Authenticate web services clients using HTTP basic authentication
A simple way to provide authentication data for the service client is to authenticate to the protected service endpoint by using HTTP basic authentication, which uses a user name and password to authenticate a service client to a secure endpoint.
We can use either message-level security (WS-Security) or transport-level security:
- Use message-level security if security is essential to the web service application.
- Use transport-level security to enable basic authentication.
Transport-level security can be enabled or disabled independently from message-level security. Transport-level security provides minimal security. We can use this configuration when a web service is a client to another web service.
WAS can have several resources, including web services, protected by a Java EE security model.
HTTP basic authentication is orthogonal to the security support provided by WS-Security or HTTP Secure Sockets Layer (SSL) configuration.
A simple way to provide authentication data for the service client is to authenticate to the protected service endpoint using HTTP basic authentication. The basic authentication is encoded in the HTTP request that carries the SOAP message. When the application server receives the HTTP request, the user name and password are retrieved and verified using the authentication mechanism specific to the server.
The basic authentication data is only base64-encoded, which is an encoding and not encryption, so sending the data over HTTPS is recommended. The SSL protocol protects the integrity and confidentiality of the data.
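The exchange described above, as an added example that is not from the original page or from the product: a client builds the HTTP headers for a SOAP request carrying Basic credentials, and the receiving side recovers and checks them. The endpoint URL, the function names and the in-memory registry of plain passwords are assumptions made for illustration; decoding the header needs no key, which is why the client refuses a non-HTTPS URL.

```python
import base64
import hmac

# Constructed sample values, not taken from the page or from any product.
ENDPOINT = "https://was.example.test/services/EchoService"
SOAP_BODY = ('<soapenv:Envelope xmlns:soapenv='
             '"http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body/>'
             "</soapenv:Envelope>")

def build_request(url, user, password):
    """Client side: attach Basic credentials, but only for an HTTPS endpoint."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send Basic credentials without TLS")
    if ":" in user:
        raise ValueError("user name must not contain ':' (RFC 7617)")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    headers = {
        "Content-Type": "text/xml; charset=utf-8",
        "SOAPAction": '""',
        "Authorization": "Basic " + token.decode("ascii"),
    }
    return headers, SOAP_BODY

def parse_basic(header_value):
    """Server side: recover (user, password) from the header, or None."""
    scheme, _, token = (header_value or "").partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if sep else None

def verify(header_value, registry):
    """Hypothetical stand-in for the server's user registry check."""
    creds = parse_basic(header_value)
    if creds is None:
        return False
    user, password = creds
    expected = registry.get(user)
    # Constant-time comparison; an unknown user is compared against "".
    same = hmac.compare_digest(password.encode(), (expected or "").encode())
    return expected is not None and same
```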
In some cases, a firewall is present using a pass-through HTTP proxy server. The HTTP proxy server forwards the basic authentication data into the Java EE application server. The proxy server can also be protected. Applications can specify the proxy data by setting properties in a stub object.
- Develop and assemble a web services application.
- Deploy the application.
- Configure HTTP authentication for the application.