WLS 10.3: Unable to Protect WebLogic JAX-WS Web Services Using Roles (Doc ID 1072446.1)

Last updated on AUGUST 18, 2023

Applies to:

Oracle WebLogic Server - Version 10.3 and later
Information in this document applies to any platform.

Symptoms

WebLogic's JAX-WS 2.1 Webservices implementation provides no way to define access control / authorization on Webservice operations either declaratively or programatically when using Message Level Security (eg. WS-Security username token, password digest or SAML token).

When run on WebLogic, this code only works if using transport-level-security (eg. HTTP Basic Authentication).
However, when using message level security (eg. WS-Security UserToken with username/password in SOAP header), this code doesn't work and WebLogic doesn't seem to populate the roles correctly for the user.
As a result, there appears to be no way for WebLogic JAX-WS based Webservices to have role based access control enforced when using Message Level Security.

Changes

None.

Cause

	To view full details, sign in with your My Oracle Support account.
	Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.

WLS 10.3: Unable to Protect WebLogic JAX-WS Web Services Using Roles (Doc ID 1072446.1)

Applies to:

Symptoms

Changes

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!