6 Replies Latest reply on Apr 3, 2008 3:48 PM by marklittle

    About authentication / authorization on ESB services?

      Can anyone tell me how to authenticate and authorize the user when using the sendESBMessage class - ServiceInvoker? I didn't find any document on it.

      The programmer document says that "The message context contains session related information, such as transaction or security". Does it mean the developer needs to do programmatic authentication and authorization from the information on Message context?


      Thanks for your help.

        • 1. Re: About authentication / authorization on ESB services?
          marklittle

          Yes, it does at this time. However, we are actively working on adding such support for the next major release.

          • 2. Re: About authentication / authorization on ESB services?

            Thanks for your quick reply.

            In most of the quick start samples, there are two client programs: one is sendJMSMessage, one is sendESBMessage. Can you please let me know the justification for using these two, e.g. in which case the client should use sendJMSMessage or sendESBMessage? I find there is a sample jms_secured, and I am wondering if I can use this to pass user credentials instead of programming authentication in my action class (if it's sendESBMessage).



            Thanks for your help.

            • 3. Re: About authentication / authorization on ESB services?
              marklittle

              Which source are you referring to?

              • 4. Re: About authentication / authorization on ESB services?
                kconner

                 

                "lihui_pang" wrote:
                Can you please let me know the justification on using these two, e.g. in which case the client should use sendJMSMessage, or sendESBMessage?


                SendESBMessage sends an ESB-aware message into the bus; it demonstrates how an ESB message can be propagated.

                SendJMSMessage sends a native message (i.e. external to the ESB) onto the bus via the gateways.

                "lihui_pang" wrote:
                I find there is sample jms_secured, wondering if I can use this to pass user credential instead of programming authentication in my action class (if it's sendESBMessage).

                This demonstrates how to access a secured JMS destination; the credentials will not be propagated from that point.

                This functionality will be in the next major release of the ESB project and will be core to the bus. Unfortunately, until that point, the security aspect is in the hands of the service writer.


                • 5. Re: About authentication / authorization on ESB services?

                  So, from a design point of view, the external client should not call sendESBMessage directly (-- should not expose the service to the client). It should use sendJMSMessage. Is that correct?


                  Another question: as SOA runs on top of the JBoss AS 4.2 platform, is there a way to use the standard container HTTP authentication? If so, how to design it?

                  Thanks for help.

                  • 6. Re: About authentication / authorization on ESB services?
                    marklittle

                     

                    "lihui_pang" wrote:
                    So, from design point of view, the external client should not call sendESBMessage directly (-- should not expose the service to the client). It should use sendJMSMessage. Is that correct?


                    That depends. You can have ESB-aware clients as well as ESB-aware services. Then you can have ESB-unaware clients and ESB-unaware services. The cross-product of possible interactions is supported by the ESB.