Configuration Guides › Policy Server Configuration Guide › Configure Security Policies from WSDL Files Using Applications › Secure Web Service Resources from WSDL Files

Secure Web Service Resources from WSDL Files

After you have created the application object, you generate the following settings required to protect web service resources from their WSDL files:

• Component and resource definitions for the web service resources
• A default role that which denies all access, but which you can associate resources with groups of users
• A policy that binds the default role to resources to define how authorization decisions are made when web service consumers interact with those resources.

To create the web service resources and security policy

1. Click the SOA tab
2. Click Secure Web Services from WSDL.

   The Secure Web Services from WSDL: Select Application pane appears.

3. Select the application to secure from the Choose an Existing Application list.
4. Click Next.

   The Secure Web Services from WSDL: Input WSDL pane appears.

5. Specify whether you want to open a WSDL file that resides on your local system or at a specific URL by selecting the File or URL option, and identifying the file accordingly as follows:
   • If you chose FILE, click Browse and navigate to its location.
   • If you chose URL, type the URL.in the Enter the WSDL URL field. For example,

     http://example.com/WSDL/my-wsdl.wsdl

6. Click Next.

   The Secure Web Services from WSDL: Define Policies pane appears, displaying a selectable table of the web services (ports) defined in the WSDL file.

7. Define the web service or services to protect in the Define Web Service Protection Policy table:
   • Select the web service or services that you want to protect in the Port Name column.
   • Assign the SOA Agent that will protect each protected web service from the Agent list.
   • Assign an authentication scheme to use to protect each web service from the Authentication Scheme list.
   • (Optional) Choose a response to bind to a web service from the Response list.
8. (Optional) Set the Propagate Authentication Scheme of Web Service to all its operations option to apply the authentication scheme you assigned to protect each web service to all of its constituent operations.
9. Click on a web service entry in the Port Name column to drill down to see its constituent operations in the Define Web Service Protection Policy table and select individual operations to protect, authentication schemes to use, and optionally, response bindings.

   (To return to the top-level WSDL view, click the All Web Services link at the top-left corner of the table.)

10. When your policy definitions are complete, click Next.

    The Secure Web Services from WSDL: Summary pane opens, displaying a summary of the components, subcomponents, and resources that will be created according to your selections.

11. If the summary is correct, click Finish.

    The Administrative UI creates component and resource definitions corresponding to your settings for all specified web service ports and operations, a default application role (that defines no user access), and a security policy that binds that default role with resources.

    However, if you assigned different authentication schemes to a web service port and any of its operations, you must manually create a resource definition for that web service port:

    1. Click Policies, Application, Modify Application.

       The Modify Application pane opens

    2. Specify search criteria, and click Search.

       A list of applications that match the search criteria opens.

    3. Select your application from the list, and click Select.

       The Modify Object: Name pane opens.

    4. Click on the Resources Tab.
    5. Choose the appropriate entry for the web service port from the Select a context root pulldown. No resources should be listed.
    6. Click Create.

       The Create Application Resource pane opens.

       Specifiy a name for the resource, accept the default resource filter (/*) and select the ProcessSOAP and ProcessXML Web Agent actions.

    7. Click OK.
    8. Click Submit.

    The web services you chose to protect are now secure. No access requests will be authorized until you modify the default role to define access privileges or create more roles and bind them to resources in the authorization policy.

Note: You can repeat this procedure to add the resources from multiple WSDL files to the same application. However, the Secure Web Services from WSDL operation is only intended for initial generation of policy objects from a particular WSDL file; if a web service changes or you must enable other operations from a previously loaded WSDL file you must delete the previously created application or edit it manually.

More information:

Create an Application

(Optional) Configure Application Responses

Modify the Default Role to Define User Access Rights

Create Additional Roles to Define User Access Rights

Modify Role Assignments in the Application Policy