Date of First Response: 2008-10-07 00:53:41
project_key: SOA

The current ESB security support provides for authentication, but not authorization. It will authenticate a user before allowing access to a service, but not check that the user is authorized to access the service. The security implementation does not access role information. It will add roles to the security context based on the run-as property (when using SingleSignOn), but not check the initial roles assigned to the user. Nor does the security implementation check that the user is in the role (this is left to the developer to check in a custom action).

The security implementation should be extended to check a user's role. If using SingleSignOn, the roles information should be added to the security context. Furthermore, the security implementation should allow the user to specify a role associated with the service (through WS-Policy, for example), and validate that the user has this role before allowing access to the service.
Link: Added: This issue depends JBESB-2007
Verified in IR5