About this task
New feature: An authorization
policy controls who can access protected SCA components and operations.
A security identity policy declares the security identity under which
an SCA component or operation is executed. You can limit access to
an SCA component or to an operation to particular users or groups.
You can also delegate access to another user when executing an SCA
component or an operation.
This topic applies to SCA components
that use implementation.java and implementation.spring.
For components that use implementation.jee, specify
the authorization and security identity policies in the enterprise
application using Java Platform, Enterprise Edition (Java EE) authorization
and security identity mechanisms. Authorization policy and security
identity policies do not apply to implementation.widget components.
Note the following limitations:
- SCA authorization policy is not supported for composites packaged
in Web application archives (WAR files).
- The definitions.xml file must be packaged in the same
asset as the composites that reference its policy sets.
- Role assignments are scoped to a configuration unit, and are required
for all of the roles used in all of the composites within the configuration
unit. These role assignments are completely independent of any role
assignments made for other configuration units in the same business-level
application.
- The target namespace of the policy set and the name of the policy
set do not contribute to the name of a role. They are used solely
to resolve the policy set reference. This implies that within the
same configuration unit, identically-named roles that are defined
within different policy sets or different name spaces are treated
as the same role.
- If authorization policy is not attached to a given component and
operation, the operation runs unprotected.
- It is possible to create conflicts by specifying multiple policy
sets in the @policySets attribute or by inheriting policy sets across
elements. In this case, the following rules are used:
  - The <denyAll> element takes precedence
  over <permitAll>, which takes precedence
  over <allow>.
  - Roles from multiple <allow> elements
  are aggregated.
- SCA authorization policy does not support authorizing users in
foreign realms.
Annotations are not supported for implementation.spring components.
Specify the policies in the composite file.
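The conflict-resolution rules above (denyAll over permitAll over allow, aggregated allow roles, unprotected when nothing is attached, roles identified by bare name regardless of policy set or namespace) modelled as an added example; this is not the SCA runtime's own code, and the policy set names and roles are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PolicySet:
    """One authorization policy set (constructed model of a definitions.xml entry).
    Roles are bare names: the policy set name and target namespace only
    resolve the @policySets reference and never qualify the role."""
    name: str
    deny_all: bool = False                 # contains <denyAll/>
    permit_all: bool = False               # contains <permitAll/>
    allow_roles: frozenset = frozenset()   # roles from <allow roles="..."/>

def effective_policy(policy_sets):
    """Resolve every policy set attached to one component or operation,
    whether listed in @policySets or inherited from an enclosing element.
    Returns (kind, roles), kind in {'unprotected','denyAll','permitAll','allow'}."""
    if not policy_sets:
        return ("unprotected", frozenset())  # nothing attached: runs unprotected
    if any(ps.deny_all for ps in policy_sets):
        return ("denyAll", frozenset())      # denyAll beats everything
    if any(ps.permit_all for ps in policy_sets):
        return ("permitAll", frozenset())    # permitAll beats allow
    roles = frozenset().union(*(ps.allow_roles for ps in policy_sets))
    return ("allow", roles)                  # roles of all <allow> elements aggregate

def is_authorized(policy_sets, caller_roles):
    """Access decision for a caller holding caller_roles."""
    kind, roles = effective_policy(policy_sets)
    if kind == "denyAll":
        return False
    if kind in ("permitAll", "unprotected"):
        return True
    return not roles.isdisjoint(caller_roles)

def audit_unprotected(attachments):
    """Given {operation: [policy sets]}, list operations that run unprotected."""
    return sorted(op for op, sets in attachments.items()
                  if effective_policy(sets)[0] == "unprotected")

# Constructed sample policy sets
ADMINS = PolicySet("AdminOnly", allow_roles=frozenset({"Admin"}))
AUDITORS = PolicySet("AuditRead", allow_roles=frozenset({"Auditor"}))
LOCKDOWN = PolicySet("Lockdown", deny_all=True)
OPEN = PolicySet("Open", permit_all=True)

if __name__ == "__main__":
    print(effective_policy([ADMINS, AUDITORS]))          # ('allow', frozenset({'Admin', 'Auditor'}))
    print(is_authorized([OPEN, LOCKDOWN], {"Admin"}))    # False
    print(audit_unprotected({"getBalance": [ADMINS], "transfer": []}))  # ['transfer']
```

Feeding the resolver every operation of a configuration unit is a quick way to find the ones that fall into the unprotected case before deployment.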
Access to an SCA component is permitted or denied by using
the following steps: