How to Identify a Web Service Resource by Agent, Realm, and Rule

Web Services Security Guides › CA SiteMinder WSS Policy Configuration Guide › Configure Security Policies Using Domain-based Policy Management › How to Identify a Web Service Resource by Agent, Realm, and Rule

How to Identify a Web Service Resource by Agent, Realm, and Rule

The Resource field in a CA SiteMinder WSS rule specifies the resource that is the subject of the rule. The complete resource specification (shown by the Effective Resource field on the Rule dialog box) is a concatenation of the values of the Agent, the Resource Filter of the parent realm (or realms in a nested realm environment), and the Resource field of the rule itself:

[agent] [realm_resource_filter] [rule_resource]

agent: Specifies a SiteMinder WSS Agent that monitors a server or gateway that contains one or more realms of protected web service resources.
realm_resource_filter: Specifies a string that specifies the resources covered by the realm. If the realm is a top-level realm, specify the resources relative to the server that serves up the files or application. If the realm is nested, specify the resources relative to the parent realm.
rule_resource: Specifies a string or regular expression that specifies the resources to which the rule applies. Specify the resources relative to the realm containing the resource. You can use wildcards (for example, "*") to broaden the specification of a rule.

How a SiteMinder WSS Agent for Web Servers Identifies Web Service Resources

By default, the SiteMinder WSS Agent for Web Servers identifies a web service being requested by extracting the binding URL and name of the web service and concatenating them as follows:

[agent] [/web_service_URL] [/web_service_name]

However, the SiteMinder WSS Agent for Web Servers can be configured to perform fine-grain resource identification, in which case it additionally identifies the web service operation being requested:

[agent] [/web_service_URL] [/web_service_name] [/web_service_operation]

How Other SiteMinder WSS Agent Types Identify Web Service Resources

This topic describes how the following SiteMinder WSS Agent types identify web service resources:

SiteMinder WSS Agent for IBM WebSphere
SiteMinder WSS Agent for Oracle WebLogic
SiteMinder Agent for JBoss SiteMinder WSS Agent Security Interceptor

If a request is received over HTTP(S) transport, these SiteMinder WSS Agent types identify the web services being requested by extracting the binding URL, the name of the web service, and the name of the web service operation and concatenating them as follows:

[agent] [/web_service_URL] [/web_service_name] [/web_service_operation]

If a request is received over JMS transport, these SiteMinder WSS Agent types identify the web services being requested by extracting the JMS queue or topic name and the name of the web service operation and concatenating them as follows

[agent] [/queue_or_topic_name] [/web_service_operation]

Resource Identification Policy Examples

Coarse-Grain Resource Identification Over HTTP Example

Say you want to protect a resource with the following properties.

The resource is hosted on an IIS web server on host soap in domain example.com that is protected by a SiteMinder WSS Agent called MySoaAgent.
MyIISSoaAgent is configured to provide coarse-grain resource identification
The resource is accessible over HTTP transport
Web service URL is services/soap2.
Web service name is ExampleSearchService.
ExampleSearchService provides two operations:
- KeywordSearchRequest
- PowerSearchRequest

To protect ExampleSearchService, configure the following:

A realm for ExampleSearchService with Resource Filter value "/services/soap2/ExampleSearchService"
A single rule in the ExampleSearchService realm with Resource value "*"

Fine-Grain Resource Identification Over HTTP Example

Say you want to protect a resource with the following properties.

The resource is hosted on an IBM WebSphere Application Server on host soap in domain example.com that is protected by a SiteMinder WSS Agent called MyWSSoaAgent.
MyWSSoaAgent provides fine-grain resource identification
The resource is accessible over HTTP transport
Web service URL is services/soap2.
Web service name is ExampleSearchService.
ExampleSearchService provides two operations:
- KeywordSearchRequest
- PowerSearchRequest

To protect ExampleSearchService, configure the following:

A realm for ExampleSearchService with Resource Filter value "/services/soap2/ExampleSearchService"
One rule in the ExampleSearchService realm for each operation:
- A rule for the KeywordSearchRequest operation with Resource value "/KeywordSearchRequest"
- A rule for the PowerSearchRequest operation with Resource value "/PowerSearchRequest"

Fine-Grain Resource Identification Over JMS Example

Say you want to protect a resource with the following properties.

The resource is hosted on BEA WebLogic Server on host soap in domain example.com that is protected by a SiteMinder WSS Agent called MyWebLogicSoaAgent.
MyWebLogicSoaAgent provides fine-grain resource identification
The resource is accessible over JMS transport
JMS queue name is ExampleQueue
Web service name is ExampleSearchService.
ExampleSearchService provides two operations:
- KeywordSearchRequest
- PowerSearchRequest

To protect ExampleSearchService, configure the following:

A realm for ExampleSearchService with Resource Filter value "/ExampleQueue"
One rule in the ExampleSearchService realm for each operation:
- A rule for the KeywordSearchRequest operation with Resource value "/KeywordSearchRequest"
- A rule for the PowerSearchRequest operation with Resource value "/PowerSearchRequest"

Unprotected Realms, Rules, and Policies

By default a realm is created in a protected state. In most cases, you should use protected realms instead of changing a realm to an Unprotected state. In a protected realm, all resources are protected against access. To allow access, a rule must be defined, then included in a policy.

When you create a realm in an unprotected state, you must configure rules before CA SiteMinder WSS protects the resources in the realm. If you create a rule for resources in the unprotected realm, only the specified resources are protected. Once the resource is protected, the rule must be added to a policy to allow users to access the resource. You may want to use an unprotected realm if only a subset of the resources in a realm need to be protected from unauthorized access.

The following is an example of the actions required when setting up an Unprotected realm:

Action	Protection State
Create unprotected realm called Realm1 with the Resource Filter: /dir.	Resources contained in /dir and subdirectories are not protected.
Create Rule1 in Realm1 for the resource: getCachedQuote.asp.	The /dir/getCachedQuote.asp resource is protected, but the rest of the contents of /dir are not protected.
Create Policy1 and bind Rule1 and User1 to the Policy.	User1 can access /dir/getCachedQuote.asp. All other users cannot access the protected file.