Web service security
Note
This document focus on web service security for EJBs developed in NetWeaver Java CE >= 7.1. The securing of the WSDL URL and endpoint is shown, not how to secure WSIL.
JEE >= 5 comes with a very easy solution to expose an EJB as a web service: it’s just using annotation. But how to secure the web service? When you go through the documentation available on the Internet about EJB and WS security, this is mentioned only at the end and in most case the explanation is rather short. The example web service used will expose a method that checks if the use is authenticated or not.
@WebService(name=“EjbEndpoint”, targetNamespace=“http://tobias.com/ejb/bean/", portName=“EjbEndpointBeanPort”, serviceName=“EjbEndpointService”)
@Stateless
/*
The following is configurating the requested authentication level during design time. When the line is commented, no authentication level is required. Otherwise, at least BASIC authentication credentials have to be provided.
*/
@AuthenticationDT(authenticationLevel = AuthenticationEnumsAuthenticationLevel.BASIC)
public class EjbEndpointBean implements EjbEndpointLocal {
@WebMethod(exclude=false, operationName="testPerm")
public String testPerm() {
String username = "Guest";
username = myContext.getCallerPrincipal().getName();
try {
IUser user = UMFactory.getUserFactory().getUserByUniqueName(username);
username += user.getName();
} catch (UMException e) {}
return username;
}SAP Help [1] says about web service authentication:
“You can set an authentication level which the Web service requires from the Web service client during communication. The authentication level verifies the identity of the Web service client before allowing access to the resources provided by the Web service.”
- “By using the @AuthenticationDT annotation, you can set any of the authentication levels
- You set the authentication method for the Web service client when you configure the Web service client in the SAP NetWeaver Administrator.”
This means that there are 2 places where credentials can be configured:
- At EJB level, where the minimum authentication level is defined during design time, that is: what the user needs to provide at least and
- At web service configuration during runtime, when the authentication method is defined in NWA, or: what the security standard of the company / environment demands.
As the level in the EJB is hardcoded, this cannot be configured later without changing code. It does not matter what the administrator later is going to define: the caller has to provide at least the defined level. What the administrator defines later is more flexible, as a non-secure EJB web service can be secured during configuration of the application and this can later changed without triggering a code change too. This implies that you can write the authentication level into the EJB when you know that this is the minimum requirement (or to ensure your Basis team learns something about security).
Each one of these 2 can be combined.
|
EJB |
NWA |
Result |
|
X |
O |
Error |
|
X |
X |
OK |
|
0 |
0 |
OK |
|
0 |
X |
OK |
X = Authenticate
0 = Anonymous
Let’s go through each one of these scenarios
Calling web service with no authentication level defined and without providing credentials
Test scenario
|
EJB |
NWA |
Result |
|
0 |
0 |
OK |
Java EJB code
@WebService(name=“EjbEndpoint”, targetNamespace=“http://tobias.com/ejb/bean/", portName=“EjbEndpointBeanPort”, serviceName=“EjbEndpointService”)
@StatelessSecurity configuration in NWA
Calling web service without providing credentials
Result
<SOAP-ENV:Envelope xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
<ns2:testPermResponse xmlns:ns2="http://tobias.com/ejb/bean/">
<return>Guest</return>
</ns2:testPermResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>The username Guest is returned. It is possible to successfully call the web service as an anonymous user.
Calling web service with no authentication level defined and providing credentials
Test scenario
|
EJB |
NWA |
Result |
|
0 |
X |
OK |
Java EJB code
@WebService(name=“EjbEndpoint”, targetNamespace=“http://tobias.com/ejb/bean/", portName=“EjbEndpointBeanPort”, serviceName=“EjbEndpointService”)
@StatelessConfiguration web service in NWA
Calling web service without credentials
Result
<SOAP-ENV:Envelope xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
<SOAP-ENV:Fault>
<faultcode>SOAP-ENV:Server</faultcode>
<faultstring>Authentication failed. For details see log entry 361320FB1E26002D00002DD800004B5B004065F4A986227F in security log.</faultstring>
<detail>
<yq1:com.sap.engine.interfaces.webservices.runtime.ProtocolException xmlns:yq1="http://sap-j2ee-engine/client-runtime-error">Authentication failed. For details see log entry 361320FB1E26002D00002DD800004B5B004065F4A986227F in security log.</yq1:com.sap.engine.interfaces.webservices.runtime.ProtocolException>
</detail>
</SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>It is possible to call the WSDL URL, but not to execute the method as an anonymous user. This matches the expected result as BASIC authorization was defined in NWA.
Calling web service with credentials
Submitting the credentials requested by the web service, it works:
<SOAP-ENV:Envelope xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
<ns2:testPermResponse xmlns:ns2="http://vale.com/resopt/bean/">
<return>Tobias </return>
</ns2:testPermResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>Here, the EJB is not demanding any authentication level, but the web service only works when the user provides credentials. The administrator configured a higher security level than the developer expects.
EJB configured to BASIC level and not providing credentials
Test scenario
|
EJB |
NWA |
Result |
|
X |
O |
Error |
Java EJB code
@WebService(name=“EjbEndpoint”, targetNamespace=“http://tobias.com/ejb/bean/", portName=“EjbEndpointBeanPort”, serviceName=“EjbEndpointService”)
@AuthenticationDT(authenticationLevel = AuthenticationEnumsAuthenticationLevel.BASIC)
@StatelessConfiguration web service in NWA
Calling web service without providing credentials
Result
This HTML response shows as the AS Java default 404 page in the browser:
EJB configured to BASIC level and providing credentials
Test scenario
|
EJB |
NWA |
Result |
|
X |
X |
OK |
Java EJB code
@WebService(name=“EjbEndpoint”, targetNamespace=“http://tobias.com/ejb/bean/", portName=“EjbEndpointBeanPort”, serviceName=“EjbEndpointService”)
@AuthenticationDT(authenticationLevel = AuthenticationEnumsAuthenticationLevel.BASIC)
@StatelessConfiguration web service in NWA
Calling web service with credentials
Result
<SOAP-ENV:Envelope xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
<ns2:testPermResponse xmlns:ns2="http://tobias.com/ejb/bean/">
<return>Tobias</return>
</ns2:testPermResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>[1] Setting an Authentication Levelhttp://help.sap.com/saphelp_nwce71/helpdata/en/46/9c60d058793720e10000000a11466f/content.htm
Great document Tobias - lots of really useful information on this often vague topic, all in one place. Definitely something I'll be referencing in future.
Gareth.
Awesome Doc Tobias. Very well explained really helped me explaining Webservice authentication.
Thanks
Rohit Raja
Good to hear my doc helped you.
Hi Tobias,
Your document was really helpful in fixing an authorisation issue in a WS.
Thank you very much!
Regards,
Anoop MT
Thank you very much too!