Mediations security
When bus security is enabled, authorization permissions are required so that mediations can run, and undertake messaging operations securely, on a service integration bus. This topic describes the mechanisms that secure mediations, and the implications of running mediations on a bus whose members span multiple security domains.
When bus security is enabled, the messaging engine must be authorized to access the mediation. The messaging engine authenticates by using either a mediations authentication alias or an LTPA token, depending on the version of the bus member:
- A WAS v7 or later bus member uses an LTPA token for messaging engine authentication. If a mediations authentication alias is also specified, its user ID is used, but a password is not required.
- A WAS v6 bus member requires an authentication alias to ensure that the mediation can be called. For more information, see Configure the bus to access secured mediations.
When an application sends a message to the bus, the identity of the sender application is associated with the message. The message is sent to the next destination in the forward routing path, provided that the message originator has Sender authority for that destination. If a mediation processes the message at the target destination, the identity associated with the message is preserved by default. We can program the mediation to reset the message identity to the identity under which the mediation code runs. For example, a mediated destination might represent the boundary between two security domains, in which the sender application is not authorized to access the destinations beyond the boundary. By resetting the identity, the mediation translates the different sender identities into a single user identity, and access across the boundary is then controlled by the authorizations granted to that one identity. For more information about programming mediations, see Mediation programming. For more information about using the resetIdentity() method, see SIMediationSession.
When you install a mediation for use when bus security is enabled, you must ensure that the identity used by the bus to call the mediation can access the mediation. By default, a mediation is unauthenticated. We can configure it to use the mediations authentication alias by specifying a RunAs role using the assembly tools. For more information, see Configure an alternative mediation identity for a mediation handler.
If bus security is enabled, and a mediation sends messages to a destination, the mediation identity requires authority to access that destination, because any new messages sent by the mediation are sent using the mediation identity. For more information, see Administer authorization permissions.
If administrative security is disabled, no identity is configured for the mediation. Therefore, if bus security is enabled but administrative security is disabled, the mediation is not authenticated to access bus destinations.
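The following Java mediation handler is an added example, not code from the WebSphere Application Server documentation or product. It illustrates the identity handling described above: the handler reads the identity carried on the incoming message, rejects senders that are not on an allow list, records the original sender in a message property for audit, and then calls resetIdentity() so that the message continues along the forward routing path under the mediation identity (the RunAs identity or mediations authentication alias), which is the single identity that must hold Sender authority on the destinations beyond the domain boundary. The class name, the TRUSTED_SENDERS allow list and the originalSenderId property name are assumptions; MediationHandler, SIMessageContext, SIMediationSession and SIMessage are the documented service integration bus interfaces, used here as I understand their signatures.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.xml.rpc.handler.MessageContext;

import com.ibm.websphere.sib.SIMessage;
import com.ibm.websphere.sib.mediation.handler.MediationHandler;
import com.ibm.websphere.sib.mediation.handler.MessageContextException;
import com.ibm.websphere.sib.mediation.messagecontext.SIMessageContext;
import com.ibm.websphere.sib.mediation.session.SIMediationSession;

/**
 * Mediation handler for a destination that sits on the boundary between two
 * security domains (added example, not part of the product documentation).
 *
 * Messages arrive carrying the identity of the original sender, which the bus
 * preserves by default. Senders from the originating domain are not authorized
 * on the destinations beyond the boundary, so the handler keeps the original
 * sender for audit and resets the message identity to the identity under which
 * the mediation runs. Only that one identity needs Sender authority past the
 * boundary.
 */
public class DomainBoundaryMediationHandler implements MediationHandler {

    // Hypothetical policy: only these originating-domain identities may have
    // their messages re-identified and forwarded. In a real deployment this
    // list would come from configuration, not from a hard-coded constant.
    private static final Set<String> TRUSTED_SENDERS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("orderService", "billingService")));

    // Hypothetical message property used to preserve the original identity.
    static final String ORIGINAL_SENDER_PROPERTY = "originalSenderId";

    public boolean handle(MessageContext ctx) throws MessageContextException {
        // The bus passes an SIMessageContext to a mediation handler.
        SIMessageContext siCtx = (SIMessageContext) ctx;
        SIMessage msg = siCtx.getSIMessage();
        SIMediationSession session = siCtx.getSession();

        // Identity associated with the message when the application sent it.
        String originalSender = msg.getUserId();
        if (!isTrustedSender(originalSender)) {
            // Returning false stops handler processing for this message, so it
            // is not forwarded to the next destination in the routing path.
            return false;
        }

        // Keep the original identity in a message property so a consumer or an
        // audit mediation downstream can still see who actually sent it.
        try {
            msg.setMessageProperty(ORIGINAL_SENDER_PROPERTY, originalSender);
        } catch (Exception e) {
            throw new MessageContextException(
                    "Unable to record original sender: " + e.getMessage());
        }

        // Replace the sender identity with the identity under which this
        // mediation code runs. Authorization on destinations beyond the
        // boundary is now checked against that single mediation identity.
        session.resetIdentity();

        // Continue: the message is forwarded under the mediation identity.
        return true;
    }

    static boolean isTrustedSender(String userId) {
        return userId != null && TRUSTED_SENDERS.contains(userId);
    }
}
```

For this handler to work with bus security enabled, the mediation must be assigned a RunAs identity (see Configure an alternative mediation identity for a mediation handler), and that identity must be granted Sender authority on the destinations beyond the boundary (see Administer authorization permissions). The allow-list check is the practitioner's safeguard: without it, resetIdentity() would launder any sender's message into the mediation identity.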
Use mediations in multiple security domains
We can run mediations successfully in a bus topology where the members of a bus span multiple security domains. The bus security configuration provides an option, called addUserServerIdForMediations, that allows mediations to run under a server identity. When this option is used, a mediations authentication alias is not required.
Mediations are deployed as applications, and so run in the security domain used by the application server, not in the bus domain. Because the mediations authentication alias applies to the whole bus, if you run a mediation on multiple servers in different domains, you must ensure that the user identity in the mediations authentication alias exists in the user registry configured for each of those domains. Alternatively, we can choose the server identity option, which we can use even if multiple domains are not in use.
Related concepts
- Mediations
- Service integration security planning
Related tasks
- Secure mediations
- Configure the bus to access secured mediations
- Configure a bus to run mediations in a multiple security domain environment
- Configure an alternative mediation identity for a mediation handler