Enabling Endpoints for Security

Prerequisites

A new simplified service should be composed and the original service should be consumed in the diagram of the simplified service. Moreover, the consumed service should be mapped to the service composition flow elements. Once you have composed your service, assign a service group for the activity of the consumed original service. Then save and generate the diagram.

Procedure

1. Open the EJB deployment descriptor in the Java EE perspective

Since by default the EJB project does not provide deployment descriptors for EJB 3.0, you have to generate one by right-clicking on the project and selecting Java EE Tools > Generate Deployment Descriptor Stub.

Double-click on the deployment descriptor node (the first node under the EJB project) and an XML editor for ejb-jar.xml opens.

2. Define an EJB role

In the ejb-jar.xml insert the following fragment as a child of the <ejb-jar> tag:

Sample Code
<assembly-descriptor>
  <security-role>
    <description/>
    <role-name>PowerRole</role-name>
  </security-role>
  <method-permission>
    <description/>
    <role-name>PowerRole</role-name>
    <method>
      <ejb-name>SalesOrderByIDQueryResponseInEjb</ejb-name>
      <method-name>*</method-name>
    </method>
  </method-permission>
</assembly-descriptor>

3. Define a mapping between the EJB role and an SAP-specific role

In the ejb-j2ee-engine.xml (located under "ejbModule\META-INF\") insert the following fragment as a child of the <ejb-j2ee-engine> tag.

<security-permission>
  <security-role-map>
    <role-name>PowerRole</role-name>
    <server-role-name>ServerPowerRole</server-role-name>
  </security-role-map>
</security-permission>

Note that you can also add this child in the tree of the XML editor.

4. Runtime Configuration Steps

You can check the assigned roles and actions in the Identity Management.

Execute the Web service (that is, the EJB) without authorization. To do that, open the Web Service Navigator and in the Local Java AS provider system find your service. Execute it. As a result, an exception related to accessing the EJB should be thrown.

Now assign the user to the SAP-specific role in UME.

As a result, the Web service executes successfully because the user (principal) has the necessary authorizations.

You have to assign the configured provider system, which points to the external service that you want to consume or compose, to the service group of the service.
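
The role name written in ejb-jar.xml (step 2) has to match the one mapped in ejb-j2ee-engine.xml (step 3). The following consistency check is an added example, not part of the original documentation: the function name check_role_wiring and the misspelled PowerRoles variant are assumptions constructed for illustration, and the inputs are the page's two fragments wrapped in their parent tags.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip a namespace such as '{http://java.sun.com/xml/ns/javaee}'."""
    return tag.rsplit("}", 1)[-1]

def _roles(root, parent):
    """All <role-name> values found directly under elements named `parent`."""
    return {(c.text or "").strip()
            for p in root.iter() if _local(p.tag) == parent
            for c in p if _local(c.tag) == "role-name"}

def _mapped(root):
    """Roles whose <security-role-map> also names a non-empty server role."""
    out = set()
    for m in root.iter():
        if _local(m.tag) == "security-role-map":
            kids = {_local(c.tag): (c.text or "").strip() for c in m}
            if kids.get("role-name") and kids.get("server-role-name"):
                out.add(kids["role-name"])
    return out

def check_role_wiring(ejb_jar_xml, engine_xml):
    """Return sorted findings; an empty list means the two files agree."""
    jar, engine = ET.fromstring(ejb_jar_xml), ET.fromstring(engine_xml)
    declared = _roles(jar, "security-role")
    used = _roles(jar, "method-permission")
    mapped = _mapped(engine)
    findings = [f"{r}: used in <method-permission> but not declared" for r in used - declared]
    findings += [f"{r}: no <server-role-name> mapping" for r in used - mapped]
    findings += [f"{r}: mapped but not declared in ejb-jar.xml" for r in mapped - declared]
    return sorted(findings)

# Constructed inputs: the page's fragments in their parent tags, plus a typo variant.
EJB_JAR = """<ejb-jar><assembly-descriptor>
  <security-role><role-name>PowerRole</role-name></security-role>
  <method-permission>
    <role-name>PowerRole</role-name>
    <method><ejb-name>SalesOrderByIDQueryResponseInEjb</ejb-name>
            <method-name>*</method-name></method>
  </method-permission>
</assembly-descriptor></ejb-jar>"""
ENGINE_OK = """<ejb-j2ee-engine><security-permission><security-role-map>
  <role-name>PowerRole</role-name><server-role-name>ServerPowerRole</server-role-name>
</security-role-map></security-permission></ejb-j2ee-engine>"""
ENGINE_TYPO = ENGINE_OK.replace("<role-name>PowerRole<", "<role-name>PowerRoles<")

if __name__ == "__main__":
    print(check_role_wiring(EJB_JAR, ENGINE_TYPO))
```

Run it against the real descriptor contents before generating and deploying; an empty result means every role used in a method permission is both declared and mapped to a server role.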