

Secure data exposed by Atom bindings

We can secure collections of data that are exposed by an Atom binding in a Service Component Architecture (SCA) application. An Atom binding can expose data as an Atom feed or reference existing external Atom feeds.

If you are unfamiliar with the Atom protocol, refer to documentation on the Atom Syndication Format, an XML-based document format that describes web feeds, and the Atom Publishing Protocol, a protocol for publishing and updating web resources.

For information about using Atom bindings in this product, refer to Use Atom bindings in SCA applications.

For transitioning users: In v8.0, the default value of the web authentication property webAuthReq is persisting. This value enables credential persistence, which makes login information available to unprotected web clients and allows additional access to user information. Set the webAuthReq property to lazy to prevent unprotected web clients from gaining additional access to user information through persisted credentials. For more information, see Security hardening features enablement and migration. We can set webAuthReq to lazy on the administrative console Web security - General settings page:

  1. Click Security > Global security > Authentication > Web and SIP security > General settings.

  2. Select Authenticate only when the URI is protected, which enables lazy authentication.

  3. Click Apply.

See Web authentication settings.

Use the Atom binding to work securely with services that provide or consume entries described in the Atom Syndication Format and Atom Publishing Protocol.


Procedure

  1. Configure the Atom feed service security in an SCA composite definition.

    We can secure services that are exposed over an Atom binding using intents. Administrative and application security must be enabled for the intents to be enforced. The following three intents are valid options for the requires attribute on the binding.atom element:

    authentication.transport

      Requires any client invoking the service to provide valid authentication information.

    confidentiality.transport

      Requires any client invoking the service to do so over a secure transport that provides confidentiality of the transport.

    integrity.transport

      Requires any client invoking the service to do so over a secure transport that provides integrity of the transport.

    Edit a composite definition that exposes a Java service over the Atom binding so that the exposed service requires a client to authenticate and communicate over a secure transport; for example:

    <component name="NewsServiceComponent">
      <implementation.java class="test.abdera.NewsServiceImpl"/>
      <service name="NewsService">
        <t:binding.atom uri="/NewsServiceComponent/newsService"
                        requires="authentication.transport confidentiality.transport"/>
      </service>
    </component>

    For information about authorization policy, refer to documentation on SCA authorization and security identity policies.

  2. Invoke a secure service that is exposed over an Atom binding.

    We can access the service directly from a browser or a client that supports Atom feeds.

    To access the feed directly, use the uniform resource identifier (URI) that the service specifies.

    If the service requires confidentiality or integrity, use the https protocol. If the service requires authentication, the user is prompted by the browser to enter valid credentials. If a Java client is used to access the service, include the authentication information in the HTTP header.

    The following example invokes a service using a reference URI. If the service being referenced requires confidentiality or integrity, use the https protocol.

    <reference name="atomFeed">
      <tuscany:binding.atom uri="https://localhost:9443/newsService"/>
    </reference>

    We can also invoke the service using a reference target:

    <reference name="atomFeed" target="NewsServiceComponent/NewsService">
      <tuscany:binding.atom/>
    </reference>

    For this example, the invocation is secure only if the service specifies the confidentiality.transport or integrity.transport intent.

    To authenticate when invoking a service over an Atom binding, we have two options:

    • Use single sign-on (SSO) to authenticate.

      If SSO is enabled and there has been a successful authentication before, the credentials are propagated with the request. For information about enabling SSO, see the topic on implementing single sign-on to minimize web user authentications.

    • Configure an authentication-alias, and send a specific user name and password with the request.

      We can use this option for references in implementation.java components. This option is not supported for references in implementation.widget components.

      1. Create an authentication-alias using the admin console J2C authentication data entry page or wsadmin commands. See topics on J2C authentication data entries.

      2. In the composite definition, define the product SCA namespace and specify the alias name on the binding.atom element using the authentication-alias attribute:

        <composite xmlns="http://www.osoa.org/xmlns/sca/1.0"
        ...
        xmlns:qos="http://www.ibm.com/xmlns/prod/websphere/sca/1.0/2007/06"
        ...

        <reference name="atomFeed" target="NewsServiceComponent/NewsService">
          <tuscany:binding.atom qos:authentication-alias="AtomAlias"/>
        </reference>
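
A check for the settings this procedure configures, as an added example that is not part of the product documentation: it parses a composite definition and reports Atom services whose binding.atom lacks authentication.transport or any transport intent, reference URIs that are not https, and reference targets that resolve to a service with no transport intent. The function name, the wording of the findings, the policy of requiring both kinds of intent, and the sample composite (including its Tuscany namespace URI and port 9080) are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

SECURE_TRANSPORT = {"confidentiality.transport", "integrity.transport"}

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop ElementTree's "{namespace}" prefix

def _children(parent, name):
    return [c for c in parent if _local(c.tag) == name]

def audit_composite(xml_text):
    """Return sorted findings for the Atom bindings in one composite."""
    root = ET.fromstring(xml_text)
    findings, exposed = [], {}
    # Pass 1: record each Atom service's intents and flag the missing ones.
    for comp in _children(root, "component"):
        for svc in _children(comp, "service"):
            for b in _children(svc, "binding.atom"):
                key = f"{comp.get('name')}/{svc.get('name')}"
                intents = exposed[key] = set(b.get("requires", "").split())
                if "authentication.transport" not in intents:
                    findings.append(f"service {key}: no authentication.transport")
                if not intents & SECURE_TRANSPORT:
                    findings.append(f"service {key}: no transport intent")
    # Pass 2: a uri must be https; a target is only as secure as its service.
    for comp in _children(root, "component"):
        for ref in _children(comp, "reference"):
            for b in _children(ref, "binding.atom"):
                name, uri, target = ref.get("name"), b.get("uri"), ref.get("target")
                if uri and not uri.lower().startswith("https://"):
                    findings.append(f"reference {name}: uri is not https")
                elif not uri and target in exposed and not exposed[target] & SECURE_TRANSPORT:
                    findings.append(f"reference {name}: {target} has no transport intent")
    return sorted(findings)

# Constructed sample composite; the namespace URI for the tuscany prefix is assumed.
SAMPLE = """<composite xmlns="http://www.osoa.org/xmlns/sca/1.0"
    xmlns:tuscany="http://tuscany.apache.org/xmlns/sca/1.0" name="news">
  <component name="NewsServiceComponent"><service name="NewsService">
    <tuscany:binding.atom uri="/news" requires="authentication.transport confidentiality.transport"/>
  </service></component>
  <component name="OpenFeedComponent">
    <service name="OpenFeed"><tuscany:binding.atom uri="/open"/></service>
    <reference name="plainFeed"><tuscany:binding.atom uri="http://localhost:9080/open"/></reference>
    <reference name="localFeed" target="OpenFeedComponent/OpenFeed"><tuscany:binding.atom/></reference>
    <reference name="atomFeed" target="NewsServiceComponent/NewsService"><tuscany:binding.atom/></reference>
  </component>
</composite>"""
if __name__ == "__main__":
    print("\n".join(audit_composite(SAMPLE)))
```

Elements are matched by local name, so the check works whichever prefix (t: or tuscany:) a composite uses for binding.atom.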


What to do next

Test the service security.
Enablement and migration considerations of Security hardening features
Use Atom bindings in SCA applications
Use SCA authorization and security identity policies
Implement single sign-on to minimize web user authentications
Manage Java 2 Connector Architecture authentication data entries for JAAS
Configure new Java 2 Connector authentication data entries using wsadmin
Specify bindings in an SCA environment


Related


Web authentication settings
Java 2 Connector authentication data entry settings
Atom Syndication Format
Atom Publishing Protocol
