Enable operation-level authorization
Use this task to apply security to individual methods in a Web service.
For information on role-based authorization, see Web service security - role-based authorization.
You can only apply operation-level authorization to a Web service that has already been deployed to the gateway with the check box Authorization Policy - Control access to this service selected.
This task involves making changes to the file /lib/wsgwauth.ear. To protect the installation version of this file, make a backup copy of it before you change it. Copy wsgwauth.ear from /QIBM/ProdData/WebAS5/ND/installableApps to the /QIBM/UserData/WebAS5/edition/instance/lib directory, where edition is Base for WAS and ND for WAS Network Deployment, and instance is the name of your WAS instance.
For operation-level authorization, you create an enterprise bean with methods matching the Web Service operations. These EJB methods perform no operation and are just entities for applying security. Existing WAS authentication mechanisms can be applied to the enterprise bean. Before any Web service operation is invoked, a call is made to the EJB method. If authorization is granted, the Web service is invoked.
Your target Web service is protected by wrapping it in an EAR file, and applying role-based authorization to the EAR file.
The EAR file that now contains your Web service is then imported into wsgwauth.ear (which contains all of the gateway's protected Web services) and wsgwauth.ear is modified to set the roles and assign them to methods. Finally, this modified wsgwauth.ear file is deployed in WAS, and users are assigned to the previously defined roles.
To enable Web service operation-level authorization, complete these steps:
- Enter this command on your OS/400 command prompt:
  java -Djava.version=1.3 -cp /QIBM/ProdData/WebAS5/ND/lib/xerces.jar:/QIBM/ProdData/WebAS5/ND/lib/j2ee.jar:/QIBM/ProdData/WebAS5/ND/lib/wsif.jar:/QIBM/ProdData/WebAS5/ND/WSGW/scripts/auth/wsgwauthgen.jar -DWAS_HOME=/QIBM/UserData/WebAS5/edition/instance com.ibm.wsgw.authorization.GenAuth location webservice
  where:
  - location is the URL for the gateway. This must include the root context.
  - webservice is the name of the service as deployed in the gateway. This parameter is case-sensitive.
  - edition is Base for WAS and ND for WAS Network Deployment.
  - instance is the name of your WAS instance.
  Note: This command may be wrapped for display purposes. Enter it as one command, with no spaces in the class path.
- To finish assigning roles and protecting methods, use the WAS Application Assembly Tool (AAT) to complete the following steps:
  - Start the AAT.
  - From the File menu, select File > Open, and browse to select the file /lib/wsgwauth.ear.
  - To import your_webservice.ear into wsgwauth.ear, complete the following steps:
    - In the navigation pane, open the pop-up menu for EJB Modules and select Import.
    - Browse to select the file /WSGW/scripts/your_webservice.ear. The Select modules to import window opens.
    - In the Select modules to import window, select your_webservice and click OK.
    - The Confirm values window opens. Click OK.
    - In the navigation pane, expand EJB Modules to confirm that your_webservice.ear has been imported.
  - In the navigation pane, expand EJB Modules > your_webservice.ear and select Security Roles.
  - For every security role that you want to create, repeat the following steps:
    - From the pop-up menu for Security Roles, select New.
    - Type the name and description of the new security role, and click OK.
  - In the navigation pane, expand EJB Modules > your_webservice.ear and select Method Permissions.
  - For every defined role that you want to assign to a Web service method, repeat the following steps:
    - From the pop-up menu for Method Permissions, select New. The New Method Permission window opens.
    - Type the name of the new method permission, and click ADD for Methods. The Add Methods window opens.
    - In the Add Methods window, expand the tree for remote methods and select the method to be protected. Click OK. The Add Methods window closes.
    - In the New Method Permission window, click ADD for Roles. Select a previously defined role from the list, then click OK.
  - To ensure that the authorization enterprise bean can reference the newly imported enterprise bean, complete the following steps:
    - In the navigation pane, expand WSGW Authorization group > Session Beans > Authorization and select EJB References.
    - From the pop-up menu for EJB References, select New. The New EJB Reference window opens.
    - In the New EJB Reference window, on the General tab, type a name for the reference, then use the Link combination box to select the newly imported EJB (all the other fields on this tab are populated automatically).
    - In the New EJB Reference window, on the Bindings tab, type the JNDI name as it appears in the Bindings tab of the service enterprise bean (this should be in the form websphere/WSGW/Security/your_webservice).
    - Click OK. The New EJB Reference window closes.
  - From the AAT File menu, select File > Generate Code For Deployment.
  - Make a note of the name of the modified EAR file, then click Generate Now.
  - From the AAT File menu, select File > Save to save the modified copy of wsgwauth.ear.
  - Close the AAT.
- To install the modified copy, Deployed_wsgwauth.ear, complete the following steps:
  - Start the WAS Administrative Console.
  - In the navigation pane, select Applications > Install an Application.
  - Use Install New Application to install Deployed_wsgwauth.ear. Select the users or groups to be assigned to the roles when prompted.
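As an added example (not from the original page or the WSGW product), this is the assembly-descriptor section of an EJB 2.0 ejb-jar.xml of the kind the Security Roles and Method Permissions steps above produce for the generated authorization bean described earlier: one remote method per Web service operation, with roles bound to individual methods. The service name your_webservice, the operations getQuote and updateQuote, and the roles QuoteReader and QuoteAdmin are constructed placeholders.

```xml
<!-- Added example, not code from the original page or from WSGW.
     Constructed names: bean your_webservice (one do-nothing remote
     method per Web service operation), operations getQuote and
     updateQuote, roles QuoteReader and QuoteAdmin. -->
<ejb-jar>
  <!-- <enterprise-beans> omitted: it declares the generated session
       bean your_webservice with remote methods getQuote and updateQuote. -->
  <assembly-descriptor>

    <!-- Roles created under Security Roles in the AAT. Users and groups
         are mapped to them only later, when the EAR is installed. -->
    <security-role>
      <description>May read quotes</description>
      <role-name>QuoteReader</role-name>
    </security-role>
    <security-role>
      <description>May read and update quotes</description>
      <role-name>QuoteAdmin</role-name>
    </security-role>

    <!-- Method permissions created under Method Permissions in the AAT.
         Each one binds roles to a single remote method, which is the
         operation-level check: the read operation is open to both roles,
         the update operation to administrators only. -->
    <method-permission>
      <role-name>QuoteReader</role-name>
      <role-name>QuoteAdmin</role-name>
      <method>
        <ejb-name>your_webservice</ejb-name>
        <method-intf>Remote</method-intf>
        <method-name>getQuote</method-name>
      </method>
    </method-permission>

    <method-permission>
      <role-name>QuoteAdmin</role-name>
      <method>
        <ejb-name>your_webservice</ejb-name>
        <method-intf>Remote</method-intf>
        <method-name>updateQuote</method-name>
      </method>
    </method-permission>

  </assembly-descriptor>
</ejb-jar>
```

After generating code for deployment, compare this section against the operations the gateway exposes for the service, so that every operation carries the permission you intend before Deployed_wsgwauth.ear is installed.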