There are two primary components involved in securing a Web service method:


At startup time, the NucleusSecurityManager retrieves the repository items from the NucleusSecurityRepository (described below) and creates an internal mapping between each functional name and the SecurityPolicy component and ACL associated with it.

When a client calls a Web service, the service invokes the hasAccess() method on the /atg/webservice/security/NucleusSecurityManager component, passing it the functional name of the service’s security configuration, the name of the Nucleus component and method exposed by the service, and a Map containing the method’s parameters. The NucleusSecurityManager uses the functional name to find the associated SecurityPolicy component and ACL, applies them to the call, and returns the result (true or false) to the client. If true is returned, the Nucleus method exposed by the Web service is invoked; if false is returned, access to the method is denied, and an exception of class is thrown.

If the NucleusSecurityManager is unable to apply the security configuration to a Web service call (for example, if the SecurityPolicy is not valid), it determines whether to grant access based on the value of its defaultGrantAccess property. The default value of this property is true (grant access). This setting facilitates the development process, because it allows any Web service that does not have an associated security configuration to be called by any client.

For deployment purposes, though, this behavior is undesirable, because of the security risks involved. Therefore, when you enable liveconfig settings for the ATG platform, the defaultGrantAccess property is set to false. Note, however, that this means that each of your Web services must have an associated security configuration, because any call to a service without a security configuration will fail.

For information about enabling liveconfig settings, see the ATG Installation and Configuration Guide.


Web service security configurations are stored in the NucleusSecurityRepository. This repository includes a single item descriptor called nucleusSecurity, which has properties called functionalName, policy, and ACL. The NucleusSecurityManager parses the items in this repository at startup time.

The Web Services Administration interface provides an easy way to add new security configurations to this repository. See the next section for details.

loading table of contents...