IIB SecurityPEPNode

I think we should all thank Ivan for another great article on IIB/WMB/ACE development .

It covers how adding a SecurityPEPNode to your REST service can help to enforce access controls .

The idea is that each subflow that implements a REST call should enforce authorization and access control. And it does this by delegating to a security provider.

It does this by using a SecurityPEP node.

You can read more details on the SecurityPEPNode here .

With the SecurityPEPNode, there are a number of different options that can used to authenticate the REST request. Each team or organization might have a slightly different approach or a different authentication and authorization provider.

We already have some rules around security, such as:

R497 - MQ CHANNEL does not use TLS/SSL (SSLCIPH) (MQ)

R496 - AsyncSOAPRequest node using deprecated protocol (WMB)

R495 - AsyncSOAPRequest node calls HTTP URL (WMB)

R484 - File read or write directory could be manipulated (WMB)

From our perspective, there are lots of different avenues or standards that teams could find useful in this ensuring that security is enforced.

We have added a new rule :

R498 - RESTAPI subflow implementation does not contain a policy enforcement node (PEP)

We don't have a rule that will validate what token type is used, but once a you add the SecurityPEPNode to a flow, then when the flow REST API is invoked, the policy node will execute and if the token doesn't make sense, the flow will throw an exception.

More information on our products and on pricing can be found on our website:

https://bettercodingtools.com

You can also reach me via email at:

[email protected]

Or contact me via the contact page on our website:

www.bettercodingtools.com/contact

Regards

Richard