The Store Web Service Proxy (WSP) is the primary gateway
of the application domain. It receives a request with an LTPA token
attached.
When requested, the processing rule for the request completes the
following actions:
- Validates the request, as requested by the Validation policy.
For more information, see Overview of WSRR artifacts in the sample.
- Routes the request to the alternate endpoint if the service level agreement (SLA) is Gold.
- Performs authentication, authorization, and accounting (AAA) on the request. The authentication includes the following actions:
  - Authenticates the user with an LTPA token.
  - Maps the credentials against the LDAP server, which provides information about which groups the customer belongs to. These groups include Manager, Clerk, and Customer.
  - Transforms the provided inputs into a request object that the XACML policy decision point (PDP) can understand.
  - Completes authorization by using an XACML PDP on the DataPower® box, with an XACML policy document that can be created in IBM® Tivoli® Security Policy Manager. The criterion of the policy is that the user must be a Manager, Customer, or Clerk. For the findInventory operation, the returns require either Manager or Clerk, and purchases can be made by customers.
- Sets the ConsumerID value by using an XSL script.
- Removes the entire HTTP Security Header from the request.
- Calls the Store service back end.
When the request is processed, the response processing rule completes
the following actions:
- Calls the StoreXACMLFW gateway, which acts as the PDP in the scenario.
- Based on the response, the price info field is redacted (zeroed out) depending on whether the user has the Manager role.
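
The transform and authorization steps of the request rule can be modelled outside DataPower to check that the policy denies by default. The following Python sketch is an added example, not code from the IBM sample: it builds a minimal XACML 2.0 request context from the LDAP-mapped groups and evaluates it. The operation names `returnItem` and `purchase`, the use of the RBAC-profile role attribute, and the strict reading that only Customer may purchase are assumptions.

```python
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE_ID = "urn:oasis:names:tc:xacml:2.0:subject:role"  # assumed attribute for groups
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Policy as the page states it, read strictly. "returnItem" and "purchase"
# are assumed operation names; only findInventory is named in the text.
POLICY = {
    "findInventory": {"Manager", "Clerk"},
    "returnItem": {"Manager", "Clerk"},
    "purchase": {"Customer"},
}

def _attr(parent, attr_id, value):
    a = ET.SubElement(parent, f"{{{CTX}}}Attribute",
                      AttributeId=attr_id, DataType=STRING)
    ET.SubElement(a, f"{{{CTX}}}AttributeValue").text = value

def build_request(user, ldap_groups, operation):
    """Transform step: mapped credentials + operation -> XACML request context."""
    req = ET.Element(f"{{{CTX}}}Request")
    subj = ET.SubElement(req, f"{{{CTX}}}Subject")
    _attr(subj, SUBJECT_ID, user)
    for group in sorted(ldap_groups):
        _attr(subj, ROLE_ID, group)
    ET.SubElement(req, f"{{{CTX}}}Resource")     # kept empty in this sketch
    act = ET.SubElement(req, f"{{{CTX}}}Action")
    _attr(act, ACTION_ID, operation)
    ET.SubElement(req, f"{{{CTX}}}Environment")
    return ET.tostring(req, encoding="unicode")

def _values(root, section, attr_id):
    path = (f"{{{CTX}}}{section}/{{{CTX}}}Attribute"
            f"[@AttributeId='{attr_id}']/{{{CTX}}}AttributeValue")
    return {v.text for v in root.findall(path)}

def decide(request_xml):
    """PDP step: Permit only on an explicit role match, otherwise Deny."""
    root = ET.fromstring(request_xml)
    roles = _values(root, "Subject", ROLE_ID)
    actions = _values(root, "Action", ACTION_ID)
    if len(actions) != 1:          # missing or ambiguous action: fail closed
        return "Deny"
    allowed = POLICY.get(actions.pop(), set())   # unknown operation: nobody allowed
    return "Permit" if roles & allowed else "Deny"
```

Unknown groups, unknown operations, and requests without exactly one action all resolve to Deny, which is the behaviour to verify in the real policy document as well.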