Thursday, October 27, 2011

Oracle SOA 11g : Securing and Calling Secured Web Services (Example)

In Oracle Fusion Middleware 11g, Oracle Web Services Manager (WSM) security and management has been completely redesigned and re-architected. In the previous release, Oracle WSM 10g was delivered as a standalone product or as a component of the Oracle SOA Suite. In the 11g release, Oracle WSM is integrated with Oracle WebLogic Server as part of the Oracle Fusion Middleware SOA Suite.

In this post, I will explain how the WSM integration can be used to secure a composite, and how to invoke a secured composite/web service. To accomplish this, let's create two composite projects:

- Child Process (secured composite): This composite has a simple BPEL project that accepts a string and returns the same string with "Hello " appended.

- Parent Process (unsecured composite calling the Child Process): This composite has a BPEL process that accepts the string, invokes the Child Process passing the input string, and returns the output of the Child Process back to the calling interface.

I am skipping the development of the child and parent processes/composites, since they are very simple, and will detail how to configure the policies below:

Child Process:

Step 1: Open composite.xml, right-click the exposed service and choose "Configure WS Policies", as shown below:


Step 2: You can configure the whole policy pipeline, but for the sake of simplicity I will only configure Security, using the "oracle/wss_username_token_service_policy" policy as shown below:


Step 3: Deploy the composite and test it from the EM console. Remember that the composite is now secured and requires a UsernameToken in the SOAP header, as below:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1"
                   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                          wsu:Id="UsernameToken-FvmfJSSMf71Q3Z9gn4chiQ22"
                          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:Username>weblogic</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">welcome1</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body xmlns:ns1="http://xmlns.oracle.com/SecurityApplication_jws/ChildProcess/SecuredSvc">
    <ns1:process>
      <ns1:input>Neeraj</ns1:input>
    </ns1:process>
  </soap:Body>
</soap:Envelope>

Either edit the SOAP message as above in the XML view, or use the WSS Username Token option under the Security configuration, as shown below:
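As an added example (my own code, not from the post or from Oracle), here is a small Python helper that builds the same envelope for the Child Process, taking the credentials from environment variables OWSM_USERNAME and OWSM_PASSWORD (names I chose) rather than hard-coding them, plus a parser that pulls the UsernameToken back out, which is the first thing the service policy has to do before it can check the credentials against WebLogic:

```python
import os
import xml.etree.ElementTree as ET

# Namespace URIs exactly as they appear in the envelope above.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
CHILD_NS = "http://xmlns.oracle.com/SecurityApplication_jws/ChildProcess/SecuredSvc"
for prefix, uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)  # ElementTree picks its own prefix for CHILD_NS

def credentials_from_env():
    """Read the token credentials from OWSM_USERNAME / OWSM_PASSWORD (variable
    names chosen here) instead of hard-coding them in the client."""
    return os.environ["OWSM_USERNAME"], os.environ["OWSM_PASSWORD"]

def build_request(username, password, text):
    """Build the envelope the secured child composite expects: a mustUnderstand
    wsse:Security header carrying a PasswordText UsernameToken, then the process body."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    hdr = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(hdr, f"{{{WSSE}}}Security", {f"{{{SOAP}}}mustUnderstand": "1"})
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken", {f"{{{WSU}}}Id": "UsernameToken-1"})
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": PASSWORD_TEXT}).text = password
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    proc = ET.SubElement(body, f"{{{CHILD_NS}}}process")
    ET.SubElement(proc, f"{{{CHILD_NS}}}input").text = text
    return ET.tostring(env, encoding="unicode")

def extract_username_token(envelope_xml):
    """Locate the token the way wss_username_token_service_policy must before it can
    check the credentials. Returns (username, password, password_type), or None when
    the token is absent, which is the request the service policy rejects."""
    root = ET.fromstring(envelope_xml)
    tok = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if tok is None:
        return None
    pwd = tok.find(f"{{{WSSE}}}Password")
    return (tok.findtext(f"{{{WSSE}}}Username"),
            None if pwd is None else pwd.text,
            None if pwd is None else pwd.get("Type"))

if __name__ == "__main__":
    user, pwd = credentials_from_env()
    print(build_request(user, pwd, "Neeraj"))
```

Because the policy uses the PasswordText type, the password travels in the message as plain text, so the endpoint should only be reached over HTTPS.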


Parent Process:

Step 1: Open composite.xml, right-click the external reference (Child Process) and choose "Configure WS Policies". Select the "oracle/wss_username_token_client_policy" policy under Security.

Step 2: Open composite.xml in Source view and add the following properties under the <reference> tag, as below:

<reference name="SecuredBPEL"
  :
  :
  <wsp:PolicyReference URI="oracle/wss_username_token_client_policy"
                       orawsp:category="security" orawsp:status="enabled"/>
  <property name="weblogic.wsee.wsat.transaction.flowOption"
            type="xs:string" many="false">WSDLDriven</property>
  <property name="oracle.webservices.auth.username" type="xs:string"
            many="false" override="may">weblogic</property>
  <property name="oracle.webservices.auth.password" type="xs:string"
            many="false" override="may">welcome1</property>
  </binding.ws>
</reference>

Make sure the username and password are the same as those configured in the WebLogic Server.

Step 3: Test the Parent process; it should now be able to invoke the secured Child process.

A few things to note:

1. All of the above policy configuration can also be done at runtime from the EM console, without doing anything at design time.

2. In the above example we hard-coded the username/password at development time; they should be made configurable as described below:

- Go to the EM console, right-click ParentProcess -> Service/Reference Properties -> PartnerLink, and enter the username and password for the Child service in the screen below.

8 comments:

Unknown said...

I was looking for a simple example as here. Thanks for the Efforts :)

Anonymous said...

Good One

I did the same without adding the properties and it works.

Any Idea why it works?

weblogic
password

Olubisi said...

Hi,

What about calling a web service that's not secured using WS-Security but HTTP authentication?
I can't even get JDeveloper to download the WSDL. It keeps raising a 401 Unauthorized error.

Anonymous said...

JDeveloper fails to load the WSDL; it throws a 401 Unauthorized error.
How to configure a web service adapter for a WSDL protected by username/password?

Unknown said...

That was simple and good. Thanks

Anonymous said...

property name="oracle.soa.two.way.ssl.enabled"

Binh Nguyen said...

Thanks, nice tips
