By default, the bus-enabled web services component can access a secure service integration bus. This means that your web services clients, if they provide suitable credentials when making requests, can use bus-enabled web services when bus security is enabled. You can modify or override the default configuration, for example by defining an authentication alias that the service integration resource adapter uses to access the bus.
Note: To use bus-enabled web services when bus security is enabled, your web services clients must provide suitable credentials when making requests. Your clients can provide credentials either by using WS-Security or by using HTTP basic authentication, as described in Authenticating web services clients using HTTP basic authentication. For HTTP basic authentication, application security must also be enabled and, depending on which of these authentication schemes you use, the endpoint listener application must be appropriately configured as described in Password-protecting inbound services. When you use HTTP basic authentication, you map the AuthenticatedUsers role to the special "AllAuthenticatedUsers" group (or to some other suitable authenticated group or user). When you use WS-Security, you do not need to map the endpoint listener AuthenticatedUsers role unless application security is enabled, in which case you map the AuthenticatedUsers role to the special "Everyone" group. For more information, see Assigning users and groups to roles.
The default configuration that the bus-enabled web services component uses to access a secure bus is as follows:
- Access to a bus is configured through the bus connector role. By default, every bus connector role includes a group called server. Members of this group are authorized to connect to the bus.
- The service integration resource adapter uses a J2C activation specification to communicate with the bus. By default, this activation specification has a Boolean custom property useServerSubject that is set to true. This property allows the service integration resource adapter to connect to the bus as a subject (a member) of the server group.
The server group in the bus connector role
This group controls whether a user is authorized to connect to the bus. The server group can be added to, or removed from, the bus connector role by using the administrative console, or by using the following wsadmin command scripts:
addGroupToBusConnectorRole
removeGroupFromBusConnectorRole
The useServerSubject property
This Boolean property is found in the custom properties panel of the J2C activation specification associated with the inbound, outbound or gateway service. It can also be set by using wsadmin command scripts.
Disabling and overriding the default configuration
To disable the default configuration, set the useServerSubject property to "false" rather than removing the server group, because the service integration resource adapter is not the only system resource that uses the server subject. If you remove the server group from the bus connector role, then no system resource can use the server subject to connect to the bus.
You can also override the default configuration by defining an authentication alias that the service integration resource adapter uses to access the bus. Using an authentication alias does not make your configuration more secure. However, you might want to use an alias for consistency of approach if you have other application servers running under WebSphere Application Server Version 6.0.x, or to support your internal business controls for the use of IDs and passwords.
If you configure an authentication alias, you need not also disable the default configuration: if an authentication alias exists, it overrides the default configuration. However, if you subsequently remove the authentication alias from the activation specification, the default configuration again takes control and (if it has not been disabled) allows the service integration resource adapter to continue to access the bus.
The following table shows whether the service integration resource adapter can connect to the secured bus, depending on the state of the different properties.
Table 1. Summary of expected behavior for accessing a secure service integration bus

| Valid authentication alias | useServerSubject | Server group on bus connector role | Resource adapter can connect? |
|---|---|---|---|
| Yes | No | No | Yes |
| No | Yes | Yes | Yes |
| No | No | Yes | No |
| No | No | No | No |
| No | Yes | No | No |
| Yes | Yes | Yes | Yes (using the authentication alias) |
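The following wsadmin Jython script is an added example and is not code from this page or from IBM. It ties together the bus connector role commands named above, the warning against removing the server group, and the decision rule summarized in Table 1. It assumes a wsadmin session in which AdminTask is predefined and uses the bus name "MyBus" as a placeholder; the AdminTask commands addGroupToBusConnectorRole, removeGroupFromBusConnectorRole and listGroupsInBusConnectorRole are the bus connector role commands, while the helper functions, the sample role membership and the offline stand-in for AdminTask are constructed for illustration. The useServerSubject and authentication alias values are passed in as arguments, because reading them from the activation specification is a separate configuration step.

```python
# Added example, not code from the IBM documentation page. Assumes a wsadmin
# Jython session (AdminTask predefined); "MyBus" is a placeholder bus name.
# AdminTask.addGroupToBusConnectorRole, removeGroupFromBusConnectorRole and
# listGroupsInBusConnectorRole are the bus connector role commands; everything
# else here is illustrative. Outside wsadmin, an in-memory stand-in for
# AdminTask is created so the logic can be exercised against constructed state.

SERVER_GROUP = "server"


def _arg(args, name):
    """Extract the value of '-name' from a wsadmin '[-bus X -group Y]' string."""
    tokens = args.replace("[", " ").replace("]", " ").split()
    for i in range(len(tokens) - 1):
        if tokens[i] == "-" + name:
            return tokens[i + 1]
    return None


try:
    AdminTask  # defined by wsadmin when the script runs inside it
except NameError:
    class _OfflineAdminTask:
        """Stand-in used only outside wsadmin; records the commands it receives.
        The starting role membership below is constructed sample data."""
        def __init__(self):
            self.groups = {"MyBus": ["server", "auditors"]}
            self.calls = []

        def listGroupsInBusConnectorRole(self, args):
            self.calls.append(("listGroupsInBusConnectorRole", args))
            return "\n".join(self.groups.get(_arg(args, "bus"), []))

        def addGroupToBusConnectorRole(self, args):
            self.calls.append(("addGroupToBusConnectorRole", args))
            bus, group = _arg(args, "bus"), _arg(args, "group")
            members = self.groups.setdefault(bus, [])
            if group not in members:
                members.append(group)

        def removeGroupFromBusConnectorRole(self, args):
            self.calls.append(("removeGroupFromBusConnectorRole", args))
            bus, group = _arg(args, "bus"), _arg(args, "group")
            if group in self.groups.get(bus, []):
                self.groups[bus].remove(group)

    AdminTask = _OfflineAdminTask()


def bus_connector_groups(bus):
    """Groups in the bus connector role of 'bus'; wsadmin lists one per line."""
    output = AdminTask.listGroupsInBusConnectorRole("[-bus %s]" % bus)
    return [line.strip() for line in output.splitlines() if line.strip()]


def ensure_server_group(bus):
    """Put the server group back if it is missing; returns True when it had to be
    added. Removing this group cuts off every system resource that uses the
    server subject, so to stop only the resource adapter using the default,
    set useServerSubject to false instead of removing the group."""
    if SERVER_GROUP in bus_connector_groups(bus):
        return False
    AdminTask.addGroupToBusConnectorRole("[-bus %s -group %s]" % (bus, SERVER_GROUP))
    return True


def resource_adapter_can_connect(has_valid_alias, use_server_subject, server_group_present):
    """Decision rule behind Table 1: a valid authentication alias always wins;
    without one, both useServerSubject and the server group are required."""
    if has_valid_alias:
        return True
    if use_server_subject and server_group_present:
        return True
    return False


def audit_bus_access(bus, use_server_subject, has_valid_alias=False):
    """Combine the live bus connector role with the activation specification
    settings (read those from the J2C activation spec in a real session and pass
    them in) and report connectivity plus the caveats described on this page."""
    server_group_present = SERVER_GROUP in bus_connector_groups(bus)
    report = {
        "server_group_present": server_group_present,
        "can_connect": resource_adapter_can_connect(
            has_valid_alias, use_server_subject, server_group_present),
        "warnings": [],
    }
    if not server_group_present:
        report["warnings"].append(
            "'server' is not in the bus connector role of %s: every system resource "
            "that relies on the server subject loses access, not only the service "
            "integration resource adapter" % bus)
    if has_valid_alias and use_server_subject:
        report["warnings"].append(
            "the authentication alias overrides useServerSubject=true; removing the "
            "alias later silently hands control back to the default configuration")
    return report


if __name__ == "__main__":
    print(audit_bus_access("MyBus", use_server_subject=True))
    print(ensure_server_group("MyBus"))
```

Run it with wsadmin.sh -lang jython -f on a real cell, or directly with python to exercise the offline stand-in. The audit function deliberately reports the missing server group as a warning rather than silently re-adding it, because the right repair depends on whether someone removed the group intentionally; ensure_server_group is the explicit repair step.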