Securing my Front End Service (RAP application) thru WSO2 ESB

Hi everyone,

I have my front end service built using RAP eclipse framework that integrates with Equinox. I managed to integrate my RAP application within Carbon (as it is built around equinox). I need to secure my RAP application using security features provided by WSO2 identity server.

My questions are the following:

1. How can I add my RAP application as a resource to be accessed thru the WSO2 ESB, thus adding security capabilities to protect it.
2. How to configure WSO2 ESB to refer WSO2 identity for securing my resources (RAP application, web services, etc ...).

I appreciate your help,

Salim MANSOURI.
CTO Mobiscom Inc.
Ottawa, Canada.

Hi Salim,

So the RAP application is an OSGi bundle right?

You can write a class mediator in the WSO2 ESB to invoke the RAP application and proxy the application with a WSO2 ESB proxy service, so that you could apply WS-Security for the Proxy service to secure your application which will be accessed via the proxy.

A message flow will be as follows;

Client -------WS-Sec (BasicAuth/UserNameToken/SignAndEncrypt/etc..)-----> WSO2 ESB Proxy Service ---------> Class mediator -------> RAP application

WSO2 ESB has a built-in set of mediators to secure the service with the WSO2 Identity server. If you could elaborate on the exact security requirements, we would be able to help you out to configure it to use the Identity server.

Thanks,
Ruwan Linton
Product Manager - WSO2 ESB


Secure a RAP application thru ESB + Identity Manager

Hi Ruwan,

First, thanks a lot for your fast response. I appreciate it a lot.

Yes, our RAP application is a set of OSGI bundles.
A RAP application runs inside a browser, then it is a WEB application thru a URL resource.
In your scenario, the client is a WEB browser that issues an HTTP request to the RAP application where the runtime runs on the server side in a jetty container.

A RAP application has multiple entrypoints (an entrypoint in RAP is represented by URL).

My sign-in scenario would be :

Client access application resource ----> security module intercept the call and redirect to an entrypoint (RAP one) that is the login page -----> client enter credentials and submit -----> security module verify credential (identity manager) and create a security token and let the request go thru the first entrypoint that represents the application.

Later, subsequent requests are intercepted by security module to verify if token is still valid.

For now, I just want to authenticate users to provide them access to my RAP application using the ESB and Identity manager. Later on I will add authorization capabilities.

I am not really familiar with WS-Sec, but I will read this specification. Though, can I configure WS-Sec to redirect the initial request to my login page to provide with credential information ? Cause I do not understand what the class mediator role would be !

Thanks a lot Ruwan,

Salim MANSOURI.
CTO Mobiscom Consulting Inc.
Ottawa, CANADA.


I have read WS-Security but ....

Hi Ruwan,

I have read WS-Security to see how I can use it to secure my RAP application (web application in fact).
I saw that you're using Rampart (apache) to provide WS-Security capabilities to WSO2, but on their web site they stated that Rampart is used to secure Axis2 web services! RAP application is a Front end service (or WEB application) that should be secured within WSO2 framework.

One of the solutions I am thinking about is the following:
1. RAP application is similar to a web application, thus is there a Filter provided by Identity Manager that I can put in front of my web app to authenticate my web application ?
2. If I do so, my incoming request would not go thru the ESB ! Is that a problem ?

Thanks a lot,

Salim MANSOURI.
CTO Mobiscom Consulting Inc.
Ottawa, CANADA.
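
The sign-in scenario from the earlier post, sketched as the kind of servlet filter asked about here. This is an added example, not code from the thread or from WSO2: the `CredentialVerifier` interface, the `/login` and `/app` paths, the form field names and the session attribute name are all hypothetical, and the credential check against an identity service is left behind that interface.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical stand-in for the credential check delegated to an identity service. */
interface CredentialVerifier { boolean verify(String user, char[] password); }

public class LoginGateFilter implements Filter {
    private static final String TOKEN = "auth.user";   // session attribute (hypothetical name)
    private static final String LOGIN_PATH = "/login"; // hypothetical login entrypoint
    private static final String APP_PATH = "/app";     // hypothetical application entrypoint
    private CredentialVerifier verifier;

    public void init(FilterConfig cfg) throws ServletException {
        // Assumption: deployment code stored a verifier in the servlet context.
        verifier = (CredentialVerifier) cfg.getServletContext().getAttribute("credentialVerifier");
        if (verifier == null) throw new ServletException("no CredentialVerifier configured");
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String path = req.getRequestURI().substring(req.getContextPath().length());
        HttpSession session = req.getSession(false); // null once the session has expired
        if (session != null && session.getAttribute(TOKEN) != null) {
            chain.doFilter(rq, rs);                  // token still valid: let the request through
            return;
        }
        if (!LOGIN_PATH.equals(path)) {              // fail closed: anything else goes to login
            res.sendRedirect(req.getContextPath() + LOGIN_PATH);
            return;
        }
        if (!"POST".equals(req.getMethod())) {
            chain.doFilter(rq, rs);                  // render the login page itself
            return;
        }
        String user = req.getParameter("user");
        String pass = req.getParameter("password");
        if (user != null && pass != null && verifier.verify(user, pass.toCharArray())) {
            if (session != null) session.invalidate();      // new session: no session fixation
            req.getSession(true).setAttribute(TOKEN, user);
            res.sendRedirect(req.getContextPath() + APP_PATH);
        } else {
            res.sendRedirect(req.getContextPath() + LOGIN_PATH + "?failed=1");
        }
    }

    public void destroy() { }
}
```

Because every path other than the login one is redirected, any static resources the login page loads would have to be allowed through explicitly. The login POST carries the password, so the filter only makes sense behind HTTPS.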

paulfremantle's picture

Securing RAP

Hi. If it's a web front end then you need to look at the "Relying Parties" that ship with Identity Server.
We support OpenID and Infocard RPs for Apache HTTPD and Java Servlet/Tomcat. Would that help?

Paul


Securing RAP

Hi Paul,

Is the relying party a Servlet Filter class that I can put in front of my RAP application (cause it uses Jetty servlet engine)? Is there any documentation I can look at to understand how I can integrate this relying party?

I believe that I should take this topic into Identity Forum !

Thanks Paul,

Salim.
