Using the HTTP Publish-Subscribe Server 12-17
    <wlps:channel-pattern></wlps:channel-pattern>
  </wlps:channel-resource-collection>
  <wlps:auth-constraint></wlps:auth-constraint>
</wlps:channel-constraint>
12.5.1.3 Opening Access to All Channel Operations
The absence of an authorization constraint within a channel constraint means that access is not limited for the specified channel operations, or for all channel operations if <wlps:channel-operation> is not specified.
In contrast, the presence of an empty authorization constraint (<wlps:auth-constraint></wlps:auth-constraint>) means that all access is prohibited for the specified channel operations, or for all channel operations on that channel if <wlps:channel-operation> is not specified.
Therefore, to open up all channel operations on the channel for all users, set up your weblogic-pub-sub.xml configuration file without <wlps:channel-operation> or <wlps:auth-constraint> elements, as follows:
<wlps:channel-constraint>
  <wlps:channel-resource-collection>
    <wlps:description>All Access</wlps:description>
    <wlps:channel-pattern></wlps:channel-pattern>
  </wlps:channel-resource-collection>
  <!-- Not defining an auth-constraint will open up access to everyone -->
</wlps:channel-constraint>
12.5.1.4 Updating a Constraint Requires Redeploy of Web Application
Constraints cannot be updated dynamically. You must redeploy the Web application for new settings to take effect.
12.5.2 Map Roles to Principals
The primary pub-sub security mechanism is authorization. As previously described, the pub-sub server uses a combination of <wlps:channel-operation> and <wlps:auth-constraint> elements to set up roles and policies on the channels. Each Bayeux packet corresponds to one Bayeux request, and one HTTP request can translate to one or more Bayeux requests. WebLogic Server (the servlet container) performs authorization checks for the HTTP request, and the pub-sub server performs one authorization check for each Bayeux request.
To set up pub-sub authorization, you must map the role names, which you specify as <wlps:role-name>some-role-name</wlps:role-name> in your weblogic-pub-sub.xml file, to principal names using the security-role-assignment element configured in your weblogic.xml file.
Note: The pub-sub server does not directly perform authentication. Rather, the pub-sub server runs on top of WebLogic Server (the servlet container) and leverages the WebLogic authentication services. Specifically, the pub-sub server uses the currently authenticated user, or anonymous, for requests originating from a given client.
12-18 Developing Web Applications, Servlets, and JSPs for Oracle WebLogic Server
As described in security-role-assignment, the security-role-assignment element declares a mapping between a security role and one or more principals in the WebLogic Server security realm.
Example 12–3 shows how to use the security-role-assignment element to assign principals to the publisher role.
Example 12–3 security-role-assignment Element
<weblogic-web-app>
  <security-role-assignment>
    <role-name>publisher</role-name>
    <principal-name>Tanya</principal-name>
    <principal-name>Fred</principal-name>
    <principal-name>system</principal-name>
  </security-role-assignment>
</weblogic-web-app>
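An added example, not from the Oracle documentation: a small Python audit that reads a constructed weblogic-pub-sub.xml and weblogic.xml pair and applies the rules from Sections 12.5.1.3 and 12.5.2, namely that a missing <wlps:auth-constraint> leaves the channel operations open to everyone, an empty one closes them to everyone, and every role named in a constraint should have a security-role-assignment mapping to at least one principal. The wlps namespace URI, the root element, the channel patterns and the operation name are constructed placeholders, not values from the WebLogic schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs; the wlps namespace URI, root element, channel
# patterns and operation name are placeholders, not the real WebLogic schema.
NS = {"wlps": "urn:example:wlps"}
PUB_SUB_XML = """<root xmlns:wlps="urn:example:wlps">
 <wlps:channel-constraint><wlps:channel-resource-collection>
  <wlps:channel-pattern>/open/**</wlps:channel-pattern>
 </wlps:channel-resource-collection></wlps:channel-constraint>
 <wlps:channel-constraint><wlps:channel-resource-collection>
  <wlps:channel-pattern>/locked/**</wlps:channel-pattern>
 </wlps:channel-resource-collection><wlps:auth-constraint/></wlps:channel-constraint>
 <wlps:channel-constraint><wlps:channel-resource-collection>
  <wlps:channel-pattern>/news/**</wlps:channel-pattern>
  <wlps:channel-operation>publish</wlps:channel-operation>
 </wlps:channel-resource-collection><wlps:auth-constraint>
  <wlps:role-name>publisher</wlps:role-name><wlps:role-name>editor</wlps:role-name>
 </wlps:auth-constraint></wlps:channel-constraint>
</root>"""
WEBLOGIC_XML = """<weblogic-web-app>
 <security-role-assignment><role-name>publisher</role-name>
  <principal-name>Tanya</principal-name></security-role-assignment>
</weblogic-web-app>"""

def mapped_roles(weblogic_xml):
    """Roles that weblogic.xml maps to at least one principal."""
    root = ET.fromstring(weblogic_xml)
    return {a.findtext("role-name") for a in root.iter("security-role-assignment")
            if a.find("principal-name") is not None}

def audit_channels(pub_sub_xml, weblogic_xml):
    """Classify each channel constraint as the pub-sub server reads it and
    flag constraint roles that weblogic.xml never maps to a principal."""
    roles = mapped_roles(weblogic_xml)
    report = []
    for cc in ET.fromstring(pub_sub_xml).findall("wlps:channel-constraint", NS):
        coll = cc.find("wlps:channel-resource-collection", NS)
        pattern = coll.findtext("wlps:channel-pattern", namespaces=NS)
        # No channel-operation means the constraint covers every operation.
        ops = [o.text for o in coll.findall("wlps:channel-operation", NS)] or ["all"]
        auth = cc.find("wlps:auth-constraint", NS)
        if auth is None:          # absent constraint: open to everyone
            verdict, unmapped = "OPEN", []
        else:                     # empty constraint: closed to everyone
            names = [r.text for r in auth.findall("wlps:role-name", NS)]
            verdict = "RESTRICTED" if names else "CLOSED"
            unmapped = [r for r in names if r not in roles]
        report.append({"pattern": pattern, "ops": ops, "verdict": verdict,
                       "unmapped_roles": unmapped})
    return report
```

Running `audit_channels(PUB_SUB_XML, WEBLOGIC_XML)` reports /open/** as OPEN, /locked/** as CLOSED, and /news/** publish as RESTRICTED with editor flagged because weblogic.xml maps only publisher.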
12.5.3 Configure SSL for Pub-Sub Communication
By default, all pub-sub communication is via HTTP. However, you can configure the pub-sub server to require SSL by modifying the web.xml file. Requiring SSL ensures that all communication between the pub-sub server and the Web 2.0 clients happens over SSL.
WebLogic Server establishes an SSL connection when the user is authenticated using the INTEGRAL or CONFIDENTIAL transport guarantee, as specified in the web.xml file. In Example 12–4, the transport guarantee is set to INTEGRAL.
Example 12–4 Requiring SSL Via web.xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Success</web-resource-name>
    <url-pattern>cometd</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>INTEGRAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
12.5.4 Additional Security Considerations