Web-service Security using WebLogic

I recently worked on creating and deploying a REST-based web service in WebLogic. The requirement was to secure the web service, and I spent quite some time getting this to work. In this article I describe, step by step, how to secure a web service in WebLogic.

To secure a web service you need to update the following two deployment descriptors, both packaged inside the WAR file:

  1. web.xml
  2. weblogic.xml

First identify the role you will use to secure the web service. You can either create a new role and assign a few users to it, with the policy that only users in that role may access the web service, or reuse a role that already exists in one of the security realms in WebLogic.

I decided to secure this web service with the built-in WebLogic "Administrators" group, the principal that the global Admin role is granted to. Also make sure that the authentication provider the principal belongs to is configured for your deployment. In my deployment the "Administrators" group in myRealm (the default realm) is provided by the DefaultAuthenticator.

I am using the user "weblogic" to test the web service. Note that the "weblogic" user is a member of the Administrators group and is defined in the DefaultAuthenticator provider.

Contents of weblogic.xml

First add the following security-role-assignment to weblogic.xml. The wls: prefix needs the namespace declaration on the root element, so the root is shown here to make the fragment complete:

<wls:weblogic-web-app xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <wls:security-role-assignment>
    <!-- Application role name; this is the name referenced in web.xml -->
    <wls:role-name>Admin</wls:role-name>
    <!-- WebLogic principal (user or group) granted the role; here the Administrators group -->
    <wls:principal-name>Administrators</wls:principal-name>
  </wls:security-role-assignment>
</wls:weblogic-web-app>

Contents of web.xml

Add the following elements to web.xml:

<security-constraint>
  <web-resource-collection>
    <!-- Descriptive name; here the value used in the resource's @Path annotation -->
    <web-resource-name>securedService</web-resource-name>
    <!-- URL pattern of the web service, relative to the context root -->
    <url-pattern>/securedService/*</url-pattern>
    <!-- Only the listed methods are constrained; omit this element to constrain every method -->
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <!-- Role name defined in weblogic.xml above -->
    <role-name>Admin</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <!-- Realm string sent in the WWW-Authenticate challenge; it does not select the WebLogic security realm -->
  <realm-name>default</realm-name>
</login-config>
<security-role>
  <!-- Role name defined in weblogic.xml above -->
  <role-name>Admin</role-name>
</security-role>
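To see what the two descriptors together actually enforce, here is a small checker, added for this article and not code from the original post or from WebLogic. It parses the web.xml and weblogic.xml above (embedded inline, the article's own text) and reports, for a request with a given method, path and set of authenticated principals, whether the container would challenge it (401), forbid it (403) or pass it (200). It goes one step beyond the article's single case: it implements the Servlet url-pattern matching rules and carries a constructed hardened variant of the web.xml (no http-method list, uncovered methods denied, HTTPS required), so the uncovered-method pitfall and its fix show up side by side. The sample requests and the hardened descriptor are assumptions for the example, and the combination rules for overlapping constraints are simplified to first match.

```python
"""Policy checker for the web.xml / weblogic.xml pair shown above.

Added example, not code from the original post or from WebLogic. The two
descriptor strings are the article's own; HARDENED_WEB_XML and the requests
used in the checks are constructed for this example.
"""
import xml.etree.ElementTree as ET

WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>securedService</web-resource-name>
      <url-pattern>/securedService/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>default</realm-name></login-config>
  <security-role><role-name>Admin</role-name></security-role>
</web-app>"""

# Hardened variant (constructed): no http-method list, so every method is
# covered; any uncovered method denied explicitly; HTTPS required for the URL.
HARDENED_WEB_XML = (
    WEB_XML.replace("<http-method>POST</http-method>", "")
    .replace("</auth-constraint>", "</auth-constraint><user-data-constraint>"
             "<transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>")
    .replace("<login-config>", "<deny-uncovered-http-methods/><login-config>")
)

WEBLOGIC_XML = """<wls:weblogic-web-app xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <wls:security-role-assignment>
    <wls:role-name>Admin</wls:role-name>
    <wls:principal-name>Administrators</wls:principal-name>
  </wls:security-role-assignment>
</wls:weblogic-web-app>"""


def _local(tag):  # drop the XML namespace so both descriptors can be searched by name
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name):
    return [e.text.strip() for e in elem.iter() if _local(e.tag) == name and e.text]


def url_matches(pattern, path):
    """Servlet url-pattern rules: exact, path prefix '/x/*', extension '*.ext', default '/'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path or pattern == "/"


def load_policy(web_xml, weblogic_xml):
    web, wls = ET.fromstring(web_xml), ET.fromstring(weblogic_xml)
    constraints = []
    for sc in web.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        has_auth = any(_local(e.tag) == "auth-constraint" for e in sc)
        constraints.append({
            "patterns": _texts(sc, "url-pattern"),
            "methods": {m.upper() for m in _texts(sc, "http-method")},  # empty set: all methods
            "roles": set(_texts(sc, "role-name")) if has_auth else None,  # None: no login needed
            "confidential": "CONFIDENTIAL" in _texts(sc, "transport-guarantee"),
        })
    roles = {}  # application role -> WebLogic users/groups; unmapped roles grant nobody here
    for sra in wls.iter():
        if _local(sra.tag) == "security-role-assignment":
            for role in _texts(sra, "role-name"):
                roles.setdefault(role, set()).update(_texts(sra, "principal-name"))
    return {
        "constraints": constraints,
        "roles": roles,
        "realm": (_texts(web, "realm-name") or ["default"])[0],
        "deny_uncovered": any(_local(e.tag) == "deny-uncovered-http-methods" for e in web),
    }


def check_request(policy, method, path, principals=(), https=False):
    """Return (status, reason); principals are the user and group names the caller
    authenticated as, empty meaning no Authorization header was sent."""
    method, principals, uncovered = method.upper(), set(principals), False
    for c in policy["constraints"]:
        if not any(url_matches(p, path) for p in c["patterns"]):
            continue
        if c["methods"] and method not in c["methods"]:
            uncovered = True  # the URL is constrained, but not for this method
            continue
        if c["confidential"] and not https:
            return 302, "redirected to https (transport-guarantee CONFIDENTIAL)"
        if c["roles"] is None:
            return 200, "matching constraint has no auth-constraint"
        allowed = set().union(*(policy["roles"].get(r, set()) for r in c["roles"]))
        if not principals:
            return 401, 'WWW-Authenticate: Basic realm="%s"' % policy["realm"]
        if principals & allowed:
            return 200, "caller is in %s" % sorted(allowed)
        return 403, "authenticated, but not in %s" % sorted(allowed)
    if uncovered and policy["deny_uncovered"]:
        return 403, "uncovered method denied by deny-uncovered-http-methods"
    if uncovered:
        return 200, "UNCOVERED: %s not listed in http-method, served without authentication" % method
    return 200, "no constraint applies to this URL"
```

With the article's web.xml, check_request(policy, "GET", "/securedService/x") returns 200 with no credentials at all, while the same call against the hardened descriptor returns a 401 challenge over HTTPS and a redirect over plain HTTP; that difference is the whole reason to drop the http-method element.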

That's it. The web service is now protected: only callers whose principals are mapped to the Admin role, i.e. members of the Administrators group in the default realm myRealm, can invoke it. Two caveats before calling it done. With <http-method>POST</http-method> listed, only POST is constrained; GET, PUT or DELETE requests to the same URL are uncovered and are served without any authentication, so remove that element to constrain every method (and on Servlet 3.1 or later add <deny-uncovered-http-methods/> as a safety net). And BASIC sends the password base64-encoded, not encrypted, so add a <user-data-constraint> with <transport-guarantee>CONFIDENTIAL</transport-guarantee> to the constraint so the service is reachable only over HTTPS. Now let's test this using Postman.

When you call the URL from Postman or any other REST client without credentials, you now get

Error 401--Unauthorized

To get past this, set the Authorization header, and be careful to choose the authentication type that matches the auth-method declared in web.xml. In my example that is BASIC, so in the screenshot below I chose the type "Basic Auth".

[Screenshot: Postman Authorization tab with type "Basic Auth"]


With the credentials in place, the response body shows the expected output.
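The same exchange scripted instead of clicked through in Postman, as an added example that is not code from the original post: it builds the Basic Authorization value the way Postman's "Basic Auth" type does, decodes such a header the way the container does (splitting on the first colon only), parses the WWW-Authenticate challenge behind the 401, and wraps the POST with urllib so the check can run from a pipeline. The URL, user and password in the usage comment are placeholders (the article tests with the user "weblogic"); the realm string "default" matches the <realm-name> above. Because Basic sends the password only base64-encoded, the call refuses plain http:// unless explicitly allowed.

```python
"""Scripted client for the Basic-protected service shown above.

Added example, not code from the original post. Host, user and password
are placeholders; nothing here is WebLogic's own API.
"""
import base64
import urllib.error
import urllib.request


def basic_authorization(user, password):
    """Authorization header value, as Postman's 'Basic Auth' type sends it."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic(header):
    """Inverse of basic_authorization: what the container sees. Splits on the
    first colon only, so a password containing ':' survives the round trip."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential: %r" % scheme)
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def parse_www_authenticate(header):
    """Parse the 401 challenge, e.g. 'Basic realm="default"' -> ('Basic', {'realm': 'default'})."""
    scheme, _, rest = header.strip().partition(" ")
    params = {}
    for part in rest.split(","):
        key, _, value = part.strip().partition("=")
        if key:
            params[key.lower()] = value.strip().strip('"')
    return scheme, params


def call_secured_service(url, user, password, body=b"{}", allow_plain_http=False):
    """POST to the service with preemptive Basic credentials; returns (status, headers, body).

    A 401 is turned into an error that names the realm from the challenge, a 403
    into one that points at the role mapping, so misconfigurations are easy to spot.
    """
    if url.startswith("http://") and not allow_plain_http:
        raise ValueError("Basic auth over plain HTTP exposes the password; use https://")
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", basic_authorization(user, password))
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        if err.code == 401:
            scheme, params = parse_www_authenticate(err.headers.get("WWW-Authenticate", ""))
            raise PermissionError("401 from %s (realm %r, scheme %s): wrong user/password "
                                  "or auth-method mismatch" % (url, params.get("realm"), scheme)) from err
        if err.code == 403:
            raise PermissionError("403: authenticated, but the user is in no principal "
                                  "mapped to the role in weblogic.xml") from err
        raise


# Usage against a real server (placeholder host and password):
# call_secured_service("https://localhost:7002/app/securedService/ping", "weblogic", "<password>")
```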
