Enabling basic authentication for web services access
You can configure basic authentication for your client applications to access web services.
About this task
If your web service client application uses basic authentication to access protected web service resources, the client must provide the user name and password in the request when communicating with the service provider.
Procedure
- Enable the `jaxws-2.2`, `servlet-3.0` (or `servlet-3.1`) and `appSecurity-2.0` features in the server.xml file.
  ```xml
  <featureManager>
    <feature>jaxws-2.2</feature>
    <feature>servlet-3.0</feature>
    <feature>appSecurity-2.0</feature>
  </featureManager>
  ```
- Configure the login realm in the server.xml file and bind the realm to the service provider.
  ```xml
  <application id="TransportSecurityProvider" name="TransportSecurityProvider"
               location="TransportSecurityProvider.war" type="ear">
    <application-bnd>
      <security-role name="Employee">
        <user name="employee0" />
        <group name="employeeGroup" />
      </security-role>
      <security-role name="Manager">
        <user name="manager0" />
      </security-role>
      <security-role name="AllAuthenticated">
        <special-subject type="ALL_AUTHENTICATED_USERS" />
      </security-role>
    </application-bnd>
  </application>

  <basicRegistry id="basic" realm="BasicRealm">
    <user name="employee0" password="emp0pwd" />
    <user name="employee1" password="emp1pwd" />
    <user name="manager0" password="mgr0pwd" />
    <group name="employeeGroup">
      <member name="employee0" />
      <member name="employee1" />
    </group>
  </basicRegistry>
  ```
- Configure the service provider by specifying the web service endpoints.
  - Create web services.
    ```java
    @WebService(serviceName = "SayHelloPojoService",
                portName = "SayHelloPojoPort")
    public class SayHelloPojoService implements SayHelloService {
        ...
    }

    @WebService(serviceName = "SayHelloStatelessService",
                portName = "SayHelloStatelessPort",
                endpointInterface = "com.ibm.ws.jaxws.transport.server.security.SayHelloService")
    @Stateless(name = "SayHelloSessionBean")
    public class SayHelloStatelessService implements SayHelloLocal {
        ...
    }
    ```
  - Configure the ibm-ws-bnd.xml file for the service provider.
    ```xml
    <?xml version="1.0" encoding="UTF-8"?>
    <webservices-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-ws-bnd_1_0.xsd"
                     version="1.0">
      <http-publishing>
        <webservice-security>
          <security-constraint>
            <web-resource-collection>
              <web-resource-name>Only Managers</web-resource-name>
              <url-pattern>/manager/*</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint id="AuthConstraint_manager">
              <role-name>Manager</role-name>
            </auth-constraint>
          </security-constraint>
          <security-constraint>
            <web-resource-collection>
              <web-resource-name>Employees</web-resource-name>
              <url-pattern>/employee/*</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint id="AuthConstraint_employee">
              <role-name>Employee</role-name>
            </auth-constraint>
          </security-constraint>
          <!-- SECURITY ROLES -->
          <security-role id="Staff">
            <role-name>Employee</role-name>
            <role-name>Manager</role-name>
          </security-role>
          <!-- AUTHENTICATION METHOD: Basic authentication -->
          <login-config id="LoginConfig">
            <auth-method>BASIC</auth-method>
            <realm-name>Authentication</realm-name>
          </login-config>
        </webservice-security>
      </http-publishing>
    </webservices-bnd>
    ```
    Note:
    - The ibm-ws-bnd.xml file must be in the /WEB-INF directory of a web application, or the /META-INF directory of an EJB-based web service application (JAR archive).
    - The `login-config` element in the ibm-ws-bnd.xml file takes effect only in an EJB-based web service application (JAR archive). For a web application, the `login-config` element is ignored and the value of the same element in the web.xml file is used.
- Configure the service client by specifying the web service endpoints. For example, the client application is a web application named TransportSecurityClient.war.
  - Configure the client application in the server.xml file.
    ```xml
    <application id="TransportSecurityClient" name="TransportSecurityClient"
                 location="TransportSecurityClient.war"
                 context-root="TransportSecurityClient" type="war" />
    ```
  - Configure the ibm-ws-bnd.xml file for the client application.
    ```xml
    <?xml version="1.0" encoding="UTF-8"?>
    <webservices-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-ws-bnd_1_0.xsd"
                     version="1.0">
      <!-- POJO service reference binding -->
      <service-ref name="service/SayHelloPojoService">
        <port name="SayHelloPojoPort"
              namespace="http://ibm.com/ws/jaxws/transport/security/"
              username="employee1"
              password="{xor}OjIvbi8oOw==" />
      </service-ref>
      <!-- Stateless service reference binding -->
      <service-ref name="service/SayHelloStatelessService">
        <port name="SayHelloStatelessPort"
              namespace="http://ibm.com/ws/jaxws/transport/security/"
              username="employee1"
              password="{xor}OjIvbi8oOw==" />
      </service-ref>
    </webservices-bnd>
    ```
    Note:
    - The ibm-ws-bnd.xml file must be in the /WEB-INF directory of the client web application.
    - The values of username and password attributes must match the user name and password of `basicRegistry` element in server.xml file. The password can be encoded by using the `securityUtility` command.
  - Generate the client stubs by using the wsdl location.
    ```java
    @WebServiceClient(name = "SayHelloPojoService",
                      targetNamespace = "http://ibm.com/ws/jaxws/transport/security/",
                      wsdlLocation = "https://localhost:8020/TransportSecurityProvider/unauthorized/employPojoService?wsdl")
    public class SayHelloPojoService extends Service {...}

    @WebServiceClient(name = "SayHelloStatelessService",
                      targetNamespace = "http://ibm.com/ws/jaxws/transport/security/",
                      wsdlLocation = "https://localhost:8020/TransportSecurityProvider/unauthorized/EmployStatelessService?wsdl")
    public class SayHelloStatelessService extends Service {...}
    ```
  - Use the `@WebServiceRef` annotation to inject the web service into the servlet. For example, the `TestJaxWsTransportSecurityServlet`.
    ```java
    @WebServiceRef(name = "service/SayHelloPojoService")
    SayHelloPojoService pojoService;

    @WebServiceRef(name = "service/SayHelloStatelessService")
    SayHelloStatelessService statelessService;
    ```
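The role bindings in server.xml and the security constraints in the provider's ibm-ws-bnd.xml only produce an access decision when read together. The following Python sketch is an added example, not IBM's code. It resolves a user to roles and then to a decision, assuming servlet-style `security-constraint` semantics (only `/*` prefix patterns, and a constraint that lists `http-method` elements covers only those methods); the function names and the trimmed XML samples are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed: trimmed from the page's server.xml (the <server> wrapper is assumed).
SERVER_XML = """<server>
 <application id="TransportSecurityProvider"><application-bnd>
  <security-role name="Employee"><user name="employee0"/><group name="employeeGroup"/></security-role>
  <security-role name="Manager"><user name="manager0"/></security-role>
 </application-bnd></application>
 <basicRegistry id="basic" realm="BasicRealm">
  <group name="employeeGroup"><member name="employee0"/><member name="employee1"/></group>
 </basicRegistry>
</server>"""

# Constructed: trimmed from the page's provider ibm-ws-bnd.xml (wrapper elements dropped).
BND_XML = """<webservices-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee">
 <security-constraint><web-resource-collection><url-pattern>/manager/*</url-pattern>
   <http-method>GET</http-method><http-method>POST</http-method></web-resource-collection>
  <auth-constraint><role-name>Manager</role-name></auth-constraint></security-constraint>
 <security-constraint><web-resource-collection><url-pattern>/employee/*</url-pattern>
   <http-method>GET</http-method><http-method>POST</http-method></web-resource-collection>
  <auth-constraint><role-name>Employee</role-name></auth-constraint></security-constraint>
</webservices-bnd>"""

def find(el, name):
    """Descendants of el with the given local name, ignoring XML namespaces."""
    return [e for e in el.iter() if e.tag.rsplit("}", 1)[-1] == name]

def roles_of(user, server_xml=SERVER_XML):
    """Roles the application-bnd grants a user directly or through a registry group."""
    root = ET.fromstring(server_xml)
    groups = {g.get("name") for g in find(root, "group")
              if any(m.get("name") == user for m in find(g, "member"))}
    return {r.get("name") for r in find(root, "security-role")
            if any(u.get("name") == user for u in find(r, "user"))
            or any(g.get("name") in groups for g in find(r, "group"))}

def decide(user, method, path, bnd_xml=BND_XML):
    """'allow' or 'deny' under the first matching constraint, else 'uncovered'."""
    for c in find(ET.fromstring(bnd_xml), "security-constraint"):
        # Prefix match for patterns ending in /* (the only kind on the page).
        hit = any(path == p.text[:-2] or path.startswith(p.text[:-1])
                  for p in find(c, "url-pattern") if p.text.endswith("/*"))
        methods = [m.text for m in find(c, "http-method")]
        if hit and (not methods or method in methods):
            needed = {r.text for r in find(c, "role-name")}
            return "allow" if needed & roles_of(user) else "deny"
    return "uncovered"
```

A result of `uncovered` means that no constraint in the file names that method and path, so the file imposes no role check on it; this is the case for the `/unauthorized/` paths used in the `wsdlLocation` values above.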
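The client binding note requires the `username` and `password` on each `port` to match a `basicRegistry` user, and the sample stores that password with the `{xor}` prefix. The following Python check is an added example, not IBM's code. It verifies the match and reports every password that can be read back from the files; the function names and trimmed XML samples are constructed, and ports are keyed by user name for brevity.

```python
import base64
import xml.etree.ElementTree as ET

XOR_KEY = 0x5F  # {xor}: each byte XORed with '_' then base64-encoded; no secret involved

# Constructed: trimmed from the page's server.xml (the <server> wrapper is assumed).
SERVER_XML = """<server><basicRegistry id="basic" realm="BasicRealm">
  <user name="employee0" password="emp0pwd" />
  <user name="employee1" password="emp1pwd" />
  <user name="manager0" password="mgr0pwd" />
</basicRegistry></server>"""

# Constructed: trimmed from the page's client ibm-ws-bnd.xml.
CLIENT_BND_XML = """<webservices-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee">
  <service-ref name="service/SayHelloPojoService">
    <port name="SayHelloPojoPort" username="employee1" password="{xor}OjIvbi8oOw==" />
  </service-ref>
</webservices-bnd>"""

def decode_password(value):
    """Return (scheme, cleartext); cleartext is None for {aes}, {hash} and the like."""
    if value.startswith("{xor}"):
        raw = base64.b64decode(value[len("{xor}"):])
        return "xor", bytes(b ^ XOR_KEY for b in raw).decode("utf-8")
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")], None
    return "plain", value

def creds(xml_text, tag, name_attr):
    """Map name -> (scheme, cleartext) for elements that carry a password attribute."""
    return {e.get(name_attr): decode_password(e.get("password"))
            for e in ET.fromstring(xml_text).iter()
            if e.tag.rsplit("}", 1)[-1] == tag and e.get("password") is not None}

def audit(server_xml=SERVER_XML, client_xml=CLIENT_BND_XML):
    """Flag recoverable passwords and client credentials that disagree with the registry."""
    registry = creds(server_xml, "user", "name")
    client = creds(client_xml, "port", "username")
    out = [f"{where} {n}: {s} password is recoverable"
           for where, d in (("basicRegistry", registry), ("port", client))
           for n, (s, _) in d.items() if s in ("plain", "xor")]
    for n, (_, clear) in client.items():
        known = registry.get(n, (None, None))[1]
        if n not in registry:
            out.append(f"port {n}: no such user in basicRegistry")
        elif None not in (clear, known) and clear != known:
            out.append(f"port {n}: password does not match basicRegistry")
    return out
```

The `securityUtility encode` command also offers `aes` and `hash` encodings. A `hash` value suits `basicRegistry` users, while the client binding has to stay reversible because the password is sent to the provider, so file permissions on these XML files remain part of the control.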