About the Security Identity Propagation sample

The Security Identity Propagation sample demonstrates how to use some of the Identity Security features provided in IBM Integration Bus.

Because a real security implementation depends on an external centralized security provider to define the identities and authorizations, this sample does not implement security enforcement. The prebuilt sample shows how to extract security credentials from messages on MQInput and HTTPInput nodes, how to manipulate the security credentials by using ESQL, and how to report and optionally map them. The sample also shows how to propagate the identity by using MQOutput and HTTPRequest nodes.

The "Extending the sample" section provides details of how to include an external security provider in the sample.

The Security Identity Propagation sample demonstrates the following tasks:

For details of the concepts related to message flow security, see Message flow security in the IBM Integration Bus documentation.

The message flows

The following diagram shows the main Security Propagation Sample message flow, which is the SecurityIdentitySampleFlow.msgflow in the SecurityIdentitySampleFlowProject Integration project. The message flow consists of an HTTPInput node and two MQInput nodes that invoke a common subflow.

A screen capture of the main Security Propagation message flow.

The HTTPInput node, called HTTP_ID, extracts the Identity passed in the HTTP Basic Authentication header of incoming requests; the header carries a username-and-password token. The HTTPInput node is configured, in the BAR file provided, SecurityIdentityPropagation.bar, to have a security profile setting of Default Propagation.

The MQ_ID MQInput node extracts the Identity, with only a username, that is passed in the WebSphere MQ MQMD message header of the incoming message. The MQ_ID node is configured in the BAR file provided, SecurityIdentityPropagation.bar, to have a security profile setting of Default Propagation.

The MSG_ID MQInput node extracts a set of Identity credentials, consisting of both a username and password. The Security properties on the MSG_ID node are configured so that the Identity credentials are passed in the body of the WebSphere MQ message. The MSG_ID node is configured in the BAR file provided, SecurityIdentityPropagation.bar, to have a security profile setting of Default Propagation.

The following diagram shows the Security Identity Propagation subflow, SecurityIdentitySubFlow.msgflow, that is called by each input node.

A screen capture of the Security Identity Propagation subflow.

The subflow contains a Compute node, called MapIdentity, that can set the Mapped Identity in the Properties folder of the message, if the contents of the input message request that the Mapped Identity is set. The HTTPRequest node, called HTTP_ReqAsID, uses either the source or mapped identity in the Properties folder to issue a request to the SecurityIdentityReportFlow message flow. This node replaces the message tree with the response from that flow. The HTTPRequest node propagates the source or mapped identity because it is configured in the BAR file provided, SecurityIdentityPropagation.bar, to have a security profile of Default Propagation. The final Compute node, called ClearHdrs, is provided to clear the HTTP request header in case the main flow sends a reply message across WebSphere MQ.
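As an added illustration (not the sample's own ESQL, which is not reproduced on this page), the following Compute node module shows the pattern the MapIdentity node implements: copy the input message, and when the incoming message asks for mapping, populate the mapped-identity fields of the Properties folder that downstream nodes with a propagating security profile then use. The request element InputRoot.XMLNSC.Request.MapTo, the module name and the IssuedBy string are assumptions.

```esql
-- Added example, not the sample's own ESQL.
-- Assumed input layout: <Request><MapTo>user</MapTo></Request> (hypothetical).
CREATE COMPUTE MODULE MapIdentity_Example
  CREATE FUNCTION Main() RETURNS BOOLEAN
  BEGIN
    -- Copy the whole message, including the Properties folder, so the
    -- source identity extracted by the input node (IdentitySourceType,
    -- IdentitySourceToken, IdentitySourcePassword, IdentitySourceIssuedBy)
    -- is preserved unchanged.
    SET OutputRoot = InputRoot;

    -- Hypothetical element: when present, the caller requests that the
    -- identity be mapped to the named user.
    DECLARE mapTo CHARACTER InputRoot.XMLNSC.Request.MapTo;

    IF mapTo IS NOT NULL AND LENGTH(TRIM(mapTo)) > 0 THEN
      -- Populate the mapped identity. A username-only type is used here
      -- because this illustration has no password for the mapped user; in a
      -- real deployment the mapped credentials come from the external
      -- security provider, never from literals in the flow.
      SET OutputRoot.Properties.IdentityMappedType     = 'username';
      SET OutputRoot.Properties.IdentityMappedToken    = TRIM(mapTo);
      SET OutputRoot.Properties.IdentityMappedPassword = NULL;
      -- Constructed issuer label for this example.
      SET OutputRoot.Properties.IdentityMappedIssuedBy = 'MapIdentity_Example';
    ELSE
      -- No mapping requested: make sure no stale mapped identity is left
      -- behind, so propagation falls back to the source identity.
      SET OutputRoot.Properties.IdentityMappedType     = NULL;
      SET OutputRoot.Properties.IdentityMappedToken    = NULL;
      SET OutputRoot.Properties.IdentityMappedPassword = NULL;
      SET OutputRoot.Properties.IdentityMappedIssuedBy = NULL;
    END IF;

    RETURN TRUE;
  END;
END MODULE;
```

The ClearHdrs step described above is the same idiom applied to the header folder, for example SET OutputRoot.HTTPRequestHeader = NULL; before a reply is written to WebSphere MQ.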

The following diagram shows the Security Propagation Sample Report Identity message flow, called SecurityIdentityReportFlow.msgflow, that is invoked by the subflow. This message flow propagates the relevant identity.

A screen capture of the Security Propagation Report Identity message flow.

The Report Identity Compute node in the Security Propagation Sample Report Identity message flow reports the received identity in the body element fields of the message, if the body folder is present.

The messages

Three input messages are supplied for running the Security Propagation sample:
