IBM BPM, V8.0.1, All platforms
Considerations for securing WebSphere Adapters
Keep the following security considerations in mind when you administer application security for WebSphere Adapters:
- WebSphere Adapters enable managed, bidirectional connectivity between an EIS and Java EE components supported by IBM BPM.
- Inbound communication from WebSphere Adapters into IBM BPM has no authentication mechanism. JCA lacks inbound security support, so WebSphere Adapters have no way to authenticate inbound communication either.
- The entry from an adapter to IBM BPM always employs a Service Component Architecture export. The SCA export has to be wired to an SCA component, such as mediation, business process, SCA Java™ component, or Selector.
- The security solution is to define a runAs role on the component that is the target for the WebSphere Adapter export. This is done using the SCA qualifier SecurityIdentity during development. When the component runs, it does so under the identity defined in the runAs role.
- The value for SecurityIdentity is a role, not a user. Nevertheless, when the EAR file is deployed to IBM BPM, you must provide a user name and password for the identity that is to be used. The use of SecurityIdentity prevents exceptions from being thrown if a downstream component is secured and requires the client to have an authenticated identity.
  The use of SecurityIdentity does not secure the communication between the adapter and the EIS.
- WebSphere Adapters reside in the JVM of IBM BPM, and therefore only the communication between the adapter and the target EIS needs to be secured. The protocol between the adapter and the EIS is EIS-specific. The documentation of the EIS provides information about how to secure this link.
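
The following check is an added example, not IBM code: it flags adapter exports that are wired to a component with no SecurityIdentity role, which is the gap the list above describes. The XML layout, the `privilege` attribute, the binding type names and every module name are assumptions used to build constructed sample data; adjust them to the artifacts in your own module.

```python
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample artifacts. The element and attribute names used here
# (export/@target, esbBinding, implementationQualifier/@privilege) are assumed.
def export_xml(name, target, binding):
    return (f'<export xmlns:xsi="{XSI}" name="{name}" target="{target}">'
            f'<esbBinding xsi:type="{binding}"/></export>')

def component_xml(name, role=None):
    q = "" if role is None else (
        f'<implementationQualifier xsi:type="scdl:SecurityIdentity" privilege="{role}"/>')
    return f'<component xmlns:xsi="{XSI}" name="{name}">{q}</component>'

SAMPLE_MODULE = [
    export_xml("OrderInbound", "OrderProcess", "eis:EISExportBinding"),
    export_xml("InvoiceInbound", "InvoiceMediation", "eis:EISExportBinding"),
    export_xml("StatusWS", "StatusLookup", "ws:WebServiceExportBinding"),  # not an adapter
    component_xml("OrderProcess", "AdapterInboundRole"),
    component_xml("InvoiceMediation"),      # adapter target, no runAs role
    component_xml("StatusLookup"),
]

def typed(root, type_name):
    """Return descendants whose xsi:type local name equals type_name."""
    return [el for el in root.iter()
            if el.get(f"{{{XSI}}}type", "").split(":")[-1] == type_name]

def run_as_roles(module):
    """Map component name -> runAs role declared through SecurityIdentity."""
    roles = {}
    for root in map(ET.fromstring, module):
        if root.tag.rsplit("}", 1)[-1] == "component":
            for q in typed(root, "SecurityIdentity"):
                if q.get("privilege", "").strip():   # an empty role counts as missing
                    roles[root.get("name")] = q.get("privilege").strip()
    return roles

def adapter_targets_without_run_as(module):
    """List (export, target) pairs where an adapter export feeds a component
    that declares no SecurityIdentity role."""
    roles = run_as_roles(module)
    return sorted(
        (root.get("name"), root.get("target"))
        for root in map(ET.fromstring, module)
        if root.tag.rsplit("}", 1)[-1] == "export"
        and typed(root, "EISExportBinding")
        and root.get("target") not in roles)
```

A clean result only shows that a runAs role is declared; it says nothing about the adapter-to-EIS link, which is secured separately.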