Tags: soap, http-headers, wsdl, basic-authentication, wsdl-2.0

WSDL 2.0 file: enforce Basic Authentication


I have recently created a WSDL 2.0 file that describes a SOAP web service. I would like to enforce a basic authentication to the webservice so that the clients of this web service must always add an HTTP authorization header in their requests.

Is it possible to add something to the WSDL file to achieve this? Does someone please have an example/extract of such a file?

I have been googling this all afternoon and I have encountered several posts which led me to think that it was possible; however, I never found any real example nor any mention of it in the wsdl20.xsd specification file.

Thanks,


Solution

  • Theoretically, you could run a SOAP service over any kind of protocol, not just HTTP (although this is almost always the choice). Also, the contract of the SOAP service does not usually change when you change the details of the transport protocol. And since Basic Authentication is a characteristic of the transport protocol, not the SOAP protocol, Basic Authentication is not something you normally describe in the WSDL file.

    You can have a service that works over HTTP, that you can then change to work over HTTPS, that then you can change to work with HTTPS + Basic Authentication, etc., and the SOAP web service contract is still the same.

    You configure Basic Authentication at the web server level and that's not any different than exposing HTML pages instead of SOAP XML messages. A page you can ask over HTTPS does not change when you replace the call with an HTTPS + Basic Authentication. The way you communicate with the web server is different, but the exchanged resources are the same.

    If you want to enforce some simple security, you could go with HTTPS and a WS-Security policy, which you can include in the WSDL as part of the contract, because it's the SOAP service that now needs to handle this. The HTTP Basic Authentication mechanism can be moved to the SOAP service with a Web Services Security UsernameToken policy for example. You can then have a SOAP header (not HTTP header) like:

    <!-- wsse is the WS-Security 1.0 secext namespace; the header is normally carried inside wsse:Security -->
    <wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:Username>[email protected]</wsse:Username>
      <wsse:Password>p@$$word</wsse:Password>
    </wsse:UsernameToken>
    

    If a request comes without this header, you just reject the message. It's basically the same mechanism, but at the SOAP service level, not the HTTP transport level.

    Since you mentioned you have a WSDL 2.0, it might be possible to specify such details when binding the service endpoint. See for example Specifying HTTP Access Authentication in the predefined extensions for use in WSDL 2.0. I have never used this extension though, and I am not sure how it will work, or if existing tools even implement it, but like you mentioned in your question, it might be possible.

    Not sure if this is a proper answer for your question, but it was too big for a comment, so adding it here instead.

    And as a final comment, no matter if you go with Basic Authentication as an HTTP header, or UsernameToken as a SOAP header, in both cases you need to use a secure transport like HTTPS or the username and password will be in clear text during transit. If you want to add security over HTTP, then you will need to move that security to the message level, which usually involves encrypting and signing the SOAP message.
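The following Python module is an added example, not code from the question or the answer above. It shows the server side of the two enforcement points the answer describes: rejecting a request whose HTTP `Authorization` header carries no valid Basic credentials (transport level), and rejecting a SOAP message whose `wsse:Security` header carries no valid `UsernameToken` (message level). It also reads the `whttp:authenticationScheme` / `whttp:authenticationRealm` attributes that the WSDL 2.0 Part 2 (Adjuncts) HTTP binding lets you put on a `wsdl:endpoint`; the attribute names and the `basic` value are taken from that specification as the writer remembers it, so treat them as an assumption to verify against the spec text. The credential store, endpoint URL and sample messages are constructed for the demo; the namespace URIs are the standard SOAP 1.1/1.2, WS-Security 1.0 and WSDL 2.0 ones.

```python
# Added example (not from the question or answer): server-side checks for the two
# options discussed above, plus a reader for the WSDL 2.0 HTTP-binding attributes.
# All credentials, URLs and messages here are constructed for the demo.
import base64
import hmac
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SOAP_ENVELOPES = (
    "http://www.w3.org/2003/05/soap-envelope",   # SOAP 1.2
    "http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1
)
WSDL2 = "http://www.w3.org/ns/wsdl"
WHTTP = "http://www.w3.org/ns/wsdl/http"

# Constructed credential store; a real service would hold salted password hashes.
USERS = {"alice": "s3cret-demo"}


def _password_ok(user, password):
    expected = USERS.get(user)
    if expected is None:
        hmac.compare_digest(password.encode(), password.encode())  # keep timing uniform
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def basic_header(user, password):
    """Build the Authorization header a client would send (used for the demo input)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def check_basic_auth(headers):
    """Transport-level check: Basic credentials in the HTTP Authorization header."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is None:
        return False, "missing Authorization header"
    scheme, _, param = auth.partition(" ")
    if scheme.lower() != "basic" or not param.strip():
        return False, "not Basic scheme"
    try:  # binascii.Error and UnicodeDecodeError are both ValueError subclasses
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except ValueError:
        return False, "malformed credentials"
    user, sep, password = decoded.partition(":")
    if not sep or not _password_ok(user, password):
        return False, "bad credentials"
    return True, user


def check_username_token(soap_xml):
    """Message-level check: wsse:UsernameToken inside wsse:Security in the SOAP Header."""
    try:
        root = ET.fromstring(soap_xml)
    except ET.ParseError:
        return False, "not well-formed XML"
    ns = next((n for n in SOAP_ENVELOPES if root.tag == f"{{{n}}}Envelope"), None)
    if ns is None:
        return False, "not a SOAP envelope"
    header = root.find(f"{{{ns}}}Header")
    token = None if header is None else header.find(f"{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        return False, "missing wsse:UsernameToken"  # reject the message, as the answer suggests
    user = token.findtext(f"{{{WSSE}}}Username")
    password = token.findtext(f"{{{WSSE}}}Password")
    if user is None or password is None or not _password_ok(user, password):
        return False, "bad credentials"
    return True, user


def declared_http_auth(wsdl_xml):
    """Map endpoint name -> (scheme, realm) from whttp:authenticationScheme/Realm (assumed names)."""
    root = ET.fromstring(wsdl_xml)
    return {
        ep.get("name"): (ep.get(f"{{{WHTTP}}}authenticationScheme"),
                         ep.get(f"{{{WHTTP}}}authenticationRealm"))
        for ep in root.iter(f"{{{WSDL2}}}endpoint")
    }


# Constructed WSDL 2.0 fragment advertising Basic auth on the endpoint.
SAMPLE_WSDL = f"""<description xmlns="{WSDL2}" xmlns:whttp="{WHTTP}"
  xmlns:tns="http://example.invalid/demo" targetNamespace="http://example.invalid/demo">
  <service name="DemoService" interface="tns:DemoInterface">
    <endpoint name="DemoEndpoint" binding="tns:DemoBinding"
      address="https://example.invalid/demo"
      whttp:authenticationScheme="basic" whttp:authenticationRealm="demo"/>
  </service>
</description>"""

# Constructed SOAP 1.2 request carrying a UsernameToken.
SAMPLE_SOAP = f"""<soap:Envelope xmlns:soap="{SOAP_ENVELOPES[0]}" xmlns:wsse="{WSSE}">
  <soap:Header><wsse:Security><wsse:UsernameToken>
    <wsse:Username>alice</wsse:Username><wsse:Password>s3cret-demo</wsse:Password>
  </wsse:UsernameToken></wsse:Security></soap:Header>
  <soap:Body><Ping xmlns="http://example.invalid/demo"/></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print(declared_http_auth(SAMPLE_WSDL))
    print(check_basic_auth(basic_header("alice", "s3cret-demo")), check_basic_auth({}))
    print(check_username_token(SAMPLE_SOAP))
```

Both checks deliberately return only a coarse reason, so a failed login does not tell the caller whether the user exists, and both compare passwords with `hmac.compare_digest`. Neither check makes the credentials safe on the wire; as the answer says, either one still needs HTTPS (or message-level signing and encryption) because the password travels in the clear.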