Chapter 4: Web Services Administration

Security

This section describes how to implement security for Web services.


Roles and security realms

This section contains the procedures for establishing security for your Web services from the WST development tool. Each procedure described in this section requires that you first connect to the server that contains the Web service.

Establishing Web services security is based on roles. For complete information about roles, see the EAServer Security Administration and Programming Guide.


Web services security tutorial

EAServer includes a Web services security tutorial that familiarizes you with establishing different levels of security for a Web service and its methods/operations. See Chapter 10, “Using the Web Services Toolkit Samples” for more information.


Managing security realms and roles

EAServer contains a default security realm. The security realm is a container used to store the roles used to allow, and limit, access to your Web services. When you connect to EAServer from the WST development tool, you see the security realm.

Steps: Refreshing a security realm

If you add a role to a security realm or make any other changes, refresh the realm.

  1. Right-click the security realm and then select Refresh.


Managing roles

A role can consist of authorized users, authorized digital IDs, and authorized operating system users. Create a role in a security realm. Add roles at the Web service or Web service operation level to restrict access to those resources.

Note: When you manage roles from the WST development tool, you manipulate the Repository of the server to which you are connected. When you add, delete, or otherwise modify a role, those changes are reflected in EAServer Manager.

Steps: Creating a role

  1. Expand the security realm.

  2. Right-click the Roles icon and then select Create role.

  3. Enter a role name and description and click OK.

Steps: Deleting an existing role

  1. Expand the security realm.

  2. Expand the roles icon.

  3. Right-click the role and then select Delete.

Steps: Allowing a user, group, or digital ID access to a role

Each role can include specific user names and digital IDs. If you use native operating system authentication, you can also include operating system group names; all users in the specified group are affected.

  1. Expand the security realm.

  2. Expand the roles icon.

  3. Expand the role.

  4. Right-click one of the following:

  5. Supply the name of the allowed user, group, or ID.


Establishing Web service access

This section describes how to use roles to limit access to Web services and to methods/operations within a Web service.

When you add a role to a Web service or Web service operation, only the allowed users, groups, or digital IDs have access to that resource.

Steps: Adding a role to a Web service

  1. Expand the Web service collection.

  2. Expand the Web service.

  3. Right-click Roles and then select Add role.

  4. Select a role from the list of defined roles that meets the security needs of the Web service and click OK. EAServer comes with predefined roles. For example, the “everybody” role allows unlimited access to authenticated users.

Steps: Adding a role to a Web service operation

You can further restrict access to a Web service by assigning roles at the Web service operation/method level. For example, you could add the “everybody” role to the Web service, which allows unrestricted access to the Web service, but assign a more restrictive role to those operations that require additional restrictions.

  1. Expand the Web service collection.

  2. Expand the Web service.

  3. Expand the Operations icon.

  4. Expand the operation to which you are adding a role.

  5. Right-click Roles and then select Add role.

  6. Select a role from the list of defined roles that meets the security needs of the Web service operation and click OK.

If you do not assign a role to a Web service or operation, you do not need to provide a user name or password to invoke them. If you do assign a role to the Web service or the operation, you need to provide a valid user name and password for a user within the assigned role.
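The following audit sketch is an added example, not part of the EAServer documentation or tooling. It walks a hand-transcribed inventory of Web services, operations, and their assigned roles, and reports every operation that can be invoked without credentials or by any authenticated user. The inventory layout and the service, operation, and role names other than "everybody" are constructed for illustration, and the rule for combining service-level and operation-level roles is an assumption.

```python
# Constructed inventory, transcribed by hand from the WST tree; the service,
# operation and role names below are made up for this example.
INVENTORY = {
    "PayrollService": {
        "roles": ["everybody"],
        "operations": {
            "getPayslip": ["PayrollUsers"],
            "listDepartments": [],
        },
    },
    "StatusService": {
        "roles": [],
        "operations": {
            "ping": [],
            "resetCounters": ["Admins"],
        },
    },
}

# Predefined role that, per the text above, admits any authenticated user.
BROAD_ROLES = {"everybody"}


def classify(service_roles, operation_roles):
    """Return the exposure level of one operation.

    Assumption (not spelled out in the text above): a caller must satisfy a
    role at every level (service, operation) where at least one is assigned.
    """
    levels = [set(r) for r in (service_roles, operation_roles) if r]
    if not levels:
        return "ANONYMOUS"          # no role anywhere: no user name or password needed
    if all(level & BROAD_ROLES for level in levels):
        return "ANY_AUTHENTICATED"  # every assigned level admits "everybody"
    return "RESTRICTED"


def audit(inventory):
    """List (service, operation, level) for every operation that is not RESTRICTED."""
    findings = []
    for svc, cfg in sorted(inventory.items()):
        for op, op_roles in sorted(cfg["operations"].items()):
            level = classify(cfg["roles"], op_roles)
            if level != "RESTRICTED":
                findings.append((svc, op, level))
    return findings


if __name__ == "__main__":
    for svc, op, level in audit(INVENTORY):
        print(f"{level:18} {svc}.{op}")
```
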


XML-Security

This section describes how to enable XML-Security for your Web services.

XML-Security provides a digital signature and encryption for the SOAP messages sent to and from the Web services container in EAServer. An implementation of XML Security is available at the Apache Web site.


Configuring EAServer and enabling XML-Security

EAServer must be configured with the necessary JAR files for your XML-Secure enabled Web service to work properly.

Steps: Enabling XML-Security

  1. Follow the instructions to locate and download the xml-security-bin-1_0_4.zip file (which contains the following JAR files) from the XML-Security package and install them in either $JAGUAR/java/classes (UNIX), or %JAGUAR%\java\classes (Windows):

  2. Update the EAServer classpath/bootclasspath to use the XML-Security JAR files:

    Note: By setting the EAS_CLASSPATH_PO variable, you modify the server startup script to place the XML-Security jars in the server classpath/bootclasspath first.

  3. Shut down and restart EAServer.





Copyright © 2005. Sybase Inc. All rights reserved.