TCPMon.

1. TCPMon Download and Decompression

Download TCPMon from [TCPMon Download Page] and decompress the archive. This directory is%TCPMON_HOME%.

1. TCPMon Startup and Setting

Execute %TCPMON_HOME%/build/tcpmon.bat (or tcpmon.sh) and start TCPMon.

Display [Admin] tab and set appropriate port number to Listen Port. When you specify the port number, it should notoverlap with the one of other services.In this document, it is specified to [9999] as an example.

Set the host information where the Eb service is to be deployed to Target Hostname and Target Port.In this document, Target Hostname is [localhost] and Target Port is [8080] as an example.

After that, click [Add].

intra-mart Accel Platform

25

2. Change end point by Web Service Client.

Change the end point port number to be specified by Web Service Client at execution time to Listen Port., which youhave specified before.

Note

If Script Development Model API SOAPClient is used, you should change the port number that you havespecified in the end point of the 4th argument of SOAPClient to the port number of Listen Port.

Note

If you have generated the stub from WSDL, please change the port number specified in the end pointspecified by the stub constructor to the port number of Listen Port.

3. View the SOAP messages from [Port <Port Number of Listen Port>] tab.

About Web Service that does not require Authentication/Authorization

In case you create Web Service that does not require authentication, authorization, or log-in, you do not need to apply Axis2 Module[im_ws_auth].Specifically, by not setting <module ref=”im_ws_auth”/> of set services.xml, corresponding module will not be applied.

intra-mart Accel Platform

26

Other than not applying Axis2 Module [im_ws_auth], you can create it in the same method as Web Service, which is described in thisdocument.Please refer to [How to apply Axis2 Module [im_ws_auth]] for applying Axis2 Module [im_ws_auth].

Note

It is not necessary to receive User Information as an argument for each Web Service Operation either.

Copyright © 2013 NTT DATA INTRAMART CORPORATION

intra-mart Accel Platform

27