
jax-rs only authentication no authorization


I have a JAX-RS web service deployed on IBM WebSphere and I want to secure this WS when it receives requests (delegated from another server). So I use basic auth, set the username and password on a BasicAuthSecurityHandler object, and delegate the request to the other server. Now when the other server receives the request, I use the federated repository in WAS under Global security and do the authentication.

If I comment out the auth-constraint in the deployment descriptor, the authentication does not take place. I want to do only authentication and no authorization. I tried using the @PermitAll annotation on the Jax-WS method, but the authorization is also happening before the Jax-WS method is executed. So is there any way I can skip the authorization and still do the authentication?

I don't have any roles associated with my users, so I want to skip the authorization.

<security-constraint id="SecurityConstraint_1">
    <display-name>RESTSecurity</display-name>
    <web-resource-collection id="WebResourceCollection_1">
        <web-resource-name>DelegateReqComApp</web-resource-name>
        <description>
            Protection area for Rest resource /addresses
        </description>
        <url-pattern>/rest/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>

    <!-- Authorization Constraint commented out  -->
    <auth-constraint id="AuthConstraint_1">
        <description>
            Used to guard resources under this url-pattern
        </description>
        <role-name>iapawas012</role-name>
    </auth-constraint>
</security-constraint>

Solution

  • Keep the auth-constraint and map the iapawas012 role to the special subject ALL_AUTHENTICATED_USERS. It basically says that any user who successfully authenticates is authorized to invoke your service.
    You can do it either in the web admin console under Enterprise Applications > yourApplication > Security role to user/group mapping, or via the binding file ibm-application-bnd.xml in the EAR's META-INF folder:

    <?xml version="1.0" encoding="UTF-8"?>
    <application-bnd
        xmlns="http://websphere.ibm.com/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_2.xsd"
        version="1.2">
    
        <security-role name="iapawas012">
            <special-subject type="ALL_AUTHENTICATED_USERS" />
        </security-role>
    </application-bnd>
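For reference, here is the complete web.xml security section that goes with that binding, as an added example that is not part of the original question or answer. It reuses the role and resource names from the question; the realm-name and the transport guarantee are assumptions. Two points a practitioner should check in their own descriptor: under the Servlet specification, a security-constraint with no auth-constraint at all means the URLs are public (no authentication challenge, which is what the asker observed), while an empty <auth-constraint/> denies everyone; and listing <http-method> elements constrains only those methods, leaving PUT, DELETE, HEAD and the rest unprotected, so the example omits them to cover every method.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original post: full web.xml security section
     for the /rest/* resources. Names come from the question; realm-name and
     the CONFIDENTIAL transport guarantee are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <security-constraint>
    <display-name>RESTSecurity</display-name>
    <web-resource-collection>
      <web-resource-name>DelegateReqComApp</web-resource-name>
      <url-pattern>/rest/*</url-pattern>
      <!-- No <http-method> elements: the constraint then applies to every
           HTTP method. Listing only GET and POST would leave PUT, DELETE,
           HEAD, OPTIONS, etc. reachable without authentication. -->
    </web-resource-collection>

    <!-- Keep this block. Removing it makes /rest/* public; an empty
         <auth-constraint/> would deny all callers. The role is mapped to
         ALL_AUTHENTICATED_USERS in ibm-application-bnd.xml, so any
         authenticated identity passes the authorization check. -->
    <auth-constraint>
      <role-name>iapawas012</role-name>
    </auth-constraint>

    <!-- Assumed hardening: basic auth sends credentials base64-encoded, so
         require TLS for this URL space. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- BASIC auth against the federated repository configured under
       Global security; the realm-name shown to clients is an assumption. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>DelegateReqComApp</realm-name>
  </login-config>

  <!-- The role referenced by the auth-constraint must be declared here so
       the mapping in the binding file has something to bind to. -->
  <security-role>
    <role-name>iapawas012</role-name>
  </security-role>
</web-app>
```

After deploying, a quick check is to request a /rest/ URL once without credentials (expect a 401 with a WWW-Authenticate: Basic challenge) and once with a valid federated-repository user (expect the normal response); a user that exists but carries no group or role should also succeed, which is exactly the effect of the ALL_AUTHENTICATED_USERS mapping.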