Configure the Atom feed service security in an SCA composite
definition. You can secure services that are exposed
over an Atom binding using intents. Administrative and application
security must be enabled for the intents to be enforced. The following
three intents are valid options for the requires attribute
on the binding.atom element:
- authentication.transport: Requires any client invoking the service to provide valid authentication information.
- confidentiality.transport: Requires any client invoking the service to do so over a secure transport that provides confidentiality of the transport.
- integrity.transport: Requires any client invoking the service to do so over a secure transport that provides integrity of the transport.
Edit a composite definition that exposes a Java™ service over the Atom binding
so that the exposed service requires a client to authenticate and
communicate over a secure transport; for example:
<component name="NewsServiceComponent">
  <implementation.java class="test.abdera.NewsServiceImpl"/>
  <service name="NewsService">
    <t:binding.atom uri="/NewsServiceComponent/newsService"
                    requires="authentication.transport confidentiality.transport"/>
  </service>
</component>
For information about authorization
policy, refer to documentation on SCA authorization and security identity
policies.
Invoke a secure service that is exposed over an Atom binding.
You can access the service directly from a browser or a client
that supports Atom feeds. To access the feed directly, you can use
the uniform resource identifier (URI) that the service specifies.
If the service requires confidentiality or integrity, use the https protocol.
If the service requires authentication, the user is prompted by the
browser to enter valid credentials. If a Java client is used to access
the service, include the authentication information in the HTTP header.
The following example invokes a service using a reference URI. If the
service being referenced requires confidentiality or integrity, use
the https protocol.
<reference name="atomFeed">
  <tuscany:binding.atom uri="https://localhost:9443/newsService"/>
</reference>
You can also invoke the service using
a reference target:
<reference name="atomFeed" target="NewsServiceComponent/NewsService">
  <tuscany:binding.atom/>
</reference>
For this example, the invocation is secure only if the service
specifies the confidentiality.transport or integrity.transport intent.
To authenticate when invoking a service over an Atom binding, you have
two options:
- Use single sign-on (SSO) to authenticate.
  If SSO is enabled and there has been a successful authentication before,
  the credentials are propagated with the request. For information about
  enabling SSO, see the topic on implementing single sign-on to minimize
  Web user authentications.
- Configure an authentication-alias, and send a specific user name
  and password with the request.
  You can use this option for references in implementation.java components.
  This option is not supported for references in implementation.widget components.
  - Create an authentication-alias using the administrative console
    Java 2 Connector (J2C) authentication data entry page or wsadmin commands.
    See topics on J2C authentication data entries.
  - In the composite definition, define the product SCA namespace
    and specify the alias name on the binding.atom element
    using the authentication-alias attribute.
<composite xmlns="http://www.osoa.org/xmlns/sca/1.0"
...
xmlns:qos="http://www.ibm.com/xmlns/prod/websphere/sca/1.0/2007/06"
...
<reference name="atomFeed" target="NewsServiceComponent/NewsService">
  <tuscany:binding.atom qos:authentication-alias="AtomAlias"/>
</reference>
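To review a composite against the intents and the https guidance above, the following added example (not part of the product documentation) audits every binding.atom on a service or reference. The sample composite, its tuscany namespace URI, composite name and port, and the function names are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

SECURE_TRANSPORT = {"confidentiality.transport", "integrity.transport"}
QOS_NS = "http://www.ibm.com/xmlns/prod/websphere/sca/1.0/2007/06"
ALIAS_ATTR = "{%s}authentication-alias" % QOS_NS

# Constructed sample: the tuscany namespace URI, composite name and port are assumptions.
SAMPLE = """<composite xmlns="http://www.osoa.org/xmlns/sca/1.0"
    xmlns:t="http://tuscany.apache.org/xmlns/sca/1.0"
    xmlns:qos="http://www.ibm.com/xmlns/prod/websphere/sca/1.0/2007/06"
    name="NewsComposite">
  <component name="NewsServiceComponent">
    <implementation.java class="test.abdera.NewsServiceImpl"/>
    <service name="NewsService">
      <t:binding.atom uri="/NewsServiceComponent/newsService"
          requires="authentication.transport"/>
    </service>
    <reference name="atomFeed">
      <t:binding.atom uri="http://localhost:9080/newsService"
          qos:authentication-alias="AtomAlias"/>
    </reference>
  </component>
</composite>"""

def local(tag):
    """Drop the namespace so any prefix bound to binding.atom matches."""
    return tag.rsplit("}", 1)[-1]

def audit_composite(xml_text):
    """Return (name, finding) pairs for Atom bindings on services and references."""
    findings = []
    for parent in ET.fromstring(xml_text).iter():
        kind = local(parent.tag)
        if kind not in ("service", "reference"):
            continue
        name = parent.get("name", "?")
        for binding in parent:
            if local(binding.tag) != "binding.atom":
                continue
            intents = set(binding.get("requires", "").split())
            plain_http = binding.get("uri", "").lower().startswith("http://")
            if kind == "service" and "authentication.transport" not in intents:
                findings.append((name, "no authentication.transport intent"))
            if kind == "service" and not intents & SECURE_TRANSPORT:
                findings.append((name, "no confidentiality/integrity intent"))
            if kind == "reference" and plain_http:
                findings.append((name, "reference URI is not https"))
                if binding.get(ALIAS_ATTR):
                    findings.append((name, "alias credentials sent over http"))
    return findings
```

Calling `audit_composite(SAMPLE)` reports the service that requires authentication without a secure transport and the reference that would send its alias credentials over plain http.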