Web Services Security
Web services offer new possibilities for the integration of business systems in a company’s system landscape. However, due to the openness of the Web services design, you do need to take special care to provide these services in a secure way and not to impose security risks on existing systems.
To secure the transmission of the SOAP documents and to ensure that only authorized users can have them processed, the AS Java provides several mechanisms, which include securing the communication channel, authenticating the client, and providing for authorizations.
To use a Web service, a user (or other client) sends a document to a server using the Simple Object Access Protocol (SOAP), which is then sent over the network using the HTTP protocol. Therefore, to secure this communication, use the SSL protocol, which is supported by the AS Java. See Configuring the Use of SSL on the AS Java.
The following authentication mechanisms are available when using Web services:
· Basic Authentication (user ID and password)
To use Basic Authentication, the Web service must be set up to authenticate the user using user ID and password. Also, the login module stack for the service must include the module BasicPasswordLoginModule.
· X.509 client certificates (SSL with mutual authentication)
To use client certificates, the Web service must be set up to use strong authentication. The AS Java must also be configured to support SSL and client certificates for user authentication and the login module stack for the service must include the module ClientCertLoginModule.
The public-key certificates are stored in the AS Java’s keystore.
· Logon tickets
To use logon tickets, the Web service must be set up to authenticate the user using user ID and password. If the Web service is to create a logon ticket for the user, then its login module stack must include the module CreateTicketLoginModule. If it is to accept logon tickets for user authentication, then the login module stack must contain the module EvaluateTicketLoginModule.

Web services may also be set up as public services that do not require user authentication.
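The following is an added example, not SAP code or an AS Java configuration, that models the three authentication mechanisms above as login module stacks built from the four named modules. It assumes a JAAS-style evaluation where REQUIRED modules must all pass and a passing SUFFICIENT module ends the stack early, a cookie named LOGONTICKET for the logon ticket, an HMAC as a stand-in for the digital signature on real logon tickets, and constructed users, passwords and client-certificate subjects. The TLS layer is assumed to have already validated the client certificate; the module only maps its subject to a user ID.

```python
import base64
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data for the model (not real AS Java users or keys).
USERS = {"alice": "s3cret"}                    # user ID -> password
CERT_MAP = {"CN=alice, O=Example": "alice"}    # verified cert subject -> user ID
TICKET_KEY = b"constructed-demo-signing-key"   # stand-in for the server's signing key
TICKET_COOKIE = "LOGONTICKET"                  # cookie name assumed for the model


@dataclass
class Request:
    """What the server sees before the SOAP body is processed."""
    headers: Dict[str, str]
    tls_client_cert_subject: Optional[str] = None  # set by the TLS layer on mutual auth


@dataclass
class Subject:
    user: Optional[str] = None
    issued_ticket: Optional[str] = None


def make_ticket(user: str, ttl_s: int = 3600, now: Optional[int] = None) -> str:
    """Toy logon ticket 'user|expiry|HMAC' (real tickets are digitally signed)."""
    exp = (now if now is not None else int(time.time())) + ttl_s
    payload = f"{user}|{exp}".encode()
    mac = hmac.new(TICKET_KEY, payload, hashlib.sha256).hexdigest()
    return base64.b64encode(payload + b"|" + mac.encode()).decode()


def verify_ticket(ticket: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user ID if the ticket is authentic and unexpired, else None."""
    try:
        user, exp, mac = base64.b64decode(ticket).decode().rsplit("|", 2)
        exp_i = int(exp)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(TICKET_KEY, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    if exp_i <= (now if now is not None else int(time.time())):
        return None
    return user


class BasicPasswordLoginModule:
    def login(self, req: Request, subject: Subject) -> bool:
        auth = req.headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return False
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return False
        stored = USERS.get(user)
        # Constant-time comparison so a wrong password leaks no timing information.
        if stored is None or not hmac.compare_digest(stored.encode(), pw.encode()):
            return False
        subject.user = user
        return True


class ClientCertLoginModule:
    def login(self, req: Request, subject: Subject) -> bool:
        user = CERT_MAP.get(req.tls_client_cert_subject or "")
        if user is None:
            return False
        subject.user = user
        return True


class CreateTicketLoginModule:
    def login(self, req: Request, subject: Subject) -> bool:
        if subject.user is None:  # a preceding module must have authenticated the user
            return False
        subject.issued_ticket = make_ticket(subject.user)
        return True


class EvaluateTicketLoginModule:
    def login(self, req: Request, subject: Subject) -> bool:
        cookies = dict(c.strip().split("=", 1)
                       for c in req.headers.get("Cookie", "").split(";") if "=" in c)
        user = verify_ticket(cookies.get(TICKET_COOKIE, ""))
        if user is None:
            return False
        subject.user = user
        return True


Stack = List[Tuple[object, str]]  # (module, flag) with flag REQUIRED or SUFFICIENT


def run_stack(stack: Stack, req: Request) -> Optional[Subject]:
    """JAAS-style evaluation; returns the authenticated Subject or None."""
    subject, required_failed, passed_any = Subject(), False, False
    for module, flag in stack:
        ok = module.login(req, subject)
        if flag == "REQUIRED" and not ok:
            required_failed = True
        if ok:
            passed_any = True
            if flag == "SUFFICIENT" and not required_failed:
                return subject
    return None if required_failed or not passed_any else subject


# The three mechanisms from the text, as stacks.
BASIC_STACK = [(BasicPasswordLoginModule(), "REQUIRED")]
CERT_STACK = [(ClientCertLoginModule(), "REQUIRED")]
TICKET_ISSUING_STACK = [(BasicPasswordLoginModule(), "REQUIRED"),
                        (CreateTicketLoginModule(), "REQUIRED")]
TICKET_ACCEPTING_STACK = [(EvaluateTicketLoginModule(), "SUFFICIENT"),
                          (BasicPasswordLoginModule(), "REQUIRED")]


def basic_header(user: str, pw: str) -> Dict[str, str]:
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()}
```

Running the issuing stack with a valid Basic Authentication header yields a Subject carrying a ticket; presenting that ticket in the cookie to the accepting stack authenticates without a password, while a forged or expired ticket falls through to the password module and is rejected if no credentials are present.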
See also:
Administration Manual
● Using Client Certificates for User Authentication
● Using Logon Tickets for Single Sign-On
Development Manual
The authorization concept used for Web services depends on the type of Web service:
● Enterprise Java Bean (EJB)
If the Web service is an EJB, then you can provide for authorization protection using the AS Java’s security roles. You can assign the security role to the EJB itself or any of its virtual interfaces. Users that are mapped to this security role have access to the EJB and corresponding Web service.
● Java Bean
If the Web service is a Java Bean, then protect the Java Bean’s virtual interfaces using the AS Java’s resource management.
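The EJB authorization model above, as an added example that is not part of the original documentation or of AS Java: a security role may be assigned to the EJB itself, covering every virtual interface, or to a single virtual interface, covering only the operations exposed through it, and any call not covered by a role held by the user is denied. The EJB name, interfaces, operations, roles and users are constructed for the illustration.

```python
from typing import Dict, Set, Tuple

# Constructed sample: one EJB exposing two virtual interfaces as Web services.
EJB_NAME = "OrderBean"
VIRTUAL_INTERFACES: Dict[str, Set[str]] = {
    "OrderQueryVI": {"getOrder", "listOrders"},
    "OrderAdminVI": {"getOrder", "cancelOrder"},
}
# Security role -> ("ejb", EJB name) or ("interface", virtual interface name).
ROLE_ASSIGNMENTS: Dict[str, Tuple[str, str]] = {
    "OrderReader": ("interface", "OrderQueryVI"),
    "OrderAdmin": ("ejb", EJB_NAME),
}
USER_ROLES: Dict[str, Set[str]] = {"alice": {"OrderReader"}, "bob": {"OrderAdmin"}}


def permitted(user: str, interface: str, operation: str) -> bool:
    """Deny by default: allow only if the user holds a role covering the
    virtual interface through which the operation is invoked."""
    if operation not in VIRTUAL_INTERFACES.get(interface, set()):
        return False  # operation is not exposed through this interface at all
    for role in USER_ROLES.get(user, set()):
        scope, target = ROLE_ASSIGNMENTS.get(role, ("", ""))
        if scope == "ejb" and target == EJB_NAME:
            return True  # a role on the EJB itself covers all its interfaces
        if scope == "interface" and target == interface:
            return True  # a role on one interface covers only that interface
    return False
```

Note that the same operation (getOrder) is authorized per interface: a user whose role is assigned to OrderQueryVI can call it there but not through OrderAdminVI, whereas a role assigned to the EJB reaches it through either.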
See also: