- Understand Implementing webservice in Websphere Message Broker
- Understand web service security concept
- Understand using LDAP server/client
By default, when we create and publish a web service, it can be accessed publicly. Sometimes a service must be accessed privately, so that only certain users can reach it, and we also want it to be more secure, with higher integrity and more confidentiality. There are several types of web service security implementation:
- authentication, implemented using user name and password
- authorization, implemented in user group in user information repository such as user group in LDAP
- integrity, implemented using digital signature
- confidentiality, implemented using encryption
In this article we will focus on implementing web service security for authentication and authorization. The scenario is explained below.
Suppose I have two users in my user directory (user01 and user02). Both users have the same password, `testpw`. I have a group named `permitted`; user01 is a member of this group, but user02 is not. I store all the user information in LDAP (IBM Tivoli Directory Server). I develop BookOrderService; this service can only be accessed by users registered in my LDAP who are also members of the permitted group.
- authentication: can be accessed by registered user.
- authorization: must be member of permitted group.
So, when a service consumer invokes the BookService, the SOAP header must contain the username and password:
```xml
<soapenv:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken>
      <wsse:Username xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="unt_907818524">user01</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">testpw</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>
</soapenv:Header>
```
All of the above can be implemented in WebSphere Message Broker using a policy set, a policy set binding, and a security profile. First we define the set of security mechanisms to implement, such as username/password, digital signature, and encryption, in a policy set. After that we create a policy set binding for that policy set; the binding attaches the policy set to the message broker and to the service implementation. With a policy set, policy set binding and security profile, we do not need to implement authentication and authorization logic in our web service, because the broker does it for us. We can also reuse the same security settings by binding them to a new service implementation.
Now, let's try to implement service authentication and authorization in WebSphere Message Broker. I use:
- WebSphere Message Broker (WMB), WebSphere Message Broker Toolkit, and WebSphere MQ. I use version 7 for all of these WebSphere products.
- LDAP: I use IBM Tivoli Directory Server, installed in my VMware.
- LDAP client: I use Apache Directory Studio.
Create the LDAP users and group as shown in the picture above:
I use the AddressBook sample for our web service implementation. You can add and deploy the project in your WMB toolkit by clicking Import and deploy the sample in WebSphere Message Broker Version 7 > Product overview > Samples > Technology Samples > Web services. Then open the mqsi command console and execute the commands below.
Create the security profile, named `LDAP`:

```
mqsicreateconfigurableservice MB7BROKER -c SecurityProfiles -o LDAP -n authentication,authorization,propagation,authenticationConfig,authorizationConfig -v "LDAP,LDAP,TRUE,\"ldap://vmware:389/cn=users, cn=pot, O=IBM,C=US\",\"ldap://vmware:389/cn=permitted, cn=users, cn=pot, O=IBM,C=US\""
mqsireportproperties MB7BROKER -c SecurityProfiles -o LDAP -r
```
I host LDAP in my VMware. `ldap://vmware:389/cn=users, cn=pot, O=IBM,C=US` is used as the authentication URI, and `ldap://vmware:389/cn=permitted, cn=users, cn=pot, O=IBM,C=US` is used as the authorization URI, based on the permitted group.
Set the policy set named `fnerble`:

```
mqsicreateconfigurableservice MB7BROKER -c PolicySets -o fnerble
mqsichangeproperties MB7BROKER -c PolicySets -o fnerble -n ws-security -p "C:\Program Files\ibm\MQSI\7.0\classes\policy.xml"
mqsireportproperties MB7BROKER -c PolicySets -o fnerble -r
```
After that, set the policy set binding named `fnerbleBindings`:

```
mqsicreateconfigurableservice MB7BROKER -c PolicySetBindings -o fnerbleBindings
mqsichangeproperties MB7BROKER -c PolicySetBindings -o fnerbleBindings -n ws-security -p "C:\Program Files\ibm\MQSI\7.0\classes\bindings.xml"
mqsireportproperties MB7BROKER -c PolicySetBindings -o fnerbleBindings -r
```
Open Message Broker Explorer to view the security profile: click Brokers > right-click MB7BROKER > Properties > select Security > click Security Profiles > select LDAP. The LDAP security profile will be the same as the one we created with the commands above. After that, close the security profile window.
Click Policy Sets > expand the policy sets and select fnerbleBindings > set its associated policy set to fnerble. Close Message Broker Explorer and go back to the Message Broker Toolkit.
Click your project name in the Project Explorer, then create a new Broker Archive > click the BAR file you created before > select Manage > expand AddressBookProviderFlow.cmf > right-click SOAP Input > Configure.
- Set policy set : fnerble
- Set policy binding: fnerbleBindings
- Set security profile: LDAP
Deploy the BAR file to the broker.
Open AddressBookProviderFlow, right-click SOAP Input > Test.
Open the Configuration tab > select "I will deploy the specified broker archive manually" > browse to the BAR file.
When a service consumer wants to consume the service, the broker will check the username and password, so you must add the user/password data in your SOAP header.
Come back to the Events tab and add the username/password security header to the SOAP header:
```xml
<soapenv:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken>
      <wsse:Username xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="unt_907818524">username</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">pass</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>
</soapenv:Header>
```
- Set username: user01, password: testpwx. An error occurs, because the user is not authenticated.
- Set username: user01, password: testpw. The message returns without any error: the user is authenticated and authorized.
- Set username: user02, password: testpw. An error occurs, because the user is not authorized.
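The scenario from the start of the article (user01 and user02 sharing `testpw`, only user01 in `permitted`) and the three test outcomes above, reproduced in an added Python example that is not part of the original article and not Message Broker code. The directory is a constructed in-memory stand-in for the LDAP server, and `check_access` simulates the two checks the broker's LDAP security profile performs: authentication, then authorization by group membership.

```python
import hmac
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"

# Constructed stand-in for the article's LDAP directory: user01 and user02 share the
# password testpw; only user01 is a member of the "permitted" group.
DIRECTORY_USERS = {"user01": "testpw", "user02": "testpw"}
PERMITTED_GROUP = {"user01"}

def build_envelope(username, password, body="<getAddress/>"):
    """Build a SOAP 1.1 envelope carrying a WS-Security UsernameToken of type PasswordText."""
    # PasswordText sends the password in the clear inside the XML; the broker setup in the
    # article relies on the transport (e.g. TLS) to protect it on the wire.
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAPENV}">'
        f'<soapenv:Header><wsse:Security xmlns:wsse="{WSSE}"><wsse:UsernameToken>'
        f'<wsse:Username xmlns:wsu="{WSU}" wsu:Id="unt_1">{escape(username)}</wsse:Username>'
        f'<wsse:Password Type="{PASSWORD_TEXT}">{escape(password)}</wsse:Password>'
        f'</wsse:UsernameToken></wsse:Security></soapenv:Header>'
        f'<soapenv:Body>{body}</soapenv:Body></soapenv:Envelope>'
    )

def extract_username_token(envelope_xml):
    """Return (username, password) from wsse:UsernameToken; ValueError if absent or not PasswordText."""
    root = ET.fromstring(envelope_xml)
    token = root.find(f"{{{SOAPENV}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        raise ValueError("no wsse:UsernameToken in SOAP header")
    user = token.find(f"{{{WSSE}}}Username")
    pw = token.find(f"{{{WSSE}}}Password")
    if user is None or pw is None or pw.get("Type") != PASSWORD_TEXT:
        raise ValueError("UsernameToken is incomplete or not of type PasswordText")
    return user.text or "", pw.text or ""

def check_access(envelope_xml):
    """Mirror the broker's LDAP security profile: authenticate first, then authorize by group."""
    try:
        username, password = extract_username_token(envelope_xml)
    except (ValueError, ET.ParseError):
        return "not authenticated"          # no usable token: same result as a bad password
    stored = DIRECTORY_USERS.get(username)  # stand-in for the LDAP bind against the authentication URI
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return "not authenticated"
    if username not in PERMITTED_GROUP:     # stand-in for the group lookup at the authorization URI
        return "not authorized"
    return "authenticated and authorized"
```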