Authorization in web services

Hi all,
I'm trying to understand security in web services and I've been
studying the web services security blueprints in GlassFish. But all the
samples work with authentication and message security (stock
samples).
My question is how to implement the authorization part in
web services: is there some way/sample to authorize a
specified role to execute some web service? I'm interested
in a declarative way.
I haven't found any way to specify this except in the EJB
security-constraints part. Maybe web services are just the entry
point and relay authorization and the real work to underlying
EJBs. Is that the right thing to do?
Thanks

Please provide me with a reply as this is an urgent situation.
Thanks in advance,
Geet
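
The declarative approach the question is asking about, as an added example that is not code from the original post or from the GlassFish blueprints: the JAX-WS endpoint is deployed as an EJB 3 stateless session bean, so the container compares the authenticated caller's roles with @RolesAllowed on each operation and rejects the call before any method body runs. The service, operation, role and group names and the in-memory account data are assumptions; the packages are the javax.* ones GlassFish uses for Java EE 5/6.

```java
package example.ws;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.jws.WebMethod;
import javax.jws.WebService;

/**
 * Added example (not from the original post). A JAX-WS endpoint deployed as an
 * EJB so that authorization is declarative: the container compares the
 * authenticated caller's roles with @RolesAllowed and rejects the call with
 * javax.ejb.EJBAccessException (seen by the SOAP client as a fault) before the
 * method body runs. Service, role and group names are assumptions.
 */
@Stateless
@WebService(serviceName = "AccountService")
@DeclareRoles({"accountant", "auditor"})
public class AccountServiceBean {

    // Gives access to the identity the container established for this call.
    @Resource
    private SessionContext ctx;

    // Constructed in-memory data so the example is self-contained; a real bean
    // would read this through JPA. Maps account ID -> balance, and
    // account ID -> the accountant allowed to work on it.
    private static final Map<String, Long> BALANCE_CENTS =
            new ConcurrentHashMap<>(Map.of("ACC-1", 10_000L, "ACC-2", 500L));
    private static final Map<String, String> ASSIGNED_ACCOUNTANT =
            new ConcurrentHashMap<>(Map.of("ACC-1", "alice", "ACC-2", "bob"));

    // No authorization at all: @PermitAll admits unauthenticated callers too,
    // so nothing sensitive belongs in a method marked this way.
    @WebMethod
    @PermitAll
    public String ping() {
        return "AccountService up";
    }

    // Either business role may call this operation (declarative check). Which
    // accounts a given accountant may see is a question about the data, so that
    // part is checked programmatically against the container's caller identity.
    @WebMethod
    @RolesAllowed({"accountant", "auditor"})
    public long getBalanceCents(String accountId) {
        Long balance = BALANCE_CENTS.get(accountId);
        if (balance == null) {
            throw new IllegalArgumentException("unknown account " + accountId);
        }
        String caller = ctx.getCallerPrincipal().getName();
        if (!ctx.isCallerInRole("auditor")
                && !caller.equals(ASSIGNED_ACCOUNTANT.get(accountId))) {
            throw new SecurityException(caller + " is not assigned to " + accountId);
        }
        return balance;
    }

    // Write access is restricted to accountants. An auditor who passed the
    // read check above gets an EJBAccessException here with the same identity.
    @WebMethod
    @RolesAllowed("accountant")
    public void transfer(String fromAccount, String toAccount, long cents) {
        if (cents <= 0) {
            throw new IllegalArgumentException("amount must be positive");
        }
        long available = getBalanceCents(fromAccount); // also runs the assignment check
        if (available < cents) {
            throw new IllegalStateException("insufficient funds in " + fromAccount);
        }
        if (!BALANCE_CENTS.containsKey(toAccount)) {
            throw new IllegalArgumentException("unknown account " + toAccount);
        }
        BALANCE_CENTS.put(fromAccount, available - cents);
        BALANCE_CENTS.merge(toAccount, cents, Long::sum);
    }
}

/* Role names are logical; GlassFish maps them to groups of the realm that
   authenticated the caller in META-INF/sun-ejb-jar.xml (group names assumed):

   <sun-ejb-jar>
     <security-role-mapping>
       <role-name>accountant</role-name>
       <group-name>finance-staff</group-name>
     </security-role-mapping>
     <security-role-mapping>
       <role-name>auditor</role-name>
       <group-name>internal-audit</group-name>
     </security-role-mapping>
   </sun-ejb-jar>
*/
```

Two caveats when trying this. First, @RolesAllowed only decides; it does not authenticate. The endpoint still needs an authentication mechanism (BASIC over HTTPS configured for the endpoint in the deployment descriptor, or a WS-Security UsernameToken through the message-security samples the question mentions), otherwise every caller is anonymous and every @RolesAllowed operation faults. Second, for a plain @WebService class deployed in a WAR rather than as an EJB, the portable declarative mechanism is a <security-constraint> with <auth-constraint> in web.xml, which is scoped to a URL pattern and therefore to the whole endpoint, not to individual operations.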

Similar Messages

  • How can I authenticate and authorize with Web Service on ESB ?

    Hello,
    I want to authenticate and authorize clients with a Web Service published
    by the HTTP/SOAP BC.
    Simply, if it were a Web Service as a J2EE application, I would use
    Basic Authentication with JAX-RPC and a Realm.
    But I think a Web Service published by the HTTP/SOAP BC does not belong
    to a J2EE application. There is no place to describe security role mapping
    (like web.xml).
    JBI 1.0, section "5.5.1.1.3 Normalized Message Properties", says that a
    JAAS Subject is given in the NM properties. Indeed, the package
    com.sun.jbi.internal.security.*
    implements JAAS authentication and authorization (in JaasAuthenticator).
    But I can't see how to configure my Service to use this.
    How can I authenticate and authorize with Web Service on ESB ?
    I referred to the resources.
    Mutual Authentication for Web Services: A Live Example
    http://developers.sun.com/prodtech/appserver/reference/techart/mutual_auth.html
    XML and Web Services Security
    http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security7.html
    JAAS Authentication Tutorial
    http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/tutorials/GeneralAcnOnly.html
    Thanks,
    Takurou
    - environment ---------------------------------------------
    OpenESB : Project Open ESB Starter Kit
    AppServer : Sun Java Systems Application Server 9.0 PE
    OS : Windows XP
    I don't plan to use SSL (if it's necessary I will try).
    User information is stored in an LDAP Server.
    -----------------------------------------------------------

    Hello,
    I read this resource.
    SecurityDesign
    http://www.glassfishwiki.org/jbiwiki/Wiki.jsp?page=SecurityDesign
    Then I think securing by basic authentication [non-SSL, SSL/TLS and so on] is an ongoing feature at this time.
    But I can't see clearly why this page mentions 'HTTP over SSL, TLS'.
    HTTP/SOAP Binding Component Overview
    http://download.java.net/general/open-esb/docs/jbi-components/httpsoap-bc.html
    Does the BC support only "SSL server authentication"?
    Doesn't the BC support "SSL client authentication" by username/password?
    Thanks,
    Takurou

  • Authorization and Web Services

    Hello guys,
    I've posted this question on the Identity Management forum, but since I had no answer I'm trying here (since this forum takes questions about OWSM).
    I'm taking part in a mission to advise on how to protect Web Services with OWSM.
    The authorization to execute a Web Service will be provisioned by the IAM Suite (OIM/OAM/OID etc.).
    But before getting into the technical details I'm hoping to find a Best Practices guide for approaches on how to determine/map WHO is authorized to execute which Web Service.
    Since SOA promotes a heterogeneous environment where a Web Service can (and should) be reused by other processes, and even other Web Services, I don't see clearly what drives these rules.
    For example, should the authorization rules be based on:
    a) User vs Web Services ?
    b) User Role vs Web Services ?
    c) Apps (or Business Process) vs Web Services ?
    d) All users are authorized to execute all Web Services as long as they are authenticated ?
    e) Something else?
    Thanks for an insight or any direction to papers about this subject.
    Adriano.
    Edited by: user11994311 on 1 oct. 2012 01:08

    You can find more information on this blog.
    https://blogs.oracle.com/owsm/
    I would recommend going through what OWSM can provide; then you can decide what you want.
    https://blogs.oracle.com/owsm/entry/owsm_concepts_11g
    Thanks,
    Vijay

  • Web Services Manager Control, SOA Suite, Retrieving Roles from OID

    I am a bit confused about the mapping of groups and privileges when it comes to the LDAP (in my case Oracle Internet Directory, OID) and the groups defined by Web Services Manager Control.
    I am using Web Services Manager Control -> Manage Policies to define a gateway (or agent) for my web services. Through
    Policy Management > Manage Policies > Policies > Policy
    I have also defined some pipeline steps which require authorization by an LDAP provider (OID).
    I need two things:
    - First, I have these roles and groups here in Web Services Manager:
    Administration > Groups / Roles
    Group Name   Role Name
    su1-grp      Super User
    da1-grp      Domain Administrator
    ca1-grp      Component Administrator
    ca2-grp      Component Administrator
    which can be set for viewing and modifying web services. What is the relation between these groups and the user groups in Oracle Internet Directory which I authorize against?
    - Second, my web services are invoked from pages whose access involves authentication and authorization against OID. I need the username/password to be propagated to the web service automatically. If the web service is presented as a button on such pages, for example, I don't want the user to be forced to enter a username/password for each call to the services.
    I appreciate any comments or reference to books and documents.
    Thank you in advance.
    Best Regards,
    Farbod

    Hi Farbod
    Your problem is not new and I have posted in a couple of other threads before.
    Roles in OID are for you to authorize the web service message itself. In your case, when the user logs in to your web application and calls the web service, you have to do the following:
    a) Extract credentials
    b) Authenticate against LDAP
    c) Perform authorization against LDAP
    Now the tricky part is, you have to have the same username and password. You have to capture and store them in the session (ugly, ugly from a security point of view) and then, when you call the web service, you invoke it with the username and password.
    There are other, better options available but they might require additional work or infrastructure.
    If your web application is protected by Oracle Access Manager or SiteMinder, you can pass those cookies.
    The next option is using SAML. You can generate a SAML token on behalf of the user and attach the SAML token to the web service message. In OWSM you then configure it to validate the SAML token, and then you have to write a custom step to extract the user name and perform any authorization.
    Since you have to write a custom step anyway, a third option is to send an encrypted cookie (your web application can create an encrypted login session cookie after the user signs in). In OWSM you can write a custom step to decrypt the cookie and then perform any validation.
    You have the easiest option of sending the same username and password, with a security risk, or a custom development approach.
    Thanks
    Ram

  • SSRS web services 401 if you pass "Authorization" http header

    We use both SSRS 2008 R2 and 2012. When I access a report using URL access (direct SSRS server hit) and add an "Authorization: Bearer xyzelkalklsjsdfalsjdf" HTTP header, I get a 401 from somewhere in the request pipeline. I have a custom HttpModule registered at the top of the chain which does some OAuth-related security checks. But when this header is included, the request never reaches the HttpModule. If I change the header slightly, e.g. "YAuthorization: ljlxzcvc..", then the request reaches the HttpModule and everything works. So obviously SSRS is looking for a particular header named "Authorization" and does something with it. Point to note: we have implemented a custom forms authentication module and we are doing some rich authorization using the extensible SSRS API.
    Now my questions are:
    1. What is happening here? Who is acting on my request before my HttpModule, registered on top in ssrs\reporting service\web.config, gets it?
    2. How do I ensure my HttpModule executes before whatever component is terminating my request with a 401?

    Sorry if this sounds like I am new to this but I am.
    So, the extended version is the format that would be used if you were not utilizing the files that the wsdl2java function creates?
    And this is done when you want more flexibility for the user to call your service?
    So, you would push to have the stub files used when you want to control how the web service is used?
    thanks for the feedback.

  • Error in Web Service when accesing in portal SRT: Authorization denied

    Hello Experts,
    I have created a web service in development and created an endpoint in SOAMANAGER; through the portal I am able to access the web service. Then I transported that web service to quality and again created an endpoint in SOAMANAGER, but when I access it through the link created via the WSDL in the portal, I get the error SRT: Authorization denied. I have also given SAP_ALL authorization to the user. Can anybody help me find a solution?
    Thanks & Regards,
    Taran

    Please help me on this

  • Web services Authorization in CE 7.1 EHP 1

    Hi All,
    We are looking for information on the below mentioned with respect to CE 7.1 EHP 1 pack level.
    1. Web service for adding, updating, deleting and displaying data from ABAP table.
    2. Authorization to be implemented in Web Dynpro Java for 2 types of users: one with add/update/delete features and the other with only a display feature. (Use of Actions here.)
    Thanks for your help.
    Regards,
    Shailesh

    done

  • Authorizations for testing of ABAP Web Services

    Can somebody tell me which authorizations/roles I need to assign to a user on SAP WAS 6.40 ABAP so that he will be able to test a simple ABAP Web Service with the Java Service home page of this service?
    I tried this with the roles SAP_BC_DWB_ABAPDEVELOPER and SAP_BC_WEBSERVICE_ADMIN but this seems not to be enough, and I could not find a hint on how I could find out what is going wrong.
    The user gets an error message at the top of the service home page when he submits the service request:
    "An error has occurred. Maybe the request is not accepted by the server:
    Authority check failed"
    The service is configured with standard authentication. On the service test page the user gets a login screen which he passes successfully. The error occurs afterwards when the service test is executed.
    Many thanks!
    Best regards, Birgit

    Hi,
    1. Log on to the SAP system with user XXX.
    2. Do your steps to call the web service from the Java Service home page - use the same user ID to log on.
    3. As soon as you see the error message you mentioned,
    run transaction SU53 in the target SAP system. This should tell you the authority object where the failure happened.
    Hope this helps.
    Regards
    Raja

  • How to handle exeptions and authorization management in WEB SERVICES

    Hi all,
    Please send some documents or links on handling exceptions in web services and Authorization management also.
    Useful will be rewarded.
    Regards
    Neslin.

    I suggest consulting the documentation at help.sap.com; use the search function on the left or make your question more specific.
    regards, anton

  • Authorization error while consuming web service in SOAP UI

    Hi,
    I am an ABAPer and do not have much knowledge about SOAMANAGER configuration.
    I have created a Web service and configured it using SOAMANAGER. I am trying to consume same web service using SOAP UI.
    But, I am getting an error HTTP-401 unauthorized.
    For authentication, I have selected the "Transport level - User ID/Password" checkbox.
    What else do I have to configure? Please let me know.
    Error log:
    Login failed
    What happened?
    calling the URL <URL>.
    The application was running in the system <System>. Here, no credentials were provided.
    What can you do?
    If you still have a user ID , contact your system administrator.
    HTTP 401 - Unauthorized
    Your SAP Internet Communication Framework Team
    Regards,
    Sneha

    Hi Sneha,
    In SOAP UI, after importing the WSDL, drill down to Request1, select it and go to the Request properties.
    Set the following:
    1. Authentication Type = Preemptive
    2. Give the username
    3. Give the password
    and send the message.
    Regards,
    Mastan
    Message was edited by: mastan vali

  • Authorization error while testing Web Service in SOAP UI

    Hello All,
    When I am trying to test my web service in SOAP UI I am getting the following error.
      <faultstring xml:lang="e">Authority check failed</faultstring>
      </soap-env:Fault>
    I am also providing the user ID and password of my server. We are using an ECC 6.0 server. Please let me know what needs to be checked.
    Kumar.

    Hi Kumar
    Check with this thread for Authority check failed
    Web Service Homepage: Authority check failed
    Regards
    Abhishek

  • Authorization error calling a XI web service from Web Dynpro

    Hi all,
    I'm trying to communicate with XI from a Web Dynpro application but I get an Unauthorized error (401).
    I've generated a WSDL in XI and imported it into Web Dynpro as a new Model. But when I call the web service, the exception "Service call exception; nested exception is: com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized." appears.
    I don't know how to pass the right user and password from Web Dynpro; I've tried the web service from SOAP client tools and it works fine.
    I'll appreciate any help.
    Regards,
    Diego.

    Hello, my name is Luis,
    Believing that you are Spanish, I'm writing to you in that language.
    I saw that you also got a 401 authentication error and that you fixed it, but the solution you were given doesn't work for me: I implemented the code they offered you to fix it and now I get a "Server Error" when I enter the XI user and password.
      Request_MI_outTurnoverDetailsDisplay_MI_outTurnoverDetailsDisplay req = new Request_MI_outTurnoverDetailsDisplay_MI_outTurnoverDetailsDisplay();
      wdContext.nodeRequest_MI_outTurnoverDetailsDisplay_MI_outTurnoverDetailsDisplay().bind(req);
      req._setUser("username");
      req._setPassword("password");
    I don't know whether that user and password are different ones.
    If you could help me, I would be grateful.
    Regards, Luis

  • Web Service SOAP Sender Authorization

    Hi all
    I have been implementing a Web Service (SOAP Sender CC) that should be consumed by an external party. I have been testing it successfully using XMLSpy, with the drawback of the authentication box coming up even though I have added sap-user and sap-password to the URL as follows:
    http://<host>:50000/XISOAPAdapter/MessageServlet?channel=:SOAP_Service:CC_SOAP_Sender&sap-user=<name>&sap-password=<pass>
    The user that I have created for this has the profile SAP_XI_APPL_SERV_USER assigned. The request is successfully executed when I enter <name> and <pass> in the box. My understanding would be that the box does not show up if the login parameters are provided in the URL. Do I have to make any additional settings so that the login information is taken from the URL parameters automatically instead of bringing up the authorization box?
    My CC settings are as following:
    Adapter Type: SOAP (SAP BASIS 7.00)
    Sender
    Transport Protocol: HTTP
    Message Protocol: SOAP 1.1
    Adapter Engine: Integration Server
    HTTP Security Level: HTTP
    Conversion Parameters: Keep Headers
    Quality of Service: Best Effort
    Any feedback would be appreciated.
    Thank you,
    Daniel

    Hello Daniel,
    1. You can add the username and password to the SOAP URL and expose your XI interface as a web service. Just note that the URL is different from the one you are using, and you do not need a Sender SOAP adapter but the blog I have listed above.
    2. You can turn off Basic authentication on Sender SOAP adapters, but it is not recommended as it would turn off all authentication for SOAP scenarios and can lead to security risks.
    I have seen a few forum threads describing how to turn off Basic authentication for SOAP adapters, but from what I have heard from SAP, they do not recommend using this option.
    Regards
    Bhavesh

  • Web Service client authorization error: HTTP status 401

    .NETters,
    My .NET client program is invoking a simple "Hello World" Web Service written in ABAP. Here is the code:
      Z_HWWSDServiceWse svc = new Z_HWWSDServiceWse();
      try {
        string msg = svc.ZHelloworld();
        Console.WriteLine(msg);
      } catch (Exception e) {
        Console.WriteLine(e.Message);
      }
    The code uses the WSE 2.0 framework.
    This code works if I edit the properties on WSD service using transaction SICF and specify anonymous login options. However, I would like to pass the user token from the client program itself.
    So I removed anonymous login options and supplied the required information programmatically.
      UsernameToken ut = new UsernameToken("pradeep", "password", PasswordOption.SendPlainText);
      svc.RequestSoapContext.Security.Tokens.Add(ut);
    However, when I run this code, I get an error: "The request failed with HTTP status 401: Unauthorized"
    I then tried supplementing this code with network credentials logic:
      System.Net.CredentialCache cc = new System.Net.CredentialCache();
      cc.Add(new Uri("http://servermachname"), "Basic", new System.Net.NetworkCredential("pradeep", "password", null));
      svc.Credentials = cc;
    The problem still doesn't go away :-(.
    Does anyone have any idea on what is it that I am missing in my code?
    Thank you in advance for your help.
    Pradeep

    In my tests with a normal .NET WS client, something like the following always worked:
      WSProxy proxy = new WSProxy();
      proxy.Credentials = new System.Net.NetworkCredential("user", "password");
      proxy.PreAuthenticate = true;
      proxy.CallMethod();
    As your code is very similar, it may be a compatibility problem between WSE and WAS. I would recommend that you use a network sniffer and look at what really goes over the wire.
    I have also seen an issue where the settings in SICF were somehow corrupted (e.g. the fixed credentials checkbox was on, but no credentials were specified). The solution was just to "reset" the settings in SICF.
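
    The difference between the two client behaviours that come up in this thread and in Mastan's SOAP UI answer further up ("Authentication Type = Preemptive", and here "proxy.PreAuthenticate = true"), shown as an added example that is not code from any of the posts: a reactive client waits for the server's 401 challenge before sending credentials, a preemptive client puts the Authorization header on the first request. The endpoint URL, the SOAPAction and the envelope are assumptions; the header construction is the standard one from the HTTP Basic scheme. The same point applies to Daniel's sap-user/sap-password query parameters above: the header is where credentials belong, the query string ends up in access and proxy logs.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.PasswordAuthentication;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Added example, not code from any of the posts above. Sends a SOAP request
 * with HTTP Basic credentials either preemptively (header on the first request,
 * what SOAP UI's "Preemptive" setting and .NET's PreAuthenticate = true do) or
 * reactively (wait for the 401 challenge, what java.net.Authenticator does).
 * Endpoint URL, SOAPAction and the envelope are assumptions.
 */
public class BasicAuthSoapClient {

    /** The value the server expects: "Basic " + base64("user:password"). This is
     *  encoding, not encryption, so the header is only safe over TLS. */
    static String basicAuthHeader(String user, char[] password) {
        String token = user + ":" + new String(password);
        return "Basic " + Base64.getEncoder()
                .encodeToString(token.getBytes(StandardCharsets.UTF_8));
    }

    static int callSoap(URL endpoint, String soapAction, String envelope,
                        String user, char[] password, boolean preemptive) throws IOException {
        if (!preemptive) {
            // Reactive path: the first POST carries no credentials; if the
            // server answers 401 with a WWW-Authenticate: Basic challenge, the
            // JDK asks this Authenticator and retries once. That costs a round
            // trip, re-sends the body, and fails outright against servers that
            // return 401 without a challenge or answer anonymous requests with
            // a fault instead.
            Authenticator.setDefault(new Authenticator() {
                @Override
                protected PasswordAuthentication getPasswordAuthentication() {
                    return new PasswordAuthentication(user, password);
                }
            });
        }
        HttpURLConnection conn = (HttpURLConnection) endpoint.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
        conn.setRequestProperty("SOAPAction", "\"" + soapAction + "\"");
        if (preemptive) {
            // Preemptive path: credentials on the first request, one round trip.
            // They go in this header, not in the query string, where they would
            // be written to access logs, proxy logs and browser history.
            conn.setRequestProperty("Authorization", basicAuthHeader(user, password));
        }
        try (OutputStream out = conn.getOutputStream()) {
            out.write(envelope.getBytes(StandardCharsets.UTF_8));
        }
        int status = conn.getResponseCode();
        // 401 here is an authentication failure (wrong credentials, wrong realm,
        // or a challenge that was never honoured). A SOAP fault such as
        // "Authority check failed" arrives with HTTP 500: login succeeded and
        // server-side authorization is what rejected the call.
        InputStream body = status >= 400 ? conn.getErrorStream() : conn.getInputStream();
        if (body != null) {
            try (InputStream in = body) {
                in.readAllBytes(); // drain so the connection can be reused
            }
        }
        return status;
    }

    public static void main(String[] args) throws IOException {
        URL endpoint = new URL("https://soap.example.invalid/HelloWorldService"); // assumed
        String envelope = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                + "<soapenv:Body><ZHelloworld/></soapenv:Body></soapenv:Envelope>";
        // Take the secret from the environment instead of hard-coding it.
        String secret = System.getenv().getOrDefault("SOAP_PASSWORD", "");
        int status = callSoap(endpoint, "urn:example:ZHelloworld", envelope, // SOAPAction assumed
                "pradeep", secret.toCharArray(), true);
        System.out.println("HTTP " + status);
    }
}
```

    Running it with preemptive = false reproduces the "works in SOAP UI, 401 in my code" pattern whenever the server rejects the anonymous first request without issuing a proper Basic challenge; with preemptive = true the credentials are there on the first round trip, which is what the .NET PreAuthenticate flag and the SOAP UI setting arrange. Whichever path is used, the header is readable on plain http, so only point this at https endpoints.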

  • Web service authorization problem

    Hi everyone,
    I am trying to call a web service that is located in SAP/R3 using XI.
    I succeed in calling this WS using C#.
    Now I want to use Web Dynpro and am having some difficulties.
    When I execute the application, I get the following error:
    Service call exception; nested exception is: java.net.ConnectException: Connection refused: connect
    Can someone help with that issue ?
    Thanks in advance.

    Hi David,
    Please check this thread...
    java.net.ConnectException: Connection refused: connect - Web Service
    Hope it helps!
    cheers,
    Prashanth
    P.S Please mark helpful answers
