Security Considerations for WSRP Service

When you use WSRP with your portal, you can secure the connection between the Consumer and Producer portals by one of two authentication mechanisms.
You can choose between Web services security (WS-Security) and Secure Socket Layer (SSL):

  • Authentication of the end user by using WS-Security (Web services security). For example, this can be done by forwarding a Lightweight Third-Party Authentication (LTPA) token. In this case the Consumer portal passes the requests of individual users on to the Producer portal under their separate user IDs.
    Note: With the portal you can use all security tokens that IBM® WebSphere® Application Server supports. For most tokens, for example LTPA, the Consumer and Producer portals need to share the same user registry.

  • Authentication of the Consumer portal by using Secure Socket Layer Client Certificate Authentication: In this case the Consumer portal channels all requests by its users under the same preset shared user ID and passes them on to the Producer portal. For this option the Consumer and Producer portal can have shared or separate user registries.

When you configure security between your WSRP portals by one of these options, you also need to configure Portal Access Control and assign access rights on the Producer portal for the Consumer portal users. If you use neither of these two authentication methods, the Producer portal assumes the anonymous user.
Assigning access rights: On the Producer portal, assign access rights based on the authentication information as follows:

  • If you use WS-Security, assign access rights on the Producer portal to the actual Consumer portal users.

  • If you use SSL client certificate authentication, assign access rights to the shared user ID that the Consumer uses and that is specified in the client certificate.

  • If you use neither of these two authentication methods, assign access rights to the anonymous user. This is necessary because the Producer portal assumes the anonymous user if no authentication is performed.
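The following model, added here as an example and not taken from IBM WebSphere Portal or the WSRP specification, shows how the three cases above determine which user ID the Producer portal acts under and therefore which access rights must exist on the Producer side: the forwarded user for WS-Security, the preset shared user ID from the client certificate for SSL client certificate authentication, and the anonymous user otherwise. The request fields, the user registry, the certificate-to-shared-user mapping, the portlet names and the user names are all constructed for the example; the treatment of a forwarded user that the Producer's registry does not know (rejected rather than mapped to anonymous) is an assumption of this model.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

ANONYMOUS = "anonymous"  # identity the Producer assumes when no authentication is performed


@dataclass
class ConsumerRequest:
    """A WSRP request as it arrives at the Producer (constructed model, not the WSRP message format)."""
    portlet: str
    ws_security_user: Optional[str] = None      # user ID carried in a WS-Security token, e.g. an LTPA token
    client_cert_subject: Optional[str] = None   # subject DN of the Consumer portal's SSL client certificate


@dataclass
class Producer:
    """Producer-side identity resolution and access control (hypothetical model)."""
    user_registry: Set[str]                                            # users the Producer can authenticate
    cert_to_shared_user: Dict[str, str] = field(default_factory=dict)  # cert subject -> preset shared user ID
    grants: Dict[str, Set[str]] = field(default_factory=dict)          # portlet -> user IDs granted access

    def grant(self, portlet: str, user: str) -> None:
        """Portal Access Control entry: allow `user` to access `portlet`."""
        self.grants.setdefault(portlet, set()).add(user)

    def resolve_principal(self, req: ConsumerRequest) -> Optional[str]:
        """Return the user ID the Producer acts under, or None if authentication fails."""
        if req.ws_security_user is not None:
            # Token forwarding only works if the Producer's registry knows the user (shared registry).
            return req.ws_security_user if req.ws_security_user in self.user_registry else None
        if req.client_cert_subject is not None:
            # Certificate authentication maps the whole Consumer portal to one preset shared user ID;
            # an unknown certificate maps to nothing, so the request fails authentication.
            return self.cert_to_shared_user.get(req.client_cert_subject)
        return ANONYMOUS

    def is_allowed(self, req: ConsumerRequest) -> bool:
        """Access check: the resolved principal must hold an explicit grant on the portlet."""
        principal = self.resolve_principal(req)
        if principal is None:
            return False
        return principal in self.grants.get(req.portlet, set())


def demo() -> Dict[str, bool]:
    """Run the three authentication cases against one Producer configuration (constructed data)."""
    producer = Producer(user_registry={"alice", "bob", "consumer-shared"})
    producer.cert_to_shared_user["CN=consumer-portal"] = "consumer-shared"
    producer.grant("news", "alice")             # WS-Security: rights to the actual Consumer user
    producer.grant("news", "consumer-shared")   # SSL client certificate: rights to the shared user ID
    producer.grant("weather", ANONYMOUS)        # no authentication: rights to the anonymous user

    return {
        "ws_security_granted_user": producer.is_allowed(ConsumerRequest("news", ws_security_user="alice")),
        "ws_security_user_without_grant": producer.is_allowed(ConsumerRequest("news", ws_security_user="bob")),
        "ws_security_user_not_in_registry": producer.is_allowed(ConsumerRequest("news", ws_security_user="carol")),
        "client_cert_shared_user": producer.is_allowed(ConsumerRequest("news", client_cert_subject="CN=consumer-portal")),
        "client_cert_unknown": producer.is_allowed(ConsumerRequest("news", client_cert_subject="CN=other")),
        "anonymous_on_news": producer.is_allowed(ConsumerRequest("news")),
        "anonymous_on_weather": producer.is_allowed(ConsumerRequest("weather")),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The two denied anonymous-versus-weather results make the last bullet concrete: a portlet that the Producer exposes without any authentication is reachable exactly to the extent that the anonymous user has been granted access, and nothing else, so granting rights to the anonymous user is both required for unauthenticated Consumers to work and the only thing that controls what they can reach.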