Overview

Web services provide a layer of abstraction between the back-end business logic they invoke and the user or application that runs the Web service. This makes application integration easy, but it raises the concern of controlling who may use and execute the critical and sensitive business logic that can be run as a Web service.

iWay Business Services Provider (iBSP) controls the use of Web services that use iWay adapters through a feature called policy-based security. This feature allows an administrator to apply “policies” to iWay Business Services (Web services) to restrict or allow their execution. A policy is a set of privileges governing the execution of an iWay Business Service (iBS), and it can be applied to an existing or new iBS. By setting specific rights or privileges inside a policy, you do not have to recreate them for every iBS that has common security concerns. Instead, you reuse one policy on multiple iBSs. The goal of the feature is to secure requests transmitted on the wire at both the transport level and the SOAP request level. Some of the policies do not deal with security issues directly, but they do affect the run-time behavior of the Web services to which they have been applied.

There are specific policy types available, each controlling a different execution concern. The iBS administrator creates an “instance” of a policy type, names it, associates individual users and/or groups (a group is a collection of users) with it, and then applies that policy to one or more iWay Business Services. Multiple policies can be applied to an iBS. You can assign a policy to an iBS or to a method within an iBS. If a policy is applied only to a method, the other methods in that iBS are not governed by it. Likewise, if a policy is applied to the iBS, all of its methods are governed by it. At run time, the user ID and password sent to iBSP in the SOAP request message are checked against the list of users for all policies applied to that specific iBS.

The default behavior for an iBS to which no policy is applied is “grant all”. Using the Resource Execution policy as an example, this means that anybody can execute the iBS until the policy is associated with it. From that point on, only those who have been granted execution permissions, or users who are not part of a group that has been denied execution permissions, have access to the iBS.
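The evaluation rules above (credentials checked first, every applied policy consulted, service-level and method-level scope, and “grant all” when no policy is applied) as an added illustrative model; this is not iBSP's code, and the user directory, policy names and service name are constructed for the example.

```python
"""Model of the policy-based security rules described above (illustrative, not iBSP's own code)."""
import hmac
from dataclasses import dataclass, field

# Constructed user directory: user ID -> (password, set of group names).
# Passwords are stored in clear text only to keep the model short.
DIRECTORY = {
    "alice": ("alice-pw", {"finance"}),
    "bob": ("bob-pw", {"contractors"}),
    "carol": ("carol-pw", set()),
}

@dataclass(frozen=True)
class ExecutionPolicy:
    """A Resource Execution policy instance: grants to, or denies, its members."""
    name: str
    effect: str                      # "grant" (members only) or "deny" (everyone but members)
    users: frozenset = frozenset()   # individual user IDs associated with the policy
    groups: frozenset = frozenset()  # group names associated with the policy

    def is_member(self, user, groups):
        return user in self.users or bool(groups & self.groups)

    def permits(self, user, groups):
        member = self.is_member(user, groups)
        return member if self.effect == "grant" else not member

@dataclass
class BusinessService:
    """An iBS with policies applied to the whole service and/or to single methods."""
    name: str
    service_policies: list = field(default_factory=list)
    method_policies: dict = field(default_factory=dict)  # method name -> [policies]

    def policies_for(self, method):
        return self.service_policies + self.method_policies.get(method, [])

def authorize(ibs, method, user, password):
    """Return True when the SOAP caller may execute `method` on `ibs`."""
    entry = DIRECTORY.get(user)
    if entry is None or not hmac.compare_digest(entry[0], password):
        return False  # unknown user or bad password: fail closed
    groups = entry[1]
    # No policy applied -> default "grant all"; otherwise every policy must permit.
    return all(p.permits(user, groups) for p in ibs.policies_for(method))

def build_payroll_service():
    """Constructed sample: finance group may use the service, alice may not delete."""
    finance_only = ExecutionPolicy("FinanceOnly", "grant", groups=frozenset({"finance"}))
    no_delete_alice = ExecutionPolicy("NoDeleteAlice", "deny", users=frozenset({"alice"}))
    return BusinessService("Payroll", [finance_only], {"deleteRecord": [no_delete_alice]})
```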


iWay Software