Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Secure web services
Secure WS-Notification
The WS-Notification security implementation requires that a user identity is flowed in requests for WS-Notification services. This identity is used to authenticate the client application and check that the client is authorized to invoke the requested operation, and to access the underlying service integration bus topic spaces and topic resources.
WS-Notification uses the same mechanisms as other web services to provide an authenticated identity, for example WS-Security or HTTP Basic Authentication.
There are three parts to configuring secure access to WS-Notification:
- Secure the communication channel between the application and the server.
- Authorize the application to invoke the NotificationBroker.
- Authorize the application to access the resources of the service integration bus.
If messaging security is enabled, and the WS-Security or HTTP Basic Authentication components are not configured to flow a user identity in WS-Notification requests, then all such requests are treated as unauthenticated and can only access messaging resources that are accessible by the WAS "everyone" group.
Procedure
- Secure the communication between the application and the server:
  - Provide security for inbound requests and their associated responses by configuring the WS-Notification service point.
    - For JAX-WS based v7.0 WS-Notification service points, attach security-enabled policy sets to the application associated with the service point. For JAX-RPC based v6.1 WS-Notification service points, configure security for the inbound ports associated with the service point.
    - If you are using SOAP over HTTP as the binding for your WS-Notification service point, modify it to use SOAP over HTTPS as described in Configure secure access to WS-Notification service points by using SOAP over HTTPS.
    - If you are using SOAP over JMS as the binding (for v6.1 WS-Notification services), configure the JMS connection factory used by the client application to use a secure communication protocol to communicate with the JMS provider. Exactly how you do this depends on the JMS provider. If you are using the service integration bus as the JMS provider, configure the client to use SSL to communicate with the server by setting the target inbound transport chain to InboundSecureMessaging, as described in How JMS applications connect to a messaging engine on a bus and its related tasks.
  - Provide security for outbound requests (for example, notifications from the server to subscribed consumers) by configuring the WS-Notification service.
    - For JAX-WS based v7.0 WS-Notification services, the steps are similar to those for applying security to JAX-WS web service clients, except that any binding or configuration created is applied to the WS-Notification service. See Secure JAX-WS web services using message-level security.
    - For JAX-RPC based v6.1 WS-Notification services, the steps are similar to those for applying security to service integration bus-enabled web services outbound ports, except that any binding or configuration created is applied to the WS-Notification service. See Secure bus-enabled web services and its sub-topics, notably Invoke outbound services over HTTPS.
  - You can also use WS-Security to sign or encrypt SOAP messages.
    - For JAX-WS based v7.0 WS-Notification services, see Signing and encrypting message parts using policy sets.
    - For JAX-RPC based v6.1 WS-Notification services, see Configure secure transmission of SOAP messages by using WS-Security.
- Authorize the application to invoke the NotificationBroker:
  - Configure the client application to provide an appropriate identity. To be authorized to communicate with the server, a web service application must identify itself as running under a particular authenticated identity. The mechanism for doing this depends on the type of web service binding you are using:
    - If you are using SOAP over HTTP web service bindings, use either HTTP Basic Authentication or WS-Security to provide the authenticated identity.
    - If you are using SOAP over JMS web service bindings (for v6.1 WS-Notification services), use WS-Security to provide the authenticated identity.
  - Configure the server to authorize the client application identity to carry out the required operations.
    - For JAX-WS based v7.0 WS-Notification services, you can use web services policy sets such as the "Username WS-I RSP default" or "Username WSSecurity default" policy sets to apply authorization to the web services deployed in the enterprise application associated with a service point. See also the IBM developerWorks article Configure JAX-WS applications with WS-Security for WS-Notification.
    - For JAX-RPC based v6.1 WS-Notification services, you can apply authorization to the whole of an inbound service (for example, the NotificationBroker endpoint of a WS-Notification service point) as described in Password-protecting inbound services, or configure authorization constraints independently for each web service operation as described in Password-protecting a web service operation.
- Authorize the application to access the resources of the service integration bus. Service integration bus security uses role-based authorization: when a user is assigned to a role, the user is granted all of the permissions that the role contains. By administering authorization permissions, you control user access to a bus and to its resources when messaging security is enabled.
  - Authorize the application identity to connect to the service integration bus, as described in Administer the bus connector role.
  - Once the application can connect to the bus, grant it access to the appropriate destinations on the bus. To determine which service integration bus topic spaces are required, check which WS-Notification topic namespaces the application uses, then look at the corresponding WS-Notification permanent topic namespace to find the service integration bus topic space to which each maps. Then grant the authenticated identity authorization (for example, the Sender or Receiver role) to access that topic space, as described in Administer destination roles.
  - After the client application has been authorized to access the appropriate topic space destination, you might also need to authorize it to access individual topics within that topic space, as described in Administer topic roles.
For general information about configuring access to the service integration bus, see Secure service integration.
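The identity and authorization chain that the procedure describes, modelled as an added Python example (not IBM's code and not a wsadmin script): the identity is taken from HTTP Basic Authentication or a WS-Security UsernameToken, a request that flows no identity falls back to the "everyone" group, and a NotificationBroker operation is then checked through the permanent topic namespace mapping, the destination roles on the topic space, and any topic roles. The user registry, topic namespace, topic space, group names and roles are constructed, and the mapping of Subscribe/Notify to the Receiver/Sender roles is an assumption.

```python
import base64
import hmac
import xml.etree.ElementTree as ET

WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"
EVERYONE = "everyone"  # group every request acts as, even when no identity is flowed

# Constructed (hypothetical) data standing in for the user registry, the permanent
# topic namespaces, and the bus destination/topic roles an administrator would configure.
USERS = {"alice": ("pw-alice", {"analysts"})}  # user -> (password, groups)
PERMANENT_TOPIC_NAMESPACES = {"http://example.com/orders": "Orders.TopicSpace"}
DESTINATION_ROLES = {("Orders.TopicSpace", "Receiver"): {"analysts"},
                     ("Orders.TopicSpace", "Sender"): {"order-system"}}
TOPIC_ROLES = {("Orders.TopicSpace", "Cancelled", "Receiver"): {"managers"}}
BROKER_OPERATION_ROLE = {"Subscribe": "Receiver", "Notify": "Sender"}  # assumed mapping

# Constructed WS-Notification Subscribe request flowing a WS-Security UsernameToken.
SAMPLE_SUBSCRIBE = (
    '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="%s">'
    "<s:Header><wsse:Security><wsse:UsernameToken><wsse:Username>alice</wsse:Username>"
    "<wsse:Password>pw-alice</wsse:Password></wsse:UsernameToken></wsse:Security>"
    "</s:Header><s:Body/></s:Envelope>" % WSSE[1:-1])


def identity_from_request(http_headers, soap_xml):
    """Groups the request acts as: the user's groups when a valid credential is flowed
    (HTTP Basic or a PasswordText UsernameToken), otherwise only 'everyone'."""
    auth = http_headers.get("Authorization", "")
    if auth.startswith("Basic "):
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    else:
        token = ET.fromstring(soap_xml).find(f".//{WSSE}UsernameToken")
        if token is None:
            return {EVERYONE}  # no identity flowed: treated as unauthenticated
        user = token.findtext(f"{WSSE}Username", "")
        pw = token.findtext(f"{WSSE}Password", "")
    entry = USERS.get(user)
    if entry is None or not hmac.compare_digest(entry[0], pw):
        raise PermissionError("authentication failed")  # bad credentials are rejected, not downgraded
    return entry[1] | {EVERYONE}


def authorize(groups, operation, topic_namespace, topic):
    """Broker operation -> bus role -> topic space (via the permanent topic namespace)
    -> destination role -> topic role. A topic role is only checked when one is
    defined for that topic (a simplification of the bus's inheritance rules)."""
    role = BROKER_OPERATION_ROLE[operation]
    space = PERMANENT_TOPIC_NAMESPACES.get(topic_namespace)
    if space is None or not groups & DESTINATION_ROLES.get((space, role), set()):
        return False  # namespace unmapped, or no Sender/Receiver role on the topic space
    topic_acl = TOPIC_ROLES.get((space, topic, role))
    return topic_acl is None or bool(groups & topic_acl)
```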
Related
Configure JAX-WS applications with WS-Security for WS-Notification (IBM developerWorks): http://www.ibm.com/developerworks/websphere/techjournal/0904_jiang/0904_jiang.html