
Creating an Authentication Service on the SecureSpan SOA Gateway

Credential based access control (authentication) is the most common security requirement encountered during the deployment of a services based infrastructure. Features inherent in the SecureSpan SOA Gateway make it an ideal location for deploying a common service for authentication that can be leveraged by other applications that require authentication services. In this tutorial we will create a SOAP based authentication service on the Gateway.

The simplest form of an authentication service requires the username and password to be embedded in the body of the request message and will return a true or false response message. We will define these requirements using the Create WSDL wizard in the SecureSpan Manager to generate the WSDL.

Step 1: Create the Service


  1. Log in with the SecureSpan Manager and click the Create WSDL button on the Home Page. This starts the Create WSDL Wizard.
  2. Click the Next button until you reach the Definition page. Fill in the Name and Target Namespace fields to reflect your requirements, then click the Next button:

    [Screenshot: SecureSpan Manager Create WSDL wizard]

  3. In the Messages page define a new message called AuthenticationRequest with username and password as its message parts, and an AuthenticationResponse message with result as its only part, then click the Next button:

    [Screenshot: Messages page dialogue box]

  4. In the Port Type and Operations page set the name and add a single operation called AuthenticateCredentials that uses the request and response messages just defined, then click the Next button:

    [Screenshot: Port Type and Operations page]

  5. In the Port Type Binding page set the Name and confirm that the Style is set to rpc, then click the Next button:

    [Screenshot: Port Type Binding dialogue]

  6. In the Service page set the Name and the Port, set the Address to reflect the eventual location of the service, then click the Finish button:

    [Screenshot: Service page dialogue]

Step 2: Modify the Service Properties and Retrieve the WSDL


By default the newly created service is disabled and listens at the /ssg/soap path. Both settings are changed through the Service Properties interface.

  1. Right-click the service listed in the Services window and select Service Properties to launch the Published Service Properties dialogue.
  2. In the General tab click the Enabled radio button:

    [Screenshot: Service Properties interface, General tab]

  3. Select the HTTP/FTP tab, change the Service Resolution to Custom resolution path, enter the value that was used for the Address when creating the WSDL earlier, then click the OK button to finish:

    [Screenshot: Service Properties interface, HTTP/FTP tab]

  4. To retrieve the WSDL for the new service, point a browser at the service's path with ?wsdl appended (e.g. http://ssg.l7tech.com:8080/AuthenticationService?wsdl) and save the file.

Step 3: Create the Policy


The policy for the authentication service enforces basic security requirements so that only allowed users can securely submit credentials for authentication, validates the submitted credentials against a preconfigured LDAP Identity Provider, and then returns a template response for success or failure.

  1. Create the following policy by dragging the various assertions into the policy editing window:

    [Screenshot: sample policy assertions in the policy editing window]

    When defining the policy:

    • Make sure you select the proper identity providers for the authentication steps. Using policy logic it is possible to authenticate multiple groups and users against different providers if necessary.
    • You will be required to add the tns prefix to the namespaces for the Require XPath Credentials assertion:

      [Screenshot: Require XPath Credentials policy dialogue box]

    • For the success template use the following:

        <?xml version="1.0" encoding="UTF-8"?>
        <soapenv:Envelope
            soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
            xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <soapenv:Header/>
            <soapenv:Body>
                <ns1:AuthenticationResponse xmlns:ns1="http://www.layer7tech.com/Tutorials/AuthenticationService">
                    <result>OK</result>
                </ns1:AuthenticationResponse>
            </soapenv:Body>
        </soapenv:Envelope>

    • For the failure template use the following:

        <?xml version="1.0" encoding="UTF-8"?>
        <soapenv:Envelope
            soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
            xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <soapenv:Header/>
            <soapenv:Body>
                <ns1:AuthenticationResponse xmlns:ns1="http://www.layer7tech.com/Tutorials/AuthenticationService">
                    <result>FAIL</result>
                </ns1:AuthenticationResponse>
            </soapenv:Body>
        </soapenv:Envelope>

Testing the Authentication Service


The simplest way to test the Authentication Service is to send a unit test request from a tool like soapUI.

  1. Configure a new test service in soapUI using the Authentication Service WSDL.
  2. Add the username and password that authenticate the request itself, and set the endpoint URL to use SSL.
  3. Add the username and password that are to be validated to the request message and send it to the SecureSpan Gateway.
  4. It should return OK:

    [Screenshot: OK response in soapUI]

  5. Change the password of the credentials to be validated and send the request again. It should return FAIL:

    [Screenshot: FAIL response in soapUI]
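As an added example (not part of the tutorial and not Layer 7 code), the following Python reproduces the exchange from the policy and testing steps: it builds an rpc-style AuthenticateCredentials request in the tutorial's target namespace, extracts the credentials again with the same namespace-prefixed lookup the Require XPath Credentials assertion relies on, and evaluates the OK/FAIL response template fail-closed. Operation, namespace and part names follow the WSDL defined in Step 1; the username, password and trimmed sample response are constructed.

```python
import xml.etree.ElementTree as ET

SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
TNS = "http://www.layer7tech.com/Tutorials/AuthenticationService"
NS = {"soapenv": SOAPENV, "tns": TNS}
ET.register_namespace("soapenv", SOAPENV)
ET.register_namespace("tns", TNS)

# Constructed sample: the tutorial's success template with whitespace trimmed.
SAMPLE_SUCCESS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Header/><soapenv:Body>'
    '<ns1:AuthenticationResponse xmlns:ns1="http://www.layer7tech.com/Tutorials/AuthenticationService">'
    '<result>OK</result></ns1:AuthenticationResponse></soapenv:Body></soapenv:Envelope>'
).encode()


def build_request(username: str, password: str) -> bytes:
    """rpc-style request: the operation element wraps the two message parts."""
    env = ET.Element(f"{{{SOAPENV}}}Envelope")
    ET.SubElement(env, f"{{{SOAPENV}}}Header")
    body = ET.SubElement(env, f"{{{SOAPENV}}}Body")
    op = ET.SubElement(body, f"{{{TNS}}}AuthenticateCredentials")
    ET.SubElement(op, "username").text = username
    ET.SubElement(op, "password").text = password
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def extract_credentials(request: bytes):
    """Namespace-aware lookup like the Require XPath Credentials step: without
    the tns prefix bound, the operation element cannot be resolved at all."""
    op = ET.fromstring(request).find("./soapenv:Body/tns:AuthenticateCredentials", NS)
    if op is None:
        return None
    user, pw = op.findtext("username"), op.findtext("password")
    return (user, pw) if user and pw else None


def credentials_valid(response: bytes) -> bool:
    """Fail closed: only an exact <result>OK</result> inside a tns
    AuthenticationResponse is success; a FAIL template, a SOAP fault, an HTML
    error page from an intermediary or unparseable bytes all return False."""
    try:
        root = ET.fromstring(response)
    except ET.ParseError:
        return False
    result = root.findtext("./soapenv:Body/tns:AuthenticationResponse/result", None, NS)
    return result is not None and result.strip() == "OK"
```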

Recap

In this tutorial we demonstrated how an authentication service can be easily and rapidly deployed on the SecureSpan Gateway. The techniques used in this demonstration can be extended to create many other endpoint-style services on the Gateway (e.g. a schema validation service, an XML transformation service or an auditing service).