Configuring HTTP Basic Authentication
With basic HTTP authentication, the server asks the client to provide its credentials in an HTTP authorization header. The enforcement of the basic HTTP authentication request can be delegated to the servlet container or can be left to the Web Services Stack security module (that is, Rampart).
The Rampart security module only validates that basic HTTP authentication is used: it asserts that credentials are present in the HTTP header but does not authenticate them. To have the credentials actually authenticated, use the JAAS integration in Web Services Stack (see Configuring Client Authentication).
For this feature to work, Web Services Stack must run inside a servlet container or a server such as Integration Server. Rampart must be able to interact with the actual transport layer: it accesses the transport-level credentials and sends an authorization request if the basic HTTP authentication header is missing.
To validate basic HTTP authentication, Rampart must be informed that the service is secured by WS-SecurityPolicy. The following code sample denotes the basic HTTP authentication requirement:
<service name="ExampleService" ...>...
  <wsp:Policy
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
      xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      wsu:Id="user">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <sp:TransportToken>
              <wsp:Policy>
                <sp:HttpsToken>
                  <wsp:Policy>
                    <!-- Requires HTTP basic authentication; valid only inside sp:HttpsToken -->
                    <sp:HttpBasicAuthentication />
                  </wsp:Policy>
                </sp:HttpsToken>
              </wsp:Policy>
            </sp:TransportToken>
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:Basic256 />
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy>
                <sp:Lax />
              </wsp:Policy>
            </sp:Layout>
            <sp:IncludeTimestamp />
          </wsp:Policy>
        </sp:TransportBinding>...
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
</service>
The sp:HttpBasicAuthentication assertion can appear only inside an sp:HttpsToken assertion, which means that the server also requires the use of HTTPS transport. To use this feature, you must engage Rampart for your web service by adding these lines to the service descriptor in the services.xml file:
<service name="ExampleService" ...>...
  <module ref="rampart"/>
</service>
Add a policy that contains the sp:HttpBasicAuthentication assertion to your web service. Below is an example.
<service name="ExampleService" ...>...
  <sp:HttpsToken>
    <wsp:Policy>
      <sp:HttpBasicAuthentication />
    </wsp:Policy>
  </sp:HttpsToken>...
</service>
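The two descriptor requirements above (the sp:HttpBasicAuthentication assertion nested inside sp:HttpsToken, and the rampart module engaged for the service) can be checked mechanically before deployment. The following Python check is an added example, not part of the product or its documentation; the sample descriptor, the service names, the `audit` function and the finding labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SP = "{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}"
WSP = "{http://schemas.xmlsoap.org/ws/2004/09/policy}"

# Constructed sample descriptor (not from the product): three services.
SAMPLE = """
<serviceGroup xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
              xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <service name="Good">
    <module ref="rampart"/>
    <wsp:Policy><sp:TransportBinding><wsp:Policy><sp:TransportToken><wsp:Policy>
      <sp:HttpsToken><wsp:Policy><sp:HttpBasicAuthentication/></wsp:Policy></sp:HttpsToken>
    </wsp:Policy></sp:TransportToken></wsp:Policy></sp:TransportBinding></wsp:Policy>
  </service>
  <service name="NoRampart">
    <wsp:Policy><sp:HttpsToken><wsp:Policy>
      <sp:HttpBasicAuthentication/>
    </wsp:Policy></sp:HttpsToken></wsp:Policy>
  </service>
  <service name="Misplaced">
    <module ref="rampart"/>
    <wsp:Policy><sp:TransportToken><wsp:Policy>
      <sp:HttpBasicAuthentication/>
    </wsp:Policy></sp:TransportToken></wsp:Policy>
  </service>
</serviceGroup>
"""

def audit(descriptor_xml):
    """Map each service name to a list of findings (empty list = consistent)."""
    report = {}
    for svc in ET.fromstring(descriptor_xml).iter("service"):
        findings = []
        basic = list(svc.iter(SP + "HttpBasicAuthentication"))
        # Only the HttpsToken/Policy/HttpBasicAuthentication nesting is valid.
        nested = svc.findall(f".//{SP}HttpsToken/{WSP}Policy/{SP}HttpBasicAuthentication")
        if len(nested) < len(basic):
            findings.append("basic-auth-outside-https-token")
        # Without the rampart module nothing evaluates the assertion.
        if basic and not any(m.get("ref") == "rampart" for m in svc.findall("module")):
            findings.append("rampart-not-engaged")
        report[svc.get("name")] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings or "ok")
```

A clean report only confirms that the descriptor is consistent. Rampart asserts that credentials are present, so validating them still depends on the JAAS integration.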
To configure your web service client to use HTTP basic authentication, supply the HttpTransportProperties.Authenticator object in your client Java code, and specify a user name and a password. Set this configuration as an option of the web service client. Below is an example web service client implementation that uses HTTP basic authentication.
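// Create the client from the WSDL and the Web Services Stack repository.
IWSStaxClient client = (IWSStaxClient) WSClientFactory.newClient(
    WSClientConstants.STAX_WSCLIENT,
    "C:/ut_asym_xpath.wsdl", null, null,
    "C:/Software AG/WS-Stack/repository");

// Credentials to send in the HTTP authorization header.
HttpTransportProperties.Authenticator auth =
    new HttpTransportProperties.Authenticator();
auth.setUsername("wssuser");
auth.setPassword("password");
// Send the credentials with the first request instead of waiting for a challenge.
auth.setPreemptiveAuthentication(true);

// Set the authenticator as an option of the web service client.
IWSOptions options = client.getWSOptions();
options.setProperty(
    org.apache.axis2.transport.http.HTTPConstants.AUTHENTICATE, auth);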