Securing your WSRP producer

By default, WSRP connections are not secured and no reliable user identity is propagated from the Consumer portal to the Producer portal. Instead, you configure which user information is carried from Consumer to Producer; those fields are transported as SOAP meta information.

When it comes to securing WSRP, you have two options to choose from: WS-Security or an SSL certificate.

  • WS-Security: WebSphere Portal is installed as an enterprise application in WebSphere Application Server (WAS) and takes advantage of the WAS Web Services infrastructure for both producing and consuming web services. That infrastructure lets you pass the user ID of the actual user as a token in the body of the message; for example, you can pass the user's LTPA token in the message to the web service. If both the source and the target portal are in the same SSO domain, the target portal can use this LTPA token to determine the user ID of the actual user accessing the Consumer portlet and execute the Producer portlet in the context of that user ID.

  • SSL certificate: You can create an SSL connection between the Producer and Consumer portals, in which case a single certificate is used by the Producer to authenticate requests. As a result, the Producer cannot determine the actual user who is accessing the Consumer portlet, so it works under a shared user ID.

If you do not use either of these two authentication methods, the Producer portal assumes the anonymous user.

Assigning access rights: The Producer needs to assign access rights on the Producer portal based on the authentication information as follows:

* If you use WS-Security, assign access rights on the Producer portal to the actual Consumer portal users.
* If you use SSL client certificate authentication, assign access rights to the shared user ID that the Consumer uses and that is specified in the client certificate.
* If you use neither of these two authentication methods, assign access rights to the anonymous user. This is necessary because the Producer portal assumes the anonymous user if no authentication is performed.
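The three outcomes above (WS-Security token, client certificate, or nothing) as a worked example of how a Producer resolves the calling identity and then checks access rights. This is an added illustration in Python, not WebSphere Portal or WAS code: the LTPA token is replaced by a stand-in token protected with a MAC under a constructed key that plays the role of the LTPA key shared across the SSO domain, the `ValueType` URI is a placeholder, and the SOAP envelopes are constructed inline. The token is read from the `wsse:Security` header block, which is where WS-Security carries security tokens.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
# Placeholder ValueType; a real Producer expects the token type its SSO domain issues.
LTPA_VALUETYPE = "urn:example:ltpa-token"
# Constructed key standing in for the LTPA key shared by Consumer and Producer.
SSO_DOMAIN_KEY = b"constructed-shared-sso-key"


@dataclass(frozen=True)
class Principal:
    user_id: str
    source: str  # "ws-security" | "client-cert" | "anonymous"


def mint_token(user_id: str, key: bytes = SSO_DOMAIN_KEY) -> str:
    """Stand-in for an LTPA token: user ID plus a MAC under the shared key."""
    mac = hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{user_id}|{mac}".encode()).decode()


def verify_token(token_b64: str, key: bytes = SSO_DOMAIN_KEY) -> str:
    """Return the user ID if the token was issued within our SSO domain, else raise."""
    try:
        user_id, mac = base64.b64decode(token_b64).decode().split("|", 1)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    expected = hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("token not issued within this SSO domain")
    return user_id


def token_from_envelope(xml_text: str) -> Optional[str]:
    """Pull the first LTPA-typed BinarySecurityToken out of the wsse:Security header."""
    root = ET.fromstring(xml_text)
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        return None
    for bst in header.iter(f"{{{WSSE_NS}}}BinarySecurityToken"):
        if bst.get("ValueType") == LTPA_VALUETYPE and bst.text:
            return bst.text.strip()
    return None


def resolve_principal(xml_text: str, client_cert_subject: Optional[str] = None) -> Principal:
    """WS-Security token wins, then the shared ID from the client certificate, else anonymous.
    An invalid token is rejected rather than silently downgraded to anonymous."""
    token = token_from_envelope(xml_text)
    if token is not None:
        return Principal(verify_token(token), "ws-security")
    if client_cert_subject:
        return Principal(client_cert_subject, "client-cert")
    return Principal("anonymous", "anonymous")


# Constructed access rights on the Producer, keyed exactly as the post describes:
# real users for WS-Security, the shared certificate ID for SSL, and "anonymous".
ACCESS_RIGHTS = {
    "alice": {"hr-portlet", "news-portlet"},
    "wsrp-consumer": {"news-portlet"},  # shared user ID named in the Consumer's client cert
    "anonymous": {"news-portlet"},
}


def may_access(principal: Principal, portlet: str) -> bool:
    return portlet in ACCESS_RIGHTS.get(principal.user_id, set())


def envelope(token: Optional[str]) -> str:
    """Build a constructed WSRP SOAP request, with or without a WS-Security header."""
    security = ""
    if token is not None:
        security = (
            f'<soapenv:Header><wsse:Security xmlns:wsse="{WSSE_NS}">'
            f'<wsse:BinarySecurityToken ValueType="{LTPA_VALUETYPE}">{token}</wsse:BinarySecurityToken>'
            "</wsse:Security></soapenv:Header>"
        )
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">{security}'
        "<soapenv:Body><getMarkup/></soapenv:Body></soapenv:Envelope>"
    )


if __name__ == "__main__":
    for req, cert in [(envelope(mint_token("alice")), None),
                      (envelope(None), "wsrp-consumer"),
                      (envelope(None), None)]:
        p = resolve_principal(req, cert)
        print(p, "hr-portlet:", may_access(p, "hr-portlet"))
```

The order of checks is the point: a request carrying a token is judged on that token (and a token minted under a different domain key is refused outright), a request with only a client certificate is mapped to the single shared ID, and anything else lands on the anonymous user, so the access rights you assign on the Producer must exist for whichever of those three identities your chosen setup produces.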
