Protecting decision services with basic authentication

The REST and SOAP patterns are used to invoke decision services. They can be protected by adding a new role that is dedicated to calling the APIs, and by configuring the web.xml file of the decision service WAR file for WebSphere® Liberty (DecisionService.war).

Before you begin

Deprecated feature: Execution using SOAP and WSDL (HTDS) is deprecated in V8.11.1. See Deprecated features for migration details. Note that SOAP 1.1 is supported and not later versions of SOAP.

Procedure

See the following example of web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Decision Service REST API</web-resource-name>
        <url-pattern>/rest/*</url-pattern>
        <url-pattern>/ws/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>resAdministrators</role-name>
        <role-name>resMonitors</role-name>
        <role-name>resDeployers</role-name>
        <role-name>resServiceUsers</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Default</realm-name>
</login-config>
The example grants permissions to two URL patterns and four roles:
  • Three predefined roles are required because the test user interface in the Rule Execution Server console invokes the REST (/rest/) and SOAP (/ws/) APIs internally:
    • resAdministrators
    • resMonitors
    • resDeployers
  • A new role, resServiceUsers, dedicated to the API calls

It is a good idea to create the new role resServiceUsers. Authorizing this role to invoke decision services is how the basic authentication protection is implemented. For a call to succeed, the incoming HTTP request must carry a basic authentication header, and the user identified by those credentials must hold the resServiceUsers role.

You can specify several security-constraint tags in a single web.xml file so that you can protect different sets of URLs and use the same or different roles.

The login-config tag can be used only once in each web.xml file. In this tag, you specify BASIC for basic authentication:
<auth-method>BASIC</auth-method>
The following table shows the possible values for auth-method:

auth-method value   Description
BASIC               Basic authentication.
FORM                Form-based authentication. This value is not suitable for an API.
CLIENT-CERT         Client certificate authentication.
DIGEST              Digest authentication.
Although it is possible to use CLIENT-CERT or DIGEST as an alternative way to protect the API, basic authentication is the simplest and the most convenient method of securing your decision services.
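To confirm that the web.xml packaged in DecisionService.war enforces what this page describes (both API URL patterns covered, the resServiceUsers role granted, CONFIDENTIAL transport so credentials are not accepted over plain HTTP, and BASIC as the auth-method), here is an added Python check that is not part of the product or its documentation. The sample web.xml it parses is constructed to mirror the example above; API_PATTERNS and REQUIRED_ROLE are the values from this page.

```python
import xml.etree.ElementTree as ET

API_PATTERNS = {"/rest/*", "/ws/*"}  # REST and SOAP entry points of DecisionService.war
REQUIRED_ROLE = "resServiceUsers"     # the dedicated caller role described above

def _name(tag):
    # drop the namespace web.xml normally carries, e.g. "{http://xmlns.jcp.org/xml/ns/javaee}auth-method"
    return tag.rsplit("}", 1)[-1]

def _texts(elem, local_name):
    # text of every descendant element with the given local name
    return {e.text.strip() for e in elem.iter() if _name(e.tag) == local_name and e.text}

def audit_web_xml(xml_text):
    """Return findings; empty means both API paths need a TLS-protected BASIC login holding resServiceUsers."""
    root = ET.fromstring(xml_text)
    findings, covered = [], set()
    for sc in (e for e in root.iter() if _name(e.tag) == "security-constraint"):
        hit = _texts(sc, "url-pattern") & API_PATTERNS
        if not hit:
            continue  # this constraint protects something else
        where = ",".join(sorted(hit))
        # a constraint with no auth-constraint element lets unauthenticated callers through
        if not any(_name(e.tag) == "auth-constraint" for e in sc.iter()):
            findings.append(f"{where}: no auth-constraint, unauthenticated access allowed")
        elif REQUIRED_ROLE not in _texts(sc, "role-name"):
            findings.append(f"{where}: role {REQUIRED_ROLE} is not granted")
        # without CONFIDENTIAL the Basic credentials may be accepted over plain HTTP
        if "CONFIDENTIAL" not in _texts(sc, "transport-guarantee"):
            findings.append(f"{where}: transport-guarantee is not CONFIDENTIAL")
        covered |= hit
    findings += [f"{p}: not covered by any security-constraint" for p in sorted(API_PATTERNS - covered)]
    methods = sorted(_texts(root, "auth-method"))
    if methods != ["BASIC"]:
        findings.append(f"login-config auth-method is {methods or 'missing'}, expected BASIC")
    return findings

# Constructed sample mirroring the web.xml shown above (not the shipped file).
GOOD_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection><web-resource-name>Decision Service REST API</web-resource-name>
      <url-pattern>/rest/*</url-pattern><url-pattern>/ws/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>resAdministrators</role-name><role-name>resMonitors</role-name>
      <role-name>resDeployers</role-name><role-name>resServiceUsers</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>Default</realm-name></login-config>
</web-app>"""
# The same file with TLS no longer required; audit_web_xml flags it.
WEAK_WEB_XML = GOOD_WEB_XML.replace("CONFIDENTIAL", "NONE")
```

Run audit_web_xml on the web.xml extracted from your own DecisionService.war; any non-empty result means one of the protections above is missing.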