There are many potential end-to-end security scenarios, each of which may require different security steps. Several typical scenarios are presented here, together with the security options they require.
Classic integration scenario - inbound and outbound adapters
An inbound request comes in from a WebSphere Business Integration Adapter. The service component architecture (SCA) invokes an interface map based on the SCA export. The request flows through a process component and a second interface map, and is then passed on to a second EIS (B) via a WebSphere Adapter. These are SCA invocations, with one component invoking a method on the next component.
There is no authentication mechanism for the inbound adapter. You can establish the security context by defining the SecurityIdentity qualifier on the first component (in this instance, the first interface map component). From that point, SCA propagates the security context from each component to the next. Access control for each component is defined by using the SecurityPermission qualifier.
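To illustrate the propagation described above, the following is an added Python model, not WebSphere or SCA code: the first interface map carries a SecurityIdentity qualifier, the downstream components carry SecurityPermission qualifiers, and the inbound adapter supplies no authenticated caller. The component names, the IntegrationRole role and the integration_svc identity are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Subject:
    """RunAs subject carried along the SCA invocation chain (illustrative model)."""
    user: str
    roles: frozenset


@dataclass
class Component:
    name: str
    # SecurityPermission qualifier: roles the *caller* must hold to invoke this component
    permission: frozenset = frozenset()
    # SecurityIdentity qualifier: identity this component runs as and propagates downstream
    identity: Optional[Subject] = None
    target: Optional["Component"] = None


def invoke(component: Component, caller: Optional[Subject], trace: list) -> bool:
    """Walk the chain; return True only if every SecurityPermission check passes."""
    if component.permission:
        if caller is None or not (caller.roles & component.permission):
            trace.append((component.name, "DENIED", caller.user if caller else None))
            return False
    # SecurityIdentity replaces the propagated context from this component onward
    run_as = component.identity if component.identity is not None else caller
    trace.append((component.name, "OK", run_as.user if run_as else None))
    if component.target is None:
        return True
    return invoke(component.target, run_as, trace)


def build_chain(set_identity: bool) -> Component:
    """Scenario from the text: inbound adapter -> map -> process -> map -> outbound adapter."""
    svc = Subject("integration_svc", frozenset({"IntegrationRole"}))  # constructed identity
    out_adapter = Component("outbound_adapter_B", permission=frozenset({"IntegrationRole"}))
    map2 = Component("interface_map_2", permission=frozenset({"IntegrationRole"}), target=out_adapter)
    process = Component("process_component", permission=frozenset({"IntegrationRole"}), target=map2)
    return Component("interface_map_1", identity=svc if set_identity else None, target=process)


def run_scenario(set_identity: bool):
    """Run the chain with no authenticated inbound caller; return (success, trace)."""
    trace: list = []
    ok = invoke(build_chain(set_identity), None, trace)
    return ok, trace
```

Without the SecurityIdentity qualifier on the first interface map, the unauthenticated context reaches the process component and its SecurityPermission check denies the call; with it, every downstream component sees the propagated identity.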
Inbound Web service request to WebSphere Process Server
In this scenario a Web service client invokes a WebSphere Process Server component. The request passes through several components in the WebSphere Process Server environment before being passed to an EIS by an adapter.
You can authenticate the Web service client as an SSL client, using HTTP Basic authentication or using WS-Security authentication. When the client is authenticated, access control is applied based on the SecurityPermission qualifier. Between the client and the WebSphere Process Server instance, you can secure data integrity and privacy using SSL or WS-Security. SSL secures the entire pipe, whereas with WS-Security you can encrypt or digitally sign parts of the SOAP message. For Web services, WS-Security is the preferred standard.
Outbound Web service request from WebSphere Process Server
In this scenario the inbound request can come from an adapter, a Web service client, or an HTTP client. A WebSphere Process Server component (for instance, a BPEL component) invokes an external Web service.
As for the inbound Web service request, you can authenticate with the external Web service as an SSL client, using HTTP Basic authentication or using WS-Security authentication. Use LTPACallBackHandler as the callback mechanism to extract the usernameToken from the current RunAs subject. Between WebSphere Process Server and the target Web service, you can ensure data privacy and integrity using WS-Security.
Web application - HTTP inbound request to WebSphere Process Server
Last updated: Tue 24 Oct 2006 22:01:09
(c) Copyright IBM Corporation 2005, 2006.