Security considerations for WSRP services
When we use WSRP with the portal, we can configure security and provide authentication using different authentication mechanisms. We can choose between using Web Services Security (WS-Security) or SSL:
- Authentication of the user using WS-Security (Web services security).
  For example, this can be done by using Lightweight Third-Party Authentication (LTPA) token forwarding. In this case the Consumer portal passes requests from individual users on to the Producer portal under separate user IDs.
  With the portal we can use all security tokens that IBM WebSphere Application Server supports. For most tokens, for example LTPA, the Consumer and Producer portals need to share the same user registry.
- Authentication of the Consumer portal using Secure Socket Layer Client Certificate Authentication: In this case the Consumer portal channels all requests by its users under the same preset shared user ID and passes them on to the Producer portal. For this option the Consumer and Producer portal can have shared or separate user registries.
When you configure security between the WSRP portals by one of these options, you also need to configure Portal Access Control and assign access rights for the Consumer portal users on the Producer portal. If you do not use either of these two authentication methods, the Producer portal assumes the anonymous user.
- For both Producer and Consumer portals:
  - We can use both security configurations independently on the portal, providing security by both WS-Security and SSL client certificate authentication. For more detailed information refer to the URL given in the Related section.
  - If we use the portal as both a Producer and a Consumer portal, the security configurations for both these roles are independent of each other.
- For Producer portals:
  - For a Producer portal, security for WSRP services is optional. Configure it if required, but you do not have to provide security.
  - When you configure WSRP security for a Producer portal by one of these options, you also need to configure Portal Access Control for that Producer portal and give the users of the Consumer portal access permissions.
  - To allow a Consumer portal configured for SSL client certificate authentication to be able to consume the WSRP services, configure at least SSL for the Producer portal, but not necessarily client certificate authentication.
- For Consumer portals:
  - For a Consumer portal, provide the same security setup for WSRP as the Producer portal from which you consume WSRP services.
  - On the Consumer portal, the WSRP services that are consumed as remote portlets behave like local portlets. Therefore we can configure Portal Access Control for the WSRP services on the Consumer portal the same way as for local portlets.
Assigning access rights: The Producer needs to assign access rights on the Producer portal based on the authentication information as follows:
- If we use WS-Security, assign access rights on the Producer portal to the actual Consumer portal users.
- If we use SSL client certificate authentication, assign access rights to the shared user ID that the Consumer uses and that is specified in the client certificate.
- If we use neither of these two authentication methods, assign access rights to the anonymous user. This is necessary because the Producer portal assumes the anonymous user if no authentication is performed.
For more details and considerations about Portal Access Control, refer to the sections about Configuring security and Managing access, users, and groups.
By default Portal Access Control is enabled for the Producer portal. The section about Disabling and Enabling Portal Access Control for the Producer portal shows you how to disable and enable Portal Access Control on the Producer portal. If you disable Portal Access Control, WSRP does not perform a security check at all.
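The planning rules above can be checked mechanically before a Consumer is connected to a Producer. The following is an added example, not code from the portal or from IBM: the class names, field names and the "anonymous" label are hypothetical, and it models a Consumer that uses exactly one authentication method (the combined WS-Security plus SSL case is not modelled).

```python
from dataclasses import dataclass

ANONYMOUS = "anonymous"  # hypothetical label for the Producer's anonymous user

@dataclass
class Consumer:
    auth: str                       # "ws-security", "ssl-client-cert" or "none"
    users: frozenset = frozenset()  # individual Consumer portal users
    shared_user_id: str = ""        # shared ID specified in the client certificate

@dataclass
class Producer:
    ws_security: bool = False
    ssl: bool = False
    shared_registry: bool = False    # same user registry as the Consumer
    pac_enabled: bool = True         # Portal Access Control is enabled by default
    grants: frozenset = frozenset()  # principals holding access rights on the Producer

def effective_principals(c):
    """Identities the Producer sees, per the 'Assigning access rights' rules."""
    if c.auth == "ws-security":
        return set(c.users)          # requests arrive under separate user IDs
    if c.auth == "ssl-client-cert":
        return {c.shared_user_id}    # all requests arrive under one shared ID
    return {ANONYMOUS}               # no authentication: anonymous is assumed

def audit(c, p):
    """Return a list of planning problems for this Consumer/Producer pair."""
    findings = []
    if not p.pac_enabled:
        findings.append("PAC disabled: WSRP performs no security check")
    if c.auth == "ws-security" and not p.ws_security:
        findings.append("Producer lacks the WS-Security setup the Consumer uses")
    if c.auth == "ws-security" and not p.shared_registry:
        findings.append("most tokens (e.g. LTPA) need a shared user registry")
    if c.auth == "ssl-client-cert" and not p.ssl:
        findings.append("Producer needs at least SSL configured")
    for who in sorted(effective_principals(c) - p.grants):
        findings.append("no access rights on Producer for: " + who)
    return findings

if __name__ == "__main__":
    # Constructed sample: client-certificate Consumer against a Producer without SSL.
    consumer = Consumer("ssl-client-cert", shared_user_id="wsrp-shared")
    producer = Producer(ssl=False, grants=frozenset({"alice"}))
    for line in audit(consumer, producer):
        print(line)
```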
Related:
Work with WSRP in the portal
Communication between Producer and Consumer portals
Cookie support