You can configure the UDDI registry to determine whether users
are allowed access to services, and to determine security of data at the transport
level.
About this task
The UDDI registry exploits two aspects of WebSphere Application Server security:
- Authorization. Authorization determines whether users are allowed access to services. WebSphere Application Server determines authorization by mapping users, or groups of users, to roles. UDDI makes use of two WebSphere Application Server special subjects: Everyone (all users are allowed access) and AllAuthenticatedUsers (only valid WebSphere Application Server registered users are allowed access).
- Data confidentiality. Data confidentiality determines security at the transport level. Data confidentiality for WebSphere Application Server services can be either 'none' (HTTP is used as the transport protocol) or 'confidential' (requiring the use of SSL; HTTPS is used as the transport protocol).
When WebSphere Application Server security is enabled,
the default settings in the UDDI Version 3 Application and Web deployment
descriptors produce the following results:
- Publish, Custody Transfer and Security services are mapped to the AllAuthenticatedUsers
special subject, and data confidentiality is enforced (HTTPS is used). Authentication
uses the standard WebSphere Application Server security facilities and there
is no separate registration function for the UDDI registry. To use publish
functions, users must supply their WebSphere Application Server user name
and password (unless you have modified the supplied publish role), and must
also be registered UDDI Publishers. By registering users as UDDI Publishers,
you control which users in the AllAuthenticatedUsers subject can update the
UDDI registry.
- Inquiry services are mapped to the Everyone special subject, and data
confidentiality is not enforced (HTTP is used). To use inquiry services, users
do not need to supply a user name or password, and do not need to be registered
UDDI publishers.
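The two settings described above (which roles may call a service, and whether the call must use HTTPS) are both expressed in the Web deployment descriptor through the Java EE security-constraint element: auth-constraint carries the role names, and user-data-constraint carries the transport guarantee (NONE for HTTP, CONFIDENTIAL for HTTPS). The following script is an added example, not code from the UDDI registry or from WebSphere Application Server. It parses a constructed web.xml (the URL patterns and the role name PublishRole in it are placeholders, not the real UDDI descriptor values) and flags any constraint that demands a login but still allows plain HTTP, the combination that would send WebSphere credentials for a publish-type service in the clear.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor for illustration only. The URL patterns and
# the role name are placeholders, not the UDDI registry's own descriptor.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Publish</web-resource-name>
      <url-pattern>/publish/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>PublishRole</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Inquiry</web-resource-name>
      <url-pattern>/inquiry/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>CustodyTransfer</web-resource-name>
      <url-pattern>/custody/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>PublishRole</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so lookups work whatever xmlns the descriptor uses."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem whose local tag name is `name`."""
    return [c for c in elem if _local(c.tag) == name]


def parse_constraints(xml_text):
    """Return one dict per <security-constraint> describing what the container enforces.

    roles == None  -> no <auth-constraint>: anyone may call (the Everyone case)
    roles == []    -> empty <auth-constraint>: nobody may call
    transport      -> NONE (HTTP allowed) or CONFIDENTIAL/INTEGRAL (HTTPS required)
    """
    root = ET.fromstring(xml_text)
    result = []
    for sc in _children(root, "security-constraint"):
        patterns = []
        for wrc in _children(sc, "web-resource-collection"):
            patterns += [p.text.strip() for p in _children(wrc, "url-pattern")]
        auth = _children(sc, "auth-constraint")
        roles = None if not auth else [r.text.strip() for r in _children(auth[0], "role-name")]
        transport = "NONE"  # Java EE default when <user-data-constraint> is absent
        udc = _children(sc, "user-data-constraint")
        if udc:
            tg = _children(udc[0], "transport-guarantee")
            if tg:
                transport = tg[0].text.strip().upper()
        result.append({"patterns": patterns, "roles": roles, "transport": transport})
    return result


def audit(constraints):
    """Flag constraints that require a role (a login) but leave the transport at NONE."""
    findings = []
    for c in constraints:
        if c["roles"] and c["transport"] == "NONE":
            findings.append(
                f"{', '.join(c['patterns'])}: roles {c['roles']} required "
                "but transport-guarantee is NONE (credentials would travel over HTTP)"
            )
    return findings


if __name__ == "__main__":
    constraints = parse_constraints(SAMPLE_WEB_XML)
    for c in constraints:
        who = "Everyone" if c["roles"] is None else (c["roles"] or "nobody")
        print(f"{', '.join(c['patterns'])}: access={who}, transport={c['transport']}")
    for f in audit(constraints):
        print("FINDING:", f)
```

Run it against a real descriptor by replacing SAMPLE_WEB_XML with the file contents. Note that the script only reads the descriptor; which users or groups actually fill a role is decided separately by the role-to-subject mapping, so a role that the descriptor requires can still be mapped to nobody, which disables that access entirely as the text above describes.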
We recommend that you use the default settings, as described previously. However, you can change the defaults by mapping roles to different users or user groups. If you do this, turn on the Automatically register UDDI publishers property (see UDDI node settings) so that you do not need to use two mechanisms to give access to a subset of users. You can also have a role that is not mapped to any users or user groups, in which case all access to that role is disabled.
For more information about UDDI role mappings, and a list of UDDI registry services and roles, see Access control for UDDI registry interfaces.
To change the default settings,
use the following steps: