WLS 10.3: UNABLE TO PROTECT WEBLOGIC JAX-WS WEB SERVICES USING ROLES (Doc ID 1072446.1)

Last updated on JUNE 09, 2016

Applies to:

Oracle WebLogic Server - Version: 10.3 and later [Release: and later]
Information in this document applies to any platform.

Symptoms

WebLogic's JAX-WS 2.1 web services implementation provides no way to define access control / authorization on web service operations, either declaratively or programmatically, when using message-level security (e.g. WS-Security username token, password digest or SAML token).
When run on WebLogic, this code only works if using transport-level security (e.g. HTTP Basic Authentication).
However, when using message-level security (e.g. WS-Security UserToken with username/password in the SOAP header), this code doesn't work and WebLogic doesn't seem to populate the roles correctly for the user.
As a result, there appears to be no way for WebLogic JAX-WS based web services to have role-based access control enforced when using message-level security.

Changes

None.

Cause
