
Password-protecting inbound services

Password-protect a set of inbound services by requiring user authentication for access to the associated HTTP endpoint listener, or (for JMS) to the associated JMS queue destination.

This topic covers the two main areas in which we might want to change the HTTP endpoint listener authentication settings:

  • To change the HTTP endpoint listener security role, do so before you create the HTTP endpoint listener configuration.
  • For a SOAP over JMS endpoint listener, we can achieve similar results by securing the underlying destination for each JMS queue.

When WAS administrative security is enabled, clients that access an HTTP endpoint listener can be prompted for a user ID and password, which are authenticated against the registry defined within the security configuration. The HTTP endpoint listeners that are supplied with WAS are configured with a security role named AuthenticatedUsers. By default this role is mapped to the special group Everyone, so even if security is enabled, all users can access any inbound service deployed to the HTTP endpoint listener.

We need not change the default security role. We would only choose to do so if we wanted to use a role name that is more specific, or more meaningful in the context of our organization. To change the security role, we modify the endpoint listener application EAR file before configuring the endpoint listener.

After configuring the endpoint listener application, we can map the security role to specific users or groups so that, when WAS security and service integration bus security are enabled, access to the HTTP endpoint listener is restricted. For more information about why we might want to do this, see Endpoint listeners and inbound ports: Entry points to the service integration bus.

To configure HTTP endpoint listener authentication:


Tasks

  1. Optional: To change the HTTP endpoint listener security role, use an assembly tool to modify the endpoint listener application by completing the following steps:

    1. In the endpoint listener enterprise application, edit the Web application deployment descriptor to add a new role with a name of our choice.

    2. Remove the existing role (for example AuthenticatedUsers) from the authorized roles within the security constraint, then add the role we created in the previous step.

    3. Save the modified endpoint listener application.

  2. Create the HTTP endpoint listener configuration.
  3. Map the HTTP endpoint listener security role to users or groups by completing the following steps:

    The default security role AuthenticatedUsers is mapped to the special group Everyone. That is, even if WAS security is enabled, all users can access any inbound service deployed to the HTTP endpoint listener. To restrict access to just authenticated users, map the role to the special group named All authenticated.

    1. Enable WAS security.

    2. Start the WAS administrative server.

    3. Start the administrative console.

    4. In the navigation pane, click Applications -> Application Types -> WebSphere enterprise applications -> application_name, where application_name is the name of the EAR file for this listener (for example, soaphttpchannel1).

      In the additional properties for this listener application, an option to map security roles to users and groups is displayed.
    5. Assign users and groups to the security role. For example, map the AuthenticatedUsers role to the All authenticated group.

    6. Click OK.

    7. Save changes to the master configuration.
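The following web.xml fragment is an added example of the descriptor edit described in step 1 (declare a new role, then replace AuthenticatedUsers in the security constraint); it is constructed for illustration and is not the descriptor shipped with soaphttpchannel1. The role name InboundServiceUsers, the web-resource-name, and the URL pattern are placeholders chosen here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example of an endpoint listener web application deployment
     descriptor after the step 1 edits. Not the product's own web.xml. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <security-constraint>
    <web-resource-collection>
      <!-- Placeholder name and pattern: protect every request to the listener -->
      <web-resource-name>EndpointListener</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Step 1.2: the shipped role AuthenticatedUsers was removed from this
           constraint and replaced by the role declared below. Whatever the
           role is called, access is still governed by the users or groups it
           is mapped to in step 3 (Everyone versus All authenticated). -->
      <role-name>InboundServiceUsers</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <!-- Clients are prompted for a user ID and password, checked against
         the registry in the WAS security configuration -->
    <auth-method>BASIC</auth-method>
    <realm-name>EndpointListener</realm-name>
  </login-config>

  <!-- Step 1.1: declare the new role with a name of our choice (placeholder) -->
  <security-role>
    <role-name>InboundServiceUsers</role-name>
  </security-role>

</web-app>
```

After saving the modified EAR and creating the listener configuration (step 2), the new role, not AuthenticatedUsers, is the one offered for mapping in step 3; mapping it to All authenticated rather than Everyone is what actually restricts access.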

  • Bus-enabled web services troubleshooting tips
  • Password-protecting a web service operation
  • Invoking a password-protected outbound service
  • Accessing a password-protected proxy server