Note
This document focuses on web service security for EJBs developed in NetWeaver Java CE >= 7.1. Securing the WSDL URL and the endpoint is shown, not how to secure WSIL.
JEE >= 5 comes with a very easy way to expose an EJB as a web service: annotations. But how do you secure the web service? When you go through the documentation available on the Internet about EJB and WS security, this is mentioned only at the end, and in most cases the explanation is rather short. The example web service used here exposes a method that reports whether the caller is authenticated or not: it returns the name of the calling user.
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.jws.WebMethod;
import javax.jws.WebService;
import com.sap.engine.services.webservices.espbase.configuration.ann.dt.AuthenticationDT;
import com.sap.engine.services.webservices.espbase.configuration.ann.dt.AuthenticationEnumsAuthenticationLevel;
import com.sap.security.api.IUser;
import com.sap.security.api.UMException;
import com.sap.security.api.UMFactory;
@WebService(name="EjbEndpoint", targetNamespace="http://tobias.com/ejb/bean/", portName="EjbEndpointBeanPort", serviceName="EjbEndpointService")
@Stateless
/* The following configures the required authentication level at design time. When the line is commented out, no authentication level is required. Otherwise, at least BASIC authentication credentials have to be provided. */
@AuthenticationDT(authenticationLevel = AuthenticationEnumsAuthenticationLevel.BASIC)
public class EjbEndpointBean implements EjbEndpointLocal {
    // Injected by the container; gives access to the caller principal
    @Resource private SessionContext myContext;
    @WebMethod(exclude=false, operationName="testPerm")
    public String testPerm() {
        String username = "Guest"; // AS Java maps anonymous callers to the Guest user
        java.security.Principal caller = myContext.getCallerPrincipal();
        if (caller != null) {
            username = caller.getName();
        }
        try {
            // Look the caller up in the UME and append its display name
            IUser user = UMFactory.getUserFactory().getUserByUniqueName(username);
            username += user.getName();
        } catch (UMException e) {
            // Not found in the UME: return the principal name only
        }
        return username;
    }
}
SAP Help [1] says about web service authentication:
“You can set an authentication level which the Web service requires from the Web service client during communication. The authentication level verifies the identity of the Web service client before allowing access to the resources provided by the Web service.”
This means that there are two places where the required authentication level can be configured: at design time in the EJB, with the @AuthenticationDT annotation, and at configuration time in NWA, by the administrator.
As the level in the EJB is hardcoded, it cannot be changed later without changing code. It does not matter what the administrator defines later: the caller has to provide at least the level defined in the EJB. What the administrator defines is more flexible, as a non-secured EJB web service can be secured during configuration of the application, and this can later be changed without triggering a code change. This implies that you should write the authentication level into the EJB when you know that it is the minimum requirement (or to ensure your Basis team learns something about security).
The two settings can be combined; the four possible combinations and their results are:
EJB | NWA | Result
X | 0 | Error
X | X | OK
0 | 0 | OK
0 | X | OK
X = authentication level set (BASIC)
0 = no authentication level set (anonymous access)
Let's go through each of these scenarios.
EJB | NWA | Result
0 | 0 | OK
@WebService(name="EjbEndpoint", targetNamespace="http://tobias.com/ejb/bean/", portName="EjbEndpointBeanPort", serviceName="EjbEndpointService")
@Stateless
<SOAP-ENV:Envelope xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
<ns2:testPermResponse xmlns:ns2="http://tobias.com/ejb/bean/">
<return>Guest</return>
</ns2:testPermResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
The user name Guest is returned: it is possible to successfully call the web service as an anonymous user.
EJB | NWA | Result
0 | X | OK
@WebService(name="EjbEndpoint", targetNamespace="http://tobias.com/ejb/bean/", portName="EjbEndpointBeanPort", serviceName="EjbEndpointService")
@Stateless
<SOAP-ENV:Envelope xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
<SOAP-ENV:Fault>
<faultcode>SOAP-ENV:Server</faultcode>
<faultstring>Authentication failed. For details see log entry 361320FB1E26002D00002DD800004B5B004065F4A986227F in security log.</faultstring>
<detail>
<yq1:com.sap.engine.interfaces.webservices.runtime.ProtocolException xmlns:yq1="http://sap-j2ee-engine/client-runtime-error">Authentication failed. For details see log entry 361320FB1E26002D00002DD800004B5B004065F4A986227F in security log.</yq1:com.sap.engine.interfaces.webservices.runtime.ProtocolException>
</detail>
</SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
It is possible to call the WSDL URL, but not to execute the method as an anonymous user. This matches the expected result, as BASIC authentication was defined in NWA.
Submitting the credentials requested by the web service, the call works:
<SOAP-ENV:Envelope xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
<ns2:testPermResponse xmlns:ns2="http://vale.com/resopt/bean/">
<return>Tobias </return>
</ns2:testPermResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Here the EJB does not demand any authentication level, but the web service only works when the user provides credentials: the administrator configured a higher security level than the developer expected.
EJB | NWA | Result
X | 0 | Error
@WebService(name="EjbEndpoint", targetNamespace="http://tobias.com/ejb/bean/", portName="EjbEndpointBeanPort", serviceName="EjbEndpointService")
@AuthenticationDT(authenticationLevel = AuthenticationEnumsAuthenticationLevel.BASIC)
@Stateless
The response is not a SOAP message but an HTML page, which the browser shows as the AS Java default 404 page.
EJB | NWA | Result
X | X | OK
@WebService(name="EjbEndpoint", targetNamespace="http://tobias.com/ejb/bean/", portName="EjbEndpointBeanPort", serviceName="EjbEndpointService")
@AuthenticationDT(authenticationLevel = AuthenticationEnumsAuthenticationLevel.BASIC)
@Stateless
<SOAP-ENV:Envelope xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
<ns2:testPermResponse xmlns:ns2="http://tobias.com/ejb/bean/">
<return>Tobias</return>
</ns2:testPermResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
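The following Python script is an added example and not code from the original post. It sends the testPerm request from the scenarios above once anonymously and once with HTTP Basic credentials, classifies each response as a SOAP result, an "Authentication failed" fault or an HTML error page, and relates the pair of results to the EJB/NWA matrix. The endpoint URL and the credentials are placeholders, the embedded sample responses are constructed from the responses shown above, and the HTML-page mapping assumes the 404 page described for the X/0 case; the 0/X and X/X cases cannot be told apart from the client side.

```python
import base64
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
# Placeholders (assumptions, not values from the original post).
ENDPOINT = "http://host:50000/EjbEndpointService/EjbEndpointBeanPort"
TARGET_NS = "http://tobias.com/ejb/bean/"


def build_request(operation, target_ns=TARGET_NS):
    """Minimal SOAP 1.1 envelope for a no-argument operation such as testPerm."""
    return (
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV}">'
        "<SOAP-ENV:Body>"
        f'<ns2:{operation} xmlns:ns2="{target_ns}"/>'
        "</SOAP-ENV:Body>"
        "</SOAP-ENV:Envelope>"
    )


def classify(status, content_type, body):
    """Map one HTTP response to (kind, detail).

    kind is 'ok' (SOAP response, detail = text of <return>), 'auth_required'
    (SOAP fault whose faultstring starts with 'Authentication failed'),
    'fault' (any other SOAP fault) or 'html_error' (no XML at all, e.g. the
    AS Java default 404 page).
    """
    if "xml" not in content_type.lower():
        return "html_error", f"HTTP {status}"
    root = ET.fromstring(body)
    fault = root.find(f"{{{SOAP_ENV}}}Body/{{{SOAP_ENV}}}Fault")
    if fault is not None:
        text = fault.findtext("faultstring", default="")
        if text.startswith("Authentication failed"):
            return "auth_required", text
        return "fault", text
    ret = root.find(".//return")
    return "ok", (ret.text or "") if ret is not None else ""


def call(url, operation, user=None, password=None, timeout=10):
    """POST the SOAP request, optionally with HTTP Basic credentials.

    Returns (status, content_type, body). SOAP faults and the 404 page arrive
    as HTTP error statuses, so their bodies are kept instead of raised.
    """
    data = build_request(operation).encode("utf-8")
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "text/xml; charset=utf-8")
    req.add_header("SOAPAction", '""')
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), err.read().decode("utf-8", "replace")


def interpret(anonymous_kind, authenticated_kind):
    """Relate the anonymous/authenticated probe results to the EJB/NWA matrix."""
    if anonymous_kind == "ok":
        return "anonymous call succeeds: no authentication level in EJB or NWA (0/0)"
    if anonymous_kind == "html_error":
        return "HTML error page instead of SOAP: EJB demands a level NWA does not provide (X/0)"
    if anonymous_kind == "auth_required" and authenticated_kind == "ok":
        return "NWA enforces authentication (0/X or X/X); the EJB level cannot be told apart from outside"
    return f"unexpected combination: anonymous={anonymous_kind}, authenticated={authenticated_kind}"


def probe(url, operation="testPerm", user="user", password="pass"):
    """Call the endpoint anonymously and with credentials; return both results and the verdict."""
    anon = classify(*call(url, operation))
    authed = classify(*call(url, operation, user, password))
    return anon, authed, interpret(anon[0], authed[0])


# Constructed samples, built from the responses shown in the scenarios above.
SAMPLE_OK = (
    f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV}"><SOAP-ENV:Body>'
    f'<ns2:testPermResponse xmlns:ns2="{TARGET_NS}"><return>Guest</return>'
    "</ns2:testPermResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>"
)
SAMPLE_FAULT = (
    f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV}"><SOAP-ENV:Body><SOAP-ENV:Fault>'
    "<faultcode>SOAP-ENV:Server</faultcode><faultstring>Authentication failed. "
    "For details see log entry 361320FB1E26002D00002DD800004B5B004065F4A986227F in security log."
    "</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>"
)
SAMPLE_HTML = "<html><body><h1>404 Not Found</h1></body></html>"

if __name__ == "__main__":
    for sample in ((200, "text/xml", SAMPLE_OK), (500, "text/xml", SAMPLE_FAULT), (404, "text/html", SAMPLE_HTML)):
        print(classify(*sample))
    # Against a live system: print(probe(ENDPOINT, user="tobias", password="secret"))
```

Run `probe(ENDPOINT, user=..., password=...)` against the deployed service; the verdict string names the matrix row that the observed behaviour matches.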
[1] Setting an Authentication Level, http://help.sap.com/saphelp_nwce71/helpdata/en/46/9c60d058793720e10000000a11466f/content.htm