Contents
This is part of the Oracle SOA11g hands on tutorials.
Overview
* Composite security should be configured by system administrators, NOT coded by developers.
Secure a Composite
* Authenticate client invoking the composite.
* Authorize client accessing service.
* Sign messages.
* Encrypt messages.
* Propagate client identity to downstream services.
Secure Composite with OWSM
* OWSM: Oracle Web Services Manager
Overview
* OWSM supports standard-based policy management, attachment, and enforcement.
* Policies can be created and attached to
– composite services,
– references,
– components.
* Policy management and attachment can be done in
– EM console
– JDev via deployment plan
* Examples of Policies
– Authorization policies
– WS-Security
– WS-Addressing
– MTOM
– WS-ReliableMessaging
– Management policies, e.g. logging
View Built-in Policies
* Go to EM console
* Farm_soa_domain -> Expand WebLogic Domain
* Right click soa_domain
* Select Web Services -> Policies
Secure Credit Card Validation Service
Define a New User
* Log in to the WebLogic Admin Console.
* Click Security Realms link in Domain Structure panel.
* Click myrealm link in the Summary of Security Realms panel.
* Click Users and Groups tab.
* Click New button to bring up the Create a New User page. Enter:
– Name: weblogic1
– Password: welcome1
– Click OK button.
* Click weblogic1 user to bring up the Settings for weblogic1 page.
– Click Groups tab.
– Select Administrators group on Available list and click the single right arrow to move it to Chosen list.
– Click Save button.
Attach Policies with EM Console
* Log in to the EM console.
Attach Policy to receivePO
* Click on POProcessing composite link.
* Click on Policies tab.
* Click the Attach To/Detach From drop-down list and select receivePO. A new window opens.
* In the Available Policies panel, select oracle/wss_username_token_service_policy and click the Attach button.
* Click the OK button.
Attach Policy to getCreditCardStatus
* Attach: oracle/wss11_saml_token_with_message_protection_client_policy
Attach Policy to getStatusByCC
* Click validationForCC composite application
* Click on Policies tab.
* Attach: oracle/wss11_saml_token_with_message_protection_service_policy
Attach Policies with JDeveloper
Secure POProcessing Composite
* Open POProcessing composite.xml file.
* Right click receivePO and select Configure WS Policies…
* Click the green plus sign to the right of Security field.
* Select: oracle/wss_username_token_service_policy and click OK
* Notice receivePO has a new lock icon on the upper right corner.
* Do the same for the getCreditCardStatus reference and select oracle/wss11_saml_token_with_message_protection_client_policy.
Secure validationForCC Composite
* Open validationForCC composite.xml file.
* Right click getStatusByCC and select Configure WS Policies…
* Select oracle/wss11_saml_token_with_message_protection_service_policy
Test Security Policy
* Click the Test tab.
* Click Request -> Security accordion.
* Select WSS Username Token and enter
– Username: weblogic1
– Password: welcome1
* Input message:
  <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Body xmlns:ns1="http://xmlns.oracle.com/ns/order">
      <ns1:PurchaseOrder>
        <ns1:CustID>1111</ns1:CustID>
        <ns1:ID>2121</ns1:ID>
        <ns1:productName>Bluetooth Headset</ns1:productName>
        <ns1:itemType>Electronics</ns1:itemType>
        <ns1:price>49.99</ns1:price>
        <ns1:quantity>1</ns1:quantity>
        <ns1:status>Initial</ns1:status>
        <ns1:ccType>Mastercard</ns1:ccType>
        <ns1:ccNumber>8765-8765-8765-8765</ns1:ccNumber>
      </ns1:PurchaseOrder>
    </soap:Body>
  </soap:Envelope>
Test with Wrong Password
* Repeat the same test but purposely use the wrong password welcome2
* Check that web service invocation fails.
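To make concrete what the two tests above exercise, here is an added example in Python; it is not part of the tutorial and not Oracle or OWSM code. The client side builds the SOAP request with the WS-Security UsernameToken header that the test page's WSS Username Token option adds around the PurchaseOrder body, and the service side mirrors what oracle/wss_username_token_service_policy enforces: a request with no token, an unknown user, or the wrong password (welcome2) is rejected before the composite runs, and on success the authenticated user and group memberships are returned for authorization and identity propagation. The UserStore, its PBKDF2 hashing, and every function name are assumptions standing in for the WebLogic realm; the OASIS namespace URIs are the standard WS-Security 1.0 values.

```python
"""Added example for this tutorial (not OWSM or Oracle code): build the
UsernameToken request the EM test page sends and enforce it the way the
service-side policy does. The user store is a constructed stand-in for the
WebLogic realm; nothing here talks to a real server."""
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# OASIS WS-Security 1.0: security header namespace and PasswordText type
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("wsse", WSSE_NS)

# The tutorial's PurchaseOrder body (the payload pasted into the test page).
PURCHASE_ORDER = (
    '<ns1:PurchaseOrder xmlns:ns1="http://xmlns.oracle.com/ns/order">'
    "<ns1:CustID>1111</ns1:CustID><ns1:ID>2121</ns1:ID>"
    "<ns1:productName>Bluetooth Headset</ns1:productName>"
    "<ns1:itemType>Electronics</ns1:itemType><ns1:price>49.99</ns1:price>"
    "<ns1:quantity>1</ns1:quantity><ns1:status>Initial</ns1:status>"
    "<ns1:ccType>Mastercard</ns1:ccType>"
    "<ns1:ccNumber>8765-8765-8765-8765</ns1:ccNumber></ns1:PurchaseOrder>"
)


def build_request(username, password, body_xml=PURCHASE_ORDER):
    """Client side: SOAP envelope whose header carries a wsse:UsernameToken
    with a PasswordText password, as the WSS Username Token option adds."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    security = ET.SubElement(header, f"{{{WSSE_NS}}}Security")
    token = ET.SubElement(security, f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE_NS}}}Username").text = username
    ET.SubElement(token, f"{{{WSSE_NS}}}Password", Type=PASSWORD_TEXT).text = password
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


class UserStore:
    """Stand-in for the WebLogic realm (assumption): salted PBKDF2 password
    hashes plus group membership, never the plaintext password."""
    ITERATIONS = 100_000

    def __init__(self):
        self._users = {}

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def add_user(self, name, password, groups=()):
        salt = os.urandom(16)
        self._users[name] = (salt, self._hash(password, salt), tuple(groups))

    def authenticate(self, name, password):
        """Return {'name', 'groups'} on success, None otherwise."""
        salt, digest, groups = self._users.get(name, (b"\0" * 16, b"", ()))
        candidate = self._hash(password, salt)  # hash even for unknown users
        if digest and hmac.compare_digest(candidate, digest):
            return {"name": name, "groups": groups}
        return None


def enforce_username_token_policy(request_xml, store, required_group=None):
    """Service side: the check the username-token service policy performs
    before the composite runs. Raises PermissionError on any failure."""
    root = ET.fromstring(request_xml)
    token = root.find(f"./{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/"
                      f"{{{WSSE_NS}}}UsernameToken")
    if token is None:
        raise PermissionError("no wsse:UsernameToken in the SOAP header")
    username = token.findtext(f"{{{WSSE_NS}}}Username")
    pw = token.find(f"{{{WSSE_NS}}}Password")
    # Only PasswordText is accepted in this example
    if not username or pw is None or pw.get("Type") != PASSWORD_TEXT:
        raise PermissionError("malformed UsernameToken")
    principal = store.authenticate(username, pw.text or "")
    if principal is None:
        raise PermissionError("authentication failed")  # welcome2 lands here
    if required_group and required_group not in principal["groups"]:
        raise PermissionError(f"{username} is not in {required_group}")
    return principal  # the identity the composite can propagate downstream


def check_request(request_xml, store, required_group=None):
    """Summarise the outcome as 'accepted:<user>' or 'rejected:<reason>'."""
    try:
        user = enforce_username_token_policy(request_xml, store, required_group)["name"]
        return "accepted:" + user
    except PermissionError as exc:
        return "rejected:" + str(exc)


def tutorial_store():
    """The realm as the tutorial leaves it: weblogic1 / welcome1 in Administrators."""
    store = UserStore()
    store.add_user("weblogic1", "welcome1", groups=("Administrators",))
    return store
```

Running `check_request(build_request("weblogic1", "welcome1"), tutorial_store(), "Administrators")` accepts the request, while the same call with welcome2 is rejected with "authentication failed", which is the failure the last test expects. Comparing the hash with `hmac.compare_digest` and hashing even for unknown names keeps the rejection path from leaking, through timing, whether the user exists or only the password was wrong.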