Applying Security to a Data Service
WSO2 supports WS-Security, WS-Policy, and WS-Security Policy specifications. These specifications define a behavioral model for Web services. To enable a security policy for a data service, you need to first create a security policy file, and then add it to the data service.
Prerequisites
Be sure to configure a user store for the Micro Integrator and add the required users and roles.
Step 1: Create a registry resource module and a security policy as a registry resource
Registry artifacts (such as security policy files) should be stored in a Registry Resource module. Follow the steps given below to create a module:
- Open MI for VS Code and create a new project.
- Open the MI project view and click the + button next to the Registry. A form will open to create a new registry resource.
- Select the From existing template option and enter the following details.

  | Property | Value |
  |---|---|
  | Resource Name | Sample_Policy |
  | Artifact Name | Sample_Policy |
  | Template | WS-Policy |
  | Registry | gov |
  | Registry path | ws-policy/ |

- Click Create and the policy file will be listed in the MI project view.
- You can enable the required security scenario via the source view of the policy file. For example, enable the Sign and Encrypt security scenario.
- You can also provide encryption properties, signature properties, and advanced rampart configurations.

  Info: Using role-based permissions? For certain scenarios, you can specify user roles. After you select the scenario, scroll to the right to see the User Roles button. Either define the user roles inline or retrieve the user roles from the server.

  Info: Make sure the `tokenStoreClass` in the source view of the policy file is `org.wso2.micro.integrator.security.extensions.SecurityTokenStore`. In addition, replace the `ServerCrypto` class with `org.wso2.micro.integrator.security.util.ServerCrypto` if present.

- Save the policy file.
Step 2: Add the security policy to the data service
Once you have configured the policy file, you can add the security policy to the data service as explained below.
- If you have already created a data service, open the file using the WSO2 Micro Integrator Visual Studio Code extension.

  Tip: Be sure to update your database credentials in the dataservice file.

- Once you have opened the data service file, switch to the Source View to see the source of the data service.
- Add the following elements inside the `<data>` element and save the file.

  ```xml
  <policy key="gov:ws-policy/Sample_Policy.xml" />
  <enableSec />
  ```
Step 3: Package the artifacts
See the instructions on packaging the artifacts into a composite exporter.
Step 4: Build and run the artifacts
See the instructions on deploying the artifacts.
Step 5: Test the service
Create a SoapUI project with the relevant security settings and then send the request to the hosted service.
For guidelines on using SoapUI, see general guidelines on testing with SoapUI.
Use an encrypted datasource password
When you create a data service for an RDBMS datasource, you have the option of encrypting the datasource connection password. This ensures that the password is encrypted in the configuration file (.dbs file) of the data service.
See the instructions on encrypting plain-text passwords.
Once you have encrypted the datasource password, you can update the data service as explained below.
- Open the data service and click Add Datasource to create a new data source.
- Select RDBMS as datasource type and MySQL as database engine. Enter values for datasource identifier, driver class, URL and username.
- Add the datasource to the data service.
- Switch to the source view and add the following element to the datasource `<config>` to use a secret alias for the password.

  ```xml
  <property xmlns:svns="http://org.wso2.securevault/configuration" name="password" svns:secretAlias="Datasource.Password"/>
  ```
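
The two settings this page adds to a `.dbs` file (the `<policy>`/`<enableSec>` pair from Step 2 and the secret-alias password property) can be checked before packaging. The Python script below is an added example, not part of the WSO2 documentation or tooling; the function name `audit_dbs` and both sample data services are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SVNS = "http://org.wso2.securevault/configuration"  # namespace shown on this page

def audit_dbs(xml_text):
    """Return findings for one data service (.dbs) document; empty list = OK."""
    root = ET.fromstring(xml_text)  # assumes trusted files from your own project
    if root.tag != "data":
        return ["root element is not <data>"]
    findings = []
    # Step 2: <policy> and <enableSec> must both sit directly inside <data>.
    policy = root.find("policy")
    if policy is None or not policy.get("key"):
        findings.append("missing <policy key=...>")
    if root.find("enableSec") is None:
        findings.append("missing <enableSec/>")
    # Password handling: every datasource <config> should use a secret alias.
    for config in root.findall("config"):
        cid = config.get("id", "?")
        for prop in config.findall("property"):
            if prop.get("name") != "password":
                continue
            if (prop.text or "").strip():
                findings.append(f"config {cid}: plain-text password")
            elif not prop.get(f"{{{SVNS}}}secretAlias"):
                findings.append(f"config {cid}: password without svns:secretAlias")
    return findings

# Constructed samples (not from the page): data service name, id and URL are made up.
SECURED = """<data name="SampleDS">
  <config id="ds1">
    <property name="url">jdbc:mysql://localhost:3306/sample</property>
    <property xmlns:svns="http://org.wso2.securevault/configuration"
              name="password" svns:secretAlias="Datasource.Password"/>
  </config>
  <policy key="gov:ws-policy/Sample_Policy.xml" />
  <enableSec />
</data>"""

UNSECURED = """<data name="SampleDS">
  <config id="ds1">
    <property name="password">example-only</property>
  </config>
  <policy key="gov:ws-policy/Sample_Policy.xml" />
</data>"""

if __name__ == "__main__":
    for label, doc in (("secured", SECURED), ("unsecured", UNSECURED)):
        print(label, audit_dbs(doc) or "OK")
```
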