You can secure integration web services by using HTTP basic
authentication in standard J2EE security. These security settings
provide access to web services to authorized users with a valid user
name and password.
Procedure
- As in the procedure for securing the HTTP servlet, uncomment the <security-constraint> section
for web service invocation in the web.xml file, as in the following example:
<security-constraint>
<web-resource-collection>
<web-resource-name>Integration Web Services</web-resource-name>
<description>
Integration Web Services accessible by authorized users
</description>
<url-pattern>/services/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description>
Roles that have access to Integration Web Services
</description>
<role-name>maximouser</role-name>
</auth-constraint>
<user-data-constraint>
<description>data transmission guarantee</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
- Verify that the <security-role> section in the web.xml
file is not commented out, as in the following example code:
<security-role>
<description>An Integration User</description>
<role-name>maximouser</role-name>
</security-role>
- Change the value from 0 to 1 in the useAppServerSecurity <env-entry>
section, as in the following example:
<env-entry>
<description>
Indicates whether to use Application Server security or not
</description>
<env-entry-name>useAppServerSecurity</env-entry-name>
<env-entry-type>java.lang.String</env-entry-type>
<env-entry-value>1</env-entry-value>
</env-entry>
- For web service invocation, ensure that the client program
uses the following user name and password calls in the JAX-RPC Call
object:
call.setProperty(Call.USERNAME_PROPERTY, username);
call.setProperty(Call.PASSWORD_PROPERTY, password);
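As an added example (not part of the original procedure or the product's own code), the following Python script audits a web.xml for the settings above: the constraint on /services/*, a declared role, useAppServerSecurity=1, and the transport guarantee. The sample descriptor is constructed, and a real descriptor's J2EE namespace is stripped before matching.

```python
import xml.etree.ElementTree as ET
# Constructed web.xml fragment mirroring the settings in this procedure
# (a real descriptor also carries the J2EE namespace, which the audit strips).
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Integration Web Services</web-resource-name>
      <url-pattern>/services/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>maximouser</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-role><role-name>maximouser</role-name></security-role>
  <env-entry>
    <env-entry-name>useAppServerSecurity</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>1</env-entry-value>
  </env-entry>
</web-app>"""

def audit_web_xml(xml_text, url_pattern="/services/*"):
    """Return a list of findings; an empty list means the descriptor matches the procedure."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop any namespace so '{ns}role-name' compares as 'role-name'
        el.tag = el.tag.rsplit("}", 1)[-1]
    findings = []
    # 1. A security-constraint must cover the web service URL pattern.
    constraint = next((sc for sc in root.iter("security-constraint")
                       if url_pattern in [p.text.strip() for p in sc.iter("url-pattern")]), None)
    if constraint is None:
        return ["no <security-constraint> covers %s; the services are unauthenticated" % url_pattern]
    # 2. It must name at least one role: an empty <auth-constraint/> denies all callers.
    roles = [r.text.strip() for r in constraint.iter("role-name")]
    if not roles:
        findings.append("auth-constraint names no role")
    # 3. Every role used must also be declared in a <security-role>.
    declared = {r.text.strip() for sr in root.iter("security-role") for r in sr.iter("role-name")}
    findings += ["role %s is not declared in a <security-role>" % r for r in roles if r not in declared]
    # 4. Basic auth only base64-encodes the password, so without CONFIDENTIAL (or TLS
    #    terminated in front of the server) the credentials cross the network in the clear.
    tg = constraint.findtext("user-data-constraint/transport-guarantee", default="NONE").strip()
    if tg != "CONFIDENTIAL":
        findings.append("transport-guarantee is %s; enforce HTTPS before exposing the services" % tg)
    # 5. useAppServerSecurity must be 1 so the application defers to container authentication.
    entry = next((e for e in root.iter("env-entry")
                  if e.findtext("env-entry-name", default="").strip() == "useAppServerSecurity"), None)
    if entry is None or entry.findtext("env-entry-value", default="").strip() != "1":
        findings.append("useAppServerSecurity is missing or not set to 1")
    return findings
```

Run it against the deployed web.xml before and after the SSL step below; the transport-guarantee finding is the one the SSL configuration is meant to clear.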
What to do next
You can deploy the web service securely by using Secure Sockets Layer (SSL) for HTTPS posts.
Configure SSL on the application server with the appropriate digital certificates.