WAS v8.5 > Secure applications > Authorizing access to resources

Use SCA authorization and security identity policies

Use two SCA declarative policies (authorization and security identity) to protect SCA components and operations and to declare the security identity under which the SCA components or operations are executed.

A user registry must be configured and an SCA component must first have been developed. You must also enable application security. An authorization policy controls who can access protected SCA components and operations. A security identity policy declares the security identity under which an SCA component or operation is executed. We can limit access to an SCA component or to an operation to particular users or groups. We can also delegate access to another user when executing an SCA component or an operation.

Note the following limitations:

Access to an SCA component is permitted or denied using the following steps:

  1. The policy administrator creates one or more policy sets in the file named definitions.xml.

    OSOA example

    <definitions xmlns="http://www.osoa.org/xmlns/sca/1.0"
      targetNamespace="http://smallvilleBank"
      xmlns:sca="http://www.osoa.org/xmlns/sca/1.0">
      <policySet name="StaffAuthorizationPolicy"
        appliesTo="sca:implementation.java"
        xmlns="http://www.osoa.org/xmlns/sca/1.0">
        <authorization>
          <allow roles="staff"/>
        </authorization>
      </policySet>
      <policySet name="SupervisorAuthorizationPolicy"
        appliesTo="sca:implementation.java"
        xmlns="http://www.osoa.org/xmlns/sca/1.0">
        <authorization>
          <allow roles="supervisor manager specialist"/>
        </authorization>
        <securityIdentity>
          <runAs role="specialist"/>
        </securityIdentity>
      </policySet>
    </definitions>

    OASIS example

    <definitions xmlns="http://docs.oasis-open.org/ns/opencsa/sca/200912"
      targetNamespace="http://smallvilleBank"
      xmlns:sca="http://docs.oasis-open.org/ns/opencsa/sca/200912"
      xmlns:tuscany="http://tuscany.apache.org/xmlns/sca/1.1">
      <policySet name="StaffAuthorizationPolicy"
        appliesTo="sca:implementation.java"
        provides="authorization">
        <tuscany:authorization>
          <tuscany:allow roles="staff"/>
        </tuscany:authorization>
      </policySet>
      <policySet name="SupervisorAuthorizationPolicy"
        appliesTo="sca:implementation.java">
        <tuscany:authorization>
          <tuscany:allow roles="supervisor manager specialist"/>
        </tuscany:authorization>
        <tuscany:securityIdentity>
          <tuscany:runAs role="specialist"/>
        </tuscany:securityIdentity>
      </policySet>
    </definitions>

  2. The assembler attaches the policy to the SCA composite.

    OSOA example

    <?xml version="1.0" encoding="UTF-8"?>
    <composite xmlns="http://www.osoa.org/xmlns/sca/1.0"
      xmlns:bank="http://smallvilleBank"
      name="AccountServices">
      <component name="AccountAccess">
        <implementation.java class="smallvilleBank.AccountAccessImpl"
          policySets="bank:StaffAuthorizationPolicy"/>
      </component>
      <component name="AccountAudit">
        <implementation.java class="smallvilleBank.AccountAuditImpl"
          policySets="bank:SupervisorAuthorizationPolicy"/>
      </component>
    </composite>

    OASIS example

    <?xml version="1.0" encoding="UTF-8"?>
    <composite xmlns="http://docs.oasis-open.org/ns/opencsa/sca/200912"
      xmlns:bank="http://smallvilleBank"
      name="AccountServices">
      <component name="AccountAccess">
        <implementation.java class="smallvilleBank.AccountAccessImpl"
          requires="authorization" policySets="bank:StaffAuthorizationPolicy"/>
      </component>
      <component name="AccountAudit">
        <implementation.java class="smallvilleBank.AccountAuditImpl"
          policySets="bank:SupervisorAuthorizationPolicy"/>
      </component>
    </composite>

  3. The deployer assigns users and/or groups to the roles that are defined in the composite.
  4. The deployer assigns a user to the runAs roles that are defined in the composite.
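As an added example (not part of this documentation or of the WebSphere product), the following Python script reads a definitions.xml and a composite in the OSOA form shown above and reports, per component, which roles may call it, which runAs role applies, and whether the component has no policy set attached or references a policy set that does not exist in definitions.xml. The sample XML is constructed for the example (the AccountReport component is an addition); the OASIS form with the tuscany namespace is not handled.

```python
import io
import xml.etree.ElementTree as ET
SCA = "{http://www.osoa.org/xmlns/sca/1.0}"  # OSOA SCA 1.0 namespace, as in the page's first example
# Constructed sample modelled on the page's OSOA examples; AccountReport has no policy attached.
DEFINITIONS_XML = """<definitions xmlns="http://www.osoa.org/xmlns/sca/1.0" xmlns:sca="http://www.osoa.org/xmlns/sca/1.0"
 targetNamespace="http://smallvilleBank">
 <policySet name="StaffAuthorizationPolicy" appliesTo="sca:implementation.java">
  <authorization><allow roles="staff"/></authorization></policySet>
 <policySet name="SupervisorAuthorizationPolicy" appliesTo="sca:implementation.java">
  <authorization><allow roles="supervisor manager specialist"/></authorization>
  <securityIdentity><runAs role="specialist"/></securityIdentity></policySet></definitions>"""
COMPOSITE_XML = """<composite xmlns="http://www.osoa.org/xmlns/sca/1.0" xmlns:bank="http://smallvilleBank" name="AccountServices">
 <component name="AccountAccess"><implementation.java class="smallvilleBank.AccountAccessImpl"
  policySets="bank:StaffAuthorizationPolicy"/></component>
 <component name="AccountAudit"><implementation.java class="smallvilleBank.AccountAuditImpl"
  policySets="bank:SupervisorAuthorizationPolicy"/></component>
 <component name="AccountReport"><implementation.java class="smallvilleBank.AccountReportImpl"/></component>
</composite>"""

def load_policy_sets(definitions_xml):
    """Map (targetNamespace, policySet name) -> (allowed roles, runAs role or None)."""
    root = ET.fromstring(definitions_xml)
    sets = {}
    for ps in root.findall(SCA + "policySet"):
        allow = ps.find(SCA + "authorization/" + SCA + "allow")
        run_as = ps.find(SCA + "securityIdentity/" + SCA + "runAs")
        roles = set(allow.get("roles", "").split()) if allow is not None else set()
        sets[(root.get("targetNamespace"), ps.get("name"))] = (
            roles, run_as.get("role") if run_as is not None else None)
    return sets

def audit_composite(composite_xml, policy_sets):
    """Per component: allowed roles, runAs role, issues (no policy attached or unresolved reference)."""
    # ElementTree drops prefix declarations, so recover them from start-ns events to resolve bank:Name.
    prefixes = dict(ns for _, ns in ET.iterparse(io.StringIO(composite_xml), events=("start-ns",)))
    report = {}
    for comp in ET.fromstring(composite_xml).findall(SCA + "component"):
        impl = comp.find(SCA + "implementation.java")
        refs = impl.get("policySets", "").split() if impl is not None else []
        entry = {"roles": set(), "runAs": None, "issues": [] if refs else ["no policySets attached"]}
        for ref in refs:
            prefix, _, local = ref.rpartition(":")
            found = policy_sets.get((prefixes.get(prefix), local))
            if found is None:
                entry["issues"].append("unresolved policySet " + ref)
            else:
                entry["roles"] |= found[0]
                entry["runAs"] = found[1] or entry["runAs"]
        report[comp.get("name")] = entry
    return report
```

A component with an empty issues list is protected by the listed roles; one flagged "no policySets attached" has no authorization policy and should be reviewed before deployment.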

Access to the SCA component is permitted or denied according to the authorization policy.


Related


Use the SCA RequestContext.getSecuritySubject() API


Reference:

Map security roles to users or groups collection for SCA composites

