I have quite simple task to accomplish - I have to set up the security for web services ( basic authentication with hardcoded in WLES user id and password). I set the web.xml (see code fragment below) but I have tough time configuring WebLogic. I added IdentityAssertionAuthenticator Authentication Provider, set it as Required, modified DefaultAuthenticator as Optional and I went to deployed application's security and set the role to "thisIsUser" and at some point it worked, but not anymore (I redeployed war file and set web service security the same way but no avail.) I'd greatly appreciate for all your help. web.xml

    <?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    id="PC3-WS" version="2.5">
    <display-name>PC3-WS</display-name>
     <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
    <security-constraint>
        <display-name>SecurityConstraint</display-name>
        <web-resource-collection>
             <web-resource-name>PC3-WS</web-resource-name>
            <url-pattern>/PC3-WS</url-pattern>

        </web-resource-collection>

        <auth-constraint>
            <role-name>basicGroup</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>

    </security-constraint>

    <security-role>
        <role-name>basicGroup</role-name>
    </security-role>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>myrealm</realm-name>
    </login-config>
</web-app>

weblogic.xml:

    <?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    id="PC3-WS" version="2.5">
    <display-name>PC3-WS</display-name>
     <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
    <security-constraint>
        <display-name>SecurityConstraint</display-name>
        <web-resource-collection>
             <web-resource-name>PC3-WS</web-resource-name>
            <url-pattern>/PC3-WS</url-pattern>

        </web-resource-collection>

        <auth-constraint>
            <role-name>basicGroup</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>

    </security-constraint>

    <security-role>
        <role-name>basicGroup</role-name>
    </security-role>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>myrealm</realm-name>
    </login-config>
</web-app>

The list of authenticators:

• DefaultAuthenticator
• DefaultIdentityAssert

Now I have exception:

WS spec-version:2.5], request: weblogic.servlet.internal.ServletRequestImpl@23e1aca[
GET /PC3-WS/MetadataService?WSDL HTTP/1.1
User-Agent: Java1.6.0_22
Accept: text/html, image/gif, image/jpeg, */*; q=.2
Connection: Keep-Alive

]] Root cause of ServletException.
java.lang.NullPointerException
    at weblogic.wsee.jaxws.JAXWSDeployedServlet.init(JAXWSDeployedServlet.java:45)
    at javax.servlet.GenericServlet.init(GenericServlet.java:241)
    at weblogic.servlet.internal.StubSecurityHelper$ServletInitAction.run(StubSecurityHelper.java:283)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
    Truncated. see log file for complete stacktrace
> 
java.lang.RuntimeException: weblogic.testclient.WsdlParseFailedException: Unable to parse WSDl at: http://192.168.1.3:7001/PC3-WS/MetadataService?WSDL
    at weblogic.testclient.ConnectionState.createWsdl(ConnectionState.java:69)
    at Controller.refreshWsdl(Controller.java:641)
    at Controller.begin(Controller.java:451)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.beehive.netui.pageflow.FlowController.invokeActionMethod(FlowController.java:879)
    at org.apache.beehive.netui.pageflow.FlowController.getActionMethodForward(FlowController.java:809)
    at org.apache.beehive.netui.pageflow.FlowController.internalExecute(FlowController.java:478)
    at org.apache.beehive.netui.pageflow.PageFlowController.internalExecute(PageFlowController.java:306)
    at org.apache.beehive.netui.pageflow.FlowController.execute(FlowController.java:336)
    at org.apache.beehive.netui.pageflow.internal.FlowControllerAction.execute(FlowControllerAction.java:52)
    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
    at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:97)
    at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:2044)
    at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:91)
    at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2116)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
    at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:556)
    at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:853)
    at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:631)
    at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:158)
    at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:183)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.doIt(WebAppServletContext.java:3683)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3650)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2268)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
Caused by: weblogic.testclient.WsdlParseFailedException: Unable to parse WSDl at: http://192.168.1.3:7001/PC3-WS/MetadataService?WSDL
    at weblogic.testclient.ConnectionState.createWsdlFromHttpUrl(ConnectionState.java:199)
    at weblogic.

testclient.ConnectionState.createWsdl(ConnectionState.java:60) ... 38 more

This is the way to secure a Web Service with basic HTTP Auth, in WLES 10.3.3.

In WLES Admin Console go to Security Realm --> MyRealm and create:

New user: user/12345678 New group: basicGroup Add the user to the group

In web.xml add the security settings (path, basic type):

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    id="PC3-WS" version="2.5">
    <display-name>PC3-WS</display-name>
     <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
    <security-constraint>
        <display-name>SecurityConstraint</display-name>
        <web-resource-collection>
             <web-resource-name>PC3-WS</web-resource-name>
            <url-pattern>/PC3-WS</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>basicGroup</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <security-role>
        <role-name>Authenticated</role-name>
    </security-role>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>myrealm</realm-name>
    </login-config>
</web-app>

In weblogic.xml map the application role with server role (it is mandatory):

<?xml version="1.0" encoding="UTF-8"?>
<wls:weblogic-web-app
    xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd http://xmlns.oracle.com/weblogic/weblogic-web-app http://xmlns.oracle.com/weblogic/weblogic-web-app/1.1/weblogic-web-app.xsd">
    <wls:weblogic-version>10.3.3</wls:weblogic-version>
    <wls:context-root>PC3-WS</wls:context-root>
    <wls:security-role-assignment>
        <wls:role-name>Authenticated</wls:role-name>
        <wls:principal-name>users</wls:principal-name>
    </wls:security-role-assignment>
</wls:weblogic-web-app>

Build and deploy application. Restart WLES. You can test with SoapUI, passing userId and password in lower section called "Authentication and Security-related settings" Go to File-->Preferences and in "HTTP Settings" check "Authenticate Preemptively" Now you can run your web services from soapUI.

1. Can you provide the complete web.xml & weblogic.xml files?
2. Why do you have to configure IdentityAssertionAuthenticator if you just doing BASIC authentication?
3. Also can you provide what authenticator's you have in the Summary of Servers >myrealm >Providers (from console)

Finally you can enable the debugs to trace if authentication is getting trigged

On the console navigate to

Summary of Servers > %your_server% > Debug

expand weblogic > security and enable

• DebugSecurity
• atn > DebugSecurityAtn

Just ensure you have the logs in DEBUG mode. Test the app and have look at server log it should provide details on what's happening.