1. INTRODUCTION

This tutorial will explain the configuration and usage of the runtime action "Evaluate HTTP Basic Authentication Action" using CentraSite and webMethods Mediator.

The Evaluate HTTP Basic Authentication runtime policy enforcement will help in the following 

• Identify the consumer application HTTP Basic Authentication making the request for the virtual service if identify attribute is turned ON

• Validate against a set of global or pre-registered consumer applications with the HTTP Basic Authentication in wM Mediator

2. PRE-REQUISITE

• Knowledge in basics of wM Mediator runtime, CentraSite and HTTP basic authentication (BA).
• wM Mediator target should be created in CentraSite
• CentraSite configuration should be done in wM Mediator to verify the result

3. Summary

Steps involved when using of Evaluate HTTP Basic Authentication (BA) action in CentraSite and wM Mediator

1. Create a Consumer Application (eg. MyBasicAuthConsumers) with one or more Identification token(s) and deploy it to wM Mediator. 
2. Create a virtual alias(eg. VS_EchoWS_BasicAuth) in BusinessUI.
3. Configure virtual alias with Evaluate HTTP Basic Authentication action for policy enforcement.
4. Deploy the virtual alias(eg. VS_EchoWS_BasicAuth) to wM Mediator.
5. Invoke the virtual service deployed in wM Mediator using SOAP Client (eg. SOAPUI).

4. CONFIGURATIONS

4.1. Create a Consumer Application with Identification token

1. Login to CentraSite Control UI and Create an asset type of "Application".

Choose "Identification token" as identifier and set the attribute value(s) to the token Eg. "Administrator", "DeveloperJava", "...". 

1. Navigate to Operations -> Deployment and invoke "Deploy Consumers" tab in CentraSite. Select target(s).
2. Invoke "Syncronize" to deploy the Consumer Application to wM Mediator
3. Confirm the status as success
   User can now enforce the restriction of allowing only these consumer applications or identifying the calling applications for virtual services in wM Mediator using the Evaluate HTTP Basic Authentication policy.
   <<IMage

4. Verify deployed consumer application (eg. MyBasicAuthConsumers) with expected attribute in wM Mediator.

   1. Open wM Mediator page, http://<hostname>:5555/WmMediator and click on "Consumers" link.

Look for the deployed Consumer Application listed as in the sample screen below

4.2. Create a virtual alias with Evaluate HTTP basic authentication action

Perform the following steps to create a virtual alias with evaluate HTTP Basic Authentication Policy

1. Login to BusinessUI
2. Open a service details page of the service that needs to be virtualized.
3. Click on "Virtualize" action to get virtualization wizard screen. Provide alias name (eg.VS_EchoWS_BasicAuth) in "Create a New Virtual Alias" input box 
4. Select an endpoint from the list of "Endpoints of <service name> to Virtualize" and click "Next".
   

4.3. Configure Evaluate HTTP basic authentication policy in CentraSite

1. Navigate to "Policy Enforcement" heading -> "Security" -> drag & drop "Evaluate HTTP Basic Authentication" action into "Enforce" message flow. 
2. Click on the configure icon, the icon will appears on mouse over of "Evaluate HTTP Basic Authentication" text in message flow. 

Select one of the following option to identify the consumer(s)

1. "Global Consumers" (relax) - wM Mediator will try to verify the token (sec.4.1.6) against a list of all global consumers available in the Mediator.
2. "Registered Consumers" (strict)- wM Mediator will try to verify the token (sec.4.1.6) against the list of consumer applications which are registered as consumers for this specific API.

3. "Do not identify" (donotidentify) - wM Mediator will not identify consumer(s).  Anonymous access is allowed for this specific API.

   Note

   Icon

   Do not identify – Does not identify the consumer, nevertheless it will evaluate the value presents in the header and the request will be sent to the native service. 
   This policy will fail if the expected value(s) is not present in the request header.

4. Authenticate User - If this option is selected then wM Mediator will identify and authenticate the user begin carried using HTTP basic authentication header

Optional Step: Apply Log Invocation Policy to the virtual service and select CentraSite to send the log data. 
This step is required only to generate and validate the events.

1. Click "Virtualize" to complete the virtualization of the service.

5. DEPLOY AND VALIDATE THE DEPLOYMENT

Deploy the virtual alias (Eg. VS_EchoWS_BasicAuth) to wM Mediator target(s) by clicking "Publish..." option from BusinessUI.

1. Verify deployed service(s) in wM Mediator page
   1. Invoke http://<mediator_host>:5555/WmMediator from a web browser and provide credentials to access the page

Click "Services" link to get list of mediated service(s) in the wM Mediator and find the virtual service (eg.VS_EchoWS_BasicAuth).

1. Verify virtual service definition for the policy in wM Mediator
   1. In the above page, click on the [VSD] link for the virtual service to see the virtual service definition (VSD).

   2. It should be able to find the following entries in the VSD as seen in the below snippet when Global Consumers (relax) and "Authenticate User" (validate="true") is selected.

      VSD of VS_EchoWS_BasicAuth

      1 2 3 4 5 6 7

      <enforcement-actions allow-anon="false">         <expressions>           <expression>             <params identify="relax" type="httpBasicAuth" validate="true" />           </expression>         </expressions>       </enforcement-actions>

   3. If Registered Consumers selected as identify (strict) method then the enforcement action element should have identify attribute set to strict. This is to identify the consumer from the register consumers list. 

   4. If Do not identify selected as identify (donotidentify) method then the enforcement action element should have identify attribute set to donotidentify.

6. EXECUTION AND VERIFICATION OF VIRTUAL SERVICE RUNTIME INVOCATION

1. Get the WSDL by clicking on [WSDL] to invoke the virtual service as stated in step 5.2.b 

2. Execute the virtual service (eg.VS_EchoWS_BasicAuth) from a SOAP Client with the specific user in HTTP Header of Authorization header as below 

   For example, if the user agent uses 'Administratgor' as the username and 'manage' as the password then the header is formed as follows

   Icon

   Authorization = Basic QWRtaW5pc3RyYXRvcjptYW5hZ2U=

3. The sample virtual service request looks like

   Sample Request with Header

   HTTP Header:: Content-Type: text/xml;charset=UTF-8 SOAPAction: "urn:sayHello" Authorization: Basic U0VOVEhJTDptYW5hZ2U= Content-Length: 291     SOAP Request:: <soapenv:Envelope xmlns:soapenv=" xmlns:axis=">    <soapenv:Header/>    <soapenv:Body>       <axis:sayHello>          <axis:name>Software AG!</axis:name>       </axis:sayHello>    </soapenv:Body> </soapenv:Envelope>

   Note

   Icon

   The user which is provided in the HTTP header should be a valid user in wM Mediator if "Authenticate user" flag is selected during the policy configuration. Refer step 4.3.3

4. The sample virtual service response looks like the below for successful consumer identification with HTTP Basic Authentication

   Service Response for Successful Consumer Identification with HTTP BA

   1 2 3 4 5 6 7

   <soapenv:Envelope xmlns:soapenv=">    <soapenv:Body>       <ns:sayHelloResponse xmlns:ns=">          <ns:return>Hello Software AG!</ns:return>       </ns:sayHelloResponse>    </soapenv:Body> </soapenv:Envelope>

   Response for anonymous consumer(s)

   <soapenv:Envelope xmlns:soapenv=">    <soapenv:Body>       <soapenv:Fault>          <faultcode xmlns:ns2=">ns2:Server</faultcode>          <faultstring>Mediator encountered an error:Consumer could not be identified.  Anonymous access is not allowed for this service! while executing operation:{http://ws.apache.org/axis2}sayHello service:VS_EchoWS_BasicAuth at  time:5:38:31 PM on date:Jul 28, 2014. The client ip was:101.260.34.186. The current user:Default.  The consumer application:null </faultstring>       </soapenv:Fault>    </soapenv:Body> </soapenv:Envelope>

5. Verifying the result in log invocation event

   1. View Runtime events after invoking the service as guided in sec. 6.2 and look for Consumer attribute's value as expected (Eg.MyBasicAuthConsumers).

Successful consumer identification for the HTTP Basic Authentication user (eg. Administrator) begin passed in the HTTP Header

Failure consumer identification with the policy violation event

7. TROUBLESHOOTING WITH EVALUATE HTTP BASIC AUTHENTICATION ACTION

Click here to download PDF version of this tutorial.

EvaluateHTTPBasicAuthenticationAction.pdf (244 KB)

image.png1519×431 20.6 KB

image.png1464×207 9.59 KB

image.png1119×212 9.69 KB

image.png1486×595 30 KB

image.png1473×582 27.6 KB

image.png1043×208 7.29 KB

image.png1103×607 41.1 KB

image.png1515×609 44.4 KB