Password-protecting a web service operation
Password-protect individual operations (methods) in a web service by creating an enterprise bean with methods that match the web service operations, then applying the WebSphere® Application Server security mechanisms (role-based authorization) to that enterprise bean. Before a web service operation is invoked, the matching EJB method is called; the operation proceeds only if the caller is authorized to invoke that method.
Before you begin
In addition to password-protecting a web service operation as described in this topic, you must configure the service as either an inbound or outbound service and select the Enable operation-level security option, as described in Modifying an existing inbound service configuration or Modifying an existing outbound service configuration. Without that option, the authorization bean is never consulted and the operations remain unprotected.
For an application deployed to the service integration bus to use operation-level security, you must set the application server class-loader policy to single.
About this task
For operation-level authorization you create an enterprise bean with methods matching the web service operations. These EJB methods have empty bodies; they exist only as targets to which security roles can be attached. You then apply the existing WebSphere Application Server role-based authorization mechanism to the enterprise bean. Before any web service operation is invoked, the matching EJB method is called. If the caller is in a role that is permitted to call that method, the web service operation is invoked; otherwise the call is rejected and the operation is not invoked.
Your target web service is protected by wrapping it in an EAR file (your_webservice.ear) and applying role-based authorization to that EAR file. This process is explained in general terms in Operation-level security: Role-based authorization. The your_webservice.ear file is then imported into the sibwsauthbean.ear file, and the sibwsauthbean.ear file is modified to define the roles and assign them to the EJB methods. The modified sibwsauthbean.ear file is then deployed in WebSphere Application Server, and users are assigned to the previously defined roles.
The installation version of the sibwsauthbean.ear file is in the app_server_root/installableApps directory, where app_server_root is the root directory for the installation of WebSphere Application Server.
The sibwsauthbean.ear file contains one EAR file for each web service that you protect. For the first web service that you protect through operation-level authorization, copy the installation version of the sibwsauthbean.ear file and store your copy outside of the application server file system, so that a later fix pack or reinstallation cannot overwrite it. For each subsequent web service that you protect, modify the same copy of the sibwsauthbean.ear file again.
To enable operation-level authorization, you use the sibwsAuthGen command and an assembly tool. These tools run only on a Windows system, so you must copy, in binary mode, all the files you need for this task to a Windows system, create and modify the EAR files there, and then copy, again in binary mode, the modified sibwsauthbean.ear file back to your z/OS® system. A text-mode (EBCDIC/ASCII) transfer corrupts the EAR archive.
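The following ejb-jar.xml fragment is an added illustration, not a file shipped in sibwsauthbean.ear or produced verbatim by sibwsAuthGen, of what the assembly tool ends up writing when you define roles and assign them to the authorization bean's methods. The bean name StockQuoteAuthBean, the package com.example.auth, the operation names getQuote, setQuote and deleteQuote, and the role names QuoteReader and QuoteAdmin are all hypothetical; substitute the names that sibwsAuthGen generated for your web service.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (hypothetical names), not the page's or the tool's own output. -->
<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/ejb-jar_2_1.xsd"
         version="2.1">
  <enterprise-beans>
    <!-- One stateless session bean per protected web service; each method
         matches a web service operation and has an empty body. -->
    <session>
      <ejb-name>StockQuoteAuthBean</ejb-name>
      <home>com.example.auth.StockQuoteAuthHome</home>
      <remote>com.example.auth.StockQuoteAuth</remote>
      <ejb-class>com.example.auth.StockQuoteAuthBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
    </session>
  </enterprise-beans>

  <assembly-descriptor>
    <!-- Roles that users or groups are mapped to after deployment. -->
    <security-role>
      <role-name>QuoteReader</role-name>
    </security-role>
    <security-role>
      <role-name>QuoteAdmin</role-name>
    </security-role>

    <!-- getQuote: read-only operation, both roles may call it. -->
    <method-permission>
      <role-name>QuoteReader</role-name>
      <role-name>QuoteAdmin</role-name>
      <method>
        <ejb-name>StockQuoteAuthBean</ejb-name>
        <method-name>getQuote</method-name>
      </method>
    </method-permission>

    <!-- setQuote: state-changing operation, administrators only. -->
    <method-permission>
      <role-name>QuoteAdmin</role-name>
      <method>
        <ejb-name>StockQuoteAuthBean</ejb-name>
        <method-name>setQuote</method-name>
      </method>
    </method-permission>

    <!-- Fail closed: an operation you do not want exposed at all goes in
         exclude-list, which denies it to every caller. List each such
         method by name; exclude-list takes precedence over method-permission,
         so a wildcard here would also deny the operations granted above. -->
    <exclude-list>
      <method>
        <ejb-name>StockQuoteAuthBean</ejb-name>
        <method-name>deleteQuote</method-name>
      </method>
    </exclude-list>
  </assembly-descriptor>
</ejb-jar>
```

After you deploy the modified sibwsauthbean.ear, check the result from the caller's side rather than trusting the descriptor: invoke each operation as a user in no role, as a QuoteReader and as a QuoteAdmin, and confirm that only the granted combinations succeed. Any operation that is neither in a method-permission nor in the exclude-list is worth treating as a defect in the descriptor, not as something to leave to the container's default handling of unassigned methods.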
To password-protect web service operations, complete the following steps for each web service that you want to protect: