Enable basic authentication and authorization for the gateway

Note: This page applies to WAS Version 5.0.2 and later only.

In addition to the security options described in Enable Web Services Security (WS-Security) for the gateway, you can also use the broader security features of WAS to enable basic authentication and authorization.

For Version 5.0 and Version 5.0.1, the Web services gateway provides a basic authentication and authorization mechanism based upon the broader security features of WAS.

Basic authentication can be applied at two levels, as described in the following topics:

  1. Enable gateway-level authentication.
  2. Enable operation-level authorization.

For gateway-level authentication, you set up a role and realm for the gateway on WAS's Web server and servlet container, and define the userid and password that the gateway uses to access the role and realm. You also modify the gateway's channel applications so that they give access to the gateway only to service requesters that supply the correct userid and password for that role and realm.

Note: Gateway-level authentication must be enabled before you install any channels.

For operation-level authorization, you apply security to individual methods in a Web service. To do this, you create an enterprise bean with methods matching the Web service operations. These EJB methods perform no operation; they exist only as targets for applying security. Existing WAS authentication mechanisms can be applied to the enterprise bean. Before any Web service operation is invoked, a call is made to the corresponding EJB method. If authorization is granted, the Web service is invoked. Your target Web service is protected by wrapping it in an EAR file and applying role-based authorization to the EAR file.

Notes:

The Web services gateway can also invoke Web services that include https:// in their addresses, if the Java and WebSphere security properties have been configured to allow it.