Blueprint security and OSGi applications
You can configure bean security so that the methods of the bean can be accessed only by users that are assigned a specified role.
You configure security by defining one or more <access-constraint> elements, inside the <bean> element for the bean whose security you want to configure, in the Blueprint XML file of your OSGi application. If you do not define an <access-constraint> element, the bean is not secured; this means that all the methods of the bean can be accessed by any user.
For the bean security configuration to be effective, application security must be enabled in WebSphere® Application Server.
You can configure bean security at the bean level and at the method level. If you configure security at both levels, the method-level configuration takes precedence.
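The examples in this topic use the sec prefix, which is bound to the Blueprint security namespace in the <blueprint> element:
<blueprint
    xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
    xmlns:sec="https://www.ibm.com/appserver/schemas/blueprint/security/v1.0.0">
  <!-- bean definitions -->
</blueprint>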
Configuring bean-level security
To configure security at the bean level, include a role attribute in the <access-constraint> element definition. The methods of the bean can be accessed only by users that are assigned the specified role.
<bean
    id="secureBean1"
    class="com.ibm.ws.eba.wab.componenttest.blueprint.secure.BlueprintSecureServiceImpl">
  <sec:access-constraint role="ROLE1" />
</bean>
Configuring method-level security
To configure security at the method level, include, in addition to the role attribute, a method attribute. The specified method can be accessed only by users that are assigned the specified role.
<bean
    id="secureBean1"
    class="com.ibm.ws.eba.wab.componenttest.blueprint.secure.BlueprintSecureServiceImpl">
  <sec:access-constraint method="getPrice" role="ROLE1" />
</bean>
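You can define several constraints in one bean. In the following example, the getPrice method requires ROLE1 and the printReport method requires ROLE2. Because the method-level configuration takes precedence, ROLE3 applies to all other methods of the bean.
<bean
    id="secureBean1"
    class="com.ibm.ws.eba.wab.componenttest.blueprint.secure.BlueprintSecureServiceImpl">
  <sec:access-constraint method="getPrice" role="ROLE1" />
  <sec:access-constraint method="printReport" role="ROLE2" />
  <sec:access-constraint role="ROLE3" />
</bean>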
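An added example, not part of the original topic and not IBM code: a small Python audit of a Blueprint file that applies the precedence rule described above and reports beans that have no <access-constraint> element or no bean-level role. The sample XML, the bean ids and the function names are constructed; elements are matched by local name, and treating a method with no matching constraint as unconstrained is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample; bean ids and class names are made up for this example.
SAMPLE = """<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
    xmlns:sec="https://www.ibm.com/appserver/schemas/blueprint/security/v1.0.0">
  <bean id="pricing" class="example.PricingImpl">
    <sec:access-constraint method="getPrice" role="ROLE1" />
    <sec:access-constraint method="printReport" role="ROLE2" />
    <sec:access-constraint role="ROLE3" />
  </bean>
  <bean id="partial" class="example.PartialImpl">
    <sec:access-constraint method="getPrice" role="ROLE1" />
  </bean>
  <bean id="open" class="example.OpenImpl" />
</blueprint>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop ElementTree's "{namespace}" prefix

def load_constraints(xml_text):
    """Map bean id -> (bean-level role or None, {method: role})."""
    beans = {}
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "bean":
            continue
        bean_role, methods = None, {}
        for child in el:
            if local(child.tag) != "access-constraint":
                continue
            if child.get("method"):
                methods[child.get("method")] = child.get("role")
            else:
                bean_role = child.get("role")
        beans[el.get("id")] = (bean_role, methods)
    return beans

def effective_role(beans, bean_id, method):
    """Method-level constraint takes precedence; None means no constraint matched."""
    bean_role, methods = beans[bean_id]
    return methods.get(method, bean_role)

def audit(beans):
    """Report beans with no constraint at all, or with no bean-level role."""
    findings = []
    for bean_id, (bean_role, methods) in beans.items():
        if bean_role is None:
            findings.append((bean_id, "no-bean-level-role" if methods else "unsecured"))
    return findings

print(audit(load_constraints(SAMPLE)))
```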
Assigning roles
To assign a role to users or to groups, use the Security role to user or group mapping panel in the WebSphere Application Server administrative console.