Securing services exposed by HTTP bindings

You can use an HTTP binding with a wire format of JSON-RPC securely in a Service Component Architecture (SCA) application. Use intents to secure services that are exposed by the HTTP binding to remote Web browser clients.

Before you begin

JSON-RPC is a remote procedure call (RPC) protocol encoded in the JavaScript Object Notation (JSON) format.

For information about using HTTP bindings in this product, refer to Using HTTP bindings in SCA applications.

If you have not already done so, enable administrative and application security. Intents that secure services exposed by an HTTP binding are enforced only when administrative and application security are enabled.

About this task

Use the HTTP binding to secure services. To secure services, configure the requires attribute on the binding.http element.

Procedure

  1. Configure security for the HTTP binding service in an SCA composite definition.

    You can secure services that are exposed over an HTTP binding using intents. The following three intents are valid options for the requires attribute on the binding.http element:

    authentication.transport
        Requires any client invoking the service to provide valid authentication information.
    confidentiality.transport
        Requires any client invoking the service to do so over a secure transport that provides confidentiality of the transport.
    integrity.transport
        Requires any client invoking the service to do so over a secure transport that provides integrity of the transport.

    Edit a composite definition that exposes a Java service over the HTTP binding so that the exposed service requires a client to authenticate and communicate over a secure transport; for example:

    <composite>
      <service name="EchoService" promote="EchoComponent">
        <interface.java interface="echo.Echo"/>
        <tuscany:binding.http uri="/EchoService" requires="authentication.transport confidentiality.transport">
          <tuscany:wireFormat.jsonrpc/>
        </tuscany:binding.http>
      </service>
    
      <component name="EchoComponent">
        <implementation.java class="echo.EchoComponentImpl"/>
      </component>
    </composite>

    For information about authorization policy, refer to topics on SCA authorization and security identity policies.

  2. Invoke a secure service that is exposed over an HTTP binding from a Web browser.

    You can access the service directly from a JavaServer Pages (JSP) file or HTML page using the Dojo toolkit application programming interfaces from a Web browser.

    If the service requires confidentiality or integrity, use the HTTPS protocol. If the service requires authentication, configure the client application to prompt the user for a valid user name and password. If the default product settings enable single sign-on (SSO) and the user has authenticated previously, these credentials are automatically propagated in the request to the service.

What to do next

Test the service security.
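
As an added example (not part of the original documentation or the product), the following static check can accompany testing: it flags binding.http elements whose requires attribute omits authentication or a secure transport intent, or names an intent outside the three listed in step 1. It reads only the binding's own requires attribute, which is an assumption; the sample composite, its service names, and its namespace URIs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# The three intents the page lists as valid on binding.http.
VALID = {"authentication.transport", "confidentiality.transport",
         "integrity.transport"}
SECURE_TRANSPORT = {"confidentiality.transport", "integrity.transport"}

def local(tag):
    """Drop the '{namespace}' part ElementTree prepends to element names."""
    return tag.rsplit("}", 1)[-1]

def audit_composite(xml_text):
    """Return (service, uri, problem) tuples, in document order."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # For example a curly quote around an attribute value, or an
        # element that is self-closed and then closed a second time.
        return [("<composite>", "", f"not well-formed: {exc}")]
    findings = []
    for service in (e for e in root.iter() if local(e.tag) == "service"):
        for binding in (b for b in service if local(b.tag) == "binding.http"):
            intents = set(binding.get("requires", "").split())
            where = (service.get("name", "?"), binding.get("uri", "?"))
            if "authentication.transport" not in intents:
                findings.append(where + ("no authentication.transport",))
            if not intents & SECURE_TRANSPORT:
                findings.append(where + ("no secure transport intent",))
            for unknown in sorted(intents - VALID):
                findings.append(where + (f"unrecognized intent {unknown!r}",))
    return findings

# Constructed sample; service names and namespace URIs are placeholders.
SAMPLE = """<composite xmlns="urn:example:sca" xmlns:tuscany="urn:example:tuscany">
  <service name="EchoService" promote="EchoComponent">
    <tuscany:binding.http uri="/EchoService"
        requires="authentication.transport confidentiality.transport"/>
  </service>
  <service name="OpenService" promote="EchoComponent">
    <tuscany:binding.http uri="/OpenService"/>
  </service>
  <service name="TypoService" promote="EchoComponent">
    <tuscany:binding.http uri="/TypoService"
        requires="authentication.transport confidentialty.transport"/>
  </service>
</composite>"""

if __name__ == "__main__":
    for finding in audit_composite(SAMPLE):
        print(*finding, sep=" | ")
```

A misspelled intent is reported twice: once as unrecognized and once because the binding is left without the protection the author intended.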





Last updated: Jun 12, 2013 3:32:32 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=v700osgijpa&product=was-nd-mp&topic=tsca_http_binding_security
File name: tsca_http_binding_security.html