Monday, January 26, 2004


Securing a Web Service - BASIC AUTH

A simple way to secure a Web service is through basic authentication. Given Web services in Oracle's stack translate into a servlet, it can be as simple as configuring the web.xml and orion-web.xml files. Then to invoke it from a Web service client, it is a simple matter of setting the Web service stub's SOAP HTTP properties with the appropriate credentials.

Let's go through the exercise of doing this with the Web service built on December 7 and December 8 last year and alter its configuration to support BASIC authentication. Then we will come back over the next few days/weeks and think about where one would naturally want to go next, to get an understanding of some of the issues folks run into when trying to move forward with this approach.

First, let's fix up the orion-web.xml [1]. This provides a mapping from the physical security roles maintained in OC4J (e.g. JAAS principals/realms) to logical J2EE groups/users. Here we have mapped the logical role "GreetingRole" to the real OC4J group "users" - "users" is a default group inside of OC4J that happens to contain the real user "admin", the OC4J administrator account.

If you want to add new groups and users to OC4J, check out the OC4J Security Guide on adding/deleting roles and users. This documents how to do this with the JAAS XML based provider. If you installed and configured Oracle Internet Directory as your JAAS provider, Enterprise Manager provides a set of GUI screens for similar configuration.

Next, configure web.xml [2]. Here I have just taken the default generated by the Web Services Assembler or JDeveloper Web services wizard and added <login-config>, <security-role> and <security-constraint> (with its <web-resource-collection> and <auth-constraint>) tags, so that access to the service is restricted to users in "GreetingRole" and callers are challenged with BASIC authentication.

Once this is done, re-deploy this Web service to OC4J and any time you try to access the endpoint you will be challenged for a user id and password. If you come in through the OC4J Web service test page, you can simply enter a valid OC4J user id and password (e.g. in a default install admin/welcome) in the browser popup window.
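To make the chain of decisions concrete (challenge with the realm, check the credentials, then map the logical role through orion-web.xml to an OC4J group), here is an added model of what the container does with the two descriptors above. It is constructed for this post and is not OC4J code; the user store is a stand-in for the JAAS XML provider, with "guest" invented to show a user who authenticates but is not in "GreetingRole".

```python
import base64

# Constructed model (not OC4J code) of how the two descriptors on this page combine:
# web.xml guards "*" with GreetingRole; orion-web.xml maps that logical role to the
# OC4J group "users", whose member "admin" is the only real user that gets through.
REALM = "Greeting Service"                    # <realm-name> from web.xml
PROTECTED_ROLE = "GreetingRole"               # <auth-constraint> from web.xml
ROLE_TO_GROUPS = {"GreetingRole": {"users"}}  # <security-role-mapping> from orion-web.xml
# Constructed stand-in for the JAAS XML provider's user store ("guest" is invented).
USERS = {"admin": {"password": "welcome", "groups": {"users"}},
         "guest": {"password": "guest", "groups": {"anonymous"}}}
CHALLENGE = (401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM})

def parse_basic(header):
    """(user, password) from an Authorization header, or None if absent/malformed."""
    parts = (header or "").split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def is_in_role(user, role):
    """Logical J2EE role -> OC4J group(s) -> the user's group membership."""
    return bool(USERS[user]["groups"] & ROLE_TO_GROUPS.get(role, set()))

def handle_request(headers):
    """Model the container's decision for one request: (status, response headers)."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return CHALLENGE                      # no/invalid header: challenge with the realm
    user, password = creds
    account = USERS.get(user)
    if account is None or account["password"] != password:
        return CHALLENGE                      # bad credentials: challenge again
    if not is_in_role(user, PROTECTED_ROLE):
        return (403, {})                      # authenticated, but not mapped into GreetingRole
    return (200, {})

def basic_header(user, password):
    """What the stub's AUTH_TYPE/USERNAME/PASSWORD properties become on the wire."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return "Basic " + token                   # base64 only: readable by anyone on the path
```

The last function also shows why the transport-guarantee of NONE in web.xml matters: the header is encoded, not encrypted.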

More normally, you would come in from another application via a client that incorporates a Web service stub generated either by the Web Services Assembler or JDeveloper. In the stub you will have to set the HTTP properties to include a user id and password as follows - below is the modified constructor of a Web service stub for this Web service:

import java.util.Properties;
import oracle.soap.transport.http.OracleSOAPHTTPConnection;
import org.apache.soap.encoding.SOAPMappingRegistry;

public GreetingServiceStub()
{
    // Use Oracle's own SOAP HTTP transport rather than HTTPClient
    System.setProperty("oracle.soap.transport.noHTTPClient", "true");
    m_httpConnection = new OracleSOAPHTTPConnection();
    m_smr = new SOAPMappingRegistry();

    // Credentials the transport turns into an HTTP Basic Authorization header on every call
    Properties props = new Properties();
    props.put(OracleSOAPHTTPConnection.AUTH_TYPE, "basic");
    props.put(OracleSOAPHTTPConnection.USERNAME, "admin");
    props.put(OracleSOAPHTTPConnection.PASSWORD, "welcome");

    m_httpConnection.setProperties(props);
}

Next entry we'll explore the obvious issues that immediately come up with this approach.


[1] orion-web.xml

<?xml version = '1.0' encoding = 'windows-1252'?>
<!DOCTYPE orion-web-app PUBLIC "-//Evermind//DTD Orion Web Application 2.3//EN" "http://xmlns.oracle.com/ias/dtds/orion-web.dtd">
<orion-web-app servlet-webdir="/servlet/">
  <security-role-mapping name="GreetingRole" impliesAll="false">
    <group name="users"/>
  </security-role-mapping>
</orion-web-app>


[2] web.xml

<?xml version = '1.0' encoding = 'windows-1252'?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <description>Empty web.xml file for Web Application</description>
  <servlet>
    <servlet-name>GreetingService</servlet-name>
    <servlet-class>oracle.j2ee.ws.StatelessJavaRpcWebService</servlet-class>
    <init-param>
      <param-name>class-name</param-name>
      <param-value>com.doc.Greeting</param-value>
    </init-param>
    <init-param>
      <param-name>interface-name</param-name>
      <param-value>com.doc.IGreetingService</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>GreetingService</servlet-name>
    <url-pattern>/GreetingService</url-pattern>
  </servlet-mapping>
  <session-config>
    <session-timeout>35</session-timeout>
  </session-config>
  <mime-mapping>
    <extension>html</extension>
    <mime-type>text/html</mime-type>
  </mime-mapping>
  <mime-mapping>
    <extension>txt</extension>
    <mime-type>text/plain</mime-type>
  </mime-mapping>
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Greeting Service</realm-name>
  </login-config>
  <security-role>
    <role-name>GreetingRole</role-name>
  </security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Greeting Web Service</web-resource-name>
      <url-pattern>*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>GreetingRole</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>



10:54:03 PM