Authenticating Web services clients using HTTP basic authentication
A simple way to provide authentication data for the service client is to authenticate to the protected service endpoint by using HTTP basic authentication. HTTP basic authentication uses a user name and password to authenticate a service client to a secure endpoint. You can use either message-level security (WS-Security) or transport-level security:
- Use message-level security when security is essential to the Web service application. HTTP basic authentication uses a user name and password to authenticate a service client to a secure endpoint. The basic authentication is encoded in the HTTP request that carries the SOAP message. When the appserver receives the HTTP request, the user name and password are retrieved and verified using the authentication mechanism specific to the server.
- Use transport-level security to enable basic authentication. Transport-level security can be enabled or disabled independently from message-level security. Transport-level security provides minimal security. You can use this configuration when a Web service is a client to another Web service.
Overview
WAS can have several resources, including Web services, protected by a J2EE security model.
HTTP basic authentication is orthogonal to the security support provided by WS-Security or HTTP SSL configuration.
A simple way to provide authentication data for the service client is to authenticate to the protected service endpoint using HTTP basic authentication. The basic authentication is encoded in the HTTP request that carries the SOAP message. When the appserver receives the HTTP request, the user name and password are retrieved and verified using the authentication mechanism specific to the server.
The basic authentication data is only base64-encoded, not encrypted, so sending it over HTTPS is recommended. The SSL protocol can protect the integrity and confidentiality of the data.
In some cases, a firewall is present using a pass-through HTTP proxy server. The HTTP proxy server forwards the basic authentication data to the J2EE appserver. The proxy server can also be protected. Applications can specify the proxy data by setting properties in a stub object.
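The encoding described above, as an added example that is not part of the original documentation or the WebSphere product code: it builds the `Authorization` header a client sends, recovers the user name and password from it the way a receiving server does, and refuses to attach credentials to a non-HTTPS endpoint. The class name, method names, endpoint URL and credentials are hypothetical; only the JDK is used.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthDemo {            // hypothetical class, not a WebSphere API
    // Client side: build the header value, refusing cleartext endpoints.
    static String buildHeader(URI endpoint, String user, String password) {
        if (!"https".equalsIgnoreCase(endpoint.getScheme())) {
            throw new IllegalArgumentException("refusing to send credentials over " + endpoint.getScheme());
        }
        if (user.indexOf(':') >= 0) {
            throw new IllegalArgumentException("user name must not contain ':'");
        }
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // Server side: recover {user, password}, or null if the header is malformed.
    static String[] parseHeader(String headerValue) {
        if (headerValue == null || !headerValue.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(headerValue.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;                 // not valid base64
        }
        int colon = decoded.indexOf(':'); // split on the first colon only; passwords may contain ':'
        return colon < 0 ? null
                : new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    public static void main(String[] args) {
        // Constructed sample endpoint and credentials.
        URI endpoint = URI.create("https://appserver.example/services/Quote");
        String header = buildHeader(endpoint, "wsclient", "s3cret:with:colons");
        System.out.println("Authorization: " + header);
        String[] creds = parseHeader(header);   // no key is needed to decode
        System.out.println("user=" + creds[0] + " password=" + creds[1]);
        try {
            buildHeader(URI.create("http://appserver.example/services/Quote"), "wsclient", "pw");
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```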
Procedure
- Use the assembly tools that are provided with WAS if you have not deployed the Web services application into the WebSphere product.
- Use the console if you have deployed or installed the Web services application into the WebSphere Application Server product. If you choose to configure HTTP basic authentication with the administrative console, the Web services security binding information is modified.
- Modify the HTTP properties programmatically if you want the values that are set programmatically to take precedence over the values that are defined in the binding. If you configure HTTP basic authentication programmatically, the properties are configured in the Stub or Call instance. However, you can only programmatically configure HTTP proxy authentication.
Configure HTTP basic authentication with the console
Configure HTTP basic authentication programmatically
Configure HTTP basic authentication with an assembly tool
Related tasks
Securing Web services for V5.x applications based on WS-Security
Securing Web services applications using JAX-RPC at the message level
Securing Web services applications at the transport level
Task overview: Implementing Web services applications
Related Reference
HTTP basic authentication collection