Enabling basic authentication and authorization for the gateway

Why and when to perform this task

[Version 5.0.2 and later] In addition to the security options described in Enabling Web Services Security (WS-Security) through the gateway, you can also use the broader security features of WebSphere Application Server to enable basic authentication and authorization.

[5.0 only] [Version 5.0.1] The Web services gateway provides a basic authentication and authorization mechanism based upon the broader security features of WebSphere Application Server.

Basic authentication can be applied at two levels, as described in the following topics:

  1. Enabling gateway-level authentication.
  2. Enabling Web service operation-level authorization.

For gateway-level authentication, you set up a role and realm for the gateway on the WebSphere Application Server Web server and servlet container, and define the user ID and password that the gateway uses to access the role and realm. You also modify the gateway channel applications so that they give access to the gateway only to service requesters that supply the correct user ID and password for that role and realm. This means that gateway-level authentication must be enabled before you install any channels.

For operation-level authorization, you apply security to individual methods in a Web service. To do this, you create an enterprise bean with methods matching the Web service operations. These EJB methods perform no operation and are just entities for applying security. Existing WebSphere Application Server authentication mechanisms can be applied to the enterprise bean. Before any Web service operation is invoked, a call is made to the EJB method. If authorization is granted, the Web service is invoked. Your target Web service is protected by wrapping it in an EAR file, and applying role-based authorization to the EAR file. This process is explained in general terms in Operation-level security - role-based authorization.
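
As an added illustration (not taken from the IBM documentation), the deployment descriptor below shows how role-based method permissions could be declared on such a no-op enterprise bean, using the standard EJB 2.0 ejb-jar.xml elements. The bean, class, operation and role names are hypothetical, and the bean's remote interface is assumed to declare one empty method per Web service operation.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ejb-jar PUBLIC
  "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN"
  "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
<!-- Added example. All names (StockQuoteAuth, com.example.*, getQuote,
     updateQuote, QuoteReader, QuoteAdmin) are hypothetical. -->
<ejb-jar>
  <enterprise-beans>
    <!-- Authorization bean: its remote interface declares one empty method
         per Web service operation. The methods only carry permissions. -->
    <session>
      <ejb-name>StockQuoteAuth</ejb-name>
      <home>com.example.auth.StockQuoteAuthHome</home>
      <remote>com.example.auth.StockQuoteAuth</remote>
      <ejb-class>com.example.auth.StockQuoteAuthBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>QuoteReader</role-name></security-role>
    <security-role><role-name>QuoteAdmin</role-name></security-role>
    <!-- Both roles may create the bean and call the read operation. -->
    <method-permission>
      <role-name>QuoteReader</role-name>
      <role-name>QuoteAdmin</role-name>
      <method>
        <ejb-name>StockQuoteAuth</ejb-name>
        <method-intf>Home</method-intf>
        <method-name>create</method-name>
      </method>
      <method>
        <ejb-name>StockQuoteAuth</ejb-name>
        <method-intf>Remote</method-intf>
        <method-name>getQuote</method-name>
      </method>
    </method-permission>
    <!-- Only QuoteAdmin may call the state-changing operation. -->
    <method-permission>
      <role-name>QuoteAdmin</role-name>
      <method>
        <ejb-name>StockQuoteAuth</ejb-name>
        <method-intf>Remote</method-intf>
        <method-name>updateQuote</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

The roles declared here are mapped to users or groups in the configured user registry when the EAR file is deployed.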

Note:

The Web services gateway can also invoke Web services that include https:// in their addresses, if the Java and WebSphere security properties have been configured to allow it. To check your security property settings, see Invoking Web services over HTTPS.

What to do next

For hints on solving security-related problems, see Troubleshooting the Web services gateway.

Related tasks
Securing the Web services gateway
Enabling Web Services Security (WS-Security) for the gateway [Version 5.0.2 and later]
Invoking Web services over HTTPS
Enabling proxy authentication for the gateway [Version 5.0.2 and later]
Troubleshooting the Web services gateway



Searchable topic ID:   twsg_security_basiclevel
Last updated: Jun 21, 2007 8:07:48 PM CDT    WebSphere Business Integration Server Foundation, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.wasee.doc/info/ee/ae/twsg_security_basiclevel.html
