I've created a new role and added a new user in the user.properties file. I've applied the role to one of my bizdocs.
I turned on security by uncommenting the section in the web.XML. I tested the webservice through Web Services explorer and was prompted for a user id and password. I was able to execute my BizDoc, but I can't figure out where I'm supposed to pass the user id and password to my Bizdoc so it gets to the webservice, so it can do the appropriate user validation. I'm not sure if it matters, but I'm using all SQL biz drivers and SQL Biz Components.
I appreciate your help.
Thank you.
Kelli

Kelli, it sounds like what you've done so far is enable security at the Servlet level. This is sufficient if you want to protect the ability to execute any/all BizView files. But to get finer grained access control, you need to enable BizView file authorization either through the JMX console, or the configuration file <xaware.home>.conf/common/Spring/SecurityConfig.XML. Only then will the role assigned to a BizView file matter. Once configured, you can allow or deny execution of a specific BizDoc based on the role.

You can read about the full process on this wiki:

http://www.xaware.org/components/com_mambowiki/index.php/How_to_enable_security_on_the_HTTP_connector

The article shows how to configure using JMX. The JMX identifiers relate directly to the config file, so you will likely see how to take that alternative as well. Let me know if you need more help.

-Kirstan

Thank you. I've been able to configure the security, but I'm running into one issue. One of my BizComponents uses the Lookup Functoid. Now that I've applied the role based security, I'm getting errors with reading the Lookup.XML file. Is there a way to apply the role security to this xml file?
When I remove the role based security from the BizComp, the functoid works fine.
Thank you.
Kelli

Kelli, there is a way to apply a role to a lookup file, and yes, that is likely what is required. Lookup files use the same resource loading code as other BizView files, so they are access-controlled like other files. Can you see from the log that it is failing because of an access control problem with your lookup file?

If so, you need to set up a role for it. If you deploy the lookup file with your XAR, you would do this just like any other BizView file. If not, you can do this using the JMX console, or by modifying RolesConfig.XML directly, located in <xaware.home>/conf.

Please let me know if you need more information!

-Kirstan

I apologize for taking so long to reply.
Yes, the error I'm getting is due to an access control problem on the lookup.XML, so I know that I need to add a role to it.
I've been adding my roles to the BizViews via the Package Assembly tool. Is it possible to use this tool to add a role to the lookup.xml file? If so, can you explain how, since I can't figure out how to include the lookup.xml in my xar.
Thank you.
Kelli

Kelli, you can set up your aliases.properties file so that it points to a file in your XAR. I've done this on a project with an alias entry like this:

updater=xaware/updater/conf/updaterLookup.XML

I also tested yesterday with security enabled, and I was able to access the file properly. In this case, with the lookup file in the XAR file, you can apply a role just like any BizView file. But keep in mind that the lookup file is loaded as a resource, so this is controlled by these settings in SecurityConfig.xml:

<property name="authorizeResourceFiles" value="true"/>
<property name="defaultResourceRole" value="ROLE_USER"/>

Please let me know if this fixes the problem.

Thanks,

-Kirstan