Enabling basic authentication and authorization for the gateway

In addition to the security options described in Enabling Web services Security (WS-Security) through the gateway, you can also use the broader security features of WebSphere Application Server to enable basic authentication and authorization.

The Web services gateway provides a basic authentication and authorization mechanism based upon the broader security features of WebSphere Application Server.

Basic authentication can be applied at two levels, as described in the following topics:

  1. Enabling gateway-level authentication.

  2. Enabling Web service operation-level authorization.

For gateway-level authentication, you set up a role and realm for the gateway on WebSphere Application Server's Web server and servlet container, and define the userid and password that are used by the gateway to access the role and realm. You also modify the gateway's channel applications so that they give access to the gateway only to service requesters that supply the correct userid and password for that role and realm.

Note: This means that gateway-level authentication must be enabled before you install any channels.

For operation-level authorization, you apply security to individual methods in a Web service. To do this, you create an enterprise bean with methods matching the Web service operations. These EJB methods perform no operation and are just entities for applying security. Existing WebSphere Application Server authentication mechanisms can be applied to the enterprise bean. Before any Web service operation is invoked, a call is made to the EJB method. If authorization is granted, the Web service is invoked. Your target Web service is protected by wrapping it in an EAR file, and applying role-based authorization to the EAR file. This process is explained in general terms in Operation-level security - role-based authorization.
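As an added illustration (not taken from the WebSphere documentation or the gateway's own files), the following EJB 2.1 deployment descriptor shows how role-based authorization can be attached to the no-op methods of such an enterprise bean, one method per Web service operation. The bean name, package, operation names (`getQuote`, `placeOrder`), role names, and the use of the remote interface are all assumptions made for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: every name below is hypothetical. -->
<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/ejb-jar_2_1.xsd"
         version="2.1">
  <enterprise-beans>
    <!-- Stateless bean whose methods do nothing; it exists only so that
         the container can run its authorization check on each call. -->
    <session>
      <ejb-name>StockQuoteAuth</ejb-name>
      <home>example.auth.StockQuoteAuthHome</home>
      <remote>example.auth.StockQuoteAuth</remote>
      <ejb-class>example.auth.StockQuoteAuthBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>QuoteReader</role-name></security-role>
    <security-role><role-name>Trader</role-name></security-role>
    <!-- Both roles may obtain the bean through its home interface. -->
    <method-permission>
      <role-name>QuoteReader</role-name>
      <role-name>Trader</role-name>
      <method>
        <ejb-name>StockQuoteAuth</ejb-name><method-intf>Home</method-intf>
        <method-name>create</method-name>
      </method>
    </method-permission>
    <!-- Read-only operation: open to both roles. -->
    <method-permission>
      <role-name>QuoteReader</role-name>
      <role-name>Trader</role-name>
      <method>
        <ejb-name>StockQuoteAuth</ejb-name><method-intf>Remote</method-intf>
        <method-name>getQuote</method-name>
      </method>
    </method-permission>
    <!-- State-changing operation: restricted to Trader only. -->
    <method-permission>
      <role-name>Trader</role-name>
      <method>
        <ejb-name>StockQuoteAuth</ejb-name><method-intf>Remote</method-intf>
        <method-name>placeOrder</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```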

Note:

  • If you want to enable operation-level authorization, first enable gateway-level authentication.

  • If you want to change the default gateway-level authentication settings, do so before you install any channels.

  • After gateway-level authentication has been enabled, filters have access to the requester's authentication information.

The Web services gateway can also invoke Web services that include https:// in their addresses, if the Java and WebSphere security properties have been configured to allow it. To check your security property settings, see the following topic:

 

What to do next

For hints on solving security-related problems, see Web services gateway troubleshooting tips.


Administering security for the Web services gateway
Enabling Web Services Security (WS-Security) for the gateway
Invoking Web services over HTTPS
Enabling proxy authentication for the gateway
Web services gateway troubleshooting tips

 
