Enabling operation-level authorization

Use this task to apply security to individual methods in a Web Service.

 

Before you begin this task, first enable gateway-level authentication.

You can only apply operation-level authorization to a Web service that has already been deployed to the gateway with the check box 'Authorization Policy - Control access to this service' enabled.

This task involves making changes to the file /lib/wsgwauth.ear. To protect the installation version of this file, make a backup copy of it before you change it.

For operation-level authorization you create an enterprise bean with methods matching the Web service operations. These EJB methods perform no operation; they exist only as entities to which security can be applied. Existing WebSphere Application Server authentication mechanisms can be applied to the enterprise bean. Before any Web service operation is invoked, the gateway calls the matching EJB method. If authorization is granted, the Web service operation is invoked.

Your target Web service is protected by wrapping it in an EAR file, and applying role-based authorization to the EAR file. This process is explained in general terms in Operation-level security - role-based authorization.

The EAR file that now contains your Web service is then imported into wsgwauth.ear (which contains all of the gateway's protected Web services), and wsgwauth.ear is modified to define the roles and assign them to methods. Finally, this modified wsgwauth.ear file is deployed in WebSphere Application Server and users are assigned to the previously defined roles.

To enable Web service operation-level authorization, complete the following steps:

 

  1. To create your_webservice.ear, complete the following steps:

    1. Open a command prompt.

    2. Go to directory /WSGW/scripts/auth

    3. Enter the command WSGWAuthGen location your_webservice, where:

      • location is the URL for the gateway (this must include the root context)

      • your_webservice is the name of the service as deployed in the gateway (this is case-sensitive)
      For example, WSGWAuthGen http://host:port/wsgw AddressBook, where host and port are the host name and port number of the application server on which the gateway is installed.

      Note: The Web service name and operation name can contain characters (such as "-", "." and "&") that are not allowed in an EJB class name or method name. Such names are translated during the generation of your_webservice.ear, and a message appears informing you of the name change.

    your_webservice.ear is created in directory /WSGW/scripts. There is also a temporary directory /WSGW/scripts/ejb, which you can delete.

  2. To finish assigning roles and protecting methods, use the WebSphere Application Server Application Assembly Tool (AAT) to complete the following steps:

    1. Start the AAT.

    2. From the File menu select File > Open, and browse to select file /lib/wsgwauth.ear.

    3. To import your_webservice.ear into wsgwauth.ear, complete the following steps:

      • In the navigation pane, open the pop-up menu for EJB Modules and select Import

      • Browse to select file /WSGW/scripts/your_webservice.ear. The Select modules to import window opens.

      • In the Select modules to import window, select your_webservice and click OK.

      • The Confirm values window opens. Click OK.

      • In the navigation pane, expand EJB Modules to confirm that your_webservice.ear has been imported.

    4. In the navigation pane, expand EJB Modules > your_webservice.ear and select Security Roles.

    5. For every security role that you want to create, repeat the following steps:

      • From the pop-up menu for Security Roles, select New.

      • Type the name and description of the new security role, and click OK.

    6. In the navigation pane, expand EJB Modules > your_webservice.ear and select Method Permissions.

    7. For every defined role that you want to assign to a Web service method, repeat the following steps:

      • From the pop-up menu for Method Permissions, select New. The New Method Permission window opens.

      • Type the name of the new method permission, and click ADD for Methods. The Add Methods window opens.

      • In the Add Methods window, expand the tree for remote methods and select the method to be protected. Click OK. The Add Methods window closes.

      • In the New Method Permission window, click ADD for Roles. Select a previously defined role from the list then click OK.

    8. To ensure that the authorization enterprise bean can reference the newly-imported enterprise bean, complete the following steps:

      • In the navigation pane, expand WSGW Authorization group > Session Beans > Authorization and select EJB References.

      • From the pop-up menu for EJB References, select New. The New EJB Reference window opens.

      • In the New EJB Reference window, on the General tab, type a name for the reference, then use the Link combination box to select the newly-imported EJB (all the other fields on this tab are populated automatically).

      • In the New EJB Reference window, on the Bindings tab, type the JNDI name as it appears in the Bindings tab of the service enterprise bean (this should be in the form websphere/WSGW/Security/your_webservice).

      • Click OK. The New EJB Reference window closes.

    9. From the AAT File menu, select File > Generate Code For Deployment.

    10. Make a note of the name of the modified EAR file, then click Generate Now.

    11. From the AAT File menu, select File > Save to save the modified copy of wsgwauth.ear.

    12. Close the AAT.

  3. To install the modified copy of Deployed_wsgwauth.ear , complete the following steps:

    1. Start the WebSphere Application Server Administrative Console.

    2. In the navigation pane, select Applications > Install an Application.

    3. Use Install New Application to install Deployed_wsgwauth.ear . Select the users or groups to be assigned to the roles when prompted.
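The following is an added illustration, not output from WSGWAuthGen or the AAT, of the assembly-descriptor section that steps 5 to 7 above produce inside the ejb-jar.xml of the imported EJB module. The EJB name AddressBook, the operations getAddress, updateAddress and deleteAddress, and the role names are assumed for the example; the element names follow the EJB 2.0 deployment descriptor DTD used by the AAT.

```xml
<!-- Fragment of ejb-jar.xml for the imported your_webservice module.
     The <enterprise-beans> section (generated by WSGWAuthGen) is omitted here;
     bean, method and role names below are assumed for illustration. -->
<assembly-descriptor>

  <!-- Step 5: security roles. Users or groups are mapped to these roles
       when the modified wsgwauth.ear is installed (step 3 of the task). -->
  <security-role>
    <description>May look up address book entries</description>
    <role-name>AddressReader</role-name>
  </security-role>
  <security-role>
    <description>May change address book entries</description>
    <role-name>AddressAdmin</role-name>
  </security-role>

  <!-- Step 7: method permissions. Each Web service operation is a remote
       method of the no-op bean; a caller must be in at least one listed role. -->
  <method-permission>
    <role-name>AddressReader</role-name>
    <role-name>AddressAdmin</role-name>
    <method>
      <ejb-name>AddressBook</ejb-name>
      <method-intf>Remote</method-intf>
      <method-name>getAddress</method-name>
    </method>
  </method-permission>
  <method-permission>
    <role-name>AddressAdmin</role-name>
    <method>
      <ejb-name>AddressBook</ejb-name>
      <method-intf>Remote</method-intf>
      <method-name>updateAddress</method-name>
    </method>
  </method-permission>

  <!-- An operation that must never be reachable through the gateway is
       placed on the exclude list: the container denies it to every caller. -->
  <exclude-list>
    <method>
      <ejb-name>AddressBook</ejb-name>
      <method-name>deleteAddress</method-name>
    </method>
  </exclude-list>

</assembly-descriptor>
```

Every operation of the service should appear in either a method-permission or the exclude-list, so that no operation is left without an explicit authorization decision.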


Administering security for the Web services gateway
Enabling gateway-level authentication
Invoking Web services over HTTPS
Web services gateway troubleshooting tips

 

WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.

 

IBM is a trademark of the IBM Corporation in the United States, other countries, or both.