Password-protect a set of inbound services by requiring user authentication for access to the associated HTTP endpoint listener, or (for JMS) to the associated JMS queue destination.
Before you begin
This topic covers the two main areas in which you might want to
change the HTTP endpoint listener authentication settings:
- Changing the HTTP endpoint listener security role.
- Mapping the HTTP endpoint listener security role to users or groups.
If you want to change the HTTP endpoint listener security role, do so before you install the HTTP endpoint listener application.
For a SOAP over JMS endpoint listener, you can achieve similar results by securing the underlying destination for each JMS queue.
Why and when to perform this task
When WebSphere Application Server global security is enabled, clients that access an HTTP endpoint listener can be prompted for a user ID and password, which are authenticated against the registry defined within the security configuration. The HTTP endpoint listeners that are supplied with WebSphere Application Server are configured with a security role named AuthenticatedUsers. By default this role is mapped to the special group Everyone, so even if security is enabled, all users can access any inbound service deployed to the HTTP endpoint listener.
You need not change the default security role. You would only choose to do so if you wanted to use a role name that is more specific, or more meaningful in the context of your organization. To change the security role, you modify the endpoint listener application EAR file before you install the endpoint listener application.
After you install the endpoint listener application, you can map the security role to specific users or groups so that, when WebSphere Application Server global security and service integration bus security are enabled, access to the HTTP endpoint listener is restricted. For more information about why you might want to do this, see Endpoint listeners and inbound ports - entry points to the service integration bus.
To configure HTTP endpoint listener authentication, complete the following steps:
Steps for this task
- Optional: If you want to change the HTTP endpoint listener security role, use an assembly tool to modify the endpoint listener application by completing the following steps:
  - In the endpoint listener enterprise application, edit the Web application deployment descriptor to add a new role with a name of your choice.
  - Remove the existing role (for example, AuthenticatedUsers) from the authorized roles within the security constraint, then add the role you created in the previous step.
  - Save the modified endpoint listener application.
- Install the HTTP endpoint listener application.
- Map the HTTP endpoint listener security role to users or groups by completing the following steps:
  Note: The default security role AuthenticatedUsers is mapped to the special group Everyone. That is, even if WebSphere Application Server global security is enabled, all users can access any inbound service deployed to the HTTP endpoint listener. To restrict access to just authenticated users, map the role to the special group named All authenticated.
  - Turn on WebSphere Application Server global security.
  - Start the WebSphere Application Server administrative server.
  - Start the administrative console.
  - In the navigation pane, click your_endpoint_listener, where your_endpoint_listener is the name of the EAR file for this listener (for example, soaphttpchannel1). In the additional properties for this listener, an option to map security roles to users and groups is displayed.
  - Assign users and groups to the security role. For example, map the AuthenticatedUsers role to the All authenticated group.
  - Click OK.
  - Save your changes to the master configuration.
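The optional first step (declare a new role in the Web application deployment descriptor, then move the security constraint from AuthenticatedUsers to the new role) is normally done in an assembly tool, but it is a mechanical edit of web.xml. The following Python script is an added example, not IBM tooling or any file from an endpoint listener EAR: it performs exactly that edit on a constructed web.xml whose shape resembles a listener descriptor. The role name SIBusListenerUsers is an illustrative choice, and removing the old security-role declaration once nothing references it is an assumption of this example (the topic only says to remove the role from the constraint); the script also shows how the page's check that the role is still mapped in the console reduces to inspecting the descriptor's auth-constraint elements.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor: shaped like the web.xml of an HTTP endpoint
# listener application, but the names and content are illustrative, not copied
# from any shipped listener EAR.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <display-name>soaphttpchannel1</display-name>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Endpoint listener servlet</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>AuthenticatedUsers</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
    <role-name>AuthenticatedUsers</role-name>
  </security-role>
</web-app>
"""


def _qualifier(root):
    """Return a function that qualifies a tag name with the root's namespace."""
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    if ns:
        # Keep the default namespace unprefixed when serialising.
        ET.register_namespace("", ns)
    return lambda tag: f"{{{ns}}}{tag}" if ns else tag


def constrained_roles(web_xml):
    """Role names that appear in any <auth-constraint> of the descriptor."""
    root = ET.fromstring(web_xml)
    q = _qualifier(root)
    return {rn.text for ac in root.iter(q("auth-constraint"))
            for rn in ac.findall(q("role-name"))}


def declared_roles(web_xml):
    """Role names declared by top-level <security-role> elements."""
    root = ET.fromstring(web_xml)
    q = _qualifier(root)
    return {sr.findtext(q("role-name")) for sr in root.findall(q("security-role"))}


def replace_security_role(web_xml, old_role, new_role):
    """Declare new_role, move every auth-constraint from old_role to it, and
    drop the old declaration once nothing references it. Returns the new XML."""
    root = ET.fromstring(web_xml)
    q = _qualifier(root)

    # 1a. Declare the new role unless the descriptor already has it.
    if new_role not in {sr.findtext(q("role-name"))
                        for sr in root.findall(q("security-role"))}:
        sr = ET.SubElement(root, q("security-role"))
        ET.SubElement(sr, q("role-name")).text = new_role

    # 1b. Swap the role inside every security constraint's auth-constraint.
    swapped = 0
    for ac in root.iter(q("auth-constraint")):
        for rn in ac.findall(q("role-name")):
            if rn.text == old_role:
                rn.text = new_role
                swapped += 1
    if swapped == 0:
        # Nothing protected the listener with old_role: refuse rather than
        # silently leave the constraint unchanged.
        raise ValueError(f"no auth-constraint references role {old_role!r}")

    # 1c. Assumed housekeeping (not a step the topic spells out): remove the old
    # <security-role> so the console does not show a dangling, unmapped role.
    for sr in root.findall(q("security-role")):
        if sr.findtext(q("role-name")) == old_role:
            root.remove(sr)

    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    updated = replace_security_role(SAMPLE_WEB_XML, "AuthenticatedUsers",
                                    "SIBusListenerUsers")
    print(updated)
    print("constrained roles:", constrained_roles(updated))
```

After the edit, the only role the listener's security constraint references is the new one, which is the role you then map to All authenticated (rather than Everyone) in the administrative console; if you ever need to audit a listener, `constrained_roles` on the deployed descriptor tells you which role actually guards the URL pattern.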