Blueprint security and OSGi applications

You can configure bean security so that the methods of the bean can be accessed only by users that are assigned a specified role.

You configure security by defining one or more <access-constraint> elements, inside the <bean> element for the bean whose security you want to configure, in the Blueprint XML file of your OSGi application. If you do not define an <access-constraint> element, the bean is not secured; this means that all the methods of the bean can be accessed by any user.

For the bean security configuration to be effective, application security must be enabled in WebSphere® Application Server.

You can configure bean security at the bean level and at the method level. If you configure security at both the bean level and the method level, the method-level configuration takes precedence for the methods it names; the bean-level role still applies to every other method.

The <access-constraint> element is defined in a Blueprint namespace extension, https://www.ibm.com/appserver/schemas/blueprint/security/v1.0.0. Therefore, you must specify a namespace prefix for this extension in the <blueprint> element. In the examples that follow, the prefix "sec" is used; this prefix is specified as follows:
<blueprint
  xmlns="https://www.osgi.org/xmlns/blueprint/v1.0.0"
  xmlns:sec="https://www.ibm.com/appserver/schemas/blueprint/security/v1.0.0">

Configuring bean-level security

To configure security at the bean level, include a role attribute in the <access-constraint> element definition. The methods of the bean can be accessed only by users that are assigned the specified role.

In the following example, the methods of the secureBean1 bean are accessible only by users that are assigned the role called "ROLE1":
<bean
  id="secureBean1"
  class="com.ibm.ws.eba.wab.componenttest.blueprint.secure.BlueprintSecureServiceImpl">
  <sec:access-constraint role="ROLE1" />
</bean>

Configuring method-level security

To configure security at the method level, include, in addition to the role attribute, a method attribute. The specified method can be accessed only by users that are assigned the specified role.

In the following example, the getPrice method of the secureBean1 bean is accessible only by users that are assigned ROLE1. All the other methods of the bean can be accessed by any user.
<bean
  id="secureBean1"
  class="com.ibm.ws.eba.wab.componenttest.blueprint.secure.BlueprintSecureServiceImpl">
  <sec:access-constraint method="getPrice" role="ROLE1" />
</bean>

In the following example, the getPrice method is accessible only by users that are assigned ROLE1, and the printReport method is accessible only by users that are assigned ROLE2. All the other methods can be accessed by users that are assigned ROLE3.
<bean
  id="secureBean1"
  class="com.ibm.ws.eba.wab.componenttest.blueprint.secure.BlueprintSecureServiceImpl">
  <sec:access-constraint method="getPrice" role="ROLE1" />
  <sec:access-constraint method="printReport" role="ROLE2" />
  <sec:access-constraint role="ROLE3" />
</bean>
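As an added example (not part of the IBM documentation or the WebSphere product code), the following script audits a Blueprint XML document and reports the effective access policy per bean, applying the precedence rule described above and flagging beans whose remaining methods are open to any user. It assumes the namespace URIs exactly as given on this page; the sample XML and the class names in it are constructed.

```python
# Added example: audit the sec:access-constraint elements in a Blueprint XML
# file and derive the effective role per method (method level wins over
# bean level). Not IBM's code; the sample document below is constructed.
import xml.etree.ElementTree as ET

BP_NS = "https://www.osgi.org/xmlns/blueprint/v1.0.0"
SEC_NS = "https://www.ibm.com/appserver/schemas/blueprint/security/v1.0.0"

# Constructed sample: the third example on this page plus an unsecured bean.
SAMPLE_XML = f"""<blueprint xmlns="{BP_NS}" xmlns:sec="{SEC_NS}">
  <bean id="secureBean1" class="example.BlueprintSecureServiceImpl">
    <sec:access-constraint method="getPrice" role="ROLE1" />
    <sec:access-constraint method="printReport" role="ROLE2" />
    <sec:access-constraint role="ROLE3" />
  </bean>
  <bean id="openBean" class="example.OpenServiceImpl" />
</blueprint>"""


def audit_blueprint(xml_text):
    """Return {bean_id: {"default": role_or_None, "methods": {name: role}}}.

    "default" is the bean-level role covering every method not listed under
    "methods"; None means those methods can be called by any user.
    """
    root = ET.fromstring(xml_text)
    report = {}
    for bean in root.iter(f"{{{BP_NS}}}bean"):
        policy = {"default": None, "methods": {}}
        for ac in bean.findall(f"{{{SEC_NS}}}access-constraint"):
            method, role = ac.get("method"), ac.get("role")
            if role is None:
                raise ValueError(f"access-constraint without role in {bean.get('id')}")
            if method:
                policy["methods"][method] = role  # method level takes precedence
            else:
                policy["default"] = role
        report[bean.get("id")] = policy
    return report


def unsecured_beans(report):
    """IDs of beans with no bean-level role: their unlisted methods are open."""
    return sorted(b for b, p in report.items() if p["default"] is None)


if __name__ == "__main__":
    rep = audit_blueprint(SAMPLE_XML)
    for bean_id, p in rep.items():
        print(bean_id, "default:", p["default"], "methods:", p["methods"])
    print("beans with no bean-level role:", unsecured_beans(rep))
```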

Assigning roles

To assign a role to users or to groups, use the Security role to user or group mapping panel in the WebSphere Application Server administrative console.