How to Secure REST Style Web Services Invocations with WSO2 WSAS
- Ruchith Fernando
- Software Engineer - WSO2
Applies To
WSO2 WSAS/Java/2.0
Setting up the service
Let's use the "echo" sample service that comes with WSO2 WSAS.
First, you should try to invoke the Web service using the following REST like approach:
Download the WSO2 WSAS binary (.zip) distribution, extract it to a preferred location and start it with:
$ sh /your/wsas/home/bin/wso2wsas.sh
or on Windows,
X:\your\wsas\home\bin\wso2wsas.bat
When WSAS has started, you will see the following:
Figure 1: WSO2 WSAS Started
The "echo" service is available by default with the WSAS distribution. To access it RESTfully , point your browser at:
https://localhost:9762/services/echo/echoString?in=WSO2WSASRocks!!!
You will see the following on your browser:
Figure 2: Echo service invoked
This shows how the "echoString" operation of the "echo" service can be accessed in a REST like manner using a simple HTTP GET.
Enable UsernameToken Authentication on the Web Service
You can easily enable UsernameToken authentication on a Web service using the WSAS administration console. First, login to the administration console (default username/password = admin/admin) and select the echo service.
Figure 3: WSO2 WSAS: Service Configuration
Note that the "echo" service can be accessed using both http and https transports. (Figure 3 : #1)
Now select the "Manage Security Configuration" (Figure 3: #2) option and select the "UsernameToken with Timestamp over HTTPS" option (option #1). When you continue on to the next step in the configuration wizard, you will be able to select a user or a group. Select a user that you have already created (WSAS Management Console -> Security -> User Management).
Figure 4: UsernameToken authentication configuration
Thats it! You have successfully enabled UsernameToken authentication on the "echo" service.
Now, when you select the "echo" service in the management console, you will see that the service can be accessed only through the HTTPS transport.
Point your web browser at:
https://localhost:9443/services/echo/echoString?in=WSO2WSASRocks!!!
Unlike before, now you will not be able to see a response right away! Instead WSAS enforces HTTP basic authentication on this GET request. Provide the user name and password for the user you selected and you will be able to see the response from the service like before.
Author
Ruchith Fernando, Senior Software Engineer, WSO2 Inc. ruchith @ wso2