You can use an HTTP binding with a wire format of JSON-RPC
securely in a Service Component Architecture (SCA) application. Use
intents to secure services that are exposed by the HTTP binding to
remote web browser clients.
Before you begin
JSON-RPC is a remote procedure call (RPC) protocol encoded
in the JavaScript Object
Notation (JSON) format.
For information about using HTTP bindings
in this product, refer to Using HTTP bindings in SCA applications.
Enable administrative and application security, if you have not already
done so. Intents that secure services exposed by an HTTP binding are
enforced only when both administrative security and application security
are enabled.
In Version 8.0, the default value of the web authentication property
webAuthReq is persisting, which enables credential persistence: login
information remains available to unprotected web clients, which gives them
additional access to user information. Set the webAuthReq property to
lazy to prevent unprotected web clients from gaining additional access to
user information through persisted credentials. For more information, see
Security hardening features enablement and migration.
You can set
webAuthReq to lazy on the administrative
console Web security - General settings page:
- Click .
- Select Authenticate only when the URI is protected,
which enables lazy authentication.
- Click Apply.
For more information, see Web authentication settings.
About this task
To secure services that are exposed over the HTTP binding, configure
the requires attribute on the binding.http element with one or more intents.
Procedure
- Configure security for the HTTP binding service in an SCA
composite definition.
You can secure services that are exposed over an HTTP binding using
intents. The following three intents are valid values for the requires
attribute on the binding.http element (separate multiple intents with spaces):
- authentication.transport: Requires any client invoking the service to
provide valid authentication information.
- confidentiality.transport: Requires any client invoking the service to
do so over a secure transport that provides confidentiality, so that the
request and response cannot be read in transit.
- integrity.transport: Requires any client invoking the service to do so
over a secure transport that provides integrity, so that the request and
response cannot be modified in transit.
Edit a composite definition that exposes a Java service over the HTTP binding
so that the exposed service requires a client to authenticate and to
communicate over a secure transport; for example (the composite name and
the SCA 1.0 and Tuscany namespace declarations are shown here so that the
fragment is well-formed; the wireFormat.jsonrpc element is a child of
binding.http, so binding.http must not be self-closing):
    <composite xmlns="http://www.osoa.org/xmlns/sca/1.0"
               xmlns:tuscany="http://tuscany.apache.org/xmlns/sca/1.0"
               name="EchoComposite">
      <service name="EchoService" promote="EchoComponent">
        <interface.java interface="echo.Echo"/>
        <!-- requires lists the intents, separated by spaces -->
        <tuscany:binding.http uri="/EchoService"
                              requires="authentication.transport confidentiality.transport">
          <tuscany:wireFormat.jsonrpc/>
        </tuscany:binding.http>
      </service>
      <component name="EchoComponent">
        <implementation.java class="echo.EchoComponentImpl"/>
      </component>
    </composite>
For information about authorization
policy, refer to topics on SCA authorization and security identity
policies.
- Invoke a secure service that is exposed over an HTTP binding
from a web browser.
You can access the service directly
from a JavaServer Pages (JSP) file or HTML page using the Dojo toolkit
application programming interfaces from a web browser.
If the service requires confidentiality or integrity, the client must use
the HTTPS protocol; a request over plain HTTP is rejected. If the service
requires authentication, configure the client application to prompt the
user for a valid user name and password before it invokes the service. If
the default product settings enable single sign-on (SSO) and the user has
authenticated previously, those credentials are automatically propagated
in the request to the service.
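The client side of the exchange described in this step, as an added example
that is not part of the product documentation or the Dojo toolkit: a minimal
JSON-RPC client that reads the intents from the requires attribute and
refuses to send a request that would violate them (no TLS when
confidentiality.transport or integrity.transport is required, no credentials
when authentication.transport is required). The endpoint
https://sca.example.com/EchoService, the method name echo on the Echo
interface, and the use of HTTP basic authentication are assumptions. The
block targets Node.js 18 or later (global fetch, Buffer, URL); in a browser,
replace Buffer with btoa.

```javascript
// Added example: JSON-RPC client for a service exposed over binding.http
// with wireFormat.jsonrpc. Not product or Dojo code. Assumed endpoint,
// method name and basic-auth scheme; Node.js 18+ (fetch, Buffer, URL).

// Parse the space-separated value of the requires attribute on binding.http.
function parseRequires(attrValue) {
  return attrValue.trim().split(/\s+/).filter(Boolean);
}

// Build the HTTP request a client must send to satisfy the intents.
// Throws instead of sending a request that would violate a transport
// or authentication intent.
function buildJsonRpcRequest(endpoint, intents, method, params, creds, id) {
  const url = new URL(endpoint);
  const needsTls =
    intents.includes("confidentiality.transport") ||
    intents.includes("integrity.transport");
  if (needsTls && url.protocol !== "https:") {
    throw new Error(
      `service requires a secure transport; refusing to call ${url.protocol}//${url.host}`
    );
  }
  const headers = { "Content-Type": "application/json" };
  if (intents.includes("authentication.transport")) {
    if (!creds || !creds.user) {
      throw new Error("service requires authentication; prompt the user for credentials first");
    }
    // Assumed: the server accepts HTTP basic authentication. With SSO and a
    // previous login the browser would send its cookie instead.
    const token = Buffer.from(`${creds.user}:${creds.password}`, "utf8").toString("base64");
    headers["Authorization"] = `Basic ${token}`;
  }
  // JSON-RPC request body: method name, positional params, correlation id.
  const body = JSON.stringify({ method, params, id });
  return { url: url.toString(), method: "POST", headers, body };
}

// Validate a JSON-RPC response: the id must match the request and the
// error member must be absent or null; returns the result member.
function parseJsonRpcResponse(text, expectedId) {
  const msg = JSON.parse(text);
  if (msg.id !== expectedId) {
    throw new Error(`id mismatch: expected ${expectedId}, got ${msg.id}`);
  }
  if (msg.error !== undefined && msg.error !== null) {
    throw new Error(`JSON-RPC error: ${JSON.stringify(msg.error)}`);
  }
  return msg.result;
}

// Assumed composite value: the requires attribute from the example above.
const REQUIRES_ATTR = "authentication.transport confidentiality.transport";
const ENDPOINT = "https://sca.example.com/EchoService"; // assumed host

// End-to-end call (network; not exercised offline).
async function callEcho(text, creds, id = 1) {
  const intents = parseRequires(REQUIRES_ATTR);
  const req = buildJsonRpcRequest(ENDPOINT, intents, "echo", [text], creds, id);
  const resp = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (resp.status === 401 || resp.status === 403) {
    throw new Error(`authentication or authorization failed: HTTP ${resp.status}`);
  }
  return parseJsonRpcResponse(await resp.text(), id);
}

module.exports = { parseRequires, buildJsonRpcRequest, parseJsonRpcResponse, callEcho };
```

Calling callEcho("hello", { user, password }) after prompting the user sends
one POST over HTTPS with an Authorization header; the same call against an
http: URL throws before any bytes leave the client, which is the behaviour a
browser page should mirror so that credentials are never sent in the clear.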
What to do next
Test the service security: confirm that a request without valid
credentials is rejected when authentication.transport is required, and
that a request over plain HTTP is rejected when confidentiality.transport
or integrity.transport is required.