Release 10.1A: OpenEdge Application Server:
Administration

Controlling access to Web services, WSDL, and WSA administration using user-authorization role-names

You can control access to all of a WSA instance’s Web services, WSDL, and WSA administration, or to any desired combination of these functions, using user-authorization role-names.

To control access to Web services, WSDL, and WSA administration:
  1. Choose user-authorization role-names to identify users who can access your desired combination of functions.

  2. In each security-constraint, uncommented or created in the previous step, add a role-name element for each user-authorization role-name you chose. The syntax of a role-name element is:

    3. Syntax 
    <auth-constraint> 
  <role-name>name</role-name> 
</auth-constraint>

    For example, if you want to grant access to all of a WSA’s Web services, WSDL, and WSA administration and grant access to the user-authorization role-names PSCAdmin and GuestAdmin, you might modify the security-constraints as shown in Table 7–4.

    Table 7–4: Controlling Web service, WSDL, and administration access using role names
    For accessing ...
    The modified security-constraint might look like this ...
    Web services 
    <security-constraint> 
  <web-resource-collection> 
    <url-pattern>/wsa1/</url-pattern> 
      <auth-constraint> 
        <role-name>PSCAdmin</role-name> 
        <role-name>GuestAdmin</role-name> 
      </auth-constraint> 
  </web-resource-collection> 
</security-constraint>
    WSDL 
    <security-constraint> 
  <web-resource-collection> 
    <url-pattern>/wsa1/wsdl/*</url-pattern> 
      <auth-constraint> 
        <role-name>PSCADmin</role-name> 
        <role-name>GuestAdmin</role-name> 
      </auth-constraint> 
  </web-resource-collection> 
</security-constraint>
    WSA administration 
    <security-constraint> 
  <web-resource-collection> 
    <url-pattern>/wsa1/admin/*</url-pattern/*> 
      <auth-constraint> 
        <role-name>PSCAdmin</role-name> 
        <role-name>GuestAdmin</role-name> 
      </auth-constraint> 
  </web-resource-collection> 
</security-constraint>

  3. Modify the properties of the WSA instance to require JSE authentication of all users of your desired combination of functions. The technique for doing so depends on whether the WSA instance is local (residing on the AdminServer machine) or remote (not residing on the AdminServer machine):

    4. If the WSA instance is local, using Progress Explorer, select the WSA instance, right-click, and select Security in the property sheet:

    Then, enable the checkboxes on the Security panel to require JSE user authentication of all users in your desired combination of functions as follows:

    • Require WSA Administration Authorization.
    • Require Web Services Authorization.
    • Require WSDL Retrieval Authorization.

      • For more info, see the Progress Explorer online help.

      If the WSA instance is remote, edit the ubroker.properties file for the WSA. In the section for the WSA instance, for each function in your desired combination, set the property that enables JSE authentication of all users of that function, as shown in Table 7–5.

      Table 7–5: Requiring Web service user authorization for Web service, WSDL, and administration access
      To require JSE user authentication for all users of ...
      Set this property ...
      To ...
      Web services
      appAuth
      1
      WSDL
      wsdlAuth
      1
      WSA administration
      adminAuth
      1

      For more information on the properties of a WSA instance, see the comments in the ubroker.properties file.

Copyright © 2005 Progress Software Corporation
 www.progress.com
Voice: (781) 280-4000
Fax: (781) 280-4095