Configure security on the Producer portal
We can configure security for the producer portal and the provided portlets. If we enable security, the producer processes the WSRP requests from the consumer under the user identity associated with the WSRP request that the consumer sent. This user identity is represented by a security credential that is included in the WSRP request message. The security credential is provided by the consumer. Normally, it represents the identity of the user who is logged in to the consumer portal.
For the producer, security for WSRP services is optional. We can configure it if required, but we do not have to provide security. If we provide security for the WSRP services, the consumer must be configured to use the same security mechanism as the producer from which it consumes portlets. We can configure security for the producer using either of the following two authentication mechanisms:
- HTTP-cookie-based single sign-on
  This security option is newly available with WebSphere Portal v8.5. To authenticate and identify the user and establish the security context for processing the WSRP request, the producer uses LTPA V2 HTTP cookies the consumer sends as part of the WSRP request messages. The producer receives the cookie and establishes the corresponding security context on the Producer side. This option requires configuration of the consumer to forward HTTP cookies. It has the following advantages:
  - Does not require configuration of the WSRP web services. It makes it possible for the producer to accept and process both unauthenticated and authenticated requests.
  - The Producer processes unauthenticated requests that do not contain an LTPA V2 cookie without establishing an individual security context.
- Web Service Security
  We can configure the WSRP web service providers for Web Service Security according to the WS-Security standard. The consumer sends a header that complies with the WS-Security standard as part of the WSRP request messages. The header contains credentials that identify and authenticate the user. For example, we can configure the Consumer portal to include Lightweight Third-Party Authentication (LTPA) version 1 or version 2 tokens or Username tokens in the WS-Security header. For this option, both the consumer and the producer must be configured for Web Services Security.
  The Web Service Security configuration is based on policy sets. IBM WebSphere Portal provides a set of default policy sets and provider policy set bindings that can be attached to the WSRP service providers. If we configure the producer for WS-Security, the Producer accepts and processes only authenticated requests. It rejects unauthenticated requests that do not contain a WS-Security compliant header.
For both security setup options, the producer and the consumer must be configured for Single Sign-On (SSO). The requirements for SSO depend on the authentication method used. For example, if we use LTPA version 1 or version 2, the consumer and the producer must use the same user registry or use the same realm. In addition, the producer and the WSRP Consumer must exchange shared keys used to sign the security credentials.
If we use the Web Services Security option, the producer accepts only authenticated request messages and rejects request messages that do not contain a suitable security header. In contrast, if we use the HTTP-cookie-based single sign-on security option, the producer accepts both authenticated and unauthenticated request messages. If the message does not contain a security credential, the producer does not establish a security context for processing the request. By default, the producer performs access control for provided portlets.
We can choose to not set up security for the producer and Consumer portals. In this case, the WSRP Producer does not process the WSRP requests from the Consumer under a specific user identity. Instead, the Producer processes the WSRP requests anonymously. In this case, the Consumer must not be configured for Web Service Security.
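The following added example (not IBM code, and not part of the product documentation) models how a request is expected to be handled under each of the three setups described above, which is useful when checking captured consumer traffic against the producer's configuration. It assumes the SOAP 1.1 envelope namespace and the default WebSphere LTPA V2 cookie name `LtpaToken2`; it checks only that a credential is present, while the real producer also validates it with the exchanged keys. The function names and outcome labels are hypothetical.

```python
import xml.etree.ElementTree as ET
from http.cookies import SimpleCookie

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"   # assumption: SOAP 1.1 binding
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
LTPA2_COOKIE = "LtpaToken2"   # assumption: default WebSphere LTPA V2 cookie name
TOKENS = {f"{{{WSSE}}}UsernameToken", f"{{{WSSE}}}BinarySecurityToken"}

def credentials_in(cookie_header, envelope):
    """Report which credential kinds one WSRP request carries (presence only)."""
    found = set()
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if LTPA2_COOKIE in jar and jar[LTPA2_COOKIE].value:
        found.add("ltpa2-cookie")
    security = ET.fromstring(envelope).find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if security is not None and any(child.tag in TOKENS for child in security):
        found.add("ws-security")
    return found

def expected_outcome(mode, cookie_header, envelope):
    """mode is 'ws-security', 'cookie-sso' or 'none', the three setups above."""
    creds = credentials_in(cookie_header, envelope)
    if mode == "ws-security":    # authenticated requests only
        return "user-context" if "ws-security" in creds else "rejected"
    if mode == "cookie-sso":     # missing cookie is served without a user context
        return "user-context" if "ltpa2-cookie" in creds else "anonymous"
    return "anonymous"           # no security configured on the producer

# Constructed sample requests (token values are placeholders, not real tokens).
BARE = f'<s:Envelope xmlns:s="{SOAP}"><s:Header/><s:Body/></s:Envelope>'
WITH_WSSE = (f'<s:Envelope xmlns:s="{SOAP}" xmlns:w="{WSSE}"><s:Header><w:Security>'
             '<w:BinarySecurityToken>PLACEHOLDER</w:BinarySecurityToken>'
             '</w:Security></s:Header><s:Body/></s:Envelope>')

if __name__ == "__main__":
    for mode in ("cookie-sso", "ws-security", "none"):
        print(mode, expected_outcome(mode, "", BARE),
              expected_outcome(mode, "LtpaToken2=PLACEHOLDER", BARE),
              expected_outcome(mode, "", WITH_WSSE))
```

A request that carries only the LTPA V2 cookie is rejected by a producer configured for WS-Security, which is why the consumer must use the same mechanism as the producer.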
- Secure the producer by HTTP-cookie-based single sign-on
  We can provide security for the producer using HTTP-cookie-based single sign-on (SSO). To use this security option, the producer requires no configuration. The consumer must be configured to send or forward LTPA V2 single sign-on cookies as part of the WSRP request message to the producer.
- Secure the producer by WS-Security
  We can configure Web Services Security according to the WS-Security standard for the producer and the provided web services.