

How to Identify a Web Service Resource by Agent, Realm, and Rule

The Resource field in a CA SiteMinder® Web Services Security rule specifies the resource that is the subject of the rule. The complete resource specification (shown by the Effective Resource field on the Rule dialog box) is a concatenation of the values of the Agent, the Resource Filter of the parent realm (or realms in a nested realm environment), and the Resource field of the rule itself:

[agent] [realm_resource_filter] [rule_resource]

agent

Specifies a SiteMinder WSS Agent that monitors a server or gateway that contains one or more realms of protected web service resources.

realm_resource_filter

Specifies, as a string, the resources covered by the realm. If the realm is a top-level realm, specify the resources relative to the server that serves up the files or application. If the realm is nested, specify the resources relative to the parent realm.

rule_resource

Specifies, as a string or regular expression, the resources to which the rule applies. Specify the resources relative to the realm that contains them. You can use wildcards (for example, "*") to broaden the specification of a rule.

How a SiteMinder WSS Agent for Web Servers Identifies Web Service Resources

By default, the SiteMinder WSS Agent for Web Servers identifies a web service being requested by extracting the binding URL and name of the web service and concatenating them as follows:

[agent] [/web_service_URL] [/web_service_name]

However, the SiteMinder WSS Agent for Web Servers can be configured to perform fine-grain resource identification, in which case it additionally identifies the web service operation being requested:

[agent] [/web_service_URL] [/web_service_name] [/web_service_operation]

How Other SiteMinder WSS Agent Types Identify Web Service Resources

This topic describes how the following SiteMinder WSS Agent types identify web service resources:

If a request is received over HTTP(S) transport, these SiteMinder WSS Agent types identify the web services being requested by extracting the binding URL, the name of the web service, and the name of the web service operation and concatenating them as follows:

[agent] [/web_service_URL] [/web_service_name] [/web_service_operation]

If a request is received over JMS transport, these SiteMinder WSS Agent types identify the web services being requested by extracting the JMS queue or topic name and the name of the web service operation and concatenating them as follows:

[agent] [/queue_or_topic_name] [/web_service_operation]

Resource Identification Policy Examples

Coarse-Grain Resource Identification Over HTTP Example

Say you want to protect a resource with the following properties.

To protect ExampleSearchService, configure the following:

Fine-Grain Resource Identification Over HTTP Example

Say you want to protect a resource with the following properties.

To protect ExampleSearchService, configure the following:

Fine-Grain Resource Identification Over JMS Example

Say you want to protect a resource with the following properties.

To protect ExampleSearchService, configure the following:

Unprotected Realms, Rules, and Policies

By default a realm is created in a protected state. In most cases, you should use protected realms instead of changing a realm to an Unprotected state. In a protected realm, all resources are protected against access. To allow access, a rule must be defined, then included in a policy.

When you create a realm in an unprotected state, you must configure rules before CA SiteMinder® Web Services Security protects the resources in the realm. If you create a rule for resources in the unprotected realm, only the specified resources are protected. Once the resource is protected, the rule must be added to a policy to allow users to access the resource. You may want to use an unprotected realm if only a subset of the resources in a realm need to be protected from unauthorized access.

The following is an example of the actions required when setting up an Unprotected realm:

Action: Create unprotected realm called Realm1 with the Resource Filter: /dir.
Protection State: Resources contained in /dir and subdirectories are not protected.

Action: Create Rule1 in Realm1 for the resource: getCachedQuote.asp.
Protection State: The /dir/getCachedQuote.asp resource is protected, but the rest of the contents of /dir are not protected.

Action: Create Policy1 and bind Rule1 and User1 to the Policy.
Protection State: User1 can access /dir/getCachedQuote.asp. All other users cannot access the protected file.
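The following Python model is an added illustration, not CA SiteMinder code: it builds the effective resource from agent, nested realm filters and rule resource as described at the top of this topic, derives request resources the way the HTTP(S) and JMS agents do, and walks through the unprotected-realm example above (Realm1, Rule1, Policy1, User1). Joining segments with exactly one "/" and the agent name agent1 are assumptions of the model.

```python
import fnmatch
from collections import namedtuple
from dataclasses import dataclass

def _join(*segments: str) -> str:
    # Exactly one "/" between segments (a normalisation assumed by this model).
    return "/" + "/".join(s.strip("/") for s in segments if s.strip("/"))

@dataclass
class Realm:
    resource_filter: str            # relative to the server, or to the parent realm when nested
    protected: bool = True          # realms are created in the protected state by default
    parent: "Realm | None" = None

    def effective_filter(self) -> str:
        # Filters of all enclosing realms, outermost first.
        return _join(self.parent.effective_filter() if self.parent else "", self.resource_filter)

@dataclass
class Rule:
    realm: Realm
    resource: str                   # relative to the realm; "*" broadens the match

Policy = namedtuple("Policy", "rules users")   # a policy binds rules to the users it grants

def effective_resource(agent: str, rule: Rule) -> str:
    # The Effective Resource field: agent + realm filter(s) + rule resource.
    return agent + _join(rule.realm.effective_filter(), rule.resource)

def http_request_resource(agent, url, name, operation=None):
    # HTTP(S) transport: the operation is appended only under fine-grain identification.
    return agent + _join(url, name, *([operation] if operation else []))

def jms_request_resource(agent, queue_or_topic, operation):
    # JMS transport: queue or topic name plus operation.
    return agent + _join(queue_or_topic, operation)

def rule_matches(rule: Rule, agent: str, requested: str) -> bool:
    return fnmatch.fnmatchcase(requested, effective_resource(agent, rule))

def evaluate(agent, requested, user, realms, rules, policies):
    """Return 'unprotected', 'allowed' or 'denied': realms and rules protect, policies grant."""
    prefixes = [agent + r.effective_filter() for r in realms if r.protected]
    protected = any(requested == p or requested.startswith(p + "/") for p in prefixes) \
        or any(rule_matches(r, agent, requested) for r in rules)
    if not protected:
        return "unprotected"
    granted = any(user in p.users and rule_matches(r, agent, requested) for p in policies for r in p.rules)
    return "allowed" if granted else "denied"
```

Calling evaluate() with Realm1 alone, then with Rule1 added, then with Policy1 added reproduces the three Protection State rows above (unprotected, denied for everyone, allowed for User1 only).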