How to Secure REST Style Web Services Invocations with WSO2 WSAS

Archived Content
This article is provided for historical perspective only, and may not reflect current conditions. Please refer to relevant product page for more up-to-date product information and resources.
  • By Ruchith Fernando
  • 18 Dec, 2007

Applies To

WSO2 WSAS/Java/2.0

Setting up the service

Let's use the "echo" sample service that comes with WSO2 WSAS.

First, you should try to invoke the Web service using the following REST like approach:

Download the WSO2 WSAS binary (.zip) distribution, extract it to a preferred location and start it with:

$ sh /your/wsas/home/bin/

or on Windows,


When WSAS has started, you will see the following:

Figure 1: WSO2 WSAS Started

The "echo" service is available by default with the WSAS distribution. To access it RESTfully , point your browser at:


You will see the following on your browser:

Figure 2: Echo service invoked

This shows how the "echoString" operation of the "echo" service can be accessed in a REST like manner using a simple HTTP GET.


Enable UsernameToken Authentication on the Web Service

You can easily enable UsernameToken authentication on a Web service using the WSAS administration console. First, login to the administration console (default username/password = admin/admin) and select the echo service.

Figure 3: WSO2 WSAS: Service Configuration

Note that the "echo" service can be accessed using both http and https transports. (Figure 3 : #1)

Now select the "Manage Security Configuration" (Figure 3: #2) option and select the "UsernameToken with Timestamp over HTTPS" option (option #1). When you continue on to the next step in the configuration wizard, you will be able to select a user or a group. Select a user that you have already created (WSAS Management Console -> Security -> User Management).

Figure 4: UsernameToken authentication configuration

Thats it! You have successfully enabled UsernameToken authentication on the "echo" service.

Now, when you select the "echo" service in the management console, you will see that the service can be accessed only through the HTTPS transport.

Point your web browser at:


Unlike before, now you will not be able to see a response right away! Instead WSAS enforces HTTP basic authentication on this GET request. Provide the user name and password for the user you selected and you will be able to see the response from the service like before.


Ruchith Fernando, Senior Software Engineer, WSO2 Inc. ruchith @ wso2