HTTP Binding Component User Guide

Contents

• HTTP Binding Component User Guide
• About the HTTP Binding Component
• HTTP/SOAP Binding Architecture
• HTTP Binding Component Features
• HTTP Binding Component Example Scenario
• SOAP Processing
• HTTP Processing
• HTTP GET and POST Processing
• HTTP Binding Component Runtime Properties
• Configuring Quality of Service (QOS) Features
• Using the Tango Web Service Features with the HTTP Binding Component
• Configuring Web Service Attributes
• Configuring Security Mechanisms
• Using Basic Authentication with the HTTP Binding Component
  • Basic Authentication Supported Features
  • Authentication Mechanisms for Consumer Endpoints
• Using Application Variables to Define Name/Value Pairs
• Using Application Configuration to Configure Connectivity Parameters
• Enhanced Logging
• Statistics Monitoring
• Using WS-Transaction
• Clustering Support for the HTTP Binding Component
• Common User Scenarios

Using Basic Authentication with the HTTP Binding Component

Basic authentication allows you to require credentials, in the form of a username and password, to make a transaction. These credentials are transmitted as plaintext. The username and password are encoded as a sequence of base-64 characters before transmission to ensure privacy. So, for example, the user name “Fred” and password “Dinosaur” are combined as “Fred:Dinosaur”, and when encoded in base-64 is equivalent to “RnJlZDpEaW5vc2F1cg0K”.

For a Provider webservice, a request message from a client contains the user name and password fields in the request header.

For a Consumer webservice, invoking a webservice with basic authentication enabled, the user name and password are appended to the request headers for authentication.

For more information on basic authentication protocol see RFC 1945 (Hypertext Transfer Protocol HTTP/1.0), RFC 2616 (Hypertext Transfer Protocol HTTP/1.1), and RFC 2617 (HTTP Authentication: Basic and Digest Access Authentication).

Basic Authentication Supported Features

Basic authentication is supported by specifying a policy in the WSDL. A basic authentication policy can be added to the WSDL either manually or by using the WS-Policy Attachment window accessed from CASA and provided through Tango (WSIT). A basic authentication policy is specified at the root level of the WSDL and a reference to the policy is made in the WSDL Port type section, binding the policy to the endpoint.

To support basic authentication, the HTTP Binding Component defines the following WSDL elements:

• MustSupportBasicAuthentication: This element has an attribute called on which can be used to turn authentication on or off. This attribute accepts the values: true or false. The MustSupportBasicAuthentication element within a policy is required to enable basic authentication in the endpoint.
  

• UsernameToken: This element specifies the user name and password fields to either:
  
  • Authenticate the request (when the endpoint is a provider)
    
  • Invoke a webservice with basic authentication enabled. (when the configured endpoint is a consumer)
    

The user name and password fields can be either specified as plain text in the WSDL, or specified as tokens in the WSDL and configured at runtime.

Authentication Mechanisms for Consumer Endpoints

Three types of authentication mechanisms are supported for webservice consumer endpoints.

A consumer endpoint can be configured to use one of these mechanisms by adding it, as a child element, to the MustSupportBasicAuthentication element of the endpoints Policy.

• WssTokenCompare: Compares the username and password, extracted from the HTTP Authorization request header with the username and password specified in the Policy's WssUsernameToken10 and WssPassword elements.

• AccessManager: Configures the consuming endpoint to use the Sun Access Manager to authenticate the HTTP client's credentials.

• Realm: Configures the consuming endpoint to use the Sun Realm security to authenticate the HTTP client's credentials.
  

The following sections describe these mechanisms in more detail.

WssTokenCompare

To use WssTokenCompare, the Policy element must be present, and specify the username and password that are used for authentication. The username and password, extracted from the HTTP Authorization request header, are compared with the username and password specified in the Policy's WssUsernameToken10 and WssPassword elements.
The following sample WSDL contains the policy and its reference to use WssTokenCompare.. Note that an application variable token is used for the password so that the password is not exposed in the WSDL. The value of the password can be specified in the component's Using Application Variables to Define Name/Value Pairs property in NetBeans.

<wsdl:service name="echoService">
    <wsdl:port name="echoPort" binding="tns:echoBinding">
        <soap:address location="http://pponnala-tecra-xp.stc.com:18181/
         echoService/echoPort"/>
        <wsp:PolicyReference URI="#HttpBasicAuthBindingBindingPolicy"/>
    </wsdl:port>
</wsdl:service>

<wsp:Policy wsu:Id="HttpBasicAuthBindingBindingPolicy">
    <mysp:MustSupportBasicAuthentication on="true">
        <mysp:BasicAuthenticationDetail>
           <mysp:WssTokenCompare/>
        </mysp:BasicAuthenticationDetail>
    </mysp:MustSupportBasicAuthentication>
    <mysp:UsernameToken mysp:IncludeToken="http://schemas.xmlsoap.org/ws/
     2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
       <wsp:Policy>
            <sp:WssUsernameToken10>wilma</sp:WssUsernameToken10>
            <sp:WssPassword>${pass_token}</sp:WssPassword>
       </wsp:Policy>
  </mysp:UsernameToken>
</wsp:Policy>

Note - The code displayed above is wrapped for display purposes.

AccessManager

To use AccessManager, a consuming endpoint is configured to use the Sun Access Manager to authenticate the HTTP client's credentials. The HTTP Binding Component SOAP Binding integrates seamlessly with Sun Access Manager, to authenticate the HTTP client's credentials (username and password extracted from the HTTP Authorization header) against the user's credentials in the Sun Access Manager's database.

Before authentication with Sun Access Manager can be used, an additional Binding Component configuration is required to configure the HTTP SOAP BC to use the Access Manager. This configuration is called Sun Access Manager Configuration Directory and its value is the directory where the Sun Access Manager's AMConfig.properties file can be found.

To configure the Sun Access Manager Configuration Directory, do the following:

1. Access the HTTP Binding Component Properties from the NetBeans Services window. Right-click sun-http-binding under Servers > GlassFish V2 > JBI > Binding Components, and select Properties from the popup menu.
2. Configure the Sun Access Manager Configuration Directory property to specify the location of the Sun Access Manager's AMConfig.properties file.

The following sample WSDL contains the policy and its reference to use AccessManager.

<wsdl:service name="echoService">
    <wsdl:port name="echoPort" binding="tns:echoBinding">
        <soap:address location="http://pponnala-tecra-xp.stc.com:18181/
         echoService/echoPort"/>
        <wsp:PolicyReference URI="#HttpBasicAuthBindingBindingPolicy"/>
    </wsdl:port>
</wsdl:service>

<wsp:Policy wsu:Id="HttpBasicAuthBindingBindingPolicy">
    <mysp:MustSupportBasicAuthentication on="true">
        <mysp:BasicAuthenticationDetail>
           <mysp:AccessManager/>
        </mysp:BasicAuthenticationDetail>
    </mysp:MustSupportBasicAuthentication>
</wsp:Policy>

Note - The code displayed above is wrapped for display purposes.

For a tutorial demonstrating how to secure communications between a service's client and server using the Sun Java System Access Manager, see: Securing Communications In Open ESB with Sun Access Manager

Realm

To use Realm element, a consuming endpoint is configured to use Sun Realm security to authenticate the HTTP client's credentials. When the Realm element is used, a consuming endpoint is configured to utilize Sun Realm security to authenticate the HTTP client's credentials. The HTTP SOAP Binding Component integrates with Sun Realm security to authenticate the HTTP client's credentials (username and password extracted from the HTTP Authorization header) against the user's credentials in the specified Realm.
The name of the realm is specified using the Realm element's attribute, called realmName. For example, your GlassFish installation comes with a pre-configured file realm which is essentially a file-based user database. See: Admin Console Tasks for Realms for information or creating and adding users to realms.
The following sample WSDL contains the policy and its reference to use Realm.

<wsdl:service name="echoService">
   <wsdl:port name="echoPort" binding="tns:echoBinding">
        <soap:address location="http://pponnala-tecra-xp.stc.com:18181/
         echoService/echoPort"/>
        <wsp:PolicyReference URI="#HttpBasicAuthBindingBindingPolicy"/>
    </wsdl:port>
</wsdl:service>

<wsp:Policy wsu:Id="HttpBasicAuthBindingBindingPolicy">
    <mysp:MustSupportBasicAuthentication on="true">
        <mysp:BasicAuthenticationDetail>
           <mysp:Realm realmName="file"/>
        </mysp:BasicAuthenticationDetail>
    </mysp:MustSupportBasicAuthenti</wsp:Policy>

Previous Next

This page (revision-4) was last changed on 22-Sep-08 10:24 AM, -0700 by rjacobus.
This page was created on 11-Sep-08 14:04 PM, -0700 by rjacobus.

More info...