You can use WebSphere method-level declarative security to restrict access to Common Event Infrastructure functions.
The Common Event Infrastructure defines six security roles, each one associated with a related group of functions. These security roles control access to both programming interfaces and commands. (The default configuration of the Common Event Infrastructure does not require the use of these roles; however, in a Network Deployment environment, the user identity that the WebSphere ESB authenticates with must be one of the users assigned to the Common Event Infrastructure security roles. For more information about security roles, see Learning about security and Role-based authorization in the WebSphere Application Server Information Center.) When global security is enabled and the roles are left at their default mapping, any user who has authenticated to WebSphere ESB can access the Common Event Infrastructure resources.
If instead you map specific users to the security roles, the users that authenticate must be the same users assigned to the corresponding role. For additional information about authenticated users and the RunAs role, see Assigning users to RunAs roles.
The following table describes the security roles and the types of users associated with each role.
Security role | User types
---|---
eventAdministrator | Event consumers that need to query, update, and delete events stored in the event database. This role provides access to the following interfaces:
eventConsumer | Event consumers that need to query events stored in the event database. This role provides access to the following interfaces:
eventUpdater | Event consumers that need to update events stored in the event database. This role provides access to the following interfaces:
eventCreator | Event sources that need to submit events to an emitter using synchronous EJB calls. This role provides access to the following interfaces: Note: The eventCreator role restricts access to event submission only if the emitter is configured to use synchronous EJB calls for event transmission. If the emitter uses asynchronous JMS messaging for event transmission, you must use JMS security to restrict access to the destination used to submit events.
catalogAdministrator | Event catalog applications that need to create, update, delete, or retrieve event definitions in the event catalog. This role provides access to all methods of the EventCatalog interface and all functions of the eventcatalog.jacl script. Because changes to the event catalog can result in generation of events, this role also provides access to event submission interfaces.
catalogReader | Event catalog applications that need to retrieve event definitions from the event catalog. This role provides access to the following interfaces:
The security roles most relevant to everyday use of the Common Event Infrastructure are eventAdministrator and eventConsumer.
The event server message-driven bean runs using the WebSphere ESB user identity. If you are using asynchronous JMS transmission to submit events to the event server, and you have enabled method-based security, you must map this user identity to the eventCreator role.
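Applying the mappings described above with a wsadmin script, as an added example that is not part of this page or of the product documentation. The script maps each Common Event Infrastructure role to a specific user or group (so that AllAuthenticated no longer holds the role), maps the WebSphere ESB identity to eventCreator because the event server message-driven bean runs under it, and adds that same identity as a Sender on the JMS destination that receives events over the asynchronous path, which the eventCreator role does not protect. The application name, user and group names, bus name and destination name are all assumptions made for illustration; take the real values from your cell and user registry.

```jython
# Added example, not from the IBM Information Center page: a wsadmin Jython
# script that maps the Common Event Infrastructure security roles to specific
# users and groups, and secures the JMS destination used for asynchronous
# event submission. Every name below is an assumption for illustration.

appName     = 'EventServer'     # assumed name of the installed CEI application
esbIdentity = 'esbserver'       # assumed user identity the WebSphere ESB server runs as
adminUser   = 'ceiadmin'        # assumed event and catalog administrator
readerGroup = 'cei_consumers'   # assumed registry group that only queries events

# One entry per role: [role, Everyone?, AllAuthenticated?, users, groups].
# 'No' in the Everyone and AllAuthenticated columns means the role is granted
# only to the listed users and groups. The event server message-driven bean
# runs as the WebSphere ESB identity, so that identity must hold eventCreator.
roleMappings = [
    ['eventCreator',         'No', 'No', esbIdentity, ''],
    ['eventAdministrator',   'No', 'No', adminUser,   ''],
    ['eventUpdater',         'No', 'No', adminUser,   ''],
    ['eventConsumer',        'No', 'No', '',          readerGroup],
    ['catalogAdministrator', 'No', 'No', adminUser,   ''],
    ['catalogReader',        'No', 'No', '',          readerGroup],
]

AdminApp.edit(appName, ['-MapRolesToUsers', roleMappings])

# The eventCreator role does not protect the asynchronous JMS path, so the
# destination that receives submitted events needs its own access control.
# Bus and destination names are assumptions; confirm them in the admin console.
busName  = 'CommonEventInfrastructure_Bus'
destName = 'CommonEventInfrastructureQueueDestination'
AdminTask.addUserToDestinationRole(['-bus', busName, '-type', 'queue',
                                    '-destination', destName,
                                    '-role', 'Sender', '-user', esbIdentity])

AdminConfig.save()

# Print the resulting role mapping so it can be checked before the nodes
# are synchronized.
print AdminApp.view(appName, ['-MapRolesToUsers'])
```

Run the script with `wsadmin -lang jython -f <script>` against the deployment manager. The destination role only takes effect if security is enabled on the service integration bus, and in a Network Deployment cell the change reaches the event server only after the nodes are synchronized.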
If Java 2 security is enabled, you must add the following permissions to your policy file so that the Common Event Infrastructure can read its lock file and configuration properties, resolve host names, and read system properties:

```
permission java.io.FilePermission "${java.io.tmpdir}${/}guid.lock", "read, write, delete";
permission java.net.SocketPermission "*", "resolve";
permission java.util.PropertyPermission "*", "read";
permission java.io.FilePermission "${was.install.root}${/}java${/}jre${/}lib${/}jxpath.properties", "read";
```