How can I call a secured 'Web Service Process' with a 'Web Service Call Element'

As mentioned in the answer above, in newer ivy versions (4.3.24, 5.0.14 and 5.1.0 and later) we improved the Web Service Process for Single Sign On Environments. With this change, users which are already authenticated by IIS respectively the ivy web-container (Tomcat) are passed through and taken over by the WS Process.

This is useful, even if you are not in an SSO environment. In this case, you can also configure Tomcat to do 'HTTP Basic Authentication'.

Here is a short description, how to set up Tomcat to do 'HTTP Basic Authentication':

Add following entries to 'webapps/ivy/WEB-INF/web.xml'

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secured Web Service Process</web-resource-name>
        <!-- With this pattern we secure only the Web Service Processes and not any others -->
        <url-pattern>/ws/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ivy-ws-role</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
<security-role>
    <role-name>ivy-ws-role</role-name>
</security-role>

Create a users-file and place it to any location of your choice. Its content looks as follows:

<tomcat-users>    
    <role rolename="ivy-ws-role"/>
    <user username="WSUser" password="WSUser" roles="ivy-ws-role"/> 
</tomcat-users>

Add following entriy to 'webapps/ivy/META-INF/context.xml'

<Realm className="org.apache.catalina.realm.MemoryRealm"
       pathname="<path to user file>/tomcat-users.xml"/>

With this, using 'HTTP Basic Authentication' for ivy Web Service Processes will work and you can call it from a Web Service Call Element (with 'HTTP Basic' enabled as authentication method. Note, that in the sample above, you have to maintain the Web Service users redundantly in the Tomcat users-file and in ivy. In a production environment, you may use another realm than the MemoryRealm to receive the users for Tomcat.

The ivy Web Service Call Element supports following authentication methods:

• HTTP Basic
• HTTP Disgest
• NTLM

Whereas, the ivy Web Service Process supports only 'Basic WS Security' (cleartext username and password provided in SOAP header). (Note, that the labels on the inscription mask of the Web Service Process are actually not correct, the radio button which is labeled 'HTTP Basic' should be labeled with 'WS Security'. We will adjust this in future versions of ivy to avoid confusion.)

As you can see, these authentication methods are basically not compatible. But if you are in a Single Sign On Environment (with MS Internet Information Services (IIS) in front of ivy), IIS can do 'HTTP Basic Authentication' in place of the WS Process.

So, you can configure IIS to do one of the desired authentication methods (one of HTTP Basic, HTTP Disgest or NTLM) and configure your Web Service Call Element correspondingly.

For your Web Service Process you simply select the authentication method 'None/Container'.

In this setup, the Web Service Process supports (with help of IIS) 'HTTP Basic Authentication'. Since users are already authenticated by IIS, their requests are passed through and taken over by the WS Process.

Note that SSO authentication is only supported for ivy versions 4.3.24, 5.0.14 and 5.1.0 and newer.