
Secure services exposed by HTTP bindings

We can use an HTTP binding with the JSON-RPC wire format securely in an SCA application. Use intents to secure the services that the HTTP binding exposes to remote web browser clients.

JSON-RPC is a remote procedure call (RPC) protocol encoded in the JSON format.

For information about using HTTP bindings in this product, refer to Use HTTP bindings in SCA applications.

Enable administrative and application security, if they are not already enabled. Intents on services that are exposed by an HTTP binding are enforced only when both administrative security and application security are enabled.

Migration note: In v8.0, the default value of the web authentication property webAuthReq is persisting. This enables credential persistence, which makes login information available to unprotected web clients and gives them additional access to user information. Set the webAuthReq property to lazy so that unprotected web clients cannot gain additional access to user information through persisted credentials. For more information, see Security hardening features enablement and migration. We can set webAuthReq to lazy on the Web security - General settings page of the deployment manager administrative console:

  1. Click Security > Global security > Authentication > Web and SIP security > General settings.

  2. Select Authenticate only when the URI is protected, which enables lazy authentication.

  3. Click Apply.

For more information, see Web authentication settings.

Use the HTTP binding to secure services. To secure a service, configure the requires attribute on its binding.http element.

  1. Configure security for the HTTP binding service in an SCA composite definition.

    We can secure services that are exposed over an HTTP binding using intents. The following three intents are valid options for the requires attribute on the binding.http element:

    authentication.transport

    Requires any client invoking the service to provide valid authentication information.

    confidentiality.transport

    Requires any client invoking the service to do so over a secure transport that provides confidentiality of the transport.

    integrity.transport

    Requires any client invoking the service to do so over a secure transport that provides integrity of the transport.

    Edit a composite definition that exposes a Java service over the HTTP binding so the exposed service requires a client to authenticate and communicate over a secure transport; for example:

    <!-- Namespace declarations are assumed here for a complete composite:
         the OSOA SCA 1.0 namespace and the Tuscany 1.0 extension namespace
         that the tuscany: prefix on binding.http maps to. -->
    <composite xmlns="http://www.osoa.org/xmlns/sca/1.0"
               xmlns:tuscany="http://tuscany.apache.org/xmlns/sca/1.0"
               targetNamespace="http://echo"
               name="EchoComposite">
      <service name="EchoService" promote="EchoComponent">
        <interface.java interface="echo.Echo"/>
        <!-- requires: the client must authenticate and use a confidential (HTTPS) transport -->
        <tuscany:binding.http uri="/EchoService"
                              requires="authentication.transport confidentiality.transport">
          <tuscany:wireFormat.jsonrpc/>
        </tuscany:binding.http>
      </service>
      <component name="EchoComponent">
        <implementation.java class="echo.EchoComponentImpl"/>
      </component>
    </composite>

    For information about authorization policy, refer to topics on SCA authorization and security identity policies.

  2. Invoke a secure service that is exposed over an HTTP binding from a web browser.

    We can access the service directly from a JSP file or HTML page using the Dojo toolkit application programming interfaces from a web browser.

    If the service requires confidentiality or integrity, invoke it over HTTPS; a request over plain HTTP is rejected. If the service requires authentication, configure the client application to prompt the user for a valid user name and password. If the default product settings enable single sign-on (SSO) and the user has authenticated previously, those credentials are propagated automatically in the request to the service.

Test the service security.
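As an added example, not from the original page and not part of WebSphere or Tuscany, the following Python script applies the step 1 rules to composite definitions offline before deployment: it parses every binding.http, folds in intents inherited from the enclosing service and composite elements (SCA intents declared on a parent apply to its children), and reports any HTTP binding that does not require authentication.transport together with confidentiality.transport or integrity.transport, or that names an intent outside those three. The OSOA SCA 1.0 and Apache Tuscany 1.0 namespace URIs, the helper names, and the EchoService composites are assumptions constructed for this example.

```python
"""Audit SCA composite definitions for HTTP bindings that lack security intents."""
import xml.etree.ElementTree as ET

# Assumed namespaces for this example: the OSOA SCA 1.0 composite namespace
# and the Apache Tuscany 1.0 extension namespace behind the tuscany: prefix.
SCA_NS = "http://www.osoa.org/xmlns/sca/1.0"
TUSCANY_NS = "http://tuscany.apache.org/xmlns/sca/1.0"

# The three intents the page lists as valid for requires= on binding.http.
AUTHN = "authentication.transport"
CONF = "confidentiality.transport"
INTEG = "integrity.transport"
VALID_INTENTS = {AUTHN, CONF, INTEG}


def _requires(element):
    """Intent names declared on one element (empty set if none)."""
    return set(element.get("requires", "").split())


def audit_composite(xml_text):
    """Return one finding per HTTP binding that is not fully secured.

    Intents on the enclosing <service> or <composite> are inherited by the
    binding, so they are merged in. A binding is reported when it lacks
    authentication.transport, lacks both transport-protection intents, or
    names an intent that is not valid for binding.http (a typo would not
    protect anything). An empty list means every HTTP binding requires an
    authenticated client on a secure transport.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for service in root.iter(f"{{{SCA_NS}}}service"):
        for binding in service.iter(f"{{{TUSCANY_NS}}}binding.http"):
            effective = _requires(root) | _requires(service) | _requires(binding)
            problems = []
            if AUTHN not in effective:
                problems.append(f"no {AUTHN}: anonymous clients can invoke it")
            if not effective & {CONF, INTEG}:
                problems.append("no confidentiality/integrity intent: plain HTTP allowed")
            for name in sorted(effective - VALID_INTENTS):
                problems.append(f"unrecognised intent {name}")
            if problems:
                findings.append({"service": service.get("name"),
                                 "uri": binding.get("uri"),
                                 "problems": problems})
    return findings


def _composite(binding_requires="", service_requires=""):
    """Build a small EchoService composite (constructed sample input)."""
    req_b = f' requires="{binding_requires}"' if binding_requires else ""
    req_s = f' requires="{service_requires}"' if service_requires else ""
    return f"""<composite xmlns="{SCA_NS}" xmlns:tuscany="{TUSCANY_NS}"
           targetNamespace="http://echo" name="EchoComposite">
  <service name="EchoService" promote="EchoComponent"{req_s}>
    <interface.java interface="echo.Echo"/>
    <tuscany:binding.http uri="/EchoService"{req_b}>
      <tuscany:wireFormat.jsonrpc/>
    </tuscany:binding.http>
  </service>
  <component name="EchoComponent">
    <implementation.java class="echo.EchoComponentImpl"/>
  </component>
</composite>"""


# Constructed samples: the weak configuration (no intents at all), the
# hardened form from the page, the same protection inherited from the
# service element, and a misspelled intent that silently protects nothing.
WEAK = _composite()
HARDENED = _composite("authentication.transport confidentiality.transport")
INHERITED = _composite(service_requires="authentication.transport integrity.transport")
TYPO = _composite("authentication confidentiality.transport")

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED),
                        ("inherited", INHERITED), ("typo", TYPO)):
        print(label, audit_composite(text) or "OK")
```

Run it against the composite files in an SCA contribution before deploying; any finding is a service that remote browser clients could reach without the protection step 1 describes.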


Related concepts:

Enablement and migration considerations of Security hardening features


Related tasks:


Use HTTP bindings in SCA applications
Use SCA authorization and security identity policies
Implement single sign-on to minimize web user authentications
Manage Java 2 Connector Architecture authentication data entries for JAAS
Configure new Java 2 Connector authentication data entries using wsadmin
Specify bindings in an SCA environment


Reference:

Web authentication settings
Java 2 Connector authentication data entry settings

