
Blueprint security and OSGi applications

We can configure bean security so that the methods of the bean can be accessed only by users assigned a specified role.

We configure security by defining one or more <access-constraint> elements, inside the <bean> element for the bean whose security we want to configure, in the Blueprint XML file of our OSGi application. If we do not define an <access-constraint> element, the bean is not secured; this means that all the methods of the bean can be accessed by any user.

For the bean security configuration to be effective, application security must be enabled in WebSphere Application Server.

We can configure bean security at the bean level and at the method level. If we configure security at both the bean level and the method level, the method-level configuration takes precedence for the methods it names.

The <access-constraint> element is defined in a Blueprint namespace extension, http://www.ibm.com/appserver/schemas/blueprint/security/v1.0.0. Therefore, specify a namespace prefix for this extension in the <blueprint> element. In the examples that follow, the prefix "sec" is used; this prefix is specified as follows:

<blueprint
  xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
  xmlns:sec="http://www.ibm.com/appserver/schemas/blueprint/security/v1.0.0">
  <!-- bean definitions go here -->
</blueprint>


Configure bean-level security

To configure security at the bean level, include a role attribute in the <access-constraint> element definition. The methods of the bean can be accessed only by users assigned the specified role.

In the following example, the methods of the secureBean1 bean are accessible only by users assigned the role called "ROLE1":

<bean
  id="secureBean1"
  class="com.ibm.ws.eba.wab.componenttest.blueprint.secure.BlueprintSecureServiceImpl">
  <sec:access-constraint role="ROLE1" />
</bean>


Configure method-level security

To configure security at the method level, include, in addition to the role attribute, a method attribute. The specified method can be accessed only by users assigned the specified role.

In the following example, the getPrice method of the secureBean1 bean is accessible only by users assigned ROLE1. All the other methods of the bean can be accessed by any user.

<bean
  id="secureBean1"
  class="com.ibm.ws.eba.wab.componenttest.blueprint.secure.BlueprintSecureServiceImpl">
  <sec:access-constraint method="getPrice" role="ROLE1" />
</bean>

In the following example, the getPrice method is accessible only by users assigned ROLE1, and the printReport method is accessible only by users assigned ROLE2. All the other methods are accessible only by users assigned ROLE3, through the bean-level constraint.

<bean
  id="secureBean1"
  class="com.ibm.ws.eba.wab.componenttest.blueprint.secure.BlueprintSecureServiceImpl">
  <sec:access-constraint method="getPrice" role="ROLE1" />
  <sec:access-constraint method="printReport" role="ROLE2" />
  <sec:access-constraint role="ROLE3" />
</bean>
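
The rules above can be checked mechanically before deployment. The following script is an added example, not part of the product documentation: it parses a Blueprint XML file, resolves the role required for a given method (method-level constraint first, then bean-level), and lists beans that leave at least one method open to any user. The function names, the sample bean ids and the sample classes are assumptions made for illustration, and the script is meant to be run against our own trusted Blueprint files.

```python
import xml.etree.ElementTree as ET

BP = "{http://www.osgi.org/xmlns/blueprint/v1.0.0}"
SEC = "{http://www.ibm.com/appserver/schemas/blueprint/security/v1.0.0}"

# Constructed sample input, not taken from a real application.
SAMPLE = """<blueprint
  xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
  xmlns:sec="http://www.ibm.com/appserver/schemas/blueprint/security/v1.0.0">
  <bean id="openBean" class="example.Open"/>
  <bean id="partialBean" class="example.Partial">
    <sec:access-constraint method="getPrice" role="ROLE1"/>
  </bean>
  <bean id="fullBean" class="example.Full">
    <sec:access-constraint method="getPrice" role="ROLE1"/>
    <sec:access-constraint role="ROLE3"/>
  </bean>
</blueprint>"""


def audit(blueprint_xml):
    """Return {bean id: {"default": role or None, "methods": {name: role}}}."""
    result = {}
    for bean in ET.fromstring(blueprint_xml).iter(BP + "bean"):
        entry = {"default": None, "methods": {}}
        for c in bean.findall(SEC + "access-constraint"):
            method, role = c.get("method"), c.get("role")
            if method:
                entry["methods"][method] = role   # method-level constraint
            else:
                entry["default"] = role           # bean-level constraint
        result[bean.get("id", "<anonymous>")] = entry
    return result


def required_role(entry, method):
    """Method-level constraint wins over bean-level; None means any user."""
    return entry["methods"].get(method, entry["default"])


def findings(report):
    """Beans with at least one method reachable without a role."""
    return [(b, "partially secured" if e["methods"] else "unsecured")
            for b, e in report.items() if e["default"] is None]


if __name__ == "__main__":
    for bean_id, kind in findings(audit(SAMPLE)):
        print(f"{bean_id}: {kind}")
```

A bean reported as "partially secured" has method-level constraints only, so every method it does not name remains accessible to any user.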


Assigning roles

To assign a role to users or to groups, use the Security role to user or group mapping panel in the WAS administrative console.


Related:

  • Beans and the Blueprint Container
  • Secure OSGi applications



