Web Service Producer

eugene
Posted: Fri Jul 23, 2010 3:27 am Post subject: Web Service Producer
Novice
Joined: 02 Mar 2010 Posts: 18

Hello,
Here is my question: we have exposed some functionality from Message Broker as Web Services - a couple of methods. Everything works fine; now what we have to do next is provide User/Pass security for these Web Services. I looked all over the IBM documentation and could not find something valuable - there are documents, but none can really help me in a good way. I mean a clear and strong explanation. Can some of you suggest some main directions I should be looking into? I have killed myself looking into Policy Sets and Bindings - it created more confusion than answers.
Thank you!

Gaya3
Posted: Fri Jul 23, 2010 5:28 am Post subject: Re: Web Service Producer
Jedi
Joined: 12 Sep 2006 Posts: 2493 Location: Boston, US

eugene wrote:
now what we have to do next is provide User/Pass security for these Web Services. I looked all over the IBM documentation and could not find something valuable - there are documents, but none can really help me in a good way. I mean a clear and strong explanation. Can some of you suggest some main directions I should be looking into? I have killed myself looking into Policy Sets and Bindings - it created more confusion than answers.
Thank you!

Yes, search this forum; we have discussed this earlier. I'm sure you will get some information from here.
Then we will discuss it further.
http://www.mqseries.net/phpBB2/viewtopic.php?t=47347&highlight=http+userid

Regards
Gayathri
-----------------------------------------------
Do Something Before you Die

mqjeff
Posted: Fri Jul 23, 2010 5:37 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447

So usually the web service consumer needs to package a username and password into the web service request.
There are a few different ways this can be done.
Then the webservice producer needs to receive these credentials, and unpackage them.
The webservice producer then needs to *authenticate* those credentials against some credential store.
These are separate tasks, and can be handled in different ways in Broker.
You need to identify first which way the credentials are going to be packaged in the web service request.
Then you need to identify how the credentials are going to be authenticated and what the credential store is or will be.
Then you can go backwards from that and look at the Security Profiles and functions in Broker that can assist you.
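
The two tasks separated in the post above, sketched outside Broker as an added Python example (not code from this thread or from IBM): unpacking credentials from either an HTTP Basic header or a WS-Security UsernameToken with a plain-text password, then authenticating them against a store. The user name, password, salt and in-memory store are constructed for illustration.

```python
import base64, binascii, hashlib, hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
TOKEN = f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken/{{{WSSE}}}"

def from_basic_header(value):
    """Packaging 1: 'Authorization: Basic base64(user:password)'."""
    scheme, _, blob = (value or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        text = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = text.partition(":")  # password may contain ':'
    return (user, password) if sep and user else None

def from_username_token(envelope):
    """Packaging 2: WS-Security UsernameToken with a plain-text password."""
    try:  # use a hardened XML parser for untrusted input in a real service
        root = ET.fromstring(envelope)
    except ET.ParseError:
        return None
    user = root.findtext(TOKEN + "Username")
    password = root.findtext(TOKEN + "Password")
    return (user, password) if user and password is not None else None

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

# Constructed credential store: user -> (salt, PBKDF2 hash), never plain text.
STORE = {"svc_orders": (b"constructed-salt", _kdf("s3cret-example", b"constructed-salt"))}

def authenticate(creds, store=STORE):
    """Separate task: check unpacked credentials against the store."""
    if creds is None:
        return False
    user, password = creds
    salt, expected = store.get(user, (b"no-such-user", b""))
    # Hash even for unknown users and compare in constant time.
    return hmac.compare_digest(_kdf(password, salt), expected)

# Constructed sample requests carrying the same identity both ways.
BASIC_SAMPLE = "Basic " + base64.b64encode(b"svc_orders:s3cret-example").decode()
SOAP_SAMPLE = (f'<e:Envelope xmlns:e="{SOAP}" xmlns:w="{WSSE}"><e:Header><w:Security>'
               "<w:UsernameToken><w:Username>svc_orders</w:Username><w:Password>s3cret-example"
               "</w:Password></w:UsernameToken></w:Security></e:Header><e:Body/></e:Envelope>")
```

Both packagings shown here carry the password in recoverable form (base64 or plain text), so the transport needs TLS.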

Gaya3
Posted: Fri Jul 23, 2010 5:46 am Post subject:
Jedi
Joined: 12 Sep 2006 Posts: 2493 Location: Boston, US

Is this issue something different from SSL authentication? Seems like he has to use some repository for keeping the credentials.

Regards
Gayathri

eugene
Posted: Sat Jul 24, 2010 2:45 am Post subject:
Novice
Joined: 02 Mar 2010 Posts: 18

First, thank you for your responses.
So, from what I understand, in case I want to protect my Web Services with a user/pass - HTTP Basic Authentication - on the producer side I have to decode the value of the HttpRequestHeader.Authorization header, and on the consumer side I have to send the user/pass in base64 encoding.
Then of course on the producer side there has to be a store of user/passwords - either a database, LDAP, file - whatever, where I read the user and password combinations, check them... I think the idea is pretty easy here.
But in my opinion, this goes a bit "out of the broker". I mean this is not exactly what I had in mind.
What I wanted to do is not go beyond the SOAPInput node - so that all the checking of the user/pass would be done in the SOAPInput through some Policy Sets or Bindings, etc. To be even more clear, I would like to implement something like @RolesAllowed in Java, which for example in Glassfish is "easy money" and works great. I do understand the fact that the WMB still needs a store of some type for user/pass, but from what I read it is not that hard to create them.
What if I want to implement WS-Security Authentication through Policy Sets and Policy Bindings, is the authentication going to be performed in the SOAPInput node?
And the last question, really should have started with this one: Considering your level of experience in these questions, what in your opinion is the "best approach" in making a web service secured?
Thank you again,
Eugene.

mqjeff
Posted: Sat Jul 24, 2010 8:12 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447

You can use Security Profiles to handle HTTP Basic Auth, without having to explicitly code it yourself.
You can likewise use Security Profiles to handle WS-Security, without having to explicitly code it yourself.
This handling includes extraction of the identity from the inbound message, authentication of the inbound identity against a credential store, mapping to an alternate identity, authorization of an identity against function, and propagation of an identity.
Again, without doing anything in your code. I don't really know what @RolesAllowed does - I don't do enterprise java stuff, just enterprise stuff and java stuff - but the security profiles really should cover your needs.
And, yes, all of this will be performed at the SOAPInput node, before it gets to your code. The SOAPInput node specifically will handle all security exceptions and respond back to the consumer - other input nodes will allow you to decide if you want to handle security exceptions yourself.
As for "best approach" - "it depends on your requirements". If you're doing SOAP, you likely want to use WS-Security over HTTP Authorizations. But again, the best approach is the one that makes the most sense in your environment.

mqjeff
Posted: Sat Jul 24, 2010 8:15 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447

But again my point is, if you don't know whether you're using HTTP Basic Auth or WS-Security, and you don't know where you are storing users and passwords and defining security roles for those users and passwords...
There's very little use in fussing with Security Profiles yet.