Release 10.1A: OpenEdge Application Server: Administration


Enabling Web services per user and per application

When you install the WSA, you can choose to enable security. In this case, security is preset to allow any user authenticated and authorized by the JSE to access any deployed Web service application. You can, however, restrict access to Web service applications per user and per application. The technique involves creating a WSA instance for each unique user community, setting the security of each WSA instance to restrict access to that user community, and deploying to each WSA instance only the Web services for its user community.

For example, suppose the Acme Company wants to deploy as Web services the applications described in Table 7–11.

Table 7–11: Enabling Web services per user and per application

| This application ... | Available to ... | Lets its users ... |
|---|---|---|
| Accounting (Query Only) | All department managers and their superiors. | Read any record in the Accounting system. |
| Accounting (Update) | Members of the Accounting department only. | Read, modify, and create records in the Accounting system. |
| Human Resources | Members of the Human Resources department only. | Read, modify, and create records in the Human Resources system. |
| Work Tracking | All employees. | Record the time spent on each project. |

To enable Web services per user and per application:

  1. Set up the WSA instances, security-constraint URL-patterns, and role names shown in Table 7–12.

    Table 7–12: Sample Web service security constraints by application and role name

    | Application | WSA instance name | Security-constraint URL-pattern | Role-name |
    |---|---|---|---|
    | Accounting-Full | accntg | /accntg/ | Acctdept |
    | Accounting-Query | accntgquery | /accntgquery/ | DeptMgr |
    | Human Resources | Hr | /hr/ | Hrdept |
    | Work-Tracking | worktracking | /worktracking/ | Users |

  2. In the properties of each WSA instance, require user authorization to Web service applications:
    • If the WSA is local, using Progress Explorer, select the WSA instance, right-click, and select Properties. Select Security to display the Security panel. In the Security panel, add user authorization to Web services.
    • If the WSA instance is remote, using a text editor, edit the ubroker.properties file. Add user authorization to Web services.
  3. In the JSE’s user database, assign each employee the appropriate role, as shown in Table 7–13.

    Table 7–13: Sample Web service user roles

    | To these employees ... | Assign this role ... |
    |---|---|
    | All department managers and their superiors. | DeptMgr |
    | All employees of the company. | Users |
    | All members of the Accounting department. | Acctdept |
    | All members of the Human Resources department. | Hrdept |

    The resulting web.xml file appears as shown in Table 7–14.

    Table 7–14: Possible web.xml file for enabling Web services per user per application

    <?xml version="1.0" encoding="ISO-8859-1"?> 
    <!DOCTYPE web-app 
      PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" 
      "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd"> 
    <web-app> 
      <display-name>Web Services Adapter</display-name> 
    
      <!-- List all of the servlet definitions here --> 
      <servlet> 
        <servlet-name>hr_servlet</servlet-name> 
        <display-name>Web Services Adapter hr servlet</display-name> 
        <servlet-class>com.progress.wsa.WsaServlet</servlet-class> 
        <init-param> 
          <param-name>InstallDir</param-name> 
          <param-value>/progress/openedge</param-value> 
        </init-param> 
        <init-param> 
          <param-name>instanceName</param-name> 
          <param-value>hr</param-value> 
        </init-param> 
        <init-param> 
          <param-name>propertyFileName</param-name> 
          <param-value>/progress/openedge/properties/ubroker.properties 
          </param-value> 
        </init-param> 
      </servlet> 
    
      <servlet> 
        <servlet-name>worktracking_servlet</servlet-name> 
        <display-name>Web Services Adapter worktracking servlet 
        </display-name> 
        <servlet-class>com.progress.wsa.WsaServlet</servlet-class> 
        <init-param> 
          <param-name>InstallDir</param-name> 
          <param-value>/progress/openedge</param-value> 
        </init-param> 
        <init-param> 
          <param-name>instanceName</param-name> 
          <param-value>worktracking</param-value> 
        </init-param> 
        <init-param> 
          <param-name>propertyFileName</param-name> 
          <param-value>/progress/openedge/properties/ubroker.properties 
          </param-value> 
        </init-param> 
      </servlet> 
    
      <servlet> 
        <servlet-name>accntgquery_servlet</servlet-name> 
        <display-name>Web Services Adapter accounting-query servlet 
        </display-name> 
        <servlet-class>com.progress.wsa.WsaServlet</servlet-class> 
        <init-param> 
          <param-name>InstallDir</param-name> 
          <param-value>/progress/openedge</param-value> 
        </init-param> 
        <init-param> 
          <param-name>instanceName</param-name> 
          <param-value>accntgquery</param-value> 
        </init-param> 
        <init-param> 
          <param-name>propertyFileName</param-name> 
          <param-value>/progress/openedge/properties/ubroker.properties 
          </param-value> 
        </init-param> 
      </servlet> 
    
      <servlet> 
        <servlet-name>accntg_servlet</servlet-name> 
        <display-name>Web Services Adapter full accounting servlet
        </display-name>
        <servlet-class>com.progress.wsa.WsaServlet</servlet-class> 
        <init-param> 
          <param-name>InstallDir</param-name> 
          <param-value>/progress/openedge</param-value> 
        </init-param> 
        <init-param> 
          <param-name>instanceName</param-name> 
          <param-value>accntg</param-value> 
        </init-param> 
        <init-param> 
          <param-name>propertyFileName</param-name> 
          <param-value>/progress/openedge/properties/ubroker.properties 
          </param-value> 
        </init-param> 
      </servlet> 
    
      <!-- List all of the servlet mappings here --> 
      <servlet-mapping> 
        <servlet-name>hr_servlet</servlet-name> 
        <url-pattern>/hr/*</url-pattern> 
      </servlet-mapping> 
      <servlet-mapping> 
        <servlet-name>worktracking_servlet</servlet-name> 
        <url-pattern>/worktracking/*</url-pattern> 
      </servlet-mapping> 
      <servlet-mapping> 
        <servlet-name>accntgquery_servlet</servlet-name> 
        <url-pattern>/accntgquery/*</url-pattern> 
      </servlet-mapping> 
      <servlet-mapping> 
        <servlet-name>accntg_servlet</servlet-name> 
        <url-pattern>/accntg/*</url-pattern> 
      </servlet-mapping> 
    
      <!-- List all of the security constraints here -->
      <security-constraint> 
        <web-resource-collection> 
          <web-resource-name>HR Web Services</web-resource-name> 
          <url-pattern>/hr/</url-pattern> 
          <http-method>POST</http-method>  
        </web-resource-collection> 
        <auth-constraint> 
          <role-name>Hrdept</role-name> 
        </auth-constraint> 
      </security-constraint> 
    
      <security-constraint> 
        <web-resource-collection> 
          <web-resource-name>Work-Tracking Web Services</web-resource-name> 
          <url-pattern>/worktracking/</url-pattern> 
          <http-method>POST</http-method>  
        </web-resource-collection> 
        <auth-constraint> 
          <role-name>Users</role-name> 
        </auth-constraint> 
      </security-constraint> 
    
      <security-constraint> 
        <web-resource-collection> 
          <web-resource-name>Accounting-query Web Services 
          </web-resource-name> 
          <url-pattern>/accntgquery/</url-pattern> 
          <http-method>POST</http-method>    
        </web-resource-collection> 
        <auth-constraint> 
          <role-name>DeptMgr</role-name> 
        </auth-constraint> 
      </security-constraint> 
    
      <security-constraint> 
        <web-resource-collection> 
          <web-resource-name>Accounting Web Services</web-resource-name> 
          <url-pattern>/accntg/</url-pattern> 
          <http-method>POST</http-method>    
        </web-resource-collection> 
        <auth-constraint> 
          <role-name>Acctdept</role-name> 
        </auth-constraint> 
      </security-constraint> 
    
      <login-config> 
        <auth-method>BASIC</auth-method> 
        <realm-name>Acme Company Web Services</realm-name> 
      </login-config> 
    </web-app> 
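
A coverage check for a descriptor like the one above, added here as an example and not part of the Progress documentation. Under the Java Servlet specification, a url-pattern with no wildcard matches one exact path, and a web-resource-collection that lists http-method elements constrains only those methods, so each security-constraint is worth comparing against the servlet-mapping it is meant to protect. The function names are illustrative, and the script assumes a DTD-style web.xml with no XML namespace, as in the listing.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the hr entries from the listing, trimmed to what the check reads.
SAMPLE_WEB_XML = """<web-app>
  <servlet-mapping>
    <servlet-name>hr_servlet</servlet-name>
    <url-pattern>/hr/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HR Web Services</web-resource-name>
      <url-pattern>/hr/</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Hrdept</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def covers(constraint_pattern, mapping_pattern):
    """True if a constraint url-pattern matches every path the mapping serves."""
    if constraint_pattern.endswith("/*"):  # path-prefix pattern
        prefix = constraint_pattern[:-2]
        base = mapping_pattern[:-2] if mapping_pattern.endswith("/*") else mapping_pattern
        return base == prefix or base.startswith(prefix + "/")
    # No wildcard: exact match only (extension patterns are not modelled here)
    return constraint_pattern == mapping_pattern

def audit(web_xml):
    """Map each servlet-mapping url-pattern to a list of coverage findings."""
    root = ET.fromstring(web_xml)
    collections = [([p.text.strip() for p in c.findall("url-pattern")],
                    [m.text.strip() for m in c.findall("http-method")])
                   for c in root.iter("web-resource-collection")]
    report = {}
    for mapping in root.iter("servlet-mapping"):
        served = mapping.findtext("url-pattern").strip()
        hits = [methods for patterns, methods in collections
                if any(covers(p, served) for p in patterns)]
        if not hits:
            report[served] = ["no security-constraint url-pattern covers this mapping"]
        elif all(hits):  # every covering collection names specific methods
            named = sorted({m for methods in hits for m in methods})
            report[served] = ["only %s constrained" % ",".join(named)]
        else:
            report[served] = []
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_WEB_XML))
```

An empty finding list for a mapping means some constraint covers its whole path space for every HTTP method.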
    


Copyright © 2005 Progress Software Corporation