The security implications of the new Service Component Architecture (SCA) are detailed.
The service component architecture is the standard for developing, deploying and administering applications in WebSphere Process Server. SCA componentizes applications into services. These services can be individually updated, simplifying upgrades of application modules.
If you are using security to make your WebSphere Process Server information safe, there are several implications of the SCA model. Most important is the fact that each service within an SCA application module, is furnished with the authentication of the original call. That is if you invoke an application, which in turn invokes a service A, the user identification that you used to invoke the application will be propagated on to service A. Consequently, you must ensure that the user identification with which you invoke SCA module has the security authorization to invoke, not only the application, but any subsequent services that may be called.
These considerations are most important when developing applications in the WebSphere Integration Developer environment, since application developers can ensure that no later service, requiring higher levels of authentication are encountered by an application user. However, WebSphere Process Server users should be aware of the security issues of SCA so that they can avoid problems of authentication.
SCA supports two security qualifiers, SecurityIdentity and SecurityPermission. These policy types specify the identity in which a particular component will run as well as the role required for the execution of a particular SCA component method/operation.
The SecurityPermission is a core qualifier and is an example of the InterfaceQualifier class. The InterfaceQualifier class represents a qualifier that can be used to annotate an Interface. The qualifier will be applied to all SCA interactions going through the Interface. InterfaceQualifier can also be used to annotate an InterfaceSet (in this case it applies to all the interfaces in the set) or a single Operation (in this case it applies only to the annotated operation). When an application developer adds the qualifier to an application, then a role is added to the deployment descriptor and the administrator must associate a user to that role in order for that user to be able to invoke the application.
The SecurityIdentity is a core qualifier and is an example of the ImplementationQualifier class. The ImplementationQualifier class represents a qualifier that can be used to annotate a component Implementation. The qualifier will be applied to all SCA interactions targeting the component implementation.
These policies are set as part of normal SCA policy setting (e.g., assembly). For more information on setting policy during assembly, refer to the WebSphere Integration Developer information center.
For more details of the service component architecture see Overview of service component architecture.
For more details on security see the WebSphere Application Server Information Center.
Last updated:
Copyright IBM Corporation 2005.
This information center is powered by Eclipse technology (http://www.eclipse.org)