A rule’s action determines what must take place for the rule to fire. A rule fires when the Policy Server determines that an action specified in a rule occurs. The rule must be contained in an existing, enabled policy. For example, if a policy contains a rule that allows access to a web service operation, and the policy specifies users who exist in a particular directory, when one of the users listed in the directory attempts to access a resource, the Policy Server determines that the rule must fire in order to process the request.
When a rule that specifies Allow Access fires, if a user authenticates successfully, SOA Security Manager allows the user to access the specified resource. If a rule specifies Deny Access, SOA Security Manager denies access to the successfully authenticated user. Deny access rules may be added to policies to provide an additional layer of security by rejecting specific individuals or groups who should not have access to a resource. Allow Access is the default.
Deny access rules take precedence over allow access rules. If a deny access rule and an allow access rule fire when a user attempts to access a resource, the presence of the deny access rule overrides all allow access rules.
SOA Security Manager rules should specify one or more of the following Web Agent actions:
Post: Incoming web service request sent to the URL to which your web service is bound using the Post HTTP request action. Rules that specify the Post action will fire for any web service request posted over HTTP.
Process SOAP: Incoming web service request is a SOAP message. Rules that specify the Process SOAP action will fire for any web service request sent over HTTP or JMS and wrapped in a SOAP envelope.
Process XML: Incoming web service request is raw XML (not wrapped with a SOAP envelope). Rules that specify the Process XML action will fire for any web service request sent in raw XML format.
Note: For ProcessSOAP and ProcessXML actions to be identified, the XMLSDKResourceIdentification Agent parameter must be set to true for the target SOA Agent.
Web service requests sent over HTTP must be sent to the URL to which your web service is bound using the POST HTTP request action, so the standard action that you should define for rules protecting web services accessed over HTTP is Post.
Web service requests sent over JMS must be sent to the JMS queue or topic serving your web service in a SOAP message, so the standard action that you should define for rules protecting web services accessed over JMS is Process SOAP.
By default, rules created by the SOA Security Manager Administrative UI specify Post, ProcessSOAP, and ProcessXML Agent actions.
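The following is an added example, not CA code or part of the original documentation: a simplified Python model of how the deny-over-allow precedence and the three Agent actions combine when deciding a request. The class and function names, the sample users and resources, and the 'no_rule_fired' outcome are assumptions made for illustration.

```python
# Simplified model of the rule evaluation described on this page (not CA code).
# Rule, Policy, Request, identified_actions and decide are hypothetical names.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    resource: str
    actions: frozenset   # subset of {"Post", "ProcessSOAP", "ProcessXML"}
    allow: bool = True   # Allow Access is the default

@dataclass(frozen=True)
class Policy:
    users: frozenset
    rules: tuple

@dataclass(frozen=True)
class Request:
    resource: str
    transport: str       # "HTTP" or "JMS"
    body: str            # "soap" (SOAP envelope) or "xml" (raw XML)

def identified_actions(req, xmlsdk_resource_identification):
    """Actions the agent can attribute to a request."""
    actions = set()
    if req.transport == "HTTP":
        actions.add("Post")             # web service requests over HTTP are POSTs
    if xmlsdk_resource_identification:  # needed for both Process* actions
        actions.add("ProcessSOAP" if req.body == "soap" else "ProcessXML")
    return actions

def decide(policies, req, user, xmlsdk_resource_identification=True):
    """Return 'allow', 'deny' or 'no_rule_fired' for an authenticated user."""
    seen = identified_actions(req, xmlsdk_resource_identification)
    fired = [r for p in policies if user in p.users for r in p.rules
             if r.resource == req.resource and r.actions & seen]
    if not fired:
        return "no_rule_fired"
    # A deny access rule overrides every allow access rule that fired.
    return "deny" if any(not r.allow for r in fired) else "allow"

# Constructed sample data: users, resources and policies are invented.
ALL = frozenset({"Post", "ProcessSOAP", "ProcessXML"})
POLICIES = [
    Policy(frozenset({"alice", "bob"}), (Rule("/orders", ALL),)),
    Policy(frozenset({"bob"}), (Rule("/orders", frozenset({"Post"}), allow=False),)),
    Policy(frozenset({"carol"}), (Rule("jms:orders", frozenset({"ProcessSOAP"})),)),
]
```

In this model, setting XMLSDKResourceIdentification to false leaves the HTTP rules firing through Post, while the rule that lists only ProcessSOAP stops firing for JMS requests.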
Copyright © 2011 CA. All rights reserved.