Gery Gerena · Dec 11, 2016

How to secure a WS user?


I have a Web Service, and I need that only a specific user can consume the web service. Also, I need that this user can ONLY consume the Web Service and nothing more (no access to management portal).How would you configure it?

I know there should be a way to do it using resources and roles.

Let the url for the web service be this:


And the code for the web is something like this:

Class Test.BS.WSService Extends EnsLib.SOAP.Service

Parameter ADAPTER;

Parameter XMLIGNORENULL = 1;

Method TestConnection() As %String [ WebMethod ]
    Quit 1

0 913
Discussion (3)0
Log in or sign up to continue

Hello Gery,

There are a couple of ways to do this. Ultimately, what you want is to define a Resource (say my_soap_resource) that controls access to the Web Service, or the CSP Application. You can then create a Role to grant access to that Resource, and assign the Role to your user. For more information on Resources and Roles, see the Caché Security Administration Guide.

Once you have created the Resource, you can use it to control access either to the entire Web Application, or to the individual SOAP Service. You would configure this in the CSP Application if you had a set of pages/Web Services, and you wanted to control access to them by the same resource. If you want more granular control, you can configure the individual page to require this resource.

To configure this at the Web Application level, go to the Web Application definition in the Management Portal:

[System Administration]->[Security]->[Applications]->[Web Applications]

and set your resource (my_soap_resource) in the "Resource Required" field.

To configure access for the individual SOAP service, edit the Test.BS.WSService class, and add the following parameter:

Parameter SECURITYRESOURCE = 'my_soap_resource';

Once this is done, only users with access to this resource will be able to access this SOAP Service. Other users will receive the error: "Illegal CSP Request". There are a couple of things to note:

1) Users will need this resource to do anything with this Web Service, including accessing the WSDL.

2) Users with the %All Role will have permissions on all Resources, so they will be able to access the Web Service, even without being assigned to your custom Role.

3) These restrictions only apply when accessing the Web Service through the CSP Gateway (EnableStandardRequests). When accessing the Web Service through the custom Adapter port, these setting will be ignored. (see the documentation for the SOAP adapter settings).

Thank you Sean,

I tried that, however the user still needs a couple of roles in order the Web Service to work:


And with those roles, the user has access to Management Portal.

I need that it doesn't happen. I need that the user can't get into the management portal.

You can configure matching roles in the /csp/ensdemo Web Application for the custom role you created previously. This would allow you to grant additional privileges, only to the users belonging to the custom role, and only when those users are in this CSP Application.

See the documentation for Matching Roles for more details.

I think the only additional resources you should need (by default) are %DB_ENSDEMO, and %Ens_Portal. You need %Ens_Portal because that is the resource required for the /csp/ensdemo application.