IntroductionThe last week we had to implement some Authorization functionality on Cordys BOP4 (CU9) services. During this journey I discovered that there were several ways in defining the security and this makes it very complex (if you’re a first user just like me). So this blog item describes some ways to define the security and my experiences.
Ways to IdentifyCordys supports several ways to identify users:
- No identification is used, in this case this is mapped to an “anonymous” authenticated user within Cordys.
- Cordys. The credentials are put in the soap header request and are mapped to a Cordys user.
- WS-Security SAML. This can be used for single-sign-on
- WS-Security User name token. The user puts its identity (user and password, clear text or encrypted are possible) within the soap header
This blog item uses the last with clear text user and password.
You can set Cordys identification within the LDAP Explorer:
- Open LDAP Explorer
- Goto Organization (HRM) > soap nodes > AddEmployee
- On the right window, select “...” at the bussoapnodeconfiguration
- Add <authenticator implementation="com.eibus.security.authentication.CARSAuthenticator" />
ACLAccess Control lists are used to define security at several levels. These levels can be:
* Service Group. This is best used when webservices are bundled and all of them should have the same restrictions. * Webservice interface. This is best used when the several interfaces need different restrictions. * Webservice operation. The restriction can also be set op webservice operation level.
In this example we use the unconditional ACL in which the security setting is put stactically on an object.
Defining securityThis example uses the service as build within my previous post.
When you try to call this service from soapui:
<soapenv:Envelope xmlns:emp="http://www.examples.com/employee/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<emp:LastName>van de Kimmenade</emp:LastName>
you will get a soap fault that contains: <faultstring xml:lang="en-US">Anonymous access is denied for the method 'Employee'.</faultstring>
First we create a Role and a new User with no roles attached
- Create Users Folder
- Create HRMEmployee Role within this Folder
- Publish the Users
- Goto User Manager
Note: This is also the place to remove roles and users, because when removed from the workspace and republish does not give the wanted effect. They are still within the LDAP (CARS). So remove them from within the User Manager.
- Create a New User with no roles attached
Next we define the security on the AddEmployee service that the HRMEmployee Role is permitted to execute the webservice.
- Goto Workspace > AddEmployee Service > EmployeeBinding
- Right click Define Runtime Security
- Add HRMEmployee Role, Save and Publish
- When you run the service from within soapUI again you get the error:
Access is denied for the method 'Employee'. This is because you did not give the new User the needed Role, so that is what you do next. Note: You can add the WS-Security name token within the Aut tab and then right click Add WSS Username Token, remove soapenv:mustUnderstand="1" and Nonce and Create elements.
- Goto User Manager > Users Roles > Assign HRMEmployee to New User
- Execute the service request again from soapUI and the service should execute
User ManagerWhen you goto the User Manager and select Roles - Roles you will see the Organization Roles.
Right-click on HRMEmployee > Security on you will see the defined ACL on the Role:
When you click on the “Key” you will see the actual ACL:
You see that the state is “open”. In case the webservice should be blocked it would be “blocked”.
Note that this is also the place to remove the binding of the Role to the webservice !!
When you remove the Runtime Security on the AddEmployee Service and republish again the service is still accessible by the New User. I think this is a bug within Cordys.
Define on Service Group levelYou can also set the security on Service Group level in which case all services within that group have the same security settings.
- Goto System Resource Manager
- Show All Service Groups
- Right click Define Security
- Add HRMEmployee , Allow, and click OK
Note: If you goto the User Manager > Roles - Roles and Select HRMEmployee and right click Security you will see that two ACL sets are defined on this Role: