BPM, Workflow, and Case

  • 1.  Protected Web Service

    Posted 2 days ago

    Hi All,

    Can a consumer of IBM BAW-protected web services pass Basic Authentication credentials in the HTTP header instead of the request body?

    We've exposed a protected web service in IBM BAW. However, our security architect has requested that the username and password not be sent in the body of the request.

    Below is a snippet of the protected web service WSDL where username and password are part of the body:



    ------------------------------
    Manish Poddar
    ------------------------------


  • 2.  RE: Protected Web Service

    Posted yesterday

    This "protection" (checkbox: Protected) is something very old, left for compatibility with archaic Lombardi versions.  
    Just uncheck this option for the Web Service.

    On BAW hosted on tWAS, use a WebSphere Policy to enable basic authentication.
    BAW from Cloud Pak for Business Automation has Web Services basic authentication enabled by default.



    ------------------------------
    Sebastian Tylko
    ------------------------------



  • 3.  RE: Protected Web Service

    Posted 23 hours ago

    Thanks, Sebastian, for your quick response.

    I believe the BPMHTTPBasicAuthentication policy set might be the most suitable option for us.

    Do you have any documentation or examples related to WebSphere's BPMHTTPBasicAuthentication configuration?



    ------------------------------
    Manish Poddar
    ------------------------------



  • 4.  RE: Protected Web Service

    Posted 9 hours ago

    No. It is definitely not as easy as choosing a predefined policy and policy binding. What is publicly documented is only WS-Security (e.g. UsernameToken).

    However, what might be relatively easy (on modern BAW) is changing the Target Environment to: Traditional or Container. Then you will lose support for Web Service Policy and also this legacy "Protected" checkbox - but you will have Basic Authentication enabled by default in the same way as in Cloud Pak. You don't have to do anything else. And it will also work on traditional WAS.



    ------------------------------
    Sebastian Tylko
    ------------------------------