Use two Service Component Architecture (SCA) declarative policies (authorization and security identity) to protect SCA components and operations and to declare the security identity under which the SCA components or operations are executed.
Deprecated feature: The Service Component Architecture (SCA) programming model and samples are deprecated, and will be removed in a future release. You cannot deploy new SCA business-level applications. If you want to continue to use SCA as part of your long-term strategy, consider hosting your applications on IBM Business Process Manager.
Before you begin
A user registry must be configured and an SCA component must first have been developed. You must also enable application security.
About this task
An authorization policy controls who can access protected SCA components and operations. A security identity policy declares the security identity under which an SCA component or operation is executed. You can limit access to an SCA component or to an operation to particular users or groups. You can also delegate access to another user when executing an SCA component or an operation.
Note the following limitations:
Access to an SCA component is permitted or denied by using the following steps:
Procedure
- The policy administrator creates one or more policy sets in the file named definitions.xml.
OSOA example
<definitions xmlns="http://www.osoa.org/xmlns/sca/1.0"
             targetNamespace="http://smallvilleBank"
             xmlns:sca="http://www.osoa.org/xmlns/sca/1.0">
  <policySet name="StaffAuthorizationPolicy"
             appliesTo="sca:implementation.java"
             xmlns="http://www.osoa.org/xmlns/sca/1.0">
    <authorization>
      <allow roles="staff"/>
    </authorization>
  </policySet>
  <policySet name="SupervisorAuthorizationPolicy"
             appliesTo="sca:implementation.java"
             xmlns="http://www.osoa.org/xmlns/sca/1.0">
    <authorization>
      <allow roles="supervisor manager specialist"/>
    </authorization>
    <securityIdentity>
      <runAs role="specialist"/>
    </securityIdentity>
  </policySet>
</definitions>
OASIS example
<definitions xmlns="http://docs.oasis-open.org/ns/opencsa/sca/200912"
             targetNamespace="http://smallvilleBank"
             xmlns:sca="http://docs.oasis-open.org/ns/opencsa/sca/200912"
             xmlns:tuscany="http://tuscany.apache.org/xmlns/sca/1.1">
  <policySet name="StaffAuthorizationPolicy"
             appliesTo="sca:implementation.java"
             provides="authorization">
    <tuscany:authorization>
      <tuscany:allow roles="staff"/>
    </tuscany:authorization>
  </policySet>
  <policySet name="SupervisorAuthorizationPolicy"
             appliesTo="sca:implementation.java">
    <tuscany:authorization>
      <tuscany:allow roles="supervisor manager specialist"/>
    </tuscany:authorization>
    <tuscany:securityIdentity>
      <tuscany:runAs role="specialist"/>
    </tuscany:securityIdentity>
  </policySet>
</definitions>
- The assembler attaches the policy to the SCA composite.
OSOA example
<?xml version="1.0" encoding="UTF-8"?>
<composite xmlns="http://www.osoa.org/xmlns/sca/1.0"
           xmlns:bank="http://smallvilleBank"
           name="AccountServices">
  <component name="AccountAccess">
    <implementation.java class="smallvilleBank.AccountAccessImpl"
                         policySets="bank:StaffAuthorizationPolicy"/>
  </component>
  <component name="AccountAudit">
    <implementation.java class="smallvilleBank.AccountAuditImpl"
                         policySets="bank:SupervisorAuthorizationPolicy"/>
  </component>
</composite>
OASIS example
<?xml version="1.0" encoding="UTF-8"?>
<composite xmlns="http://docs.oasis-open.org/ns/opencsa/sca/200912"
           xmlns:bank="http://smallvilleBank"
           name="AccountServices">
  <component name="AccountAccess">
    <implementation.java class="smallvilleBank.AccountAccessImpl"
                         requires="authorization" policySets="bank:StaffAuthorizationPolicy"/>
  </component>
  <component name="AccountAudit">
    <implementation.java class="smallvilleBank.AccountAuditImpl"
                         policySets="bank:SupervisorAuthorizationPolicy"/>
  </component>
</composite>
- The deployer assigns users and/or groups to the roles that are defined in the composite.
- The deployer assigns a user to the runAs roles that are defined in the composite.
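Before the deployer maps users and groups to roles, it is worth checking what the composite actually ends up protecting: which roles each component resolves to, which runAs identity it executes under, and whether any component is deployed with no authorization policy at all. The script below is an added example, not code from the IBM documentation or from the SCA runtime. It resolves the policySets references of an OSOA composite against definitions.xml using only the standard library. The embedded definitions.xml and composite are constructed inputs modelled on the OSOA examples above, with two extra components (PublicLookup and LedgerExport) and an undefined bank:AuditorPolicy reference added to exercise the audit; the permitAll and denyAll intents are taken from the SCA Policy Framework specification, which the page itself does not show.

```python
# Added example (not from the IBM documentation page): resolve the effective
# authorization and securityIdentity policy per component in an OSOA composite
# and flag components that would be deployed without an authorization check.
import io
import xml.etree.ElementTree as ET

OSOA_NS = "http://www.osoa.org/xmlns/sca/1.0"

# Constructed inputs modelled on the OSOA definitions.xml and composite above.
# PublicLookup and the bank:AuditorPolicy reference are added to exercise the audit.
DEFINITIONS_XML = """<definitions xmlns="http://www.osoa.org/xmlns/sca/1.0"
    targetNamespace="http://smallvilleBank"
    xmlns:sca="http://www.osoa.org/xmlns/sca/1.0">
  <policySet name="StaffAuthorizationPolicy" appliesTo="sca:implementation.java">
    <authorization><allow roles="staff"/></authorization>
  </policySet>
  <policySet name="SupervisorAuthorizationPolicy" appliesTo="sca:implementation.java">
    <authorization><allow roles="supervisor manager specialist"/></authorization>
    <securityIdentity><runAs role="specialist"/></securityIdentity>
  </policySet>
</definitions>"""

COMPOSITE_XML = """<composite xmlns="http://www.osoa.org/xmlns/sca/1.0"
    xmlns:bank="http://smallvilleBank" name="AccountServices">
  <component name="AccountAccess">
    <implementation.java class="smallvilleBank.AccountAccessImpl"
        policySets="bank:StaffAuthorizationPolicy"/>
  </component>
  <component name="AccountAudit">
    <implementation.java class="smallvilleBank.AccountAuditImpl"
        policySets="bank:SupervisorAuthorizationPolicy"/>
  </component>
  <component name="PublicLookup">
    <implementation.java class="smallvilleBank.PublicLookupImpl"/>
  </component>
  <component name="LedgerExport">
    <implementation.java class="smallvilleBank.LedgerExportImpl"
        policySets="bank:AuditorPolicy"/>
  </component>
</composite>"""


def _parse_with_namespaces(xml_text):
    """Parse and also keep the prefix->URI map, which ElementTree otherwise
    discards but which is needed to resolve 'bank:StaffAuthorizationPolicy'."""
    nsmap, root = {}, None
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, payload in ET.iterparse(source, events=("start-ns", "start")):
        if event == "start-ns":
            nsmap[payload[0]] = payload[1]
        elif root is None:
            root = payload
    return root, nsmap


def load_policy_sets(definitions_xml):
    """Map (targetNamespace, name) -> summary of each policySet in definitions.xml.
    allow, permitAll and denyAll are the authorization intents of the SCA Policy
    Framework (assumed from the specification; the page only shows <allow>)."""
    root, _ = _parse_with_namespaces(definitions_xml)
    target_ns = root.get("targetNamespace", "")
    sets = {}
    for ps in root.findall(f"{{{OSOA_NS}}}policySet"):
        entry = {"roles": frozenset(), "deny_all": False, "permit_all": False, "run_as": None}
        for allow in ps.iter(f"{{{OSOA_NS}}}allow"):
            entry["roles"] |= frozenset(allow.get("roles", "").split())
        entry["deny_all"] = ps.find(f".//{{{OSOA_NS}}}denyAll") is not None
        entry["permit_all"] = ps.find(f".//{{{OSOA_NS}}}permitAll") is not None
        run_as = ps.find(f".//{{{OSOA_NS}}}runAs")
        if run_as is not None:
            entry["run_as"] = run_as.get("role")
        sets[(target_ns, ps.get("name"))] = entry
    return sets


def effective_policy(definitions_xml, composite_xml):
    """Per component: roles allowed to call it, the runAs identity it executes
    under, unresolved policySet references, and whether it is protected at all."""
    sets = load_policy_sets(definitions_xml)
    root, nsmap = _parse_with_namespaces(composite_xml)
    result = {}
    for comp in root.findall(f"{{{OSOA_NS}}}component"):
        info = {"roles": frozenset(), "run_as": None, "deny_all": False,
                "permit_all": False, "unresolved": []}
        # policySets may sit on the component itself, its implementation, services or bindings
        for elem in comp.iter():
            for ref in elem.get("policySets", "").split():
                prefix, _, local = ref.rpartition(":")   # unprefixed -> default namespace
                ps = sets.get((nsmap.get(prefix, ""), local))
                if ps is None:
                    info["unresolved"].append(ref)
                    continue
                info["roles"] |= ps["roles"]
                info["deny_all"] = info["deny_all"] or ps["deny_all"]
                info["permit_all"] = info["permit_all"] or ps["permit_all"]
                info["run_as"] = ps["run_as"] or info["run_as"]
        # permitAll is an explicit "open" decision, not protection
        info["protected"] = info["deny_all"] or bool(info["roles"])
        result[comp.get("name")] = info
    return result


def audit(definitions_xml, composite_xml):
    """Findings a deployer should clear before assigning users to the roles."""
    findings = []
    for name, info in effective_policy(definitions_xml, composite_xml).items():
        for ref in info["unresolved"]:
            findings.append(f"{name}: policySet {ref} is not defined in definitions.xml")
        if not info["protected"]:
            findings.append(f"{name}: no authorization policy attached; calls are not role-checked")
        if info["run_as"] and info["roles"] and info["run_as"] not in info["roles"]:
            findings.append(f"{name}: runAs role {info['run_as']} is not among the caller roles")
    return findings


if __name__ == "__main__":
    for line in audit(DEFINITIONS_XML, COMPOSITE_XML):
        print(line)
```

Run against the constructed inputs, the audit reports PublicLookup as unprotected and LedgerExport both as referencing a policy set that definitions.xml does not define and as unprotected, while AccountAccess and AccountAudit resolve to the staff and supervisor/manager/specialist roles with the specialist runAs identity on AccountAudit. The last check in audit is deliberately a caveat rather than an error: a runAs role outside the caller roles is exactly the delegation the page describes, but it means the component executes with privilege its callers do not hold, so it deserves a second look before deployment.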
What to do next
Access to the SCA component is permitted or denied according to the authorization policy.