Hi Jens,
Yes, it's clear that I have to check the authorization in my code, but how do I tell BAW in the TEST / STAGE / PROD environments which user can call the webservice? In the development environment it is enough to create a user and give it read access to the application, but how do I do the same in the TEST / STAGE / PROD environments, where there is no Process Center? In these environments I can create a user, but where do I assign read rights to the app?
Update:
When a snapshot is created and activated, BAW does not check the user rights (at least the read right) in the DEV environment for that snapshot, as far as I can see. The snapshot is callable without any rights given to the user. Is it possible that in the TEST / STAGE / PROD environments, and for activated snapshots in the DEV environment, any BAW user is automatically allowed to call the webservice, and we have to check the caller user for authorization ourselves? As I see, tw.system.user contains the caller user.
Thx,
------------------------------
Laszlo
------------------------------
Original Message:
Sent: Fri August 20, 2021 10:47 AM
From: Jens Engelke
Subject: Insufficient authentication data while calling BAW webservice
Hi Laszlo,
consider the "protected" as authentication only and handle authorization in your application code.
When the flag is set, the user must be authenticated and your code can find out who the user and in which groups/teams she is. Your code can be configurable per environment to require different group or team membership.
------------------------------
Jens Engelke
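One way to implement the per-environment authorization check Jens describes, as an added example that is not code from the thread or from IBM: the check reads the authenticated caller from tw.system.user (mentioned in the thread) and compares it against a team whose name comes from a process-app environment variable, so each environment (TEST / STAGE / PROD) can name a different team. The names tw.env.wsCallerTeam, tw.system.org.findTeamByName() and team.members are assumptions about the BAW JS API and should be verified against your BAW version; the makeTw() stub and the sample team are constructed so the logic runs offline.

```javascript
// Authorization check for a protected BAW web service. Runs after BAW has
// authenticated the caller; it decides whether that caller may invoke the
// operation. Written against the tw object so it can be pasted into the
// service implementation script; tw is a parameter here so it is testable.
function authorizeCaller(tw) {
  var caller = tw.system.user; // authenticated caller (set when "Protected" is on)
  if (!caller || !caller.name) {
    return { allowed: false, reason: "no authenticated caller" };
  }
  // Per-environment configuration: an environment variable naming the team
  // whose members may call the service (assumed API name: tw.env.wsCallerTeam).
  var teamName = tw.env.wsCallerTeam;
  if (!teamName) {
    return { allowed: false, reason: "wsCallerTeam is not configured in this environment" };
  }
  var team = tw.system.org.findTeamByName(teamName); // assumed API name
  if (!team) {
    return { allowed: false, reason: "team '" + teamName + "' not found" };
  }
  for (var i = 0; i < team.members.length; i++) { // assumed: members is a list of users
    if (team.members[i].name === caller.name) {
      return { allowed: true, reason: "member of " + teamName };
    }
  }
  return { allowed: false, reason: caller.name + " is not a member of " + teamName };
}

// Constructed stand-in for the BAW tw object so the check can run offline.
function makeTw(callerName, envTeam, teams) {
  return {
    system: {
      user: callerName ? { name: callerName } : null,
      org: { findTeamByName: function (n) { return teams[n] || null; } }
    },
    env: { wsCallerTeam: envTeam }
  };
}

// Constructed sample team; in BAW the team comes from the user registry.
var sampleTeams = { "ws-clients-test": { members: [{ name: "svc_ws_test" }] } };

// In the service script, reject the call when the check fails, e.g.:
//   var decision = authorizeCaller(tw);
//   if (!decision.allowed) { throw new Error("Not authorized: " + decision.reason); }
```

Throwing from the service script returns a fault to the SOAP caller, which keeps the deny decision out of the normal response payload.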
Original Message:
Sent: Fri August 20, 2021 10:04 AM
From: Laszlo Kertesz
Subject: Insufficient authentication data while calling BAW webservice
Hi Jens,
Let me ask one more thing: how can we specify a user to access the process application containing the webservice on a test / stage / production environment? There is no such Manage page like the one on the development environment within Process Center, so I don't see where to add at least read access to the user for that bpm application. :(
Thanks,
------------------------------
Laszlo
Original Message:
Sent: Fri August 20, 2021 04:38 AM
From: Jens Engelke
Subject: Insufficient authentication data while calling BAW webservice
Hi Laszlo,
https://www.ibm.com/docs/en/baw/20.x?topic=service-creating-web says "If you want to add user name and password security to the operations, enable Protected. The user name and password must be registered at the server and the user name must have at least read access to the process application. "
BAW will verify correctness of the username/password combination in the user registry.
If you require additional authorization, your code in the Web service implementation can check usernames, group and team memberships via JS API. There is no configurable authorization.
------------------------------
Jens Engelke
Original Message:
Sent: Fri August 20, 2021 04:02 AM
From: Laszlo Kertesz
Subject: Insufficient authentication data while calling BAW webservice
Hi Jens,
Thanks for your reply! As you see, this is new for me, and I haven't found helpful descriptions and samples (or only for old BPM versions)...
Indeed, I turned on the protected checkbox for the webservice definition and I assumed the policy settings would set the required authentication data.
But now I have another problem: where can I specify the username and password required to call this webservice? Earlier versions displayed fields for this, as I remember, but now there is no option for setting these two values. Can you help me please?
Thanks,
------------------------------
Laszlo
Original Message:
Sent: Fri August 20, 2021 02:30 AM
From: Jens Engelke
Subject: Insufficient authentication data while calling BAW webservice
Hi Laszlo,
a Policy Set cannot be used to require authentication.
The HTTP binding you provide specifies credentials that your Web Service will send in asynchronous responses. This is unrelated to expected inbound authentication.
I would expect this configuration to have no effect and continue to work without authentication.
However, not in your screenshots, you probably have set some flag in Web Process Designer to protect your Web Service. This message is coming from BAW code, not the WAS policy set:
https://www.ibm.com/docs/en/baw/20.x?topic=cwllg-cwllg1510e
I know that enabling the "protected" flag does something completely unexpected: it expects credentials to be sent as part of the SOAP message - maybe even as part of the payload.
The old redbook has an example where username and password are added to your WSDL interface description: https://www.redbooks.ibm.com/redbooks/pdfs/sg248027.pdf p.154
I just gave it a try and the behavior is still the same: two elements are added to your operation's interface
<element name="username" type="xsd:string"/>
<element name="password" type="xsd:string"/>
------------------------------
Jens Engelke
Original Message:
Sent: Thu August 19, 2021 09:26 AM
From: Laszlo Kertesz
Subject: Insufficient authentication data while calling BAW webservice
Hi All,
I created a protected webservice within a BAW application and set the policy set and binding correctly for it. When I call this webservice from soapUI, I get Internal Error response and WAS logs this: CWLLG1510E: The web service is protected but the request did not contain the proper credentials.
Note: when the webservice is not protected, the call is successful without any authentication of course.
The application policy set is a copy of BPMHTTPBasicAuthentication (but I also tried to create a new one from scratch containing http and ssl transport, with the same result), the General provider policy set binding is new, contains http and ssl transport, and the username and password are set for Basic authentication for outbound asynchronous service responses.
[Screenshots: Policy set; Policy set binding]
On the application side, the policy set and binding are set for the webservice.
[Screenshots: Calling from soapUI; Response]
What's wrong? Why is the call unsuccessful? How could I fix this?
Thanks,
------------------------------
Laszlo
------------------------------