I wrote earlier about defining a Generic API in your SOA by encapsulating the heterogeneous service platforms that you find in your infrastructure. The two patterns I’ll discuss today are sub-patterns that we can refine from the features provided by the Generic API pattern.
The Internal Services Gateway (ISG) pattern exposes services in the underlying service platforms to internal service consumers by using the Generic API pattern. The WSO2 Enterprise Service Bus (ESB) is deployed in the local area network (LAN) and exposes backend services as proxy services. This aggregates the backend services into a unified services layer and simplifies the backend service contracts.
Security policies for authentication and authorization can be designed appropriately for the context that only internal consumers will be allowed access to the services. Some ISG deployments only consider network level security provided by the infrastructure, others leverage Single Sign-On (SSO) through an internal user store hosted by Active Directory, LDAP, and RDBMS, or Windows-based Kerberos tokens.
The Public Services Gateway (PSG) pattern exposes select services to external service consumers. In a normal infrastructure this is achieved by deploying a WSO2 ESB in a “DMZ” (demilitarized zone where security is carefully managed – I’ll provide more information about DMZ practices in a future post) and exposing the services to external service consumers. The DMZ ESB pre-processes service requests coming from the public service gateway, and thus originating outside the core network, and routes only valid and authorized messages to the actual service platforms deployed in the LAN.
Pre-processing steps typically consist of message validation, filtering, and transformation. Compared with the ISG, a PSG should maintain a higher level of security due of course to the origin of service requests coming from outside. The PSG should be configured to use the relevant security policies and bridge into the internal security policies by using the security protocol switching capabilities of WSO2 ESB. SSO support for external consumers can be implemented using SAML2 tokens or any other Secure Token format (such as OpenID).
Two implementation models are popular: a PSG consuming services through an ISG or a PSG directly consuming the backend services. In addition to message-level validation the PSG can extend validation to the attachments coming with the message, for example executing virus checks by configuring WSO2 ESB to execute a virus check program.
In summary these two patterns provide clean, proper control of services exposed variously to the internal and external consumers. Security policies appropriate to each type of customer can be developed, deployed, and managed simply through the internal registry in the ESB or through and external WSO2 Governance Registry instance.
Asanka Abeysinghe, Director of Solutions Architecture
Asanka’s blog: http://asanka.abeysinghe.org/