
WLS 10.3: Unable to Protect WebLogic JAX-WS Web Services Using Roles (Doc ID 1072446.1)

Last updated on AUGUST 18, 2023

Applies to:

Oracle WebLogic Server - Version 10.3 and later
Information in this document applies to any platform.


WebLogic's JAX-WS 2.1 web services implementation provides no way to define access control (authorization) on web service operations, either declaratively or programmatically, when using message-level security (e.g. a WS-Security username token, password digest or SAML token).

When run on WebLogic, this code only works when transport-level security is used (e.g. HTTP Basic Authentication).
However, with message-level security (e.g. a WS-Security UsernameToken with username/password in the SOAP header), this code doesn't work and WebLogic doesn't seem to populate the roles correctly for the user.
As a result, there appears to be no way to enforce role-based access control on WebLogic JAX-WS web services when using message-level security.



