These configuration files contain the pipelineURL parameter settings to configure authentication and authorization security settings for Web services pipelines.
These properties files provide enhanced Web Services security through configurable authentication and authorization settings. The webservices.policy properties file allows you to configure authentication and authorization settings. The webservices.passwd properties file contains users and groups along with their passwords.
The files are located in the <install_dir>/srd-home/easws directory.
Authentication is the process of confirming a user's or computer's identity. Authorization is the operation that verifies the permissions and access rights granted to a user. Using these two independently configured security layers allows the provider of Web Services to control who can access the system and what degree of access they have. The configuration of authentication and authorization is handled through the “webservices.properties” file. By default, authentication and authorization are both disabled for all Web Services.
Most SOAP clients do not support the HTTP Basic Authentication challenge/response mechanism. However, the authorization features can still be used.
Policy settings for the authentication level and the authorization level can each be independently set to “NEVER”, “REMOTE” or “ALWAYS”. By default, both authentication and authorization are set to “NEVER”. The combinations of these settings are described in the use cases section below.
IBM InfoSphere Identity Insight Web Services provide support for HTTP Basic Authentication. HTTP Basic Authentication challenges an HTTP client for credentials by sending a “401 Unauthorized” response when credentials are not provided. The user is prompted for a user name and password in a browser window. Once received, the request is resubmitted with the added credentials in an HTTP header.
HTTP Basic Authentication support provides a "challenge client" setting whereby the server can be configured to expect and attempt to match credentials upon the initial request. If not provided, the server sends a “403 Forbidden” response.
The following tables describe the Authentication and Authorization security settings through use cases.
Keep in mind that the product's Visualizer component uses Web Services, and the Visualizer Enterprise Java Beans connect to the Web Services locally. If either authentication or authorization is set to “ALWAYS”, the Visualizer is subject to those authentication and authorization restrictions. If set to “NEVER” or “REMOTE”, the Visualizer is not affected. Because of this, the “ALWAYS” settings should only be used for EAS Web Services installations that are not used with the Visualizer.
| Authentication NEVER, Authorization NEVER | |
|---|---|
| Description | No security. This is separate from the accessRestriction property, which continues to function as before. |
| Actors | User, Client System, SOAP Service Provider, Pipeline |
| Pre-conditions | Web Services are running. |
| Post-conditions | Data was returned or an error code was issued. |
| Primary scenario | |
| Alternate | A remote client calls any of the available Web Service methods. |
| Error conditions | If the Web Services or the Pipeline are not available an error is returned. |
| Authentication REMOTE, Authorization NEVER | |
|---|---|
| Description | Remote requests must authenticate. Local requests are allowed without authentication. Once authenticated, the remote user can access any Web Service operation. Local requests can always execute any Web Service operation. |
| Actors | User, Client System, SOAP Service Provider, Pipeline |
| Pre-conditions | Web Services are running. |
| Post-conditions | Data was returned or an error code was issued. |
| Primary scenario | |
| Alternate scenario A | |
| Alternate scenario B | |
| Error conditions | If the Web Services or the Pipeline are not available an error is returned. |
| Authentication ALWAYS, Authorization NEVER | |
|---|---|
| Description | All requests must authenticate; otherwise either a "401 Unauthorized" response is given to challenge the client (if configured) or a "403 Forbidden" response is given to indicate that the user is not permitted to access the operation. Once authenticated, the user can access any Web Service operation, but without authentication none can be accessed. |
| Actors | User, Client System, SOAP Service Provider, Pipeline |
| Pre-conditions | Web Services are running. |
| Post-conditions | Data was returned or an error code was issued. |
| Primary scenario | |
| Alternate scenario | |
| Error conditions | If the Web Services or the Pipeline are not available an error is returned. |
| Authentication NEVER, Authorization REMOTE | |
|---|---|
| Description | No authentication is required and local clients can access any Web Service operation. Remote clients can only access operations for which the policy allows "any group" access. |
| Actors | User, Client System, SOAP Service Provider, Pipeline |
| Pre-conditions | Web Services are running. |
| Post-conditions | Data was returned or an error code was issued. |
| Primary scenario | |
| Alternate scenario | |
| Error conditions | If the Web Services or the Pipeline are not available an error is returned. |
| Authentication REMOTE, Authorization REMOTE | |
|---|---|
| Description | All local requests are allowed without authentication or authorization. Remote requests must authenticate. Once authenticated, the remote user can only access Web Service operations for which they are authorized. Local requests can always execute any Web Service operation. |
| Actors | User, Client System, SOAP Service Provider, Pipeline |
| Pre-conditions | Web Services are running. |
| Post-conditions | Data was returned or an error code was issued. |
| Primary scenario | |
| Alternate scenario A | |
| Alternate scenario B | |
| Error conditions | If the Web Services or the Pipeline are not available an error is returned. |
| Authentication ALWAYS, Authorization REMOTE | |
|---|---|
| Description | All requests must authenticate. If not, either "401 Unauthorized" is returned to prompt the user for a name and password, or "403 Forbidden" is returned to indicate that the user is not permitted to access the operation. The 401 response only occurs if the server is configured to challenge clients. Local clients that have authenticated are able to access any Web Service operation. Remote clients are only able to access Web Service operations for which they are authorized. |
| Actors | User, Client System, SOAP Service Provider, Pipeline |
| Pre-conditions | Web Services are running. |
| Post-conditions | Data was returned or an error code was issued. |
| Primary scenario | |
| Alternate scenario A | |
| Alternate scenario B | |
| Alternate scenario C | |
| Error conditions | If the Web Services or the Pipeline are not available an error is returned. |
| Authentication NEVER, Authorization ALWAYS | |
|---|---|
| Description | No authentication is required. Clients can only access operations for which the policy allows "any group" access. |
| Actors | User, Client System, SOAP Service Provider, Pipeline |
| Pre-conditions | Web Services are running. |
| Post-conditions | Data was returned or an error code was issued. |
| Primary scenario | |
| Alternate scenario | |
| Error conditions | If the Web Services or the Pipeline are not available an error is returned. |
| Authentication REMOTE, Authorization ALWAYS | |
|---|---|
| Description | All local requests are allowed without authentication. Remote clients must be authenticated. Local clients can only access those Web Service operations for which "any group" access is granted. Remote clients can only access Web Service operations for which they are specifically authorized. |
| Actors | User, Client System, SOAP Service Provider, Pipeline |
| Pre-conditions | Web Services are running. |
| Post-conditions | Data was returned or an error code was issued. |
| Primary scenario | |
| Alternate scenario A | |
| Alternate scenario B | |
| Error conditions | If the Web Services or the Pipeline are not available an error is returned. |
| Authentication ALWAYS, Authorization ALWAYS | |
|---|---|
| Description | All requests must authenticate. If not, either "401 Unauthorized" is returned to prompt the client for credentials, or "403 Forbidden" is returned to indicate that the user is not permitted to access the operation. The "401" response only occurs if the server is configured to challenge clients. Once authenticated, clients can only access Web Service operations for which they are specifically authorized. Local and remote requests are treated the same way. |
| Actors | User, Client System, SOAP Service Provider, Pipeline |
| Pre-conditions | Web Services are running. |
| Post-conditions | Data was returned or an error code was issued. |
| Primary scenario | |
| Alternate scenario | |
| Error conditions | If the Web Services or the Pipeline are not available an error is returned. |
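To make the nine combinations concrete, here is an added Python model of the decision logic the tables above describe; it is not IBM's code and does not read the real properties files. The in-memory user and policy stores, the "*" marker standing for "any group" access, and the treatment of wrong credentials as a 403 are assumptions made for this illustration.

```python
from typing import Optional

NEVER, REMOTE, ALWAYS = "NEVER", "REMOTE", "ALWAYS"

# Constructed sample stores standing in for webservices.passwd (user -> (password, group))
# and webservices.policy (operation -> groups allowed; "*" means "any group" access).
USERS = {"alice": ("s3cret", "analysts"), "bob": ("hunter2", "ops")}
POLICY = {"search": {"*"}, "resolve": {"analysts"}, "purge": {"admins"}}


def in_force(level: str, remote: bool) -> bool:
    """NEVER applies to nobody, REMOTE only to remote callers, ALWAYS to everyone."""
    return level == ALWAYS or (level == REMOTE and remote)


def decide(auth_level: str, authz_level: str, challenge_client: bool,
           remote: bool, operation: str,
           user: Optional[str] = None, password: Optional[str] = None) -> int:
    """Return the HTTP status the model gives a request: 200, 401 or 403."""
    group = None  # the caller's group is only known once authentication has run
    if in_force(auth_level, remote):
        if user is None:
            # No credentials: 401 challenges the client only when so configured,
            # otherwise the server answers 403 straight away.
            return 401 if challenge_client else 403
        if user not in USERS or USERS[user][0] != password:
            return 403  # assumption: bad credentials are refused rather than re-challenged
        group = USERS[user][1]
    if in_force(authz_level, remote):
        allowed = POLICY.get(operation, set())
        if "*" in allowed:
            return 200  # "any group" operations need no identity at all
        if group is None or group not in allowed:
            return 403  # unauthenticated or wrong group for a restricted operation
    return 200
```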