The HTTP servlet is a J2EE component that handles inbound
HTTP posts. To secure the HTTP servlet, you must first secure the
enterprise bean. You can use HTTP basic authentication to secure the
HTTP servlet. Authorized users with a valid user name and password
can post an XML transaction to the system.
About this task
To enable HTTP basic authentication, modify the web.xml
file of the Web application:
- Remove the comments from the <security-constraint> section
of the integration servlets. There are three <security-constraint>
sections, one for each type of service: enterprise service, object
structure service, and standard service.
The <web-resource-name> to service mapping is:

| <web-resource-name> | Service |
| --- | --- |
| Enterprise Service Servlet | Enterprise Service |
| App Service Servlet | Standard Service |
| Object Structure Service Servlet | Object Structure Service |
Procedure
- In the web.xml file, uncomment the security constraint
sections for each service type by removing the enclosing <!-- and -->
markers shown in the following code example:
<!--
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Enterprise Service Servlet</web-resource-name>
    <description>
      Enterprise Service Servlet (HTTP POST) accessible by authorized users
    </description>
    <url-pattern>/es/*</url-pattern>
    <url-pattern>/esqueue/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>
      Roles that have access to Enterprise Service Servlet (HTTP POST)
    </description>
    <role-name>maximouser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>data transmission gaurantee</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>App Service Servlet</web-resource-name>
    <description>
      App Service Servlet (HTTP POST) accessible by authorized users
    </description>
    <url-pattern>/ss/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>
      Roles that have access to App Service Servlet (HTTP POST)
    </description>
    <role-name>maximouser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>data transmission gaurantee</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Object Structure Service Servlet</web-resource-name>
    <description>
      Object Structure Service Servlet (HTTP POST) accessible by authorized users
    </description>
    <url-pattern>/os/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>
      Roles that have access to Object Structure Service Servlet (HTTP POST)
    </description>
    <role-name>maximouser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>data transmission gaurantee</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
-->
- Verify that the <security-role> section in the web.xml
file is not commented out, as in the following example code:
<security-role>
  <description>An Integration User</description>
  <role-name>maximouser</role-name>
</security-role>
- Change the value from 0 to 1 in the useAppServerSecurity <env-entry-name>
section, as in the following example:
<env-entry>
  <description>
    Indicates whether to use Application Server security or not
  </description>
  <env-entry-name>useAppServerSecurity</env-entry-name>
  <env-entry-type>java.lang.String</env-entry-type>
  <env-entry-value>1</env-entry-value>
</env-entry>
What to do next
You can securely deploy a web service by using Secure
Sockets Layer (SSL) for HTTPS posts. Configure SSL on the application
server with the appropriate digital certificates.
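A check for the edited web.xml, added here as an example and not part of the product documentation: it parses the descriptor and reports which steps of the procedure are still missing, and it flags a transport-guarantee of NONE, under which the container does not require HTTPS for the basic authentication credentials. The function name audit_web_xml and the sample descriptor are constructed for illustration; the URL patterns and role name are the ones shown in the excerpt above.

```python
import xml.etree.ElementTree as ET

PATTERNS = {"/es/*", "/esqueue/*", "/ss/*", "/os/*"}  # from the web.xml excerpt above
ROLE = "maximouser"

def audit_web_xml(xml_text):
    """Return findings; an empty list means every step on the page was applied."""
    root = ET.fromstring(xml_text)  # the parser drops comments, so commented-out blocks vanish
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]  # tolerate a namespaced descriptor
    findings, covered = [], set()
    for sc in root.iter("security-constraint"):
        name = sc.findtext("web-resource-collection/web-resource-name", "?").strip()
        roles = {r.text.strip() for r in sc.findall("auth-constraint/role-name") if r.text}
        if ROLE in roles:
            covered |= {p.text.strip() for p in sc.iter("url-pattern") if p.text}
        else:
            findings.append(f"{name}: role {ROLE} missing from auth-constraint")
        if sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip() == "NONE":
            findings.append(f"{name}: transport-guarantee NONE, HTTPS not required")
    for pattern in sorted(PATTERNS - covered):
        findings.append(f"{pattern}: no active security-constraint")
    if ROLE not in {r.findtext("role-name", "").strip() for r in root.iter("security-role")}:
        findings.append(f"security-role {ROLE} not declared")
    flag = [e.findtext("env-entry-value", "").strip() for e in root.iter("env-entry")
            if e.findtext("env-entry-name", "").strip() == "useAppServerSecurity"]
    if flag != ["1"]:
        findings.append(f"useAppServerSecurity is {flag}, expected ['1']")
    return findings

# Constructed sample: only the first constraint has been uncommented.
SAMPLE = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Enterprise Service Servlet</web-resource-name>
      <url-pattern>/es/*</url-pattern>
      <url-pattern>/esqueue/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>maximouser</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <!-- <security-constraint> (App Service and Object Structure blocks) </security-constraint> -->
  <security-role><role-name>maximouser</role-name></security-role>
  <env-entry><env-entry-name>useAppServerSecurity</env-entry-name>
    <env-entry-value>0</env-entry-value></env-entry>
</web-app>"""

if __name__ == "__main__":
    print("\n".join(audit_web_xml(SAMPLE)))
```

Run it against the deployed descriptor by passing the file contents to audit_web_xml; an empty result means all three constraints are active, the role is declared, the flag is 1, and a transport guarantee other than NONE is set.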