IBM WebSphere Telecom Web Services Server, Version 7.1

Service Authorization

Provides fine-grained authorization for access to Web services.

Description

The Service Authorization mediation primitive provides fine-grained authorization for access to Web services. Authorization is determined by examining policies that state whether the requester is allowed to access the requested service and the requested operation.

The Service Authorization mediation primitive follows block-or-pass semantics: a request is passed only if every authorization policy evaluates to true; if any policy is false, the request is blocked. Several separate authorization policies are used so that the administrator can take advantage of the policy scoping capabilities of the Service Policy Manager. Each policy name implies the scope (requester, service, or operation) at which it is intended to be set, although the Service Policy Manager does not require it to be set at that scope.

Policy configuration

This mediation primitive uses the following policies for runtime configuration:

Policy                            Type     Description
requester.service.Authorized      Boolean  Indicates whether access to a service is allowed for a requester. Default: true
requester.operation.Authorized    Boolean  Indicates whether access to a service operation is allowed for a requester. Default: true
requester.anonymousAccessAllowed  Boolean  Indicates whether anonymous (that is, unauthenticated) requests are allowed to pass. Default: false

Mediation primitive properties

None

Upstream SOAP headers

The following SOAP header elements are expected from upstream mediation primitives:
<twss:twssHeaders>
  ...
  <globalTransactionID>
    <!-- Identifies the transaction associated with this request. The global transaction ID is used in a foreign key relationship with the TRANSACTIONS table. -->
  </globalTransactionID>
  <requesterID>
    <!-- Identifies the requester for this request -->
  </requesterID>
  ...
  <twss:policies>
    <twss:policy attribute="" value=""/>
    <twss:policy attribute="" value=""/>
    ...
  </twss:policies>
  ...
</twss:twssHeaders>

Added SOAP headers

The following SOAP header elements are added or modified for downstream mediation primitives:

None

Message handling

Messages that are successfully processed by the Service Authorization mediation primitive are passed to the output terminal of the mediation primitive. If an error occurs while processing the message, or if the Web service request is not authorized, the message is redirected to the fault terminal:
  • The service message object (SMO) data object transient context (“context/transient/exceptionType”) indicates whether a service-related or policy-related exception occurred.
  • Fault information is set in the SMO headers as indicated in the following table:

    SMO header (represented by XPath)                     Content
    ServiceMessageObject/context/failInfo/failureString   The full message text that represents the fault situation, with variables substituted. For example, SOAC4025E: Error occurred.
    ServiceMessageObject/context/failInfo/origin          The name of the mediation primitive class that originated the fault.
    ServiceMessageObject/SOAPFaultInfo/faultcode          The TWSS message code that represents the fault situation. For example, SOAC4025E.
    ServiceMessageObject/SOAPFaultInfo/faultstring        The full message text that represents the fault situation, with variables substituted. For example, SOAC4025E: Error occurred.
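The block-or-pass decision described under Policy configuration, Upstream SOAP headers and Message handling, as an added illustrative model written for this page in Python. It is not IBM TWSS product code. It reads a twss:twssHeaders element, takes the requesterID and the twss:policy attribute/value pairs, applies the three policies with the defaults from the table, and routes the request to the output terminal or builds the fault fields listed above. Assumptions (not on the page): the twss namespace URI, the primitive class name used as the fault origin, the message code and exceptionType value used for an authorization failure, and that an absent or empty requesterID means an anonymous request.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

# Assumption: the page shows only the "twss" prefix; this URI is a stand-in.
TWSS_NS = "urn:example:twss"
NS = {"twss": TWSS_NS}

# Policy names and defaults taken from the Policy configuration table.
POLICY_DEFAULTS = {
    "requester.service.Authorized": True,
    "requester.operation.Authorized": True,
    "requester.anonymousAccessAllowed": False,
}

# Hypothetical values: the page does not give the primitive's class name,
# the message code for an authorization failure, or the exceptionType values.
FAULT_ORIGIN = "ServiceAuthorizationMediation"
FAULT_CODE = "SOACnnnnE"
EXCEPTION_TYPE_POLICY = "policy"


def parse_policies(header_xml: str) -> tuple[str, dict[str, bool]]:
    """Extract requesterID and the twss:policy attribute/value pairs.

    Policy names the primitive does not know are ignored; policies that are
    absent keep their table default.  An absent or empty requesterID is
    treated as an anonymous request (assumption)."""
    root = ET.fromstring(header_xml)
    rid = root.find("requesterID")
    requester_id = (rid.text or "").strip() if rid is not None else ""
    policies = dict(POLICY_DEFAULTS)
    for p in root.findall("twss:policies/twss:policy", NS):
        name = p.get("attribute", "")
        if name in policies:
            # Fail closed: only the literal "true" (case-insensitive) grants;
            # a typo, an empty value or any other string denies.
            policies[name] = p.get("value", "").strip().lower() == "true"
    return requester_id, policies


def authorize(header_xml: str) -> dict[str, str]:
    """Block-or-pass decision for one request.

    Returns {"terminal": "output"} when every authorization policy is true,
    otherwise a dict routed to the fault terminal carrying the SMO fields
    listed under Message handling (keys are the XPaths below the SMO root)."""
    requester_id, pol = parse_policies(header_xml)
    reasons = []
    if not requester_id and not pol["requester.anonymousAccessAllowed"]:
        reasons.append("anonymous request and requester.anonymousAccessAllowed=false")
    for name in ("requester.service.Authorized", "requester.operation.Authorized"):
        if not pol[name]:
            reasons.append(f"{name}=false")
    if not reasons:
        return {"terminal": "output"}
    msg = f"{FAULT_CODE}: Request not authorized ({'; '.join(reasons)})"
    return {
        "terminal": "fault",
        "context/transient/exceptionType": EXCEPTION_TYPE_POLICY,
        "context/failInfo/failureString": msg,
        "context/failInfo/origin": FAULT_ORIGIN,
        "SOAPFaultInfo/faultcode": FAULT_CODE,
        "SOAPFaultInfo/faultstring": msg,
    }


# Constructed sample headers (not captured from a real TWSS deployment).
SAMPLE_DENIED_AT_OPERATION = f"""<twss:twssHeaders xmlns:twss="{TWSS_NS}">
  <globalTransactionID>gtx-0001</globalTransactionID>
  <requesterID>acme-partner</requesterID>
  <twss:policies>
    <twss:policy attribute="requester.service.Authorized" value="true"/>
    <twss:policy attribute="requester.operation.Authorized" value="false"/>
  </twss:policies>
</twss:twssHeaders>"""

SAMPLE_ANONYMOUS = f"""<twss:twssHeaders xmlns:twss="{TWSS_NS}">
  <globalTransactionID>gtx-0002</globalTransactionID>
  <requesterID></requesterID>
  <twss:policies/>
</twss:twssHeaders>"""

if __name__ == "__main__":
    for sample in (SAMPLE_DENIED_AT_OPERATION, SAMPLE_ANONYMOUS):
        print(authorize(sample))
```

Two points the model makes explicit that the table leaves implicit: the anonymous policy only matters when no requesterID is present (an identified requester is judged purely on the service and operation policies), and an identified requester can be allowed at service scope yet still blocked at operation scope, which is the case the first sample exercises. Treating every value other than "true" as a denial keeps a malformed policy header from opening access.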



Terms of use
(C) Copyright IBM Corporation 2009. All Rights Reserved.