Skip to Content

Note

This document focus on web service security for EJBs developed in NetWeaver Java CE >= 7.1. The securing of the WSDL URL and endpoint is shown, not how to secure WSIL.

JEE >= 5 comes with a very easy solution to expose an EJB as a web service: it’s just using annotation. But how to secure the web service? When you go through the documentation available on the Internet about EJB and WS security, this is mentioned only at the end and in most case the explanation is rather short. The example web service used will expose a method that checks if the use is authenticated or not.

@WebService(name=“EjbEndpoint”, targetNamespace=“http://tobias.com/ejb/bean/", portName=“EjbEndpointBeanPort”, serviceName=“EjbEndpointService”)
@Stateless
/*
The following is configurating the requested authentication level during design time. When the line is commented, no authentication level is required. Otherwise, at least BASIC authentication credentials have to be provided.
*/
@AuthenticationDT(authenticationLevel = AuthenticationEnumsAuthenticationLevel.BASIC)
public class EjbEndpointBean implements EjbEndpointLocal {
@WebMethod(exclude=false, operationName="testPerm")
public String testPerm() {
    String username = "Guest";       
    username = myContext.getCallerPrincipal().getName();
    try {
        IUser user = UMFactory.getUserFactory().getUserByUniqueName(username);
        username += user.getName();
    } catch (UMException e) {}       
    return username;
}

SAP Help [1] says about web service authentication:

“You can set an authentication level which the Web service requires from the Web service client during communication. The authentication level verifies the identity of the Web service client before allowing access to the resources provided by the Web service.”

  • “By using the @AuthenticationDT annotation, you can set any of the authentication levels
  • You set the authentication method for the Web service client when you configure the Web service client in the SAP NetWeaver Administrator.”

This means that there are 2 places where credentials can be configured:

  • At EJB level, where the minimum authentication level is defined during design time, that is: what the user needs to provide at least and
  • At web service configuration during runtime, when the authentication method is defined in NWA, or: what the security standard of the company / environment demands.

As the level in the EJB is hardcoded, this cannot be configured later without changing code. It does not matter what the administrator later is going to define: the caller has to provide at least the defined level. What the administrator defines later is more flexible, as a non-secure EJB web service can be secured during configuration of the application and this can later changed without triggering a code change too. This implies that you can write the authentication level into the EJB when you know that this is the minimum requirement (or to ensure your Basis team learns something about security).

Each one of these 2 can be combined.

EJB

NWA

Result

X

O

Error

X

X

OK

0

0

OK

0

X

OK

X = Authenticate

0 = Anonymous

Let’s go through each one of these scenarios

Calling web service with no authentication level defined and without providing credentials

Test scenario

EJB

NWA

Result

0

0

OK

Java EJB code

@WebService(name=“EjbEndpoint”, targetNamespace=“http://tobias.com/ejb/bean/", portName=“EjbEndpointBeanPort”, serviceName=“EjbEndpointService”)
@Stateless


Security configuration in NWA

/wp-content/uploads/2013/06/wssec1_229859.jpg

Calling web service without providing credentials

/wp-content/uploads/2013/06/wssec2_229860.jpg

Result

<SOAP-ENV:Envelope xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <SOAP-ENV:Body>
 <ns2:testPermResponse xmlns:ns2="http://tobias.com/ejb/bean/">
         <return>Guest</return>
 </ns2:testPermResponse>
   </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

The username Guest is returned. It is possible to successfully call the web service as an anonymous user.

Calling web service with no authentication level defined and providing credentials

Test scenario

EJB

NWA

Result

0

X

OK

Java EJB code

@WebService(name=“EjbEndpoint”, targetNamespace=“http://tobias.com/ejb/bean/", portName=“EjbEndpointBeanPort”, serviceName=“EjbEndpointService”)
@Stateless


Configuration web service in NWA

/wp-content/uploads/2013/06/wssec3_229861.jpg

Calling web service without credentials

/wp-content/uploads/2013/06/wssec2_229860.jpg

Result

<SOAP-ENV:Envelope xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <SOAP-ENV:Body>
 <SOAP-ENV:Fault>
 <faultcode>SOAP-ENV:Server</faultcode>
 <faultstring>Authentication failed. For details see log entry 361320FB1E26002D00002DD800004B5B004065F4A986227F in security log.</faultstring>
 <detail>
 <yq1:com.sap.engine.interfaces.webservices.runtime.ProtocolException xmlns:yq1="http://sap-j2ee-engine/client-runtime-error">Authentication failed. For details see log entry 361320FB1E26002D00002DD800004B5B004065F4A986227F in security log.</yq1:com.sap.engine.interfaces.webservices.runtime.ProtocolException>
         </detail>
 </SOAP-ENV:Fault>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

It is possible to call the WSDL URL, but not to execute the method as an anonymous user. This matches the expected result as BASIC authorization was defined in NWA.

Calling web service with credentials

Submitting the credentials requested by the web service, it works:

/wp-content/uploads/2013/06/wssec4_229862.jpg

<SOAP-ENV:Envelope xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <SOAP-ENV:Body>
 <ns2:testPermResponse xmlns:ns2="http://vale.com/resopt/bean/">
 <return>Tobias </return>
 </ns2:testPermResponse>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Here, the EJB is not demanding any authentication level, but the web service only works when the user provides credentials. The administrator configured a higher security level than the developer expects.

EJB configured to BASIC level and not providing credentials

Test scenario

EJB

NWA

Result

X

O

Error

Java EJB code

@WebService(name=“EjbEndpoint”, targetNamespace=“http://tobias.com/ejb/bean/", portName=“EjbEndpointBeanPort”, serviceName=“EjbEndpointService”)
@AuthenticationDT(authenticationLevel = AuthenticationEnumsAuthenticationLevel.BASIC)
@Stateless


Configuration web service in NWA

/wp-content/uploads/2013/06/wssec1_229859.jpg

Calling web service without providing credentials

/wp-content/uploads/2013/06/wssec2_229860.jpg

Result

/wp-content/uploads/2013/06/wssec5_229863.jpg

This HTML response shows as the AS Java default 404 page in the browser:

/wp-content/uploads/2013/06/wssec6_229864.jpg

EJB configured to BASIC level and providing credentials

Test scenario

EJB

NWA

Result

X

X

OK

Java EJB code

@WebService(name=“EjbEndpoint”, targetNamespace=“http://tobias.com/ejb/bean/", portName=“EjbEndpointBeanPort”, serviceName=“EjbEndpointService”)
@AuthenticationDT(authenticationLevel = AuthenticationEnumsAuthenticationLevel.BASIC)
@Stateless


Configuration web service in NWA

/wp-content/uploads/2013/06/wssec3_229861.jpg

Calling web service with credentials

/wp-content/uploads/2013/06/wssec4_229862.jpg

Result

<SOAP-ENV:Envelope xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <SOAP-ENV:Body>
 <ns2:testPermResponse xmlns:ns2="http://tobias.com/ejb/bean/">
         <return>Tobias</return>
 </ns2:testPermResponse>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

[1] Setting an Authentication Levelhttp://help.sap.com/saphelp_nwce71/helpdata/en/46/9c60d058793720e10000000a11466f/content.htm

To report this post you need to login first.

5 Comments

You must be Logged on to comment or reply to a post.

  1. Gareth Ryan

    Great document Tobias – lots of really useful information on this often vague topic, all in one place.  Definitely something I’ll be referencing in future.

    Gareth.

    (0) 

Leave a Reply