Securing web services

You can secure integration web services by using HTTP basic authentication in standard J2EE security. These security settings restrict access to web services to authorized users who present a valid user name and password.

Procedure

  1. Similar to the procedure for securing the HTTP servlet, in the web.xml file, uncomment the <security-constraint> section for the web service invocation, as in the following example:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Integration Web Services</web-resource-name>
        <description>
          Integration Web Services accessible by authorized users
        </description>
        <url-pattern>/services/*</url-pattern>  
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>
          Roles that have access to Integration Web Services
        </description>
        <role-name>maximouser</role-name>
      </auth-constraint>
      <user-data-constraint>
        <description>data transmission guarantee</description>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>    
  2. Verify that the <security-role> section in the web.xml file is not commented out, as in the following example code:
    <security-role>
      <description>An Integration User</description>
      <role-name>maximouser</role-name>
    </security-role>
  3. Change the value from 0 to 1 in the useAppServerSecurity <env-entry-name> section, as in the following example:
    <env-entry>
      <description>
        Indicates whether to use Application Server security or not
      </description>
      <env-entry-name>useAppServerSecurity</env-entry-name>
      <env-entry-type>java.lang.String</env-entry-type>
      <env-entry-value>1</env-entry-value>
    </env-entry>
  4. For web service invocation, ensure that the client program uses the following user name and password calls in the JAX-RPC Call object:
    call.setProperty(Call.USERNAME_PROPERTY, username);
    call.setProperty(Call.PASSWORD_PROPERTY, password);

What to do next

HTTP basic authentication sends the user name and password encoded but not encrypted, so deploy the web service securely by using Secure Sockets Layer (SSL) for HTTPS posts. Configure SSL on the application server with the appropriate digital certificates.
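
A check of the web.xml settings from steps 1 to 3, written as an added Python example (not part of the product or its documentation); the function name audit_web_xml and the sample document are assumptions made for illustration. It also reports a <transport-guarantee> of NONE, because with that value the container does not enforce HTTPS for the basic authentication credentials.

```python
import xml.etree.ElementTree as ET

# Constructed sample: web.xml before the procedure (constraint commented out, flag 0).
SAMPLE_BEFORE = """<web-app>
<!-- <security-constraint><web-resource-collection>
<url-pattern>/services/*</url-pattern></web-resource-collection></security-constraint> -->
<security-role><role-name>maximouser</role-name></security-role>
<env-entry><env-entry-name>useAppServerSecurity</env-entry-name>
<env-entry-value>0</env-entry-value></env-entry>
</web-app>"""

def audit_web_xml(xml_text, pattern="/services/*", role="maximouser"):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)  # commented-out sections are dropped by the parser
    for el in root.iter():          # strip the Java EE namespace, if one is declared
        el.tag = el.tag.split("}", 1)[-1]
    findings = []
    # Step 1: an active (uncommented) constraint must cover the services URL.
    constraints = [c for c in root.iter("security-constraint")
                   if pattern in [(u.text or "").strip() for u in c.iter("url-pattern")]]
    if not constraints:
        findings.append(f"no active security-constraint for {pattern}")
    for c in constraints:
        roles = [(r.text or "").strip() for r in c.findall("auth-constraint/role-name")]
        if role not in roles:
            findings.append(f"auth-constraint does not list role {role}")
        tg = (c.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        if tg == "NONE":
            findings.append("transport-guarantee is NONE: HTTPS is not enforced")
    # Step 2: the role must be declared in an active security-role element.
    declared = [(r.text or "").strip() for r in root.findall("security-role/role-name")]
    if role not in declared:
        findings.append(f"security-role {role} is not declared")
    # Step 3: useAppServerSecurity must be set to 1.
    value = None
    for e in root.iter("env-entry"):
        if (e.findtext("env-entry-name") or "").strip() == "useAppServerSecurity":
            value = (e.findtext("env-entry-value") or "").strip()
    if value != "1":
        findings.append(f"useAppServerSecurity is {value!r}, expected '1'")
    return findings

if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE_BEFORE):
        print("FINDING:", finding)
```

Run against the web.xml exactly as configured in this procedure, the only remaining finding is the NONE transport guarantee, which is the gap that the SSL configuration described here is meant to close.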


