Http Header Policy DBO
Portlet Title | Http Header Policy |
Portlet Name | wm_xt_httpheaderpolicy |
Portlet File Name | wm_xt_httpheaderpolicy.pdp |
Top-level Folder | extras |
JSR168 Portlet? | No |
Alias | None |
Default Instances of the portlet | Folders > System > Policy Providers > Available Types > Http Header Policy Provider |
Security. Administrators use this security provider to configure permissions on My webMethods Server items. Unlike other security providers where privileges are manually assigned, use this security provider to dynamically grant or deny access to server objects based on information that is passed to My webMethods Server in the HTTP header when a user logs in.
Administrators select the HTTP Header Policy security provider when creating a new security realm. This security provider is useful when My webMethods Server is protected by a front-end authentication product, for example, SiteMinder.
The HTTP Header Policy security provider grants or denies READ, MODIFY, CREATE CHILD, SET PERMISSIONS, and DELETE privileges. To grant or deny privileges, the security provider first examines the key/value pairs in the HTTP header, attempting to find those that match key/value pairs configured in the properties of the HTTP Header Policy portlet. Administrators can configure a key/value pair for each of the privileges. When the security provider finds a matching key/value pair in the HTTP header, it determines whether to grant or deny the privilege based on the value of the Authorization Policy (authorizationPolicy) property.
If an administrator does not configure a key/value pair for a privilege, the security provider uses the Default Right Set (defaultRightSet) property to determine whether to grant or deny that privilege. For example, if an administrator does not configure a key/value pair for the CREATE CHILD privilege, the security provider grants the privilege if it is configured in the default right set or denies the privilege if it is not configured in the default right set.
Policy Configuration Properties
Default Right Set (defaultRightSet)
Identifies the set of default privileges to grant to the security realm. The security provider uses the default right set to determine whether to grant a privilege when there is no configured key/value pair for that privilege, or when the configured key/value pair is not present in the HTTP header. By default, READ is included in the default right set.
When using the portlet's user interface, select the check boxes that correspond to the privileges that you want to include in the default right set. When programmatically configuring this portlet, provide a bit field to indicate the privileges to include in the default right set. The following shows the bits associated with each privilege:
00000001 | READ |
00000100 | CREATE CHILD |
00010000 | MODIFY |
01000000 | SET PERMISSIONS |
10000000 | DELETE |
For example, to set the default right set to include the READ, SET PERMISSIONS, and DELETE privileges, specify the bit field 11000001.
Authorization Policy (authorizationPolicy)
Indicates whether to grant or deny the privileges associated with the configured key/value pairs found in the HTTP header. For example, if the security provider finds the key/value pair identified by the READ Header (readHeader) property, it grants or denies READ access based on the value of this property. Specify one of the following:
GRANT | Default. Grant the privileges associated with the configured key/value pairs that are found in the HTTP header. |
DENY | Deny the privileges associated with the configured key/value pairs that are found in the HTTP header. |
READ Header (readHeader)
Identifies the key/value pair in the HTTP header to associate with the READ privilege. If the security provider finds the key/value pair in the HTTP header, it grants or denies the privilege based on the value of the Authorization Policy (authorizationPolicy) property.
For example, you might set this property to read_privilege=UseSecurityProvider and the Authorization Policy (authorizationPolicy) to GRANT. If the security provider finds the key/value pair read_privilege=UseSecurityProvider in the HTTP header, it grants the READ privilege.
If the property has no value, the security provider grants the READ privilege if it is included in the Default Right Set (defaultRightSet) property or denies the READ privilege if it is not included in the Default Right Set (defaultRightSet) property.
CREATE CHILD Header (createItemHeader)
Identifies the key/value pair in the HTTP header to associate with the CREATE CHILD privilege. The CREATE CHILD privilege controls whether the user can create new items or create subfolders in folders controlled by the security realm. If the security provider finds the key/value pair in the HTTP header, it grants or denies the privilege based on the value of the Authorization Policy (authorizationPolicy) property.
For example, you might set this property to create_privilege=UseSecurityProvider and the Authorization Policy to GRANT. If the security provider finds the key/value pair create_privilege=UseSecurityProvider in the HTTP header, it grants the CREATE CHILD privilege.
If the property has no value, the security provider grants the CREATE CHILD privilege if it is included in the Default Right Set (defaultRightSet) property or denies the CREATE CHILD privilege if it is not included in the Default Right Set (defaultRightSet) property.
MODIFY Header (modifyHeader)
Identifies the key/value pair in the HTTP header to associate with the MODIFY privilege. If the security provider finds the key/value pair in the HTTP header, it grants or denies the privilege based on the value of the Authorization Policy (authorizationPolicy) property.
For example, you might set this property to modify_privilege=UseSecurityProvider and the Authorization Policy to DENY. If the security provider finds the key/value pair modify_privilege=UseSecurityProvider in the HTTP header, it denies the MODIFY privilege.
If the property has no value, the security provider grants the MODIFY privilege if it is included in the Default Right Set (defaultRightSet) property or denies the MODIFY privilege if it is not included in the Default Right Set (defaultRightSet) property.
SET PERMISSIONS Header (setPermissionsHeader)
Identifies the key/value pair in the HTTP header to associate with the SET PERMISSIONS privilege. The SET PERMISSIONS privilege controls whether the user can modify the permissions of items controlled by the security realm. If the security provider finds the key/value pair in the HTTP header, it grants or denies the privilege based on the value of the Authorization Policy (authorizationPolicy) property.
For example, you might set this property to permissions_privilege=UseSecurityProvider and the Authorization Policy to GRANT. If the security provider finds the key/value pair permissions_privilege=UseSecurityProvider in the HTTP header, it grants the SET PERMISSIONS privilege.
If the property has no value, the security provider grants the SET PERMISSIONS privilege if it is included in the Default Right Set (defaultRightSet) property or denies the SET PERMISSIONS privilege if it is not included in the Default Right Set (defaultRightSet) property.
DELETE Header (deleteHeader)
Identifies the key/value pair in the HTTP header to associate with the DELETE privilege. If the security provider finds the key/value pair in the HTTP header, it grants or denies the privilege based on the value of the Authorization Policy (authorizationPolicy) property.
For example, you might set this property to delete_privilege=UseSecurityProvider and the Authorization Policy (authorizationPolicy) to DENY. If the security provider finds the key/value pair delete_privilege=UseSecurityProvider in the HTTP header, it denies the DELETE privilege.
If the property has no value, the security provider grants the DELETE privilege if it is included in the Default Right Set (defaultRightSet) property or denies the DELETE privilege if it is not included in the Default Right Set (defaultRightSet) property.
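The decision rules and the default right set bit field described above can be modelled in a few lines for reviewing a configuration before it is applied. This is an added example, not My webMethods Server code: the function names, the dictionary-based configuration, and the exact-value match on the header are assumptions, while the property names and bit values are taken from this page.

```python
# Added illustration: models the decision rules described on this page.
# It is not My webMethods Server code; value matching is an assumption.

# Bit values from the Default Right Set table.
PRIVILEGE_BITS = {
    "READ": 0b00000001,
    "CREATE CHILD": 0b00000100,
    "MODIFY": 0b00010000,
    "SET PERMISSIONS": 0b01000000,
    "DELETE": 0b10000000,
}

# Privilege -> portlet property that holds its key/value pair.
HEADER_PROPERTIES = {
    "READ": "readHeader",
    "CREATE CHILD": "createItemHeader",
    "MODIFY": "modifyHeader",
    "SET PERMISSIONS": "setPermissionsHeader",
    "DELETE": "deleteHeader",
}


def parse_right_set(bit_field):
    """Turn a bit-field string such as '11000001' into a set of privilege names."""
    value = int(bit_field, 2)
    unknown = value & ~sum(PRIVILEGE_BITS.values())
    if unknown:
        raise ValueError(f"bits not assigned to any privilege: {unknown:08b}")
    return {name for name, bit in PRIVILEGE_BITS.items() if value & bit}


def effective_privileges(config, request_headers):
    """Return the privileges a request ends up with under the given configuration."""
    defaults = parse_right_set(config["defaultRightSet"])
    grant = config.get("authorizationPolicy", "GRANT") == "GRANT"
    # HTTP header names are case-insensitive; exact value match is an assumption.
    headers = {k.lower(): v for k, v in request_headers.items()}
    result = set()
    for privilege, prop in HEADER_PROPERTIES.items():
        pair = config.get(prop)
        matched = False
        if pair:
            key, _, expected = pair.partition("=")
            matched = headers.get(key.strip().lower()) == expected.strip()
        # Pair found: authorizationPolicy decides. Otherwise: default right set.
        allowed = grant if matched else privilege in defaults
        if allowed:
            result.add(privilege)
    return result
```

With authorizationPolicy set to DENY, a request that does not carry the configured pair falls back to the default right set, so the model returns the privilege whenever the default right set includes it.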