WAS v8.5 > Secure applications > Secure web services > Secure bus-enabled web services > Work with password-protected componentsPassword-protecting inbound services
Password-protect a set of inbound services by requiring user authentication for access to the associated HTTP endpoint listener, or (for JMS) to the associated JMS queue destination.
This topic covers the two main areas in which you might want to change the HTTP endpoint listener authentication settings:
- Change the HTTP endpoint listener security role.
- Mapping the HTTP endpoint listener security role to users or groups.
To change the HTTP endpoint listener security role, do so before you create the HTTP endpoint listener configuration.
For a SOAP over JMS endpoint listener, we can achieve similar results by securing the underlying destination for each JMS queue. When WAS administrative security is enabled, clients that access an HTTP endpoint listener can be prompted for a user ID and password, which are authenticated against the registry defined within the security configuration. The HTTP endpoint listeners that are supplied with WAS are configured with a security role named AuthenticatedUsers. By default this role is mapped to the special group Everyone, so even if security is enabled all users can access any inbound service deployed to the HTTP endpoint listener.
You need not change the default security role. You would only choose to do so if you wanted to use a role name that is more specific, or more meaningful in the context of your organization. To change the security role, you modify the endpoint listener application EAR file before you configure the endpoint listener.
After you configure the endpoint listener application, we can map the security role to specific users or groups so that, when WAS security and service integration bus security are enabled, access to the HTTP endpoint listener is restricted. For more information about why you might want to do this, see Endpoint listeners and inbound ports: Entry points to the service integration bus.
To configure HTTP endpoint listener authentication...
- Optional: To change the HTTP endpoint listener security role, use an assembly tool to modify the endpoint listener application by completing the following steps:
- In the endpoint listener enterprise application, edit the Web application deployment descriptor to add a new role with a name of your choice.
- Remove the existing role (for example AuthenticatedUsers) from the authorized roles within the security constraint, then add the role you created in the previous step.
- Save the modified endpoint listener application.
- Create the HTTP endpoint listener configuration.
- Map the HTTP endpoint listener security role to users or groups by completing the following steps:
The default security role AuthenticatedUsers is mapped to the special group Everyone. That is, even if WAS security is enabled all users can access any inbound service deployed to the HTTP endpoint listener. To restrict access to just authenticated users, map the role to the special group named All authenticated.
- Enable WAS security.
- Start the WAS administrative server.
- Start the dmgr console.
- In the navigation pane, click Applications -> Application Types -> WebSphere enterprise applications -> application_name
where application_name is the name of the EAR file for this listener. For example soaphttpchannel1. In the additional properties for this listener application, an option to map security roles to users and groups is displayed.
- Assign users and groups to the security role. For example, map the AuthenticatedUsers role to the All authenticated group.
- Click OK.
- Save your changes to the master configuration.
Reference:
Bus-enabled web services troubleshooting tips
Related information:
Password-protecting a web service operation
Invoking a password-protected outbound service
Access a password-protected proxy server