Password-protect a set of inbound services by requiring user authentication
for access to the associated HTTP endpoint listener, or (for JMS) to the associated
JMS queue destination.
This topic covers the two main areas in which you might want to
change the HTTP endpoint listener authentication settings:
- Changing the HTTP endpoint listener security role.
- Mapping the HTTP endpoint listener security role to users or groups.
If you want to change the HTTP endpoint listener security role,
do so before you install the HTTP endpoint listener application.
For a SOAP over JMS endpoint listener, you can achieve similar results by securing
the underlying destination for each JMS queue.
When WebSphere Application Server global security is
enabled, clients that access an HTTP endpoint listener can be prompted for
a user ID and password, which are authenticated against the registry defined
within the global security configuration. The HTTP endpoint listeners that
are supplied with WebSphere Application Server are configured with a security
role named AuthenticatedUsers. Despite its name, this role is by default mapped
to the special group Everyone, which includes unauthenticated clients. So even if
global security is enabled, all users can access any inbound service deployed to the
HTTP endpoint listener until you change the mapping.
You need not change the default security role; do so only if you
want a role name that is more specific, or more meaningful in the context
of your organization. Renaming the role does not by itself restrict access.
To change the security role, you modify the endpoint listener application
EAR file before you install the endpoint listener.
After you install the endpoint listener
application, you can map the security role to specific users or groups so
that, when global security and service integration bus security are enabled,
access to the HTTP endpoint listener is restricted. For more information about
why you might want to do this, see Endpoint listeners and inbound ports - entry points to the service integration bus.
To configure HTTP endpoint listener authentication,
complete the following steps:
- Optional: If you want to change the HTTP endpoint listener
security role, use an assembly tool such as the Application Server
Toolkit (AST) or Rational Web Developer to modify the endpoint listener application
by completing the following steps:
Note: If you want to change
the security role, do so before you install the endpoint listener.
- In the endpoint listener enterprise application, edit the Web
application deployment descriptor (web.xml) to add a new security role with a name of your choice.
- In the security constraint, remove the existing role (for example AuthenticatedUsers)
from the authorized roles (the auth-constraint), then add the role
you created in the previous step.
- Save the modified endpoint listener application.
- Install the HTTP endpoint listener application.
- Map the HTTP endpoint listener security role to users or groups
by completing the following steps:
Note: The default security role AuthenticatedUsers is
mapped to the special group Everyone. That is, even if global security
is enabled all users can access any inbound service deployed to the
HTTP endpoint listener. To restrict access to just global security authenticated
users, map the role to the special group named All authenticated. Any user
who can authenticate against the registry is then accepted; to restrict access
further, map the role to specific users or groups instead.
- Turn on global security.
- Start the WebSphere Application Server administrative server.
- Start the administrative console.
- In the navigation pane, click your_endpoint_listener
where your_endpoint_listener is the name of the
EAR file for this listener, for example soaphttpchannel1.
In the additional properties for this listener, an option to map
security roles to users and groups is displayed.
- Assign users and groups to the security role. For example, map the AuthenticatedUsers role to the All
authenticated group.
- Click OK.
- Save your changes to the master configuration.
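The deployment descriptor edit from the optional first step, shown here as an added illustration rather than the descriptor shipped with the endpoint listener. The new role name SIBusInboundClients, the url-pattern, the web-resource-name and the BASIC auth-method are assumptions chosen for this example; the shipped descriptor may differ, so copy the values from the EAR you are editing. The role-to-group mapping made in the administrative console after installation is not part of web.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the shipped endpoint listener descriptor.
     Assumptions: role name SIBusInboundClients, url-pattern /*,
     BASIC authentication. Adjust to match the actual EAR. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- 1. Declare the new role with a name meaningful to your organization. -->
  <security-role>
    <role-name>SIBusInboundClients</role-name>
  </security-role>

  <!-- 2. Protect the listener's URL space. The auth-constraint now names
          the new role; the old AuthenticatedUsers entry is removed. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>EndpointListener</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Removed: <role-name>AuthenticatedUsers</role-name> -->
      <role-name>SIBusInboundClients</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- 3. Clients are prompted for a user ID and password, checked against
          the registry in the global security configuration. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>EndpointListener</realm-name>
  </login-config>

</web-app>
```

After installing the modified EAR, map SIBusInboundClients (instead of AuthenticatedUsers) to All authenticated or to specific groups in the console; until that mapping is saved, the renamed role behaves exactly like the original one.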