JAX-RPC doesn't mandate support for HTTPS. However, it is possible to configure Tomcat to accept HTTPS connections in the same way as for a Web application. It is also possible to configure mandatory client authentication through the client certificate, resulting in mutual authentication. We have already described the required configuration details in Chapter 9 and do not repeat them here. Instead, we go through the steps in configuring and running the previous example to use HTTPS.
Web service client programs can use HTTPS by simply setting the appropriate system properties and using address URLs with the scheme https in place of http to access the service. The relevant system properties for Sun's implementation of J2SE v1.4.x are described in Chapter 6, Securing the Wire.
Let us go through the steps of running the example service StringEchoPort1 and the client so that SOAP messages are exchanged over an HTTPS connection with mutual authentication. For this purpose, we create self-signed certificates for both the client program and the Tomcat server. These certificates and the corresponding private keys are stored in respective keystore files. Then we populate the client's truststore with the server's certificate and the server's truststore with the client's certificate. As the main ideas behind these steps have already been covered in previous chapters, we skip the explanations and simply show the steps with the relevant commands and configuration changes.
A point worth noting is that we resorted to changing the URL in the client program. For Web applications, one could simply rely on making the appropriate changes in the deployment descriptor file web.xml, and the Web container would redirect requests for SSL-protected URLs to the corresponding HTTPS URLs. One could do this for Web services as well, and the Web container will faithfully issue HTTP redirect messages. However, the HTTP client library of Axis-1.1RC2 is not capable of handling HTTP redirects and fails.
This makes it hard to protect only certain services within a Web container with HTTPS and let others be accessed with plain HTTP. You must have all services deployed within a particular Web container accepting an HTTPS connection or none. It is also not possible to have separate Web service-specific server certificates.
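The steps described above, written out as an added example rather than the book's own commands: it creates the self-signed key pairs for the server and the client with keytool, cross-populates the two truststores, and shows how the client JVM and Tomcat are pointed at the resulting files. The working directory, aliases, passwords, the client class name StringEchoClient, the port 8443 and the service URL path are assumptions made for this example; the javax.net.ssl.* properties are the standard JSSE system properties.

```shell
#!/bin/sh
# Added example (not from the book): mutual-TLS keystore setup for the
# Axis client and Tomcat. All paths, aliases and passwords are constructed.
set -e

WORK=${WORK:-./mtls-demo}        # assumed working directory
STOREPASS=${STOREPASS:-changeit} # assumed password, same for every store

# Generate a self-signed key pair and certificate for one party into its own
# keystore. The server's CN must match the host name used in the https URL,
# otherwise JSSE rejects the connection on the client side.
# $1 = alias, $2 = keystore file, $3 = CN
gen_identity() {
    keytool -genkey -alias "$1" -keyalg RSA -keystore "$2" \
        -dname "CN=$3, OU=Demo, O=Demo, C=US" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" -validity 365
}

# Export one party's certificate (never its private key) and import it into
# the other party's truststore, so each side trusts exactly the peer's cert.
# $1 = alias, $2 = source keystore, $3 = destination truststore
trust_peer() {
    keytool -export -alias "$1" -keystore "$2" -storepass "$STOREPASS" \
        -file "$WORK/$1.cer"
    keytool -import -noprompt -alias "$1" -file "$WORK/$1.cer" \
        -keystore "$3" -storepass "$STOREPASS"
}

# Build all four stores. Returns 0 on success.
setup_mtls_stores() {
    mkdir -p "$WORK"
    gen_identity server "$WORK/server.keystore" localhost
    gen_identity client "$WORK/client.keystore" echo-client
    trust_peer server "$WORK/server.keystore" "$WORK/client.truststore"
    trust_peer client "$WORK/client.keystore" "$WORK/server.truststore"
}

# Sanity check: a truststore built above holds exactly one trusted cert.
# Prints the number of trustedCertEntry lines reported by keytool -list.
truststore_entry_count() {
    keytool -list -keystore "$1" -storepass "$STOREPASS" \
        | grep -c 'trustedCertEntry' || true
}

# Client side: the JSSE system properties select the client's identity and
# its truststore; the service address uses https. StringEchoClient and the
# URL path are assumed names for the example client and Axis deployment.
run_client() {
    java -Djavax.net.ssl.keyStore="$WORK/client.keystore" \
         -Djavax.net.ssl.keyStorePassword="$STOREPASS" \
         -Djavax.net.ssl.trustStore="$WORK/client.truststore" \
         -Djavax.net.ssl.trustStorePassword="$STOREPASS" \
         StringEchoClient "https://localhost:8443/axis/services/StringEchoPort1"
}

# Server side: the truststore is handed to Tomcat's JVM through the same
# JSSE properties (via JAVA_OPTS), and the HTTPS connector in server.xml is
# given the server keystore with clientAuth="true" so a client certificate
# is mandatory. The connector attributes are the ones used by Tomcat's
# Coyote HTTPS connector of that era and are shown here as an assumption.
print_tomcat_config() {
    cat <<EOF
export JAVA_OPTS="-Djavax.net.ssl.trustStore=$WORK/server.truststore \\
  -Djavax.net.ssl.trustStorePassword=$STOREPASS"

<Connector port="8443" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="$WORK/server.keystore"
           keystorePass="$STOREPASS" />
EOF
}

# Run the setup only when invoked explicitly, so the file can also be sourced.
if [ "${1:-}" = "setup" ]; then
    setup_mtls_stores
    print_tomcat_config
fi
```

Because every service in the container shares this one connector and keystore, the configuration is all-or-nothing, which is exactly the limitation noted above: you cannot give one service its own certificate or leave another on plain HTTP.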