Authorization

The authorization concept used for Web services depends on the type of Web service:

EJBs

Web service operations of an EJB can be protected by roles.  The roles can be checked in one of two places: Either for the virtual interface or – in accordance with the J2EE specification – for the methods of the EJB. It is also possible to execute the check at both places.

·         Authorization check for the virtual interface: Calling methods of virtual interfaces can be limited to users with one or several roles. If there are several virtual interfaces for an EJB (possibly with different predefined parameters), different roles can be checked for each virtual interface. This authorization check takes place for all WS calls.

·        Authorization check for the EJB methods: The roles are checked using the EJB container -  that is, the check is executed for direct calls to EJB (P4 protocol) as well as for WS calls.

The security roles are checked in the server in the SOAP runtime. The authorization check for the methods of the virtual interface takes place in the security protocol in the SOAP runtime. The EJB methods are checked in the EJB container.

To limit access to the operations of an EJB, proceed as follows:

·        Choose the Features tab in the Web Service Definition. Choose Authorization and Select Feature.

·        Open the ejb-jar.xml descriptor. Choose the Assembly tab and add security roles.

·        Configure the authorization check for virtual interface authorizations in the WS Deployment Descriptor. Choose a configuration under Web Service Configurations in the Web service perspective. In the tree under the configuration name choose Security.

·        Configure authorization checks for the operations.

·        Map the security roles to users in the Visual Administrator (see: Mapping Users and Groups).

To maintain the roles in the Visual Administrator choose Security Provider. Under Components search for providername/EAR project*JAR-File. (The name of the provider can be changed in the file application.xml).

Java Classes

The authorization check for Java classes takes place for the virtual interface methods. In this way, access to methods exposed as Web services are limited through the use of J2EE security roles.

The security roles are checked on the server in the SOAP runtime. Before a Java class method is called, the system checks in the security protocol whether the user is assigned to a particular security role.

To limit access to the operations of a Java class, proceed as follows:

·        Configure the authorization check for virtual interface authorizations in the WS Deployment Descriptor. Choose a configuration under Web Service Configurations in the Web service perspective. In the tree under the configuration name choose Security Roles to add security roles.

·        Configure authorization checks for the operations under the node Security of the Web service configuration.

·        Map the security roles to users in the Visual Administrator (see: Mapping Users and Groups).

To maintain the roles in the Visual Administrator choose Security Provider. Under Components search for providername/Java project*Name of Web service_Name of configuration.

See also:

Security Roles Management