[AIX Solaris HP-UX Linux Windows][z/OS]

Securing data exposed by Atom bindings

You can secure collections of data that are exposed by an Atom binding in a Service Component Architecture (SCA) application. An Atom binding can expose data as an Atom feed or reference existing external Atom feeds.

Before you begin

If you are unfamiliar with the Atom protocol, refer to documentation on the Atom Syndication Format, an XML-based document format that describes web feeds, and the Atom Publishing Protocol, a protocol for publishing and updating web resources.

For information about using Atom bindings in this product, refer to Using Atom bindings in SCA applications.

Transition: In Version 8.5, the default value for the web authentication property webAuthReq is persisting, which enables credential persistence. Persisted credentials make login information available to unprotected web clients and give those clients additional access to user information. You must set the webAuthReq property to lazy to prevent unprotected web clients from gaining additional access to user information through persisted credentials. For more information, see Security hardening features enablement and migration. You can set webAuthReq to lazy on the administrative console Web security - General settings page:
  1. Click Security > Global security > Authentication > Web and SIP security > General settings.
  2. Select Authenticate only when the URI is protected, which enables lazy authentication.
  3. Click Apply.
For more information, see Web authentication settings.

About this task

Use the Atom binding to work securely with services that provide or consume entries described in the Atom Syndication Format and Atom Publishing Protocol.

Procedure

  1. Configure the Atom feed service security in an SCA composite definition.

    You can secure services that are exposed over an Atom binding using intents. Administrative and application security must be enabled for the intents to be enforced. The following three intents are valid options for the requires attribute on the binding.atom element:

    authentication.transport
    Requires any client invoking the service to provide valid authentication information
    confidentiality.transport
    Requires any client invoking the service to do so over a secure transport that provides confidentiality of the transport
    integrity.transport
    Requires any client invoking the service to do so over a secure transport that provides integrity of the transport

    Edit a composite definition that exposes a Java service over the Atom binding so that the exposed service requires a client to authenticate and communicate over a secure transport; for example:

    <component name="NewsServiceComponent">
      <implementation.java class="test.abdera.NewsServiceImpl"/>
      <service name="NewsService">
        <t:binding.atom uri="/NewsServiceComponent/newsService"
            requires="authentication.transport confidentiality.transport"/>
      </service>
    </component>

    For information about authorization policy, refer to documentation on SCA authorization and security identity policies.

  2. Invoke a secure service that is exposed over an Atom binding.

    You can access the service directly from a browser or from a client that supports Atom feeds. To access the feed directly, use the uniform resource identifier (URI) that the service specifies.

    If the service requires confidentiality or integrity, use the https protocol. If the service requires authentication, the user is prompted by the browser to enter valid credentials. If a Java client is used to access the service, include the authentication information in the HTTP header.

    The following example invokes a service using a reference URI. If the service being referenced requires confidentiality or integrity, use the https protocol.

    <reference name="atomFeed">
        <tuscany:binding.atom uri="https://localhost:9443/newsService"/>
    </reference>

    You can also invoke the service using a reference target:

    <reference name="atomFeed" target="NewsServiceComponent/NewsService">
        <tuscany:binding.atom/>
    </reference>

    For this example, the invocation is secure only if the service specifies the confidentiality.transport or integrity.transport intent.

    To authenticate when invoking a service over an Atom binding, you have two options:

    • Use single sign-on (SSO) to authenticate.

      If SSO is enabled and there has been a successful authentication before, the credentials are propagated with the request. For information about enabling SSO, see the topic on implementing single sign-on to minimize web user authentications.

    • Configure an authentication-alias, and send a specific user name and password with the request.

      You can use this option for references in implementation.java components. This option is not supported for references in implementation.widget components.

      1. Create an authentication-alias using the administrative console Java 2 Connector (J2C) authentication data entry page or wsadmin commands. See topics on J2C authentication data entries.
      2. In the composite definition, define the product SCA namespace and specify the alias name on the binding.atom element using the authentication-alias attribute.
        <composite xmlns="http://www.osoa.org/xmlns/sca/1.0"
        ...
        xmlns:qos="http://www.ibm.com/xmlns/prod/websphere/sca/1.0/2007/06"
        ...
        <reference name="atomFeed" target="NewsServiceComponent/NewsService">
            <tuscany:binding.atom qos:authentication-alias="AtomAlias"/>
        </reference>

What to do next

Test the service security.


Last updated: April 20, 2014 08:46 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nd-mp&topic=tsca_atom_binding_security
File name: tsca_atom_binding_security.html