In this post we are going to see how to secure a web service with HTTP Basic authentication in WebLogic. We will build on a previous project in which we created a very basic WS: Hello World.

In Security Realm > MyRealm we have to:

  • Create a user: user/12345678
  • Create a group: TutorialUser
  • Add the user to the group

This is done in the WebLogic console, as shown in the picture:

Managing users and groups

In web.xml we have to add the required security configuration (protected path, BASIC auth type, ...):

    <!--
    SECURITY
    -->
    <security-constraint>
        <display-name>Regla01</display-name>
        <web-resource-collection>
            <web-resource-name>WSPOST</web-resource-name>
            <description/>
            <url-pattern>/*</url-pattern>
            <!-- Only POST is listed, so only POST requests require authentication -->
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <!-- Application role allowed to call the service -->
            <role-name>TutorialUser</role-name>
        </auth-constraint>
    </security-constraint>
    <session-config>
        <session-timeout>5</session-timeout>
    </session-config>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>myrealm</realm-name>
    </login-config>
    <security-role>
        <description/>
        <role-name>TutorialUser</role-name>
    </security-role>
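
An added example, not part of the original post: a small Python check that parses a web.xml and reports a role-name that is not a direct child of auth-constraint, a role without a matching security-role, a constraint limited to specific HTTP methods, and BASIC auth without a CONFIDENTIAL transport guarantee. The function names and the sample descriptor are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the descriptor from this post with the elements nested correctly.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WSPOST</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>TutorialUser</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>TutorialUser</role-name></security-role>
</web-app>"""

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def texts(node, path):
    """Text of descendants reached by a '/'-separated chain of local names."""
    nodes = [node]
    for name in path.split("/"):
        nodes = [c for n in nodes for c in n if local(c.tag) == name]
    return [(n.text or "").strip() for n in nodes]

def audit(web_xml):
    """Return a list of findings for the security section of a web.xml string."""
    root = ET.fromstring(web_xml)
    findings = []
    declared = set(texts(root, "security-role/role-name"))
    basic = "BASIC" in texts(root, "login-config/auth-method")
    for sc in (c for c in root if local(c.tag) == "security-constraint"):
        roles = texts(sc, "auth-constraint/role-name")
        if not roles:
            findings.append("no role-name found directly under auth-constraint")
        for role in roles:
            if role not in declared:
                findings.append(f"role {role} has no matching security-role")
        methods = texts(sc, "web-resource-collection/http-method")
        if methods:
            findings.append("only " + ",".join(methods) + " is constrained; other methods are not covered")
        if basic and "CONFIDENTIAL" not in texts(sc, "user-data-constraint/transport-guarantee"):
            findings.append("BASIC auth without transport-guarantee CONFIDENTIAL")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_WEB_XML)))
```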

In weblogic.xml, map the application role to the WebLogic group created above (this mapping is mandatory):

    <wls:security-role-assignment>
        <wls:role-name>TutorialUser</wls:role-name>
        <wls:principal-name>TutorialUser</wls:principal-name>
    </wls:security-role-assignment>

We can test with SoapUI by creating a new WS project with the WSDL address (http://localhost:7001/wsc/HelloService?WSDL) and the WebLogic credentials created earlier:

SoapUI Test

3 thoughts on “JAX-WS: Container level security on Weblogic”

  1. Good Post.. I have a question on your web.xml

    Why do you have role-name enclosed within a description tag?

    TutorialUser

    Shouldn’t it be like this:

    TutorialUser

    ???

    Please explain..

    thanks,
    Rex

  2. I tried your example.. but when I run the test thru SoapUI I get “10.4.4 403 Forbidden” error.
    Can you please explain your method in detailed steps?

    thanks,
    Rex
