WLS 10.3: Unable to Protect WebLogic JAX-WS Web Services Using Roles
(Doc ID 1072446.1)
Last updated on AUGUST 18, 2023
Applies to:Oracle WebLogic Server - Version 10.3 and later
Information in this document applies to any platform.
WebLogic's JAX-WS 2.1 Webservices implementation provides no way to define access control / authorization on Webservice operations either declaratively or programatically when using Message Level Security (eg. WS-Security username token, password digest or SAML token).
When run on WebLogic, this code only works if using transport-level-security (eg. HTTP Basic Authentication).
However, when using message level security (eg. WS-Security UserToken with username/password in SOAP header), this code doesn't work and WebLogic doesn't seem to populate the roles correctly for the user.
As a result, there appears to be no way for WebLogic JAX-WS based Webservices to have role based access control enforced when using Message Level Security.
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document