The WSRP Producer contains an authorization component that provides access control. It is described under Using the authorization provider to protect portlets. The authorization provider checks access permissions on provided portlets for the current security context.
For the WSRP Producer, security for WSRP services is optional. You can configure it if required, but you do not have to provide security. If you provide security for your WSRP services, the WSRP Consumer must be configured to use the same authentication mechanism as the WSRP Producer from which the Consumer consumes portlets.
You can configure security for the WSRP Producer by using either of the following two authentication mechanisms:
Web Services Security
You can configure the WSRP web service providers for Web Services Security according to the WS-Security standard. This security option is available on WebSphere Application Server Full Profile only. The WSRP Consumer sends a header that complies with the WS-Security standard as part of the WSRP request messages. The header contains credentials that serve to identify and authenticate the user. For example, you can configure the Consumer portal to include Lightweight Third-Party Authentication (LTPA) tokens in the WS-Security header. For this option, both the WSRP Consumer and the WSRP Producer must be configured for Web Services Security.
The web service security configuration is based on policy sets. The WSRP Producer provides a set of default policy sets and provider policy set bindings that can be attached to the WSRP service providers. If you configure your WSRP Producer for WS-Security, the Producer accepts and processes only authenticated requests. It rejects unauthenticated requests that do not contain a WS-Security compliant header.
HTTP-cookie-based single sign-on
This security option is available on WebSphere Application Server Full Profile Version 8.5.0 and later versions and on WebSphere Application Server Liberty Profile. To authenticate and identify the user and establish the security context for processing the WSRP request, the WSRP Producer uses LTPA V2 HTTP cookies that the WSRP Consumer sends as part of the WSRP request messages. For example, these credentials can be in the form of an LTPA V2 cookie. The WSRP Producer receives the cookie and establishes the corresponding security context on the Producer side. This option requires configuration of the WSRP Consumer to forward HTTP cookies. It has the following advantages:
- It does not require configuration of the WSRP web services.
- It makes it possible for the WSRP Producer to accept and process both unauthenticated and authenticated requests. The Producer processes unauthenticated requests that do not contain an LTPA V2 cookie without establishing an individual security context.
For both setup options, the WSRP Producer and the WSRP Consumer must be configured for Single Sign-On (SSO). The requirements for SSO depend on the authentication method that is used. For example, if you use LTPA V2, the WSRP Consumer and the WSRP Producer must use the same user registry or use the same realm. In addition, the WSRP Producer and the WSRP Consumer must exchange shared keys that are used to sign the security credentials.
If you use the Web Services Security option, the WSRP Producer accepts only authenticated request messages and rejects those request messages that do not contain a respective security header. In contrast, if you use the HTTP-cookie-based single sign-on security option, the WSRP Producer accepts both authenticated and unauthenticated request messages. If the message does not contain a security credential, the WSRP Producer does not establish a security context for processing the request. If application security is enabled and the authorization provider is enabled, the authorization provider checks permissions according to the defined security constraints. If the portlet application does not define any security constraint, the authorization provider gives users access to the portlets both for authenticated requests and for unauthenticated requests. Therefore, verify the security constraints of provided portlets carefully if you enable application security.
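The two admission behaviours described above, as an added Python model that is not IBM's code: it only checks for the presence of a wsse:Security header or an LtpaToken2 cookie and does not validate the token, and the mode names, the portlet_requires_auth flag and the sample envelopes are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from http.cookies import SimpleCookie

# Standard namespaces of a SOAP 1.1 envelope and its WS-Security header.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

# Constructed sample WSRP requests: one with a WS-Security header, one without.
SECURED = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Header>'
           f'<wsse:Security xmlns:wsse="{WSSE_NS}">'
           '<wsse:BinarySecurityToken>LTPA-TOKEN-PLACEHOLDER</wsse:BinarySecurityToken>'
           '</wsse:Security></s:Header><s:Body/></s:Envelope>')
PLAIN = f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Header/><s:Body/></s:Envelope>'


def has_wssecurity_header(envelope_xml):
    """True if the SOAP Header carries a wsse:Security element."""
    root = ET.fromstring(envelope_xml)
    return root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security") is not None


def ltpa2_cookie(cookie_header):
    """Return the LtpaToken2 value from an HTTP Cookie header, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return jar["LtpaToken2"].value if "LtpaToken2" in jar else None


def admit(mode, envelope_xml, cookie_header, portlet_requires_auth):
    """Model of the Producer decision. Returns (accepted, security_context),
    where security_context is "authenticated", "anonymous" or None (rejected
    before any context is built). Token signatures are not verified here."""
    if mode == "ws-security":
        # Fails closed: a request without a WS-Security header is rejected outright.
        if not has_wssecurity_header(envelope_xml):
            return (False, None)
        ctx = "authenticated"
    elif mode == "cookie-sso":
        # Fails open: without an LTPA V2 cookie the request runs anonymously.
        ctx = "authenticated" if ltpa2_cookie(cookie_header) else "anonymous"
    else:
        raise ValueError(f"unknown mode {mode!r}")
    # Authorization provider: only a security constraint keeps anonymous callers out.
    if ctx == "anonymous" and portlet_requires_auth:
        return (False, ctx)
    return (True, ctx)
```

The last branch is the point of the warning above: in cookie-SSO mode a portlet with no security constraint is served to anonymous callers, so the constraint, not the transport, decides who gets in.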
You can choose to not set up security for the WSRP Producer and Consumer portals. In this case, the WSRP Producer does not process the WSRP requests from the Consumer under a user identity. Instead, the Producer processes the WSRP requests anonymously. Therefore, the Consumer must not be configured for WSRP security.