on 06-03-2009 12:33 PM
Hi!
I've got 2 topics to address:
1. topic:
I have found several blogs handling the topic Access Control via "Assigned Users" in Sender Agreements and/or "Communication Components".
E.g.
/people/community.user/blog/2006/11/15/security-access-control-via-assigned-users
/people/rahul.nawale2/blog/2006/06/16/acl--confine-users-sending-messages
/people/sap.user72/blog/2005/11/17/xi-controlling-access-to-sensitive-interfaces
BUT: I could not find any information on why this obviously does not work when working with the SOAP Axis Adapter.
Trying things out with e.g. SOAP Adapter everything is fine and the Access Control List is checked. But when using the Axis Framework the Access Control List is not checked. Each and every request containing a valid PI user is accepted regardless of the content of the User Access List in Sender Agreement and/or Communication Component.
Anyone out there who already had this issue and .... solved it?
2. topic:
When working with Access Control Lists in Sender Agreements, the lowest level of checks is based on Service Interfaces. But we have several Service Interfaces with multiple operations each. Is it possible to check on Service Interface Operation also? If yes, how? If not, why not and when will this "feature" come?
Thanx for any hint!
Regards,
Volker
Edited by: Volker Kolberg on Jun 5, 2009 9:32 AM
Sorry. I was wrong. This issue is not fixed.
Any further ideas in this forum?
Thanx!
Regards,
Volker
Hi!
Issue is fixed. Just wanted to keep you informed about how we fixed it: We applied Patch SAP_XIAF 7.10.6.25 and then it worked.
Regards,
Volker
Hi,
Not sure about a solution, but after going through the above blogs my conclusion is:
-> Only the adapters listed for assigned users have an adapter framework to check the ACL or assigned users. The SOAP Axis adapter is not one of them.
-> The obvious conclusion on my part is that it is the adapter which checks the assigned user or ACL, not the communication channel or sender agreement. In other words, the XI framework doesn't check the assigned user; it is the responsibility of the respective adapters.
-> The service interface replicates web services, and until now security is supported at the level of the web service, not service methods or operations. However, it is possible that something similar will come in the future which will support security at the most granular level, i.e. the service operation.
Regards,
Gourav
Hi Gourav!
Many thanx for your reply.
I see the world in a similar way. BUT:
1. Axis SOAP Adapter is SOAP Adapter with Extensions. In the list of adapters I still select the SOAP Adapter, and the Core EJB Module in the Axis SOAP Adapter is still the Module of the SOAP Adapter. Quite strange ...
2. This is not optimal. I see many realistic scenarios where I have more or less large Web Services with several operations and not every operation is valid for every user/customer/partner/vendor and so on. So I want to avoid access to "forbidden operations" at the earliest possible stage - and this is the Inbound Adapter I use.
Regards,
Volker