OSB Security, is it worthwhile securing Both the Proxy Service and The Business Service

294 views

OSB Security, is it worthwhile securing Both the Proxy Service and The Business Service?

Or just the Proxy service?

In other words if the business service is not configured with security, could this be a security hole?

2

There are 2 answers below

1

BEST ANSWER

I will link to a couple of parts of the documentation for you:

Now, when you say "if the business service is insecure", you're actually pointing out what needs to be understood. Can you call a Business Service from a context OUTSIDE of the Proxy Service that you wrote it for? I would say that there are plenty of Business Services that you could call from ANY Proxy Service in OSB, so if you feel that at the OSB level, you are concerned some developer might code something against your business service and call it without needing to provide some sort of authentication/authorization, you probably will need to secure it.

Furthermore, if you're able to call the Business Service from outside of the box (as you would do with a Proxy Service), then you're likely to face the same sets of concerns as far as letting anyone call that service if they happen to find the URL for it.

This might not be the best answer, but I think your question could use some refining to ask more specifically, "Can Business Services be invoked directly from outside of SBConsole?", which I unfortunately don't have a good answer for you.

I think an even better question is "What vectors can an OSB Business Service be invoked from?" as it points out WHERE you have to look to ensure that people aren't trying to call your sensitive business services directly.

0

In my opinion, it's advisable to secure the proxy service alone. Unlike a Proxy Service, business services don't have an endpoint URI to expose them over the internet to other services / proxies. So unless a developer explicitly "references" his proxy services to the business service that you are using, I don't see any point in securing the business service against wrong use from other proxies or clients.

Please note, for the same reason as mentioned above, we only expose proxies to the external world (clients, other services, etc.) and not the business service. Business services are only used to connect to the end systems (legacy systems, other web services, JMS queues, Siebel systems, etc.).