
WLS 10.3: UNABLE TO PROTECT WEBLOGIC JAX-WS WEB SERVICES USING ROLES (Doc ID 1072446.1)

Last updated on APRIL 14, 2018

Applies to:

Oracle WebLogic Server - Version: 10.3 and later [Release: and later]
Information in this document applies to any platform.

Symptoms

WebLogic's JAX-WS 2.1 web services implementation provides no way to define access control or authorization on web service operations, either declaratively or programmatically, when using message-level security (e.g. WS-Security username token, password digest or SAML token).
When run on WebLogic, this code only works with transport-level security (e.g. HTTP Basic Authentication).
However, with message-level security (e.g. WS-Security UserToken with username/password in the SOAP header), this code doesn't work, and WebLogic doesn't seem to populate the roles correctly for the user.
As a result, there appears to be no way to enforce role-based access control on WebLogic JAX-WS based web services when using message-level security.

Changes

None.

Cause
