WebSphere Application Server Network Deployment, Version 6.0.x. Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Password-protecting a Web service operation

Password-protect individual operations (methods) in a Web service by creating an enterprise bean with methods matching the Web service operations, then applying WebSphere Application Server authentication mechanisms to the enterprise bean so that, before a Web service operation is invoked, a call is made to the EJB method for authorization.

In addition to password-protecting a Web service operation as described in this topic, you must also configure the service as either an inbound or outbound service and select the Enable operation-level security option, as described in Modifying an existing inbound service configuration and Modifying an existing outbound service configuration.

For operation-level authorization you create an enterprise bean with methods matching the Web service operations. These EJB methods perform no operation and are just entities for applying security. You then apply existing WebSphere Application Server authentication mechanisms to the enterprise bean. Before any Web service operation is invoked, a call is made to the EJB method. If authorization is granted, the Web service is invoked.

Your target Web service is protected by wrapping it in an EAR file (your_webservice.ear), then applying role-based authorization to the EAR file. This process is explained in general terms in Operation-level security - role-based authorization. The your_webservice.ear file is then imported into the sibwsauthbean.ear file and the sibwsauthbean.ear file is modified to set the roles and assign them to methods. The modified sibwsauthbean.ear file is then deployed in WebSphere Application Server, and users are assigned to the previously-defined roles.

The installation version of the sibwsauthbean.ear file is in the install_root/installableApps directory, where install_root is the root directory for the installation of IBM WebSphere Application Server.

The sibwsauthbean.ear file contains an EAR file for each Web service that you protect. For the first Web service that you protect through operation-level authorization, you copy the installation version of the sibwsauthbean.ear file and store your copy outside of the application server file system. For each subsequent Web service that you protect, you further modify the same copy of the sibwsauthbean.ear file.

To password-protect Web service operations, complete the following steps for each Web service that you want to protect:

  1. For the first Web service that you protect, make your own copy of the install_root/installableApps/sibwsauthbean.ear file in a convenient location outside of the application server file system.
  2. To create the your_webservice.ear file, complete the following steps:
    1. Open a command prompt.
    2. Go to the install_root/util directory.
    3. Enter the following command:
      sibwsAuthGen location your_webservice
      where:
      • location is the Web address for the service integration bus. This must include the root context.
      • your_webservice is the name of the service as configured for the service integration bus. This is case-sensitive.
      For example:
      sibwsAuthGen http://host:port/sibws/wsdl AddressBook
      where host and port are the host name and port number for the application server on which the service integration bus is installed.

      The Web service name and operation name can contain characters (such as a dash (-), period (.) and ampersand (&)) that are disallowed in an EJB class name and method name. These characters are therefore translated when the your_webservice.ear file is generated. A message is displayed informing you of any name changes.

    The your_webservice.ear file is created in the current directory. There is also a temporary directory current_directory/ejb that you can delete.
  3. To finish assigning roles and protecting methods, complete the steps given in the topic Using assembly tools to Password-protect a Web service operation.
  4. To install the modified copy of the sibwsauthbean.ear file, complete the following steps:
    1. Check that the modified sibwsauthbean.ear file is stored in the convenient location outside of the application server file system that you chose in step 1. Keep the sibwsauthbean.ear file in this location for subsequent reuse and further modification.
    2. Start the WebSphere Application Server administrative console.
    3. In the navigation pane, select Applications > Install an Application.
    4. Use Install New Application to install the modified copy of the sibwsauthbean.ear file. Select the users or groups to assign to the roles when prompted.
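
The roles and method assignments set in step 3 are recorded in the standard EJB deployment descriptor (ejb-jar.xml) of the generated bean. The fragment below is an added illustration, not the descriptor that sibwsAuthGen generates: the ejb-name AddressBook follows the command example above, and the role names and operation names (findEntry, addEntry, deleteEntry) are assumptions.

```xml
<!-- Added example: assembly-descriptor section of an EJB 2.x ejb-jar.xml.
     All role, bean and method names are hypothetical. -->
<assembly-descriptor>

  <!-- Roles are declared once, then referenced by method-permission. -->
  <security-role>
    <description>May call read-only operations</description>
    <role-name>AddressBookReader</role-name>
  </security-role>
  <security-role>
    <description>May call operations that change data</description>
    <role-name>AddressBookEditor</role-name>
  </security-role>

  <!-- Both roles may invoke the lookup operation. -->
  <method-permission>
    <role-name>AddressBookReader</role-name>
    <role-name>AddressBookEditor</role-name>
    <method>
      <ejb-name>AddressBook</ejb-name>
      <method-name>findEntry</method-name>
    </method>
  </method-permission>

  <!-- Only the editor role may invoke the modifying operations.
       Each operation is listed by name; a method-name of * would
       grant the role every method on the bean, including any
       operation added to the service later. -->
  <method-permission>
    <role-name>AddressBookEditor</role-name>
    <method>
      <ejb-name>AddressBook</ejb-name>
      <method-name>addEntry</method-name>
    </method>
    <method>
      <ejb-name>AddressBook</ejb-name>
      <method-name>deleteEntry</method-name>
    </method>
  </method-permission>

</assembly-descriptor>
```

After assigning roles, compare the list of methods that carry a method-permission with the operations in the service WSDL, using the translated names reported by sibwsAuthGen, so that no operation is left without a role.
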
Related concepts
Operation-level security - role-based authorization
Related information
Tips for troubleshooting the SIBWS


Last updated: 5 Oct 2005
http://publib.boulder.ibm.com/infocenter/ws60help/index.jsp?topic=/com.ibm.websphere.pmc.nd.doc\tasks\tjw_security_wslevel.html

© Copyright IBM Corporation 2004, 2005. All Rights Reserved.