WebSphere Application Server Network Deployment, Version 6.1.x. Operating systems: AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS

Securing WS-Notification

The WS-Notification security implementation requires a user identity to be flowed in requests for WS-Notification services. This identity is used to authenticate the client application, to check that the client is authorized to invoke the requested operation, and to control access to the underlying service integration bus topic spaces and topic resources.

About this task

WS-Notification uses the same mechanisms as other Web services to provide an authenticated identity, for example WS-Security or HTTP Basic Authentication.

There are three parts to configuring secure access to WS-Notification:
  • Securing the communication channel between the application and the server.
  • Authorizing the application to invoke the NotificationBroker.
  • Authorizing the application to access the resources of the service integration bus.

If messaging security is enabled, and the WS-Security or HTTP Basic Authentication components are not configured to flow a user identity in WS-Notification requests, then all such requests are treated as unauthenticated and can only access messaging resources that are accessible to the WebSphere Application Server "everyone" group.

To configure access to a WS-Notification service point in a secure environment, complete the following steps:

Procedure

  1. Secure the communication between the application and the server:
    1. Configure security for inbound requests and associated responses through one or more of the inbound ports associated with the WS-Notification service point:
      • If you are using SOAP over HTTP as the binding for your WS-Notification service point, modify the application to use SOAP over HTTPS as described in Configuring secure access to a WS-Notification service using SOAP over HTTPS.
      • If you are using SOAP over JMS as the binding, configure the JMS connection factory used by the client application to use a secure communication protocol to communicate with the JMS provider. Exactly how you do this depends upon the JMS provider. If you are using the service integration bus as the JMS provider, configure the client to use SSL to communicate with the server by setting the target inbound transport chain to InboundSecureMessaging as described in Connecting applications to a service integration bus and its related tasks.
    2. Configure security for outbound requests (for example, notifications from the server to subscribed consumers) through the WS-Notification service.

      The steps involved are similar to those for applying security to service integration bus (SIBus) Web services outbound ports except that any binding, configuration or handler list created is applied to the WS-Notification service. For more information, see Securing Web services through service integration technologies and its sub-topics, notably Invoking outbound services over HTTPS.

    3. You can also use WS-Security to sign or encrypt SOAP messages transmitted over HTTP or JMS bindings as described in Configuring secure transmission of SOAP messages using WS-Security.
  2. Authorize the application to invoke the NotificationBroker:
    1. Configure the client application to provide an appropriate identity.
      To authorize a Web service application to communicate with the server, the application must identify itself as running as a particular authenticated identity. The mechanism for doing this depends upon the type of Web service binding you are using:
      • If you are using SOAP over JMS Web service bindings, use WS-Security to provide an authenticated identity.
      • If you are using SOAP over HTTP Web service bindings, use either HTTP Basic Authentication or WS-Security to provide the authenticated identity.
    2. Configure the server to authorize the client application identity to carry out the required operations.

      You can apply authorization to the whole of an inbound service (for example the NotificationBroker endpoint of a WS-Notification service point) as described in Password-protecting inbound services, or configure authorization constraints independently for each Web service operation as described in Password-protecting a Web service operation.

  3. Authorize the application to access the resources of the service integration bus.

    Service integration bus security uses role-based authorization. When a user is assigned to a role, the user is granted all of the permissions that the role contains. By administering authorization permissions, you can control user access to a bus and to its resources when messaging security is enabled.

    1. Authorize the application identity to be able to connect to the service integration bus, as described in Administering bus connector roles.
    2. When the application can connect to the bus, grant the application access to the appropriate destinations on the bus.

      You can determine which service integration bus topic spaces are required by checking which WS-Notification topic namespaces are used by the application, then looking at the corresponding WS-Notification permanent topic namespace to find the service integration bus topic space to which it maps. You can then grant authorization (for example, the Sender or Receiver role) for the authenticated identity to access that topic space as described in Administering destination roles through the command line.

    3. After the client has been authorized to access the appropriate topic space destination, you might also need to authorize the client to access the individual topics within the topic space destination as described in Administering topic roles through the command line.

    For general information about configuring access to the service integration bus, see Administering messaging security.
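
The three authorization sub-steps of step 3 (bus connector role, destination role on the topic space, topic role) can be performed from the command line with the wsadmin tool. The following Jython script is an added example written for this edit; it is not an IBM sample and is not part of the original topic. The bus name, topic space name, topic name and user name are assumed values chosen for illustration, and it uses the wsadmin AdminTask commands for service integration bus security (addUserToBusConnectorRole, addUserToDestinationRole, addUserToTopicRole and listUsersInDestinationRole).

```jython
# Added example, not IBM documentation code: grant a WS-Notification client
# identity access to the service integration bus with wsadmin (Jython).
# Run with:  wsadmin -lang jython -f grant_wsn_access.py
#
# All four values below are assumptions for this example.
busName    = 'WSNBus'           # assumed: bus hosting the WS-Notification service
topicSpace = 'WSN.TopicSpace'   # assumed: topic space the permanent topic namespace maps to
topicName  = 'alerts/critical'  # assumed: an individual topic within that topic space
userName   = 'wsnclient'        # assumed: identity flowed by WS-Security or HTTP Basic Auth

# Step 3.1: allow the identity to connect to the bus (bus connector role).
AdminTask.addUserToBusConnectorRole('[-bus %s -user %s]' % (busName, userName))

# Step 3.2: grant access to the topic space destination.
# A client that publishes (Notify) needs Sender; a client that subscribes
# needs Receiver. Grant only the roles the application actually uses.
for role in ['Sender', 'Receiver']:
    AdminTask.addUserToDestinationRole(
        '[-type topicSpace -bus %s -destination %s -role %s -user %s]'
        % (busName, topicSpace, role, userName))

# Step 3.3: if topic-level authorization is in force, also grant the role on
# the individual topic the application subscribes to.
AdminTask.addUserToTopicRole(
    '[-bus %s -topicSpace %s -topic %s -role Receiver -user %s]'
    % (busName, topicSpace, topicName, userName))

# Nothing takes effect until the configuration is saved.
AdminConfig.save()

# Check: list the users that now hold the Receiver role on the topic space,
# so the grant can be confirmed before the client is tested.
print AdminTask.listUsersInDestinationRole(
    '[-type topicSpace -bus %s -destination %s -role Receiver]' % (busName, topicSpace))
```

In a Network Deployment cell the saved configuration must also be synchronized to the nodes that host the bus members before the new roles are enforced. The user named in the script must be the same identity that WS-Security or HTTP Basic Authentication flows in the WS-Notification request; if it is not, the request is treated as unauthenticated and falls back to the "everyone" group permissions described above.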
Related tasks
WS-Notification - publish and subscribe messaging for Web services
Learning about WS-Notification
Related reference
WS-Notification troubleshooting tips



Last updated: 26 February 2009
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.pmc.nd.multiplatform.doc/tasks/tjwsn_sec.html

Copyright IBM Corporation 2004, 2009. All Rights Reserved.