When you create a Web Service, you have the option of applying security constraints so that only approved clients (those with administrator privileges, for example) can execute it. You specify the security constraints using a security configuration, which is a repository item that stores information that controls access to the Web Service. You can create any number of different security configurations using the Web Services Administration UI, and you can apply a security configuration to any number of Web Services.
A security configuration has a corresponding security policy component, plus an optional ACL. A security configuration is identified by its functional name, which is a property of the repository item that maps the security configuration to a security component and ACL.
This section describes the main components involved in securing Web Service methods, as well as how to create security configurations through the Web Services Administration UI. For a broader discussion of the Oracle Commerce Platform security API, see the Managing Access Control section in the Platform Programming Guide.
Security Components
There are two primary components involved in securing a Web Service method:
/atg/webservice/security/NucleusSecurityManager
(an instance ofatg.webservice.NucleusSecurityManager
) uses the security configuration associated with the Web Service to apply the corresponding security policy and ACL, to determine whether to grant or deny access. See NucleusSecurityManager/atg/webservice/security/NucleusSecurityRepository
(an instance ofatg.adapter.gsa.GSARepository
) stores the Web Service security configurations used by theNucleusSecurityManager
. See NucleusSecurityRepository
NucleusSecurityManager
At startup time, the NucleusSecurityManager
retrieves the repository items from the NucleusSecurityRepository
(described below) and creates an internal mapping between each functional name and the SecurityPolicy
component and ACL associated with it.
When a client calls a Web Service, the service invokes the hasAccess
method on the /atg/webservice/security/NucleusSecurityManager
component, passing it the functional name of the service’s security configuration, the name of the Nucleus component and method exposed by the service, and a Map containing the method’s parameters. The NucleusSecurityManager
uses the functional name to find the associated SecurityPolicy
component and ACL, applies them to the call, and returns the result (true
or false
) to the client. If true
is returned, the Nucleus method exposed by the Web Service is invoked; if false
is returned, access to the method is denied, and an exception of class atg.security.SecurityException
is thrown.
If the NucleusSecurityManager
is unable to apply the security configuration to a Web Service call (for example, if the SecurityPolicy
is not valid), it determines whether to grant access based on the value of its defaultGrantAccess
property. The default value of this property is false
(deny access).
Setting defaultGrantAccess
to true
facilitates the development process, because it allows any Web Service that does not have an associated security configuration to be called by any client.
For deployment purposes, though, this behavior is undesirable, because of the security risks involved. Therefore, when you enable liveconfig
settings for the Oracle Commerce Platform, the defaultGrantAccess
property is set to false
. Note, however, that this means that each of your Web Services must have an associated security configuration, because any call to a service without a security configuration will fail.
For information about enabling liveconfig
settings, see the Platform Installation and Configuration Guide
NucleusSecurityRepository
Web Service security configurations are stored in the NucleusSecurityRepository
. This repository includes a single item descriptor called nucleusSecurity
, which has properties called functionalName
, policy
, and ACL
. The NucleusSecurityManager
parses the items in this repository at startup time.
The Web Services Administration interface provides an easy way to add new security configurations to this repository. See the next section for details.
Creating and Editing Security Configurations
The Web Services Administration page in the Dynamo Server Admin includes a Web Service Security Manager link that takes you to a page that where you can view and edit the security configurations stored in the NucleusSecurityRepository
, or create new security configurations.
Follow these steps to create a new security configuration:
Click the Create New link.
On the Create Security Configuration page, enter a name for the security configuration in the Functional Name field, and click Create New button.
On the Edit Web Service Security Configuration page, click the Add buttons to add users, roles, and organizations to the security configuration. You can change the security policy (from the
/atg/dynamo/security/SecurityPolicy
default) if necessary.
The new security configuration appears on the main Web Service Security Configurations page. If you need to make changes to it, click the Edit link to open the Edit Web Service Security Configuration page. Note that you cannot change the functional name.