Securing REST service created using WEF

In the Exposing REST + JSON endpoint using WEF i blogged about how to create a REST + JSON endpoint using WEF, but problem with that service is it is not protected. Anyone can call that service if you know the URL. So i wanted to protect the service and once the service is protected i can get the logged in user's information in the service. I followed these steps to secure the service
  • First i changed the HelloWorldService.sayHello() method so that instead of asking user for name it reads the current logged in users name and returns it in Hello name format
    
    package com.webspherenotes.wef;
    
    import com.bowstreet.webapp.WebAppAccess;
    
    public class HelloWorldService {
    
      public String sayHello(WebAppAccess webAppAccess){
        System.out.println("Entering HelloWorldService.sayHello()");
        String userId = webAppAccess.getUserInfo().getUserID();
        System.out.println("Value of userId " + userId); 
        return "Hello " + userId;
      }
    }
    
  • If you look at the web.xml file of your WEF project you will notice that it has 3 servlets, out of that WebEngineServlet is the one that is used to expose REST service,
  • In order to protect the REST service, you will want to protect the WebEngineServlet , if you look into web.xml file generated by web.xml it has 4 security constraints in it, you can use one of them to protect the WebEngineServlet. This is how the out of box SecurityConstraint_4 looks like
    
    <security-constraint id="SecurityConstraint_4">
       <web-resource-collection id="WebResourceCollection_4">
          <web-resource-name>ProtectedSampleModels</web-resource-name>
          <url-pattern>/webengine/factory/samples/protectedSamples/*</url-pattern>
       </web-resource-collection>
        <auth-constraint id="AuthConstraint_4">
             <description>Roles allowed to execute sample protected models under
            factory/samples/protectedSamples</description>
             <role-name>IBMAdministrators</role-name>
             <role-name>AllAuthenticatedUsers</role-name>
        </auth-constraint>
    </security-constraint>
    
    I want to change it so that it protects /webengine/* URL instead of only protectedSamples, but if i make chanes in web.xml directly they will get overwritten during regeneration. Instead if you want to make any changes that would be included in generated web.xml you should make those changes in \WebContent\WEB-INF\bin\deployment\standalone.web.xml file
  • Open the \WebContent\WEB-INF\bin\deployment\standalone.web.xml file, and change SecurityConstraint_4 look like this
    
    <security-constraint id="SecurityConstraint_4">
       <web-resource-collection id="WebResourceCollection_4">
          <web-resource-name>ProtectedSampleModels</web-resource-name>
          <url-pattern>/webengine/*</url-pattern>
       </web-resource-collection>
        <auth-constraint id="AuthConstraint_4">
             <description>Roles allowed to execute sample protected models under
            factory/samples/protectedSamples</description>
             <role-name>IBMAdministrators</role-name>
             <role-name>AllAuthenticatedUsers</role-name>
        </auth-constraint>
    </security-constraint>
    
  • After saving your changes deploy them on server
  • Once your application is deployed you will have to map the roles using WAS Admin Console before it actually get secured, so login into the WAS admin console and find the application that you want to secure and go to its Security Role to user/group mapping page and map AllAuthenticatedUser to All Authenticated in Applications's Realm group like this
  • After saving your changes restart the application.
Now if you take the service URL and paste it in new browser window, it will redirect you to login page like this
Login on this page, In my case only user i have is wpsadmin so use it to login and then you can get the service page like this

No comments: