Task: Implement Security
Define security implementation for ESB Services that are published as Web services for external consumption and may also be consumed as part of an orchestrated business process.
Disciplines: Service Development
Main Description

Security in the JBoss SOA Platform is based on WS-Security and JBoss Application server login modules. The first step is to define a number of different roles and users and their relationships. These will be maintained in an Identity component. Each service will define a set of roles that are allowed to consume the service in the jboss-esb.xml. A SingleSignOn application may also be implemented to reduce the overhead of repeated authentications.

Identity

Identity plays a central role here, since you have to know "who" in order to enforce "what". Individuals (actors / subjects / principals) can play multiple roles if necessary. The SOA Platform uses JAAS login modules to access identity components; several different types of login module are supported (e.g., LDAP). Since users can log in from anywhere and be authenticated there, authentication information must be transportable to and from the ESB. This is accomplished through WS-Security and SingleSignOn.

SingleSignOn (Federated Access Management)

Particularly with orchestrated services, a single user request may need to access multiple services. In these scenarios, having each service authenticate the user separately is inefficient. SingleSignOn addresses this by authenticating the user once and then carrying proof of that login as a token in a security context that travels with the request. A SingleSignOn component is therefore an important part of a security scheme in a service oriented architecture. JBoss SOA-P has been tested with the Sun OpenSSO Federated Access Management product.

Install and configure OpenSSO, then add the user and role data that the services will authenticate against.

Client

In WS-Security, security data is specified using security tokens. Tokens can either be binary or structured XML. XML tokens are inserted directly as sub-elements of the <Security> element in the SOAP Header, for example:

<soap:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken>
      <wsse:Username>user1</wsse:Username>
      <wsse:Password>user1pass</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>
</soap:Header>

All clients that consume ESB hosted web services must provide security information in the SOAP Header. Note that a <wsse:Password> element with no Type attribute is a PasswordText token, i.e. the password travels in clear text, so requests like the one above must only be sent over TLS (or a PasswordDigest token used instead).
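The header above carries the password in clear. As an added example (not part of this page or of the JBoss SOA Platform code), the Python below builds the same UsernameToken in the PasswordDigest form defined by the WS-Security UsernameToken Profile 1.0 and shows the checks a receiving service should apply before trusting it: reject PasswordText, reject a stale or future-dated wsu:Created, reject a replayed Nonce, and compare the digest in constant time. The credential store, the five-minute freshness window and the in-memory nonce cache are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)


def parse_utc(timestamp: str) -> datetime:
    """Parse a wsu:Created value such as 2024-01-01T00:00:00Z as UTC."""
    return datetime.strptime(timestamp, TIME_FMT).replace(tzinfo=timezone.utc)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Password_Digest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_security_header(username: str, password: str,
                          nonce: Optional[bytes] = None,
                          created: Optional[str] = None) -> str:
    """Client side: serialize a <wsse:Security> element carrying a digest UsernameToken.
    nonce and created are overridable only so that a test can be deterministic."""
    nonce = nonce or secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    security = ET.Element(f"{{{WSSE}}}Security")
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    password_el = ET.SubElement(token, f"{{{WSSE}}}Password", {"Type": PASSWORD_DIGEST})
    password_el.text = password_digest(nonce, created, password)
    ET.SubElement(token, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(token, f"{{{WSU}}}Created").text = created
    return ET.tostring(security, encoding="unicode")


class UsernameTokenVerifier:
    """Server side: the checks a service should apply before trusting a UsernameToken."""

    def __init__(self, credentials: Dict[str, str],
                 max_age: timedelta = timedelta(minutes=5)):
        self.credentials = credentials   # username -> password; constructed sample store (assumption)
        self.max_age = max_age           # freshness window for wsu:Created (assumption)
        self.seen_nonces = set()         # replay cache; a real deployment expires entries past max_age

    def verify(self, header_xml: str, now: Optional[datetime] = None) -> Optional[str]:
        """Return the authenticated username, or None if the token is rejected."""
        now = now or datetime.now(timezone.utc)
        token = ET.fromstring(header_xml).find(f"{{{WSSE}}}UsernameToken")
        if token is None:
            return None
        username = token.findtext(f"{{{WSSE}}}Username")
        password_el = token.find(f"{{{WSSE}}}Password")
        nonce_b64 = token.findtext(f"{{{WSSE}}}Nonce")
        created = token.findtext(f"{{{WSU}}}Created")
        if username is None or password_el is None or nonce_b64 is None or created is None:
            return None
        if password_el.get("Type") != PASSWORD_DIGEST:
            return None                  # PasswordText (the page's sample header) is not accepted here
        try:
            created_at = parse_utc(created)
            nonce = base64.b64decode(nonce_b64, validate=True)
        except ValueError:
            return None
        if abs(now - created_at) > self.max_age:
            return None                  # stale or future-dated token
        if nonce_b64 in self.seen_nonces:
            return None                  # replay of a previously accepted token
        expected = password_digest(nonce, created, self.credentials.get(username, ""))
        if username not in self.credentials or not hmac.compare_digest(expected, password_el.text or ""):
            return None
        self.seen_nonces.add(nonce_b64)
        return username
```

The digest form still requires the server to hold the clear password (or a reversible form of it), which is why in practice the token is paired with TLS; the nonce and timestamp checks are what stop a captured header from being replayed against another service in the orchestration.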

Authentication

Authentication requirements are configured in jboss-esb.xml by specifying a security element as part of the service configuration. The moduleName must match the name of an application-policy in the application server's conf/login-config.xml file. When using OpenSSO, the moduleName should be OpenSSOLogin.

jboss-esb.xml

<services>
  <service category="ESBServiceSample" name="AccountOpeningProcess" description="Account Opening Process">
    <security moduleName="OpenSSOLogin"/>
    <listeners>
      <jms-listener name="AccountOpeningProcessListener" busidref="AccountOpeningProcessChannel" maxThreads="1" />
    </listeners>
    <actions inXsd="/request.xsd" outXsd="/response.xsd" faultXsd="/fault.xsd" webservice="security">

The SSO token can be propagated between services orchestrated by jBPM by copying it between the ESB Message and the jBPM process context. For example:

<action name="create_new_process_instance" class="org.jboss.soa.esb.services.jbpm.actions.BpmProcessor">
  <property name="command" value="StartProcessInstanceCommand" />
  <property name="process-definition-name" value="helloWorld" />
  <property name="esbToBpmVars">
    <mapping esb="BODY_CONTENT" bpm="request" />
    <mapping esb="properties.'org.jboss.soa.esb.services.security.context'" bpm="securityContext" />
  </property>
</action>

Note that the dot-delimited context name is wrapped in single quotes and prefixed with properties, because the security context is currently stored as a property of the ESB Message. A matching mapping in the other direction (bpmToEsbVars) must be configured on the ESB Service Node in the jPDL process definition so that the token is copied back onto the message sent to each downstream service; otherwise that service receives no security context and authentication fails there.

Authorization

Authorization is configured on the same security element. rolesAllowed lists the roles that may invoke the service (here CSR), and runAs sets the role under which the service's actions execute once the caller has been authorized, which lets a low-privilege caller trigger work that requires a higher role without holding that role itself. If rolesAllowed is omitted, only authentication is enforced and any successfully authenticated principal may invoke the service.

<services>
  <service category="ESBServiceSample" name="AccountOpeningProcess" description="Account Opening Process">
    <security moduleName="OpenSSOLogin" rolesAllowed="CSR" runAs="adminRole"/>
    <listeners>
      <jms-listener name="AccountOpeningProcessListener" busidref="AccountOpeningProcessChannel" maxThreads="1" />
    </listeners>
    <actions inXsd="/request.xsd" outXsd="/response.xsd" faultXsd="/fault.xsd" webservice="security">
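To see what the security element in the Authentication and Authorization configurations above does and does not enforce, the following added Python (not part of this page or of JBoss ESB) audits a jboss-esb.xml for services with no security element, services that authenticate but set no rolesAllowed, and services that run as another role, and check_access models the rolesAllowed decision for an authenticated principal. The sample file is constructed for the example (the AccountLookup and AccountClose services do not appear on the page), and treating rolesAllowed as a comma-separated role list is an assumption.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set

# Constructed sample jboss-esb.xml (not from the page): the page's service plus two
# weaker variants. Tag lookups below ignore the root xmlns, so a namespaced or an
# un-namespaced file can be audited the same way.
SAMPLE_JBOSS_ESB_XML = """
<jbossesb xmlns="http://anonsvn.labs.jboss.com/labs/jbossesb/trunk/product/etc/schemas/xml/jbossesb-1.0.1.xsd">
  <services>
    <service category="ESBServiceSample" name="AccountOpeningProcess" description="Account Opening Process">
      <security moduleName="OpenSSOLogin" rolesAllowed="CSR" runAs="adminRole"/>
      <listeners>
        <jms-listener name="AccountOpeningProcessListener" busidref="AccountOpeningProcessChannel" maxThreads="1"/>
      </listeners>
    </service>
    <service category="ESBServiceSample" name="AccountLookup" description="No security element">
      <listeners>
        <jms-listener name="AccountLookupListener" busidref="AccountLookupChannel" maxThreads="1"/>
      </listeners>
    </service>
    <service category="ESBServiceSample" name="AccountClose" description="Authenticated, any role">
      <security moduleName="OpenSSOLogin"/>
    </service>
  </services>
</jbossesb>
"""


def _local(tag: str) -> str:
    """Strip an XML namespace: '{uri}service' -> 'service'."""
    return tag.rsplit("}", 1)[-1]


def _find_child(elem: ET.Element, name: str) -> Optional[ET.Element]:
    return next((child for child in elem if _local(child.tag) == name), None)


def parse_roles(roles_allowed: Optional[str]) -> Optional[Set[str]]:
    """rolesAllowed modelled as a comma-separated list (assumption).
    None means the attribute is absent, i.e. no role restriction at all."""
    if roles_allowed is None:
        return None
    return {role.strip() for role in roles_allowed.split(",") if role.strip()}


def check_access(roles_allowed: Optional[str], principal_roles: Set[str]) -> bool:
    """Authorization decision for an already authenticated principal: with no
    rolesAllowed every authenticated principal passes; otherwise one role must match."""
    allowed = parse_roles(roles_allowed)
    if allowed is None:
        return True
    return bool(allowed & principal_roles)


def audit_services(xml_text: str) -> List[Dict]:
    """One finding per <service>, listing what its <security> element leaves open."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) != "service":
            continue
        name = f"{elem.get('category')}:{elem.get('name')}"
        security = _find_child(elem, "security")
        issues: List[str] = []
        if security is None:
            issues.append("no <security> element: unauthenticated callers can invoke the service")
            findings.append({"service": name, "moduleName": None, "rolesAllowed": None,
                             "runAs": None, "issues": issues})
            continue
        roles = parse_roles(security.get("rolesAllowed"))
        if roles is None:
            issues.append("rolesAllowed missing: any authenticated principal can invoke the service")
        if security.get("runAs"):
            issues.append(f"runAs={security.get('runAs')}: actions execute with that role, "
                          "not the caller's; confirm the escalation is intended")
        findings.append({"service": name, "moduleName": security.get("moduleName"),
                         "rolesAllowed": roles, "runAs": security.get("runAs"), "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_services(SAMPLE_JBOSS_ESB_XML):
        print(finding["service"], finding["issues"] or "ok")
```

Run it against a real deployment's jboss-esb.xml files before go-live: a service reachable over JMS or HTTP with no security element is callable by anything that can reach the bus, regardless of how carefully the web-service front end checks WS-Security headers.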

On the web-service side, the <wsse:Security> header of an incoming request is processed by the JBossWS server handler org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer, which must be present in the endpoint's handler chain for the token to be validated before the message reaches the ESB service.