BPM, Workflow, and Case

  • 1.  Insufficient authentication data while calling BAW webservice

    Posted Thu August 19, 2021 09:27 AM
    Hi All,

    I created a protected webservice within a BAW application and set the policy set and binding correctly for it. When I call this webservice from soapUI, I get Internal Error response and WAS logs this: CWLLG1510E: The web service is protected but the request did not contain the proper credentials.

    Note: when the webservice is not protected, the call is successful without any authentication of course.

    The application policy set is copy of the BPMHTTPBasicAuthentication (but I tried to create a new from scratch containing http and ssl transport, the result is the same), the General provider policy set binding is new, contains http and ssl transport, the username and password is set for Basic authentication for outbound asynchronous service responses.

    Policy set


    Policy set binding

    At application side the policy set and binding is set for the webservice.


    Calling from soapUI

    Response:

    What's wrong? Why is the call unsuccessful? How could I fix this?

    Thanks,

    ------------------------------
    Laszlo
    ------------------------------


  • 2.  RE: Insufficient authentication data while calling BAW webservice

    Posted Fri August 20, 2021 02:30 AM

    Hi Laszlo,

    a Policy Set cannot be used to require authentication. 
    The HTTP binding you provide specifies credentials that your Web Service will send in asynchronous responses. This is unrelated to expected inbound authentication.
    I would expect this configuration to have no effect and continue to work without authentication.

    However, although it is not in your screenshots, you probably have set some flag in Web Process Designer to protect your Web Service. This message is coming from BAW code, not the WAS policy set:
    https://www.ibm.com/docs/en/baw/20.x?topic=cwllg-cwllg1510e

    I know that enabling the "protected" flag does something completely unexpected: it expects credentials to be sent as part of the SOAP message - maybe even as part of the payload.
    The old redbook has an example where username and password are added to your WSDL interface description: https://www.redbooks.ibm.com/redbooks/pdfs/sg248027.pdf p.154

    I just gave it a try and the behavior is still the same: two elements are added to your operation's interface

    <element name="username" type="xsd:string"/>
    <element name="password" type="xsd:string"/>

    ------------------------------
    Jens Engelke
    ------------------------------



  • 3.  RE: Insufficient authentication data while calling BAW webservice

    Posted Fri August 20, 2021 04:02 AM

    Hi Jens,

    Thanks for your reply! As you see, this is new for me, and I haven't found helpful descriptions and samples (or only for old BPM versions)...
    Really, I turned on the protected checkbox for the webservice definition and I supposed the policy settings would set the required authentication data.


    But now I have another problem: where can I specify the username and password required to call this webservice? Earlier versions did display fields for this as I remember, but now there is no option for setting these two values. Can you help me please?

    Thanks,
    ------------------------------
    Laszlo
    ------------------------------



  • 4.  RE: Insufficient authentication data while calling BAW webservice

    Posted Fri August 20, 2021 04:39 AM
    Hi Laszlo,

    https://www.ibm.com/docs/en/baw/20.x?topic=service-creating-web says "If you want to add user name and password security to the operations, enable Protected. The user name and password must be registered at the server and the user name must have at least read access to the process application. "

    BAW will verify correctness of the username/password combination in the user registry.
    If you require additional authorization, your code in the Web service implementation can check usernames, group and team memberships via JS API. There is no configurable authorization.

    ------------------------------
    Jens Engelke
    ------------------------------



  • 5.  RE: Insufficient authentication data while calling BAW webservice

    Posted Fri August 20, 2021 05:43 AM
    Hi Jens, 

    Now I see how it works, many-many thanks!


    ------------------------------
    Laszlo Kertesz
    ------------------------------



  • 6.  RE: Insufficient authentication data while calling BAW webservice

    Posted Fri August 20, 2021 10:05 AM
    Hi Jens,

    Let me ask one more thing: how can we specify a user to access the process application containing the webservice on a test / stage / production environment? There is no such Manage page like the one on the development environment within Process Center, so I don't see where to add at least read access to the user for that bpm application. :(

    Thanks,

    ------------------------------
    Laszlo
    ------------------------------



  • 7.  RE: Insufficient authentication data while calling BAW webservice

    Posted Fri August 20, 2021 10:48 AM
    Hi Laszlo,

    consider the "protected" as authentication only and handle authorization in your application code.
    When the flag is set, the user must be authenticated and your code can find out who the user is and in which groups/teams she is. Your code can be configurable per environment to require different group or team membership.

    ------------------------------
    Jens Engelke
    ------------------------------



  • 8.  RE: Insufficient authentication data while calling BAW webservice

    Posted Fri August 20, 2021 11:36 AM
    Edited by Laszlo Kertesz Sat August 21, 2021 03:58 AM
    Hi Jens,

    Yes, that's clear that I have to check the authorization in my code, but how do I tell BAW in TEST / STAGE / PROD environments which user can call the webservice? In the development environment it is enough to create a user and give it read access to the application, but how to do the same in TEST / STAGE / PROD environments, where there is no Process Center? In these environments I can create a user, but where do I assign read rights to the app?

    Update:
    When there is a snapshot created and activated, BAW does not check the user rights (at least read right) in the DEV environment for that snapshot as I see. The snapshot is callable without any rights given to the user. Is it possible that in TEST / STAGE / PROD environments and for activated snapshots in the DEV environment any BAW user is automatically granted the right to call the webservice, and we have to check the caller user for authorization? As I see, tw.system.user contains the caller user.

    Thx,

    ------------------------------
    Laszlo
    ------------------------------



  • 9.  RE: Insufficient authentication data while calling BAW webservice

    Posted Mon August 23, 2021 09:31 AM
    Hi Laszlo,

    With the protected checkbox turned on every authenticated user is able to invoke the web service. If you want finer grained authorization you need to handle authorization by using JS APIs.
    For example, if you want to allow the user John to invoke the web service in Test and the user Claire in Stage then you could add an environment variable "AUTHORIZED_USER" to your process app with the value set to "John" in Test and to "Claire" in Stage.  You could then add a script task to your service flow that is invoked by the web service. Within the script task you would compare the authenticated user (tw.system.user) with the value of the environment variable.
    Alternatively you could also create a team and check the membership of the authenticated user.

    ------------------------------
    Maximilian Tews
    ------------------------------