  • Latest Post - ‏2011-03-01T21:15:02Z by SystemAdmin
FlorianP.

Pinned topic SCA Web Service binding and authentication

‏2011-02-28T23:08:17Z |
RSA 8, WAS 7, SCA feature pack
I have an SCA component with a Java implementation and a web service binding.
1) I'd like clients to use basic authentication when calling the web service.
2) In my component implementation, I want to have access to the user id that was used during authentication.
I'm using the Web Services Explorer to test the web service.
I've been playing with the SCA intents and WAS policy sets, but I can't get it to work. Thanks for your help!
  • SystemAdmin

    Re: SCA Web Service binding and authentication

    ‏2011-03-01T01:15:18Z  
    This might give you a lead

    http://www.ibm.com/developerworks/forums/thread.jspa?messageID=14586506&tstart=0#14586506
  • kvijai

    Re: SCA Web Service binding and authentication

    ‏2011-03-01T16:07:06Z  
    Hello,

    On the SCA service you will need to specify the authentication.transport intent in the composite file to require the service to perform basic auth.
    This article talks about configuring that intent:
    http://www14.software.ibm.com/webapp/wsbroker/redirect?version=v701sca&product=was-nd-mp&topic=twbs_sca_wsbind_tran_auth

    Then in the component implementation you can do something like this to get the username:

    import org.osoa.sca.annotations.Context;
    import org.osoa.sca.annotations.Service;
    import org.osoa.sca.RequestContext;
    import javax.security.auth.Subject;
    import java.security.Principal;
    import java.util.Iterator;
    import java.util.Set;
    import com.ibm.websphere.security.cred.WSCredential;

    @Service(EchoService.class)
    public class EchoServiceWithIdentityComponentImpl implements EchoService
    {
        // Injected by the SCA runtime
        @Context
        protected RequestContext requestContext;

        public String echo_String(String input)
        {
            try {
                Subject subject = null;
                String securityName = null;

                if (requestContext != null) {
                    // Security subject for the current request
                    subject = requestContext.getSecuritySubject();
                }

                if (subject != null) {
                    Set<Principal> principalSet = subject.getPrincipals();
                    if (principalSet != null && principalSet.size() > 0) {
                        Iterator<Principal> principalIterator = principalSet.iterator();
                        if (principalIterator.hasNext()) {
                            // The first principal's name is taken as the user id
                            Principal principal = principalIterator.next();
                            securityName = principal.getName();
                        }
                    }
                }
                . . .

    There is more info about this in the Infocenter article below. There is a small bug in the sample code on that page which is addressed in the code snippet above.
    http://publib.boulder.ibm.com/infocenter/wasinfo/fep/index.jsp?topic=/com.ibm.websphere.soafep.multiplatform.doc/info/ae/ae/tsec_authsoa_requestapi.html

    If you are just trying to authorize the user, you could also consider attaching an SCA policy set to the component.
    This article talks about authorization policy:
    http://www14.software.ibm.com/webapp/wsbroker/redirect?version=v701sca&product=was-nd-mp&topic=tsec_authsoa_policy

    Please make sure you have admin and application security enabled to get these functions to work.

    Hope this helps!
    Vijai
  • FlorianP.

    Re: SCA Web Service binding and authentication

    ‏2011-03-01T19:24:08Z  
    Thanks Vijai, that helped. I had selected the wrong intent on the service binding in RSA. Now I'm stuck a bit further, getting the following error when invoking the service:
    org.osoa.sca.ServiceRuntimeException: CWSOA1020E: This service is available on secure channels only.
    Any clue?
  • SystemAdmin

    Re: SCA Web Service binding and authentication

    ‏2011-03-01T19:29:48Z  
    Hello Florian.

    Are you running against a secure channel, like https, or something like that? Or are you using an unsecured channel, like http?

    "Software development has been, is, and will remain fundamentally hard"
    - Grady Booch
  • FlorianP.

    Re: SCA Web Service binding and authentication

    ‏2011-03-01T19:31:33Z  
    I'm using http.
  • kvijai

    Re: SCA Web Service binding and authentication

    ‏2011-03-01T19:46:31Z  
    Would you be able to paste the service definition that you have in the composite file? Do you have any intents specified or policy sets attached on the service or reference side that would require the request to be made over https?

    Thanks.

    Vijai
  • FlorianP.

    Re: SCA Web Service binding and authentication

    ‏2011-03-01T20:49:50Z  
    I got some more help from Victor and my problem is now solved.
    I updated the port SOAP address in my WSDL file to use https and the correct server port (9443 in my case).
    Thanks!
  • SystemAdmin

    Re: SCA Web Service binding and authentication

    ‏2011-03-01T21:15:02Z  
    To complement Florian's comment:

    The exception org.osoa.sca.ServiceRuntimeException: CWSOA1020E: This service is available on secure channels only was thrown because the runtime needed a secure channel, https in this case. So, the solution is to point the endpoint address of the WSDL file to https://<hostname>:<secure port> (in WAS the default port for https is 9443).

    "Software development has been, is, and will remain fundamentally hard"
    - Grady Booch
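
The fix the thread arrives at can be checked before deployment. The following is an added example, not code from any poster in this thread or from IBM: it reports every soap:address in a WSDL that is not https, since basic authentication sends the user id and password in the HTTP Authorization header, only base64-encoded. The class name, the sample WSDL, the host name and the 9080 port are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class WsdlEndpointCheck {
    // WSDL binding namespaces for SOAP 1.1 and SOAP 1.2
    static final String[] SOAP_NS = {
        "http://schemas.xmlsoap.org/wsdl/soap/",
        "http://schemas.xmlsoap.org/wsdl/soap12/"
    };

    /** Returns every soap:address location whose scheme is not https. */
    static List<String> insecureEndpoints(String wsdl) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Reject DOCTYPE declarations so an untrusted WSDL cannot trigger XXE
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(
            new ByteArrayInputStream(wsdl.getBytes(StandardCharsets.UTF_8)));
        List<String> bad = new ArrayList<>();
        for (String ns : SOAP_NS) {
            NodeList addrs = doc.getElementsByTagNameNS(ns, "address");
            for (int i = 0; i < addrs.getLength(); i++) {
                String loc = ((Element) addrs.item(i)).getAttribute("location");
                // A missing or relative location has no scheme and is reported too
                if (!"https".equalsIgnoreCase(URI.create(loc).getScheme())) bad.add(loc);
            }
        }
        return bad;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample WSDL fragment: one cleartext port, one TLS port
        String wsdl =
            "<definitions xmlns='http://schemas.xmlsoap.org/wsdl/'"
          + " xmlns:soap='http://schemas.xmlsoap.org/wsdl/soap/'>"
          + "<service name='EchoService'>"
          + "<port name='A'><soap:address location='http://host.example:9080/Echo'/></port>"
          + "<port name='B'><soap:address location='https://host.example:9443/Echo'/></port>"
          + "</service></definitions>";
        for (String loc : insecureEndpoints(wsdl))
            System.out.println("cleartext endpoint, basic auth would be exposed: " + loc);
    }
}
```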