10.20. Further HTTP Gateway Security
To force an end-point to use a log-in, utilise the <protected-methods> and <allowed-roles> sections of a <http-bus> configuration file:
<http-bus busid="secureSalesDeletes"> <allowed-roles> <role name="friend" /> </allowed-roles> <protected-methods> <method name="DELETE" /> </protected-methods> </http-bus>
The above configuration stipulates that a valid "friend" log-in is required for delete requests made on the "secureSalesDeletes" bus.
The following log-in matrix tries to illustrate which configurations will enforce a log-in, and when.
| Methods Specified | Roles Specified | Log-in Required |
|---|---|---|
| No |
No
| No |
| No |
Yes
| For All Methods |
| Yes |
Yes
| For Specified Methods Only |
| Yes |
No
| No. Specified methods blocked to all. |
Configure the authentication method and security domain from within the <war-security> configuration's <globals> element:
<http-provider name="http"> <http-bus busid="secureFriends"> <allowed-roles> <role name="friend" /> </allowed-roles> <protected-methods> <method name="DELETE" /> </protected-methods> </http-bus> <auth method="BASIC" domain="java:/jaas/JBossWS" /> </http-provider>
The method attribute can be one of "BASIC" (default), "CLIENT-CERT" or "DIGEST".
You can configure the HTTP Transport Guarantee on a per http-bus basis by specifying it on the bus using the "transportGuarantee" attribute.
<http-bus busid="secureFriends" transportGuarantee="CONFIDENTIAL"> <!-- etc etc --> </http-bus>
The valid values for transportGuarantee are "CONFIDENTIAL", "INTEGRAL" and "NONE".
