We are currently deploying our first web services which the business will be able to use in iWay.

Some of these require security. We need to know who is calling the web service from within the firewall. We basically want to control which users can call specific methods within web services. We also want to audit who has called a specific web service since the data passed to us will be loaded in a database.

If we were in .NET, we could probably use the web.config and define who has access but of course this is not the case within such a platform. Of course, we want to avoid developing .NET code and that is why we are using such a platform.

How is this done in an SOA/ESB world? How is security handled? We would like to use Active Directory has much as possible but this might not be the best solution (we are a Windows shop). Does anybody have examples?

Please help

Pascal Couture

Pascal,

Maybe to get started, take a look at iWay Business Services Provider User's Guide - Using Web Services Policy-Based Security . So you can apply different policies to services/methods according to defined users and groups.

Br,
Rivo

Hi,

Thank you for your answer... This is an interesting start but having to recreate users and maintain them a side form our Active Directory kinds of defeats the purpose of all our network policies... Plus, having users passing a clear text password is not something we really want...

A combination of this and SSL might sadly be our solution though and we will definitely look into it...

Any other way? Has anybody used a security tokens approach or anything?

Pascal