Secure Web service using ESB as Integration Layer
Security is critical to web services. Authentication and authorization are key aspects of any software system. Security is even more important for web services because
most businesses expect to perform their transactions over the internet, and those transactions occur from program to program rather than through human consumption (from human to program).
As more and more business functions are exposed as Web services, the sheer number of participants in a Web services environment will be larger than what we have seen in other environments.
In an SOA environment many services are integrated to provide aggregated functionality, so those services must always authenticate and authorize the user. Users have different levels of access (roles), and that data is stored as a policy in a file. When the system receives a user request for a particular function, it checks the request against the policy file; this is authorization.
The system must also establish the user's identity before the authorization process, i.e. determine whether the request comes from a human or is an impersonal (program-to-program) request.
In an SOA environment, which is most often realized using web services, UsernameToken and HTTP Basic authentication can be used to authenticate users.
WS-Security provides several standard security techniques:
1. UsernameToken
2. X.509 signature based authentication
3. Kerberos token based authentication
Here I use the simplest one, the UsernameToken method.
Now I am going to create a secure proxy service to protect my OrderProcessing web service, which is already deployed on the Axis2 server.
1. Add a new pass-through proxy and specify the endpoint of the running service as its target. The target endpoint is the URI of your Axis2 service.
First start the Axis2 server:
[axis2Home]/bin$ sh axis2server.sh
2. Then go to the services list; the OrderProcessingProxy service is displayed as unsecured.
Click on the service you want to secure.
Click "Security" in the "Quality of Service Configuration" panel. This redirects to the page where you can enable username/password security for that specific web service.
3. Select UsernameToken under the basic scenarios.
4. Then select the user group that is allowed to access the service.
The WSO2 ESB admin console now displays the service as secured, and the service can only be invoked through its https:// endpoint.
5. Now we can test the secured web service with a client. I used SOAP UI as the sample client and created a SOAP project from the OrderProcessingService WSDL.
When invoking the service the client must supply a username and password. Since I chose the admin user group, I used the default credentials username: admin, password: admin to access my secured web service.
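To make concrete what the UsernameToken scenario exchanges, here is an added example (my own code, not the WSO2 ESB or Axis2 implementation) that builds the wsse:Security header a client such as SOAP UI sends and shows the checks the secured proxy side must perform on it. It assumes the PasswordDigest variant from the OASIS UsernameToken Profile (Base64(SHA-1(nonce + created + password))) rather than the plaintext password the basic scenario sends over HTTPS, and the admin/admin user store is a constructed stand-in for the ESB's user group.

```python
import base64
import calendar
import hashlib
import hmac
import secrets
import time
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
FMT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # UsernameToken Profile: Base64(SHA-1(nonce + created + password)), nonce as raw bytes
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

def build_security_header(user: str, password: str, nonce: bytes = None, created: str = None) -> str:
    # Client side: the wsse:Security header placed in the SOAP envelope (nonce/created are fresh per message)
    nonce = nonce or secrets.token_bytes(16)
    created = created or time.strftime(FMT, time.gmtime())
    return (
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
        f'<wsse:Username>{escape(user)}</wsse:Username>'
        f'<wsse:Password Type="{DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{B64}">{base64.b64encode(nonce).decode()}</wsse:Nonce>'
        f'<wsu:Created>{created}</wsu:Created></wsse:UsernameToken></wsse:Security>'
    )

def verify_security_header(header_xml, user_store, seen_nonces, now=None, max_age=300) -> bool:
    # Server side: what the secured proxy must check before forwarding to the backend service
    tok = ET.fromstring(header_xml).find(f"{{{WSSE}}}UsernameToken")
    if tok is None:
        return False
    user, pwd = tok.findtext(f"{{{WSSE}}}Username"), tok.find(f"{{{WSSE}}}Password")
    nonce_b64, created = tok.findtext(f"{{{WSSE}}}Nonce"), tok.findtext(f"{{{WSU}}}Created")
    # reject incomplete or plaintext-password tokens and unknown users
    if pwd is None or pwd.get("Type") != DIGEST or not (nonce_b64 and created) or user not in user_store:
        return False
    created_ts = calendar.timegm(time.strptime(created, FMT))
    nonce = base64.b64decode(nonce_b64)
    now = time.time() if now is None else now
    # a stale or future-dated Created, or a nonce seen before (replayed message), is rejected
    if abs(now - created_ts) > max_age or nonce in seen_nonces:
        return False
    if not hmac.compare_digest(pwd.text or "", password_digest(nonce, created, user_store[user])):
        return False
    seen_nonces.add(nonce)
    return True
```

The user store here holds the password in clear only to keep the demo short; the digest check needs the password itself, which is one reason the ESB keeps the user store behind its own interface rather than exposing it to the proxy.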