Using multiple credentials in an IBM Business Process Manager system lane

Optimize and extend security for advanced integration services in IBM BPM Advanced Edition

This article describes how to transfer selected security credentials from the Business Process Model Notation system tasks to SCA advanced integration services by leveraging WebSphere® Application Server standard security mechanisms. This content is part of the IBM Business Process Management Journal.

Jean-François Buisson (jbui@ch.ibm.com ), IT Architect, IBM

Jean-François Buisson started working for IBM in 2000 as an IT Specialist on WebSphere Application Server, WebSphere Portal, and SOA JEE projects. He currently works on BPM projects, specializing in the service layer.



02 April 2014

Introduction

When a system service is called from a Business Process Model Notation (BPMN) process, security credentials are transferred as a security context to the Service Component Architecture (SCA) called modules (for example, advanced services implementation). This security context always transfers the credentials of the user defined as <system-lane-users> in the 100Custom.xml file, basically the tw_admin system user credentials.

Imagine you want to call several SCA modules with different credential requirements. Let's say an account management module needs a dedicated account management technical user and a customer management module needs a different technical user. There are several cases where you would need such a configuration; for example, different process applications may need different system lane users. This is not possible with the current product implementation as delivered, and this article describes how to achieve it while leveraging the existing WebSphere security model.

Why using the Security Quality of Service (QoS) of the SCA components is not the solution

Using the Security QoS of an SCA component, you can define access role and RunAs settings. If you set the RunAs qualifier of your components to the different required security roles and the access role to a single role (tw_admin, for example), you flatten the service security model: all Advanced Integration Services (AIS) can then be called by the same user.

Download files

All the artifacts have been developed using IBM BPM Advanced Edition V8.0.1. The following files are provided with this article in the Download section:

  • Process application containing the BPMN process and the attached AIS: JKBankLoan - JKBL_SNP1.twx
  • Interchange file containing the JKBank legacy EJBs: JKBankLegacy.zip
  • Interchange file containing the AliasLogin project: AliasLogin.zip
  • Compiled JAR file for AliasLogin (also included in the process application): aliaslogin.jar
  • Interchange file containing the AIS (not mandatory if you synchronize Process Designer and IBM Integration Designer): JKBankAIS.zip

JK Bank scenario

JK Bank wants to use IBM® Business Process Manager (BPM) for an "Account Cancellation" process and for a "Loan" process. JK Bank has bought IBM BPM Advanced edition and wants to use the advanced integration services to access the already existing enterprise services exposed as Enterprise Java Beans (EJBs).

An existing AccountManagement EJB can only be accessed by the AccountManager role. An existing LoanOperations EJB can only be accessed by the LoanManager role.

According to JK Bank, those roles are clearly separated and are not given to a single technical user for security reasons. The system services implemented by the advanced services must therefore call those EJBs with different credentials, and the advanced services must not be callable by one and the same technical user.


JK Bank legacy

This section describes how to set up the secured bank legacy services in your development environment.

Existing EJB services security setup

For the example, we will use an enterprise project called "JKBankServices" that contains two EJBs. Each one is secured by an application role as shown in Table 1.

Table 1. Security methods and roles
EJB                  Method          Secured by role
AccountManagement    closeAccount    AccountManager
AccountManagement    getAccount      AccountManager
LoanOperations       approveLoan     LoanManager

EJBs are secured by annotations as shown in Listing 1.

Listing 1. Security annotations
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
@Stateless
@DeclareRoles("LoanManager")
public class LoanOperations implements LoanOperationsLocal {
...
    @RolesAllowed("LoanManager")
    public boolean approveLoan(String customerNumber) {
...
    }
}

Installing and configuring the JK Bank legacy sample

  1. Create two groups, AccountManagers and LoanManagers, and populate them with the users "accountTechUser" and "loanTechUser", respectively. From the WebSphere admin console, go to User and groups > Manage groups > Create to obtain the result shown in Figure 1.
    Figure 1. Groups of authorized users for the JK Bank legacy
  2. Create two technical users in the WebSphere admin console. Go to User and groups > Manage users > Create. Then add accountTechUser to the AccountManagers group and loanTechUser to the LoanManagers group, as shown in Figure 2.
    Figure 2. Group members for the JK Bank Legacy
  3. Install the provided JKBankServices EAR, and then map the predefined groups to the security roles as shown in Figure 3.
    Figure 3. Security role to user and group mapping for the JK Bank legacy
  4. The two JK Bank legacy services are now configured and secured. Start the application if you have not already done so.

Note: JK Bank legacy services are secured by roles. Keep in mind that you cannot change those roles and that separation of duty should be kept. It is not possible for JK Bank to have one single role, even if technical, to access all the services with the same access rights.


Solving the case by using WebSphere security

To solve our JK Bank case by calling the AIS from a process application with different user roles and security contexts, we need to retrieve the securely stored user and password pairs. Then we need to initiate a dedicated security context to call the AIS and SCA modules, so that this context can be transferred to the underlying layers by the standard WebSphere security mechanisms (see Figure 4).

Figure 4. Application layer and security context

Once again, it is worth noting that the SCA component authorization reflects the authorization model of the underlying services, and can be changed independently from the BPM system lane default user (by default, a single "tw_admin" for all the system lanes of the process applications).

Using a secure storage for process applications to retrieve technical users

The J2C and JAAS frameworks fit our needs. The technical users that call AIS from the system lane are stored as J2C authentication aliases. This storage is safe, standard, and can be accessed through the WebSphere API.

Using LoginContext to create new dedicated security contexts

The WebSphere API also provides classes to initiate a security context programmatically. We use those APIs to instantiate a new security context by logging in the users defined in the previously mentioned authentication aliases.


Technical implementation

This section describes the architecture of the solution and how to set up end-to-end security, from the business process layer down to the bank legacy services.

Using the AliasLogin JAR file

A JAR module called "AliasLogin" has been developed to be used by the process application. This module retrieves technical user credentials based on an authentication alias name. Once done, the module initiates a new security context based on those credentials. The "AliasLogin" code is available in the Download section of the article.
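The following is an added example of how the two steps described above (reading the credentials behind a J2C authentication alias, then opening a new security context with them) can be implemented on WebSphere Application Server. It is not the article's AliasLogin code; it is written from the public WebSphere APIs (WSMappingCallbackHandlerFactory with the DefaultPrincipalMapping login configuration, WSLogin, and WSSubject). The class and method names, and the alias name "loanTechUserAlias" used in the comments, are assumptions.

```java
// Added example (not the article's AliasLogin module): resolve the user name and
// password stored behind a J2C authentication alias, authenticate that user, and
// run code under the resulting security context. Assumes the WebSphere
// Application Server security classes are on the classpath (IBM BPM Advanced)
// and that the alias, for example "loanTechUserAlias", has been created.
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.resource.spi.security.PasswordCredential;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;

import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;
import com.ibm.wsspi.security.auth.callback.Constants;
import com.ibm.wsspi.security.auth.callback.WSMappingCallbackHandlerFactory;

public class AliasLoginExample {

    /** Resolve the user name and password stored behind a J2C authentication alias. */
    static PasswordCredential lookupAlias(String aliasName) throws Exception {
        Map<String, Object> props = new HashMap<String, Object>();
        props.put(Constants.MAPPING_ALIAS, aliasName);
        // DefaultPrincipalMapping is the JAAS login configuration that maps an
        // alias to its stored credentials; no ManagedConnectionFactory is needed.
        CallbackHandler handler =
            WSMappingCallbackHandlerFactory.getInstance().getCallbackHandler(props, null);
        LoginContext mapping = new LoginContext("DefaultPrincipalMapping", handler);
        mapping.login();
        Set<PasswordCredential> creds =
            mapping.getSubject().getPrivateCredentials(PasswordCredential.class);
        if (creds.isEmpty()) {
            throw new IllegalStateException("No credentials stored for alias " + aliasName);
        }
        return creds.iterator().next();
    }

    /** Authenticate the alias user against the WebSphere user registry. */
    static Subject loginAs(PasswordCredential cred) throws Exception {
        LoginContext ctx = new LoginContext("WSLogin",
            new WSCallbackHandlerImpl(cred.getUserName(), new String(cred.getPassword())));
        ctx.login();
        return ctx.getSubject();
    }

    /**
     * Run one action as the alias user. doAs scopes the new context to the
     * action, so the system lane user is never left replaced on the thread,
     * even if the action throws.
     */
    public static Object runAsAlias(String aliasName, PrivilegedExceptionAction action)
            throws Exception {
        Subject subject = loginAs(lookupAlias(aliasName));
        return WSSubject.doAs(subject, action);
    }

    /**
     * Thread-level variant matching the integration-service pattern of the
     * article, where the AIS is invoked in a separate nested service after the
     * login. Returns the previous subject so the caller can restore it.
     */
    public static Subject switchToAlias(String aliasName) throws Exception {
        Subject previous = WSSubject.getRunAsSubject();
        WSSubject.setRunAsSubject(loginAs(lookupAlias(aliasName)));
        return previous;
    }

    /** Put the original (system lane) subject back on the thread. */
    public static void restore(Subject previous) throws Exception {
        WSSubject.setRunAsSubject(previous);
    }
}
```

In the integration service of Figure 5, the Java service box would call switchToAlias with the alias name before the nested AIS call and restore the returned subject afterwards (in a finally-style step), so that the remainder of the system lane keeps running as tw_admin. The AIS call is authorized only because the alias user (loanTechUser) is a member of the LoanManagers group that is mapped to the LoanManager role on the SCA module and on the legacy EJB; the login itself grants nothing beyond what the registry and the role mappings already allow.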

Using the AliasLogin JAR file in an integration service

The integration service is a good container for our implementation. As you can see in Figure 5, we created a new security context by providing the authentication alias. This is the work of the AliasLogin module used in a Java integration module. If you need to import the aliaslogin.jar file in Process Designer, just drag and drop it on the Files icon. All the classes and methods in it will then be available in the Java service box.

Once the security context is initiated, we can call the advanced integration service (declared in a nested service). The AIS will then use the newly created security context.

Figure 5. Integration service implementation

Define security on AIS and SCA modules

Because we do not want the exposed SCA components to be accessible by the same technical user, we need to set permissions accordingly by using the Quality of Service qualifiers. The AIS implementing the mediation to the account service EJB is only accessible by the "AccountManager" role, and the AIS implementing the loan service is only accessible by the "LoanManager" role (see Figure 6). This way, we keep role separation as required by JK Bank. The SCA access model is the same as the services access model.

Figure 6. AIS components in IBM Integration Designer

For the example, we defined two AIS that are simple mediations to EJB calls; each mediation component is secured with a "Security Permission" QoS (see Figure 7).

Figure 7. Secured mediation

The Loan process application

Finally, we illustrate the new capabilities of our implementation in the Loan process application. This process application, based on the JK Bank security requirements, calls two AIS in the same system lane with different credentials. The security model is kept from the top layer to the bottom one: the BPMN process retrieves securely stored users and initiates new security contexts, the SCA modules are secured, and the legacy EJBs keep the same security model.

You can see in Figure 8 the two advanced service calls in purple. With our integration service implementation, those services are called once under "loanTechUser", and once with "accountUserRole".

Figure 8. Loan process

Installing and configuring the process application and AIS

Since the AIS project is packaged within the process application, you only have to install the application delivered with this article into Process Center. The AIS implementation is then visible in IBM Integration Designer when you open the application from the Process Center view. In Process Center, the application is deployed automatically, but some security configuration remains to be done.

Creating the J2C authentication aliases

In the WebSphere admin console, go to Global Security > Java Authentication and Authorization Service > J2C Authentication Data and click New to create the following two aliases, accountTechUserAlias and loanTechUserAlias, as shown in Figure 9.

Figure 9. Authentication aliases to be passed to the AliasLogin module

Mapping groups to the SCA component security roles

In the WebSphere admin console, go to the enterprise applications and locate the application JKBL–Tip–JKBankLoan_ImplementationApp that hosts the SCA modules (Figure 10). This application has been generated by Process Center and is deployed automatically. Note that the security role mappings are deleted each time the application is published, so they must be reapplied after every publish.

Figure 10. Application hosting the SCA modules

Map the SCA role authorizations to the existing security groups, LoanManagers and AccountManagers, as shown in Figure 11.

Figure 11. Security role mapping for SCA modules

Known limitations

Since the AIS calls are embedded in BPM integration services, the solution proposed in this article works only in synchronous mode. See Step 5 in "Building an Advanced Integration service" in the IBM BPM Information Center.

IBM cannot guarantee that a security context set in an integration service will automatically be propagated by following the AIS invocation in future releases of the product.


Conclusion

This article has provided a complete solution to implement end-to-end security in IBM BPM Advanced Edition by calling the Advanced Integration Services with credentials other than the default system lane user. Figure 12 illustrates the call chain between the different layers as well as the security used to protect the enterprise services.

Using selected credentials to call advanced services is valuable in many situations where you want to have clearly separated security roles. It is possible to use different security contexts for different process applications, or, as in the "Loan Process" example, use different security contexts within the same system lane.

Figure 12. Complete implementation scheme

Acknowledgments

The author would like to thank the following colleagues and mentors for their review and support of this article: Martin Smolny, Bryan Brown, Ray Lang Rui, David Booz, Allen Chan, and Eric Herness.


Download

Description     Name                 Size
Code sample     code_sample.zip      1172KB
