
Enabling Security

In document Oracle Fusion Middleware (Page 129-134)

12 Using the HTTP Publish-Subscribe Server

12.5 Enabling Security

The pub-sub server offers the following security features:

Section 12.5.1, "Use Pub-Sub Constraints"

Section 12.5.2, "Map Roles to Principals"

Section 12.5.3, "Configure SSL for Pub-Sub Communication"

Section 12.5.4, "Additional Security Considerations"

The use of these features is described in the sections that follow.

12.5.1 Use Pub-Sub Constraints

The pub-sub server provides the capability to secure a channel via a combination of two mechanisms: a channel constraint and an authorization constraint.

Conceptually, a channel constraint is a container that includes a collection of resources to be protected and, optionally, authorization constraints on the specific resources in the resource collection. The authorization constraints represent WebLogic Server roles and policies, and answer the question "Who can perform a given operation on the resources in the collection?"

You specify the pub-sub constraints in a configuration file, weblogic-pub-sub.xml.

The pub-sub server uses the channel constraint and any authorization constraints in the weblogic-pub-sub.xml configuration file to set up roles and policies on the channels.

Consider the example shown in Example 12–1. Significant sections are shown in bold.

Example 12–1 Pub/Sub Constraints

<wlps:channel-constraint>
  <wlps:channel-resource-collection>
    <wlps:channel-resource-name>publish</wlps:channel-resource-name>
    <wlps:description>publish channel constraint</wlps:description>
    <wlps:channel-pattern>/stock/**</wlps:channel-pattern>
    <wlps:channel-pattern>/management/publisher</wlps:channel-pattern>
    <wlps:channel-operation>publish</wlps:channel-operation>
  </wlps:channel-resource-collection>
  <wlps:auth-constraint>
    <wlps:description>publisher</wlps:description>
    <wlps:role-name>publisher</wlps:role-name>
  </wlps:auth-constraint>
</wlps:channel-constraint>

In this example, the operation publish for the /stock/** and /management/publisher channels is available only to users with the WebLogic Server role publisher.

12.5.1.1 Specify Access to Channel Operations

Four types of actions (operations) are allowed on channels:

create

delete

subscribe

publish

By default (with no channel constraints defined), subscribe operations are open for all users on all channels.

Similarly, create, delete, and publish operations are restricted for all users on all channels by default. Create, delete, and publish operations are allowed only if explicitly configured in channel constraints.

You use a combination of <wlps:channel-operation> and <wlps:auth-constraint> to specify access to a channel operation for a given role.

For example, in Example 12–2, the publish operation is permitted for authenticated subjects with the publisher role, and denied to all other roles.

Example 12–2 Publisher Role Constraint

<wlps:channel-constraint>
  <wlps:channel-resource-collection>
    <wlps:channel-resource-name>publish</wlps:channel-resource-name>
    <wlps:description>publish channel constraint</wlps:description>
    <wlps:channel-pattern>/stock/**</wlps:channel-pattern>
    <wlps:channel-pattern>/management/publisher</wlps:channel-pattern>
    <wlps:channel-operation>publish</wlps:channel-operation>
  </wlps:channel-resource-collection>
  <wlps:auth-constraint>
    <wlps:description>publisher</wlps:description>
    <wlps:role-name>publisher</wlps:role-name>
  </wlps:auth-constraint>
</wlps:channel-constraint>

12.5.1.2 Restricting Access to All Channel Operations

The presence of an empty authorization constraint (<wlps:auth-constraint> </wlps:auth-constraint>) means that all access is prohibited for the specified channel operations, or all channel operations if <wlps:channel-operation> is not specified.

Therefore, to restrict all channel operations for the channel for all users, set up your weblogic-pub-sub.xml configuration file with an empty <wlps:auth-constraint> element, as follows:

<wlps:channel-constraint>
  <wlps:channel-resource-collection>
    <wlps:description>Restrict All Access</wlps:description>
    <wlps:channel-pattern>/**</wlps:channel-pattern>
  </wlps:channel-resource-collection>
  <wlps:auth-constraint> </wlps:auth-constraint>
</wlps:channel-constraint>

12.5.1.3 Opening Access to All Channel Operations

The absence of an authorization constraint within a channel constraint means that access is not limited for the specified channel operations, or all channel operations if <wlps:channel-operation> is not specified.

(In contrast, the presence of an empty authorization constraint (<wlps:auth-constraint> </wlps:auth-constraint>) means that all access is prohibited for the specified channel operations, or all channel operations for that channel if <wlps:channel-operation> is not specified.)

Therefore, to open up all channel operations for the channel for all users, set up your weblogic-pub-sub.xml configuration file without <wlps:channel-operation> or <wlps:auth-constraint> elements, as follows:

<wlps:channel-constraint>
  <wlps:channel-resource-collection>
    <wlps:description>All Access</wlps:description>
    <wlps:channel-pattern>/**</wlps:channel-pattern>
  </wlps:channel-resource-collection>
  <!-- Not defining an auth-constraint will open up access to everyone -->
</wlps:channel-constraint>

12.5.1.4 Updating a Constraint Requires Redeploy of Web Application

Constraints cannot be updated dynamically. You must redeploy the Web application for new settings to take effect.
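The rules in Sections 12.5.1.1 through 12.5.1.3, applied to a configuration file, as an added example that is not part of the Oracle documentation: it reports who may perform each operation under each channel constraint and which operations are left to the defaults. The sample input is constructed, and its root element name and namespace URI are placeholders.

```python
import xml.etree.ElementTree as ET

ALL_OPS = ("create", "delete", "subscribe", "publish")
# Constructed sample input; root element name and namespace URI are placeholders.
ONE = """<wlps:channel-constraint><wlps:channel-resource-collection>
  <wlps:channel-pattern>{}</wlps:channel-pattern>
  <wlps:channel-operation>{}</wlps:channel-operation>
 </wlps:channel-resource-collection>{}</wlps:channel-constraint>"""
ROLE = "<wlps:auth-constraint><wlps:role-name>publisher</wlps:role-name></wlps:auth-constraint>"
EMPTY = "<wlps:auth-constraint> </wlps:auth-constraint>"
SAMPLE = ('<wlps:pubsub xmlns:wlps="urn:example:placeholder">'
          + ONE.format("/stock/**", "publish", ROLE)
          + ONE.format("/management/publisher", "delete", EMPTY)
          + ONE.format("/chat/**", "create", "")  # no auth-constraint element
          + "</wlps:pubsub>")

def texts(elem, path):  # "{*}" in a path matches any namespace (Python 3.8+)
    return [(e.text or "").strip() for e in elem.findall(path)]

def classify(constraint):
    """Return (patterns, operations, verdict) for one channel-constraint."""
    coll = "{*}channel-resource-collection/{*}"
    roles = texts(constraint, "{*}auth-constraint/{*}role-name")
    if constraint.find("{*}auth-constraint") is None:
        verdict = "OPEN to all users"      # 12.5.1.3: no auth-constraint
    elif not roles:
        verdict = "DENIED to all users"    # 12.5.1.2: empty auth-constraint
    else:
        verdict = "roles: " + ", ".join(roles)
    # An omitted channel-operation means the constraint covers all operations.
    ops = texts(constraint, coll + "channel-operation") or list(ALL_OPS)
    return texts(constraint, coll + "channel-pattern"), ops, verdict

def audit(xml_text):
    """List (pattern, operation, verdict) rows, then the 12.5.1.1 defaults."""
    findings, seen = [], set()
    for c in ET.fromstring(xml_text).findall(".//{*}channel-constraint"):
        patterns, ops, verdict = classify(c)
        seen.update(ops)
        findings += [(p, op, verdict) for p in patterns for op in ops]
    for op in (o for o in ALL_OPS if o not in seen):
        default = "OPEN by default" if op == "subscribe" else "DENIED by default"
        findings.append(("(no constraint)", op, default))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A channel that matches none of the listed patterns also falls back to the defaults, so the rows to review before deployment are the OPEN ones and any subscribe row left at its default.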

12.5.2 Map Roles to Principals

The primary pub-sub security mechanism is authorization. As previously described, the pub-sub server uses a combination of <wlps:channel-operation> and <wlps:auth-constraint> elements to set up roles and policies on the channels.

Each Bayeux packet corresponds to one Bayeux request. One HTTP request can translate to one or more Bayeux requests. WebLogic Server (the servlet container) performs authorization checks for the HTTP request, and the pub-sub server performs one authorization check for each Bayeux request.

To set up the pub-sub authorization, you must map the role names, which you specify as <wlps:role-name>some-role-name</wlps:role-name> in your weblogic-pub-sub.xml file, to principal names using the security-role-assignment element configured in your weblogic.xml file.

Note: The pub-sub server does not directly perform authentication. Rather, the pub-sub server runs on top of WebLogic Server (the servlet container) and leverages the WebLogic authentication services. Specifically, the pub-sub server uses the currently-authenticated user (or anonymous) for requests originating from a given client.

As described in security-role-assignment, the security-role-assignment element declares a mapping between a security role and one or more principals in the WebLogic Server security realm.

Note: The absence of such a mapping in the weblogic.xml file will cause the role to be used implicitly; this generates a warning.

Example 12–3 shows how to use the security-role-assignment element to assign principals to the publisher role.

Example 12–3 security-role-assignment Element

<weblogic-web-app>
  <security-role-assignment>
    <role-name>publisher</role-name>
    <principal-name>Tanya</principal-name>
    <principal-name>Fred</principal-name>
    <principal-name>system</principal-name>
  </security-role-assignment>
</weblogic-web-app>

12.5.3 Configure SSL for Pub-Sub Communication

By default, all pub-sub communication is via HTTP. However, you can configure the pub-sub server to require SSL by modifying the web.xml file. Requiring SSL ensures that all communication between the pub-sub server and the Web 2.0 clients happens over SSL.

WebLogic Server establishes an SSL connection when the user is authenticated using the INTEGRAL or CONFIDENTIAL transport guarantee, as specified in the web.xml file. In Example 12–4, the transport guarantee is set to INTEGRAL.

Example 12–4 Requiring SSL Via web.xml

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Success</web-resource-name>
    <url-pattern>/cometd/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>INTEGRAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

12.5.4 Additional Security Considerations

This section describes the following additional pub-sub security considerations:

Section 12.5.4.1, "Use AuthCookieEnabled to Access Resources"

Section 12.5.4.2, "Locking Down the Pub-Sub Server"

12.5.4.1 Use AuthCookieEnabled to Access Resources

WebLogic Server allows a user to securely access HTTPS resources in a session that was initiated using HTTP, without loss of session data. To enable this feature, add AuthCookieEnabled="true" to the WebServer element in config.xml:

<WebServer Name="myserver" AuthCookieEnabled="true"/>

Setting AuthCookieEnabled to true, which is the default setting, causes the WebLogic Server instance to send a new secure cookie, _WL_AUTHCOOKIE_JSESSIONID, to the browser when authenticating via an HTTPS connection. Once the secure cookie is set, the session is allowed to access other security-constrained HTTPS resources only if the cookie is sent from the browser.

Note: This feature will work even when cookies are disabled because WebLogic Server will use URL rewriting over secure connections to rewrite secure URLs in order to encode the authCookieID in the URL along with the JSESSIONID.

12.5.4.2 Locking Down the Pub-Sub Server

This section describes how to lock down the pub-sub server to prevent unauthorized access. The steps described here offer additional security at the cost of reduced access. It is up to you to decide which level of security is appropriate for your environment.

To lock down the pub-sub server, perform the following steps:

1. Configure SSL for pub-sub communication, as described in Section 12.5.3, "Configure SSL for Pub-Sub Communication".

2. Require authentication (BASIC, FORM, and so forth).

WebLogic Server sets the required authentication method for the Web application in the web.xml file.

In the following example, HTTP BASIC authentication is required:

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>default</realm-name>
</login-config>

3. Ensure auth-cookie is enabled for the WebApps, as described in Section 12.5.4.1, "Use AuthCookieEnabled to Access Resources".

4. Ensure that all the channels are constrained in the weblogic-pubsub.xml file.

5. Lock subscribe operations, which are allowed by default.

<wlps:channel-constraint>
  <wlps:channel-resource-collection>
    <wlps:channel-resource-name>publish</wlps:channel-resource-name>
    <wlps:description>publish channel constraint</wlps:description>
    <wlps:channel-pattern>/stock/*</wlps:channel-pattern>
    <wlps:channel-pattern>/management/publisher</wlps:channel-pattern>
    <wlps:channel-operation>publish</wlps:channel-operation>
  </wlps:channel-resource-collection>
  <wlps:auth-constraint>
    <wlps:description>publisher</wlps:description>
    <wlps:role-name>publisher</wlps:role-name>
  </wlps:auth-constraint>
</wlps:channel-constraint>

<wlps:channel-constraint>
  <wlps:channel-resource-collection>
    <wlps:channel-resource-name>subscribe</wlps:channel-resource-name>
    <wlps:description>subscribe channel constraint</wlps:description>
    <wlps:channel-pattern>/stock/*</wlps:channel-pattern>
    <wlps:channel-operation>subscribe</wlps:channel-operation>
  </wlps:channel-resource-collection>
  <wlps:auth-constraint>
    <wlps:description>subscriber</wlps:description>
    <wlps:role-name>subscriber</wlps:role-name>
  </wlps:auth-constraint>
</wlps:channel-constraint>
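A pre-deployment check for lock-down steps 1 and 2 and for the role mapping of Section 12.5.2, as an added example that is not part of the Oracle documentation. The three descriptors are constructed, the wlps namespace URI and root element name are placeholders, and the SSL check assumes the pub-sub servlet is protected under exactly the /cometd/* URL pattern used in Example 12–4.

```python
import xml.etree.ElementTree as ET

# Constructed descriptors (not from the page); the wlps namespace URI is a placeholder.
WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection><url-pattern>/cometd/*</url-pattern></web-resource-collection>
  <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
 </security-constraint>
</web-app>"""
WEBLOGIC_XML = """<weblogic-web-app>
 <security-role-assignment>
  <role-name>publisher</role-name><principal-name>Tanya</principal-name>
 </security-role-assignment>
</weblogic-web-app>"""
PUBSUB_XML = """<wlps:pubsub xmlns:wlps="urn:example:placeholder">
 <wlps:channel-constraint>
  <wlps:auth-constraint><wlps:role-name>publisher</wlps:role-name></wlps:auth-constraint>
 </wlps:channel-constraint>
 <wlps:channel-constraint>
  <wlps:auth-constraint><wlps:role-name>subscriber</wlps:role-name></wlps:auth-constraint>
 </wlps:channel-constraint>
</wlps:pubsub>"""

def texts(elem, path):  # "{*}" in a path matches any namespace (Python 3.8+)
    return [(e.text or "").strip() for e in elem.findall(path)]

def lockdown_findings(web_xml, weblogic_xml, pubsub_xml, url="/cometd/*"):
    """Check lock-down steps 1 and 2 plus the role mapping of Section 12.5.2."""
    web, findings = ET.fromstring(web_xml), []
    ssl = any(url in texts(sc, ".//{*}url-pattern") and
              {"INTEGRAL", "CONFIDENTIAL"} & set(texts(sc, ".//{*}transport-guarantee"))
              for sc in web.findall(".//{*}security-constraint"))
    if not ssl:
        findings.append(f"step 1: {url} has no INTEGRAL/CONFIDENTIAL transport-guarantee")
    if not any(texts(web, ".//{*}login-config/{*}auth-method")):
        findings.append("step 2: no login-config auth-method")
    mapped = set(texts(ET.fromstring(weblogic_xml),
                       ".//{*}security-role-assignment/{*}role-name"))
    used = set(texts(ET.fromstring(pubsub_xml), ".//{*}auth-constraint/{*}role-name"))
    for role in sorted(used - mapped):
        findings.append(f"role {role}: no security-role-assignment, used implicitly")
    return findings

if __name__ == "__main__":
    print(*lockdown_findings(WEB_XML, WEBLOGIC_XML, PUBSUB_XML), sep="\n")
```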
