52n Security WSC.Web
Facade Types
The WSC.Web provides two different kinds of facades: transient facades and persistent facades.
Transient facades...
- are facades that will expire after a certain time.
- can be created interactively by just opening the page for immediate facade creation, or by calling a web API operation (for applications tightly coupled with the WSC.Web).
- can be deleted by means of the administration interface
Persistent facades...
- never expire but are active as long as they are not deleted
- can be created and deleted using the administration interface
User Interfaces
The WSC.Web application provides two different user interfaces to create and manage facades.
Immediate facade creation
This interface is intended to be used by public clients that wish to create a facade on demand. By opening http://HOST:PORT/WEBAPPNAME you get a web page to immediately create a transient facade. You have to enter the following information:
- facade name
- the URL of the Web Security Service (WSS) that protects the desired service
- a valid username/password combination known to the Web Authentication Service (WAS) that the WSS accepts
- optionally, IP filtering: the IP address of the single host that is allowed to call the facade
The WSC.Web application then creates a new facade that is valid for the next 15 minutes (by default; the value can be configured globally). Every interaction with the facade delays its expiration by the same amount of time. The specific facade URL is shown on the next page. Just copy the URL and use it as you would any other URL of an unprotected service.
Facade administration
The facade administration interface is not intended to be used by public clients but by system administrators and service providers. It allows you to
- display all existing facades (transient and persistent)
- create persistent facades
- delete facades (transient and persistent)
The management interface is available at http://HOST:PORT/WEBAPPNAME/admin/Admin.do and is protected by a username/password prompt. Enter the username and password of a Tomcat user that has the manager role. Tomcat users are usually defined in the TOMCAT_HOME/conf/tomcat-users.xml file. After a successful login you get a table showing all existing facades together with some information about them. The "Expires" column shows whether a facade is transient (showing the expiration date) or persistent (just showing a dash "-").
To create a facade, just click on "Create facade" and enter the values as described for the immediate facade creation. If you are prompted to select an authentication method, always select "Type: authn:WASType..." to authenticate at the corresponding WAS. This selection provides for future support of multiple WAS and of authentication methods other than username/password. All facades created by means of the facade administration interface are persistent.
To delete a facade, click "delete" in the last column of the facade information table and confirm the deletion.
General Information
- Facade storage
  - Facades, either transient or persistent, are stored in a file to ensure that they are not lost if Tomcat is shut down. The location of the file can be configured. Direct modification of the file is possible but not recommended. Modifications take effect as soon as the web application is restarted or another facade is added/deleted via the web GUI.
- Expiration
  - Facade expiration is delayed by the pre-configured amount of time as soon as the facade is used (called).
- Security aspects
  - Facade URLs are security sensitive. Every person who knows a certain facade URL can access the service under the name of the person who was authenticated when the facade was created. To prevent others from accessing the service you can take the following countermeasures:
    - enable IP filtering
    - select hard-to-guess facade names (like the automatically created UUIDs which serve as default values)
    - restrict general WSC.Web application access, e.g. to the intranet
    - enable HTTPS communication with the WSC.Web application, but be aware that the client application has to support HTTPS, too.
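The following added example (not code from the WSC.Web project) models the facade lifecycle described above and in the expiration and security notes: a transient facade expires 15 minutes after its last use and each call slides that window, a persistent facade never expires, the default name is a random UUID, and an optional IP filter admits a single calling host. The in-memory store, the class and function names and the fixed demo clock T0 are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import uuid

DEFAULT_TTL = timedelta(minutes=15)  # page default; configurable globally
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed demo clock origin (assumption)

def at(minutes: int) -> datetime:
    """Demo clock: T0 plus the given number of minutes."""
    return T0 + timedelta(minutes=minutes)

@dataclass
class Facade:
    name: str                           # default is a hard-to-guess UUID
    wss_url: str                        # WSS protecting the real service
    principal: str                      # user authenticated at the WAS on creation
    allowed_ip: Optional[str] = None    # IP filter: only this host may call
    expires: Optional[datetime] = None  # None = persistent (shown as "-")

class FacadeStore:
    def __init__(self, ttl: timedelta = DEFAULT_TTL):
        self.ttl = ttl
        self.facades: dict[str, Facade] = {}  # stand-in for the facade file

    def create(self, wss_url: str, principal: str, *, persistent: bool = False,
               allowed_ip: Optional[str] = None, name: Optional[str] = None,
               now: Optional[datetime] = None) -> Facade:
        now = now or datetime.now(timezone.utc)
        f = Facade(name or str(uuid.uuid4()), wss_url, principal, allowed_ip,
                   None if persistent else now + self.ttl)
        self.facades[f.name] = f
        return f

    def call(self, name: str, client_ip: str,
             now: Optional[datetime] = None) -> Optional[str]:
        """Principal a call is forwarded as, or None if unknown, expired or IP-rejected."""
        now = now or datetime.now(timezone.utc)
        f = self.facades.get(name)
        if f is None:
            return None
        if f.expires is not None and now >= f.expires:
            del self.facades[name]      # transient facade has expired
            return None
        if f.allowed_ip is not None and client_ip != f.allowed_ip:
            return None                 # IP filter rejects this caller
        if f.expires is not None:
            f.expires = now + self.ttl  # every successful use delays expiration
        return f.principal
```

Note that a rejected call (wrong source IP) does not extend the expiration window, while an accepted one does, which is what turns a leaked transient URL into a long-lived credential if the holder keeps calling it.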