
Securing a Previously Insecure Service

You do not need to change the implementation of an insecure Web service to restrict access to authenticated and authorized users. If you do want to change the implementation, see Server-Side Security. To secure a previously insecure service, follow these steps:

Deploy the HelloWorld demo and check the recommended actions online to see how it works. Go to the WASP_HOME/demos/hello directory, then compile the service and client sources and deploy the Hello World service by issuing the following commands:

run make_service
run deploy_service
run make_client

You will be asked for an administrator name and password while performing certain actions; use the same values you entered during the security installation. The default admin username and password are admin and changeit.

  1. SSL can be used to access the service and ensure privacy on the transport layer. The only change required in the client implementation is the URL of the service, which must point to the SSL version. Also, the trusted certificate of the server must be added to the client key store.

    Note

    Edit the run script and add the SERVER_URL system variable containing the HTTPS URL of the WSO2 SOA Enablement Server. This line should be added before the first GOTO line (Windows) or procedure declaration (UNIX). It should look like the following:

    Windows: SET SERVER_URL=https://mycomp.com:6443

    UNIX: SERVER_URL=https://mycomp.com:6443

  2. To require authentication for your service, change the accepting authentication security provider on the Web service endpoint using the ProvidersManager tool. Some accepting authentication providers can also be configured as the default for all Web service endpoints that do not explicitly declare their own authentication requirements.

  3. Run the ProvidersManager tool. To do so:

    • From the WASP_HOME/bin directory, run:

      ProvidersManager -t https://mycomp.com:6443 -b /demo/basic/HelloService -a HttpBasic

      Note that mycomp.com is a fully qualified computer name; you cannot use localhost here. The Hello World service now requires HttpBasic authentication. You must modify the run script to include security_providers_client.jar.

    • Run:

      run run_client

      This returns an exception signalling an authentication failure. Now create a user with a password property.

    • Run:

      UserStoreTool -t https://mycomp.com:6443 -a myuser -p password -v mypassword

      Now edit the line that runs the client in the run script. It must contain the Java properties that carry the authentication parameters.

    • Add the following parameters right after the java command:

      -Dwasp.username=myuser -Dwasp.password=mypassword
      -Dwasp.securityMechanism=HttpBasic
      -Djava.security.auth.login.config=%WASP_HOME%\conf\jaas.config

    • To see that it works, run the script again as follows:

      run run_client

  4. If your service contacts another Web service, you can also configure the initiating security provider (see Providers Manager) for the Web service endpoint. This step ensures that the first service authenticates itself to the second. You must also associate an identity with the Web service; this identity proves who the service is for both incoming and outgoing communication. The service authenticates itself to a client when receiving an incoming request, as configured in the WS-Security security provider by default. You can use the WSO2 SOA Enablement Server Administration Console to associate an identity with a Web service.

    Note that this is not the case for our Hello World demo.

  5. It is also possible to enforce authorization checks on the clients invoking your Web services. The server then checks whether the invoking client has the WSInvokePermission for the particular Web service endpoint method, according to the operation described in the WSDL file. The WSO2 SOA Enablement Server Administration Console can also be used to turn authorization requirements on or off.

Note

This step works only if the WSO2 SOA Enablement Server Access Controller has been installed. See Access Controller for more details.

  1. Open the WSO2 SOA Enablement Server management console (usually located at http://localhost:6060) in a browser.

  2. Click on the Web Services tab.

  3. Click the /demo/basic/HelloService link on the left side inside the Runtime subtab.

  4. Click the Service Endpoint Security button.

  5. Check the Authorization checkbox and save the changes.

  6. Run the client again by issuing the command run run_client.

The client fails with an error message indicating "insufficient privileges".

Now assign "myuser" invocation privileges for the hello method of the /demo/basic/HelloService endpoint.

  1. Open the WSO2 SOA Enablement Server management console in a browser.

  2. Click on the Web Services tab.

  3. Click the /demo/basic/HelloService link on the left side inside the Runtime subtab.

  4. Identify and click the Set Endpoint ACL button.

  5. Click on the Set ACL link in the row of the hello operation.

  6. Click the grant link in the row of "myuser".

  7. Run the client again by issuing the command run run_client.
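As an added check that is not part of this how-to, the following script probes the hardened endpoint from the client side: an anonymous SOAP call must now be rejected, and only myuser (once granted) must get through. It assumes the SERVER_URL and endpoint used above, a hypothetical server.pem holding the server certificate exported for the client trust store, and a constructed SOAP envelope for the hello operation.

```shell
#!/bin/sh
# Added verification script (not part of the WSO2 SOA Enablement Server docs):
# confirms from the client side that the endpoint rejects anonymous callers
# and only admits the configured user. Assumed: SERVER_URL as set in the run
# script, server.pem = server certificate for the client's trust store, and a
# constructed SOAP envelope for the demo's hello operation.
SERVER_URL="${SERVER_URL:-https://mycomp.com:6443}"
ENDPOINT="/demo/basic/HelloService"
CACERT="${CACERT:-server.pem}"

# Pure function: classify one HTTP status + response body. Kept free of I/O so
# the verdict logic can be checked without a running server.
classify_response() {
  status="$1"; body="$2"
  case "$body" in
    *"insufficient privileges"*) echo forbidden; return ;;  # Access Controller denied the call
  esac
  case "$status" in
    401) echo unauthenticated ;;                  # HttpBasic provider asked for credentials
    200) case "$body" in *Fault*) echo fault ;; *) echo ok ;; esac ;;
    *)   echo "http-$status" ;;
  esac
}

# probe [user:password]: POST one SOAP request, with or without Basic auth.
# Note: like -Dwasp.password in the run script, credentials given on the
# command line show up in the process list; outside a lab prefer curl --netrc.
probe() {
  tmp=$(mktemp)
  status=$(printf '%s' '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body><hello/></soapenv:Body></soapenv:Envelope>' \
    | curl -s -o "$tmp" -w '%{http_code}' --cacert "$CACERT" ${1:+-u "$1"} \
        -H 'Content-Type: text/xml' -H 'SOAPAction: ""' --data-binary @- \
        "$SERVER_URL$ENDPOINT")
  classify_response "$status" "$(cat "$tmp")"
  rm -f "$tmp"
}

# Expected after the how-to: anonymous -> unauthenticated; myuser -> ok
# (or forbidden while the ACL grant from the last procedure is still missing).
check_hardening() {
  anon=$(probe ""); authed=$(probe "myuser:mypassword")
  [ "$anon" = unauthenticated ] || { echo "FAIL anonymous call: $anon"; return 1; }
  case "$authed" in
    ok)        echo "PASS: authenticated call accepted" ;;
    forbidden) echo "PASS: authentication enforced; ACL grant for myuser still missing" ;;
    *)         echo "FAIL authenticated call: $authed"; return 1 ;;
  esac
}
if [ "${1:-}" = "--check" ]; then check_hardening; fi
```

Run it with `--check` after each procedure: it should report a FAIL before step 3, PASS with the missing-grant note after the Authorization checkbox is enabled, and a plain PASS once the ACL grant is in place.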