Securing Web Service with LTPA authentication

AdminRAM
Configure Web Service (server application)

I. Configure security for Web Services methods
First, we need to protect the session bean that implements the service:

1. Open EJB deployment descriptor (ejb-jar.xml) in the EJB project that contains your bean, go to Assembly tab
2. Add required security roles e.g. AllAuthenticated
3. Configure Method Permissions:
- select role, then select bean, then select appropriate methods that should be protected
4. Save and close file.
5. Open Application Deployment Descriptor (application.xml) in the EAR project
6. Go to Security tab, and click Gather
7. For each role specify bindings - check Users/Groups and type appropriate users, groups or special subject (e.g. All authenticated users).
8. Save and close file.

II. Configure WS-Security
Now that the EJB is protected, calls to the service will require proper authentication. We will configure the service to use an LTPA token for authentication.

1. Open webservices.xml file, go to Extensions tab
2. Expand Request Consumer Service Configuration Details > Required Security Token, click Add:
- Name: LTPA
- Token: LTPA Token
- Click OK.

3. Expand Caller Part, click Add
- Name: LTPA_Caller
- Token: LTPAToken
- Click OK.

4. Go to Binding Configuration tab
5. Expand Request Consumer Binding Configuration Details > Token Consumer, click Add
- Token consumer name: LTPA_token_con
- Token consumer class: com.ibm.wsspi.wssecurity.token.LTPATokenConsumer
- Security Token: LTPA
- CHECK Use value Type
- Value Type: LTPA Token
- Callback handler: com.ibm.wsspi.wssecurity.auth.callback.LTPATokenCallbackHandler
- Click OK
6. Save and close file.


III. Configure SSL requirement for Web services (optional)
Sometimes authentication is not enough, and you also require confidentiality of the data passed via the service. To fulfill this requirement you can use XML Encryption or SSL (if you have a direct connection between the client and the service). This example shows how to enforce SSL access to the service.

1. Open web.xml in the 'Router' web project, and go to Security tab
2. Add new Security Constraint:
- Constraint name: WebServiceSSLConstraint
- Resource name: WebServices
- HTTP methods: GET, POST, HEAD
- Patterns: for each service provide its mapping e.g. /services/MyService
- Click OK.
3. In User Data Constraint select CONFIDENTIAL
4. Save and close the file.
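
A way to check the result of these steps outside the editor, as an added example that is not part of the original article: the script parses web.xml and reports, for each service mapping, whether a CONFIDENTIAL constraint covers it and for which HTTP methods. The sample descriptor is constructed, and the element layout (constraint name stored as display-name, J2EE 1.4 namespace) and the second path /services/Other are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from steps 2-3 as it would appear in web.xml (assumed layout).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <display-name>WebServiceSSLConstraint</display-name>
    <web-resource-collection>
      <web-resource-name>WebServices</web-resource-name>
      <url-pattern>/services/MyService</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def children(elem, name):
    # Match on local name so the check works with or without an XML namespace.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def covers(pattern, path):
    # Exact and path-prefix ("/x/*") patterns only; extension patterns are not handled.
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return pattern == path

def audit_transport(web_xml, service_paths):
    """Report, per service path, whether a CONFIDENTIAL constraint covers it and for which methods."""
    report = {p: {"confidential": False, "methods": []} for p in service_paths}
    for sc in children(ET.fromstring(web_xml), "security-constraint"):
        guarantees = [tg.text.strip() for udc in children(sc, "user-data-constraint")
                      for tg in children(udc, "transport-guarantee")]
        if "CONFIDENTIAL" not in guarantees:
            continue
        for wrc in children(sc, "web-resource-collection"):
            patterns = [u.text.strip() for u in children(wrc, "url-pattern")]
            # No <http-method> elements means the constraint applies to every method ("*").
            methods = {m.text.strip() for m in children(wrc, "http-method")} or {"*"}
            for path in service_paths:
                if any(covers(p, path) for p in patterns):
                    entry = report[path]
                    entry["confidential"] = True
                    entry["methods"] = sorted(set(entry["methods"]) | methods)
    return report

if __name__ == "__main__":
    for path, result in audit_transport(SAMPLE_WEB_XML, ["/services/MyService", "/services/Other"]).items():
        print(path, result)
```

A service mapping reported with `confidential: False` was left out of the Patterns list. A method list other than `*` means the constraint applies only to the listed methods.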

Now, our service is configured to require access via SSL and will authenticate users using LTPA token.
It's time to configure the client application.


Configure Web Service Client (web client application)

For this article the service's client is located in a web module (a similar configuration would be required if the client were in an EJB module).

I. Protect the client application.
To pass the LTPA token, the user must be authenticated in the client application. This article assumes that the client application is properly secured, but the basic steps to configure security are as follows:

1. Configure Login type (web.xml - Pages tab)
2. Create roles and Security Constraint (web.xml - Security tab)
3. Gather roles and configure bindings (application.xml - Security tab) in the EAR project


II. Configure WS-Security
1. Open web.xml (ejb-jar.xml in case of the client in the EJB module), go to WS Extensions tab
2. Expand Request Generator Configuration > Security Token, click Add:
- Name: LTPA
- Token: LTPA Token
- Click OK.

3. Go to WS Binding tab
4. Expand Security Request Generator Binding Configuration > Token Generator, click Add
- Token generator name: LTPA_Token_Gen
- Token generator class: com.ibm.wsspi.wssecurity.token.LTPATokenGenerator
- Security Token: LTPA
- CHECK Use value Type
- Value Type: LTPA Token
- Callback handler: com.ibm.wsspi.wssecurity.auth.callback.LTPATokenCallbackHandler
- Click OK
5. Save and close the file.

III. Configure client access via SSL (optional)
This assumes that an SSL repertoire named nodeName/WebServicesClientSSL is configured on the application server (configuring SSL for the application server is out of scope for this document).
1. Open web.xml (ejb-jar for EJB)
2. Go to WS Binding tab, expand "Port Qualified Name Binding Details"
3. In the HTTP SSL Configuration specify: nodeName/WebServicesClientSSL   // paste from admin console
4. Save and close the file.

Comments (1)

Author

Commented:
1) It is a tutorial on how to set up.... (Securing Web Service with LTPA authentication)

2) not the problem or resolution

Steps required more than 300 words.
