As mentioned before, is possible to protect the broker using a authentication provider. One of the available providers validates ESBTokens provided by the Service Delivery Broker (SDB).
<global-config>
<!-- .... more configs .... -->
<credential-validators>
<credential-validator provider-name="SapoSTS">
<class>pt.com.broker.auth.saposts.SapoSTSAuthInfoValidator</class>
<provider-params>
<sts>
<!-- .... SDB STS endpoint .... -->
<sts-location>https://pre-release.services.bk.sapo.pt/STS/</sts-location>
<!-- .... SDB ESBToken with permissions to validate other users credentials .... -->
<sts-token>29b54e8fcc92fd3ceacaf8d807df335d49c7474343325ca83beda4e268b48883</sts-token>
</sts>
</provider-params>
</credential-validator>
</credential-validators>
</global-config>