OSB-12C : Security : OWSM use-case

Tapan Hegde
Oct 20, 2021


Security is one of the main aspects of developing any service, and services are no different from regular web applications in this respect. Service Bus supports open industry standards for ensuring the integrity and privacy of communications and for ensuring that only authorized users can access resources in a Service Bus domain. It uses the underlying WebLogic security framework as the building block for its security services.

Service Bus uses Oracle Platform Security Services (OPSS) and Oracle Web Services Manager (OWSM) as the building blocks for higher-level security services including authentication, identity assertion, authorization, role mapping, auditing, and credential mapping. In order to configure Service Bus access security, you must first configure Oracle WebLogic Server security. Service Bus uses OWSM to provide a policy framework to manage and secure web services consistently across your organization.

In this post, you will use the oracle/wss_username_token_service_policy policy to secure a proxy service.

Use case:
* Create an HTTP-based proxy and attach the OWSM policy to it.
* Create the relevant user and group in the server.
* Assign the group to the user.
* Assign the group created in the server to the proxy service.
* Test the proxy service from SoapUI by passing the username and password in the SOAP header.

Create a new project and name it ‘OWSM_Policy_UseCase’. Along with this, create the folder structure as shown below.

For testing purposes, we have created sample XSDs and a WSDL and placed them inside the ‘Resources’ folder.

CustomerRequest.xsd /CustomerResponse.xsd

CustomerInfo.wsdl

Create a new pipeline from a template and name it ‘OWSM_Policy_EnabledProxyService’. As we have selected the ‘From Template’ option, generic stages like Start Inbound and the generic error handler are pre-defined in the code.

As the screenshot shows, we used a template while creating the proxy service so that we did not have to create generic stages like Start Inbound and Generic Error Handler ourselves.

If you want to learn about template reusability in OSB 12c, click the link below.

http://pebblesofosb.blogspot.in/2017/05/osb-12c-template-reusability.html

Select ‘Customer Info’ wsdl from defined location.

In the pipeline pair, add a new stage with an ‘Assign’ activity to save the incoming body in a variable called ‘$incomingRequest’.

Next, add an ‘IF’ condition and specify the expression below.
Here we are checking whether the value of ‘ID’ passed in the request is ‘ABC123’.

data($incomingRequest/exam:CustomerDetails/exam:ID)="ABC123"

If the ‘IF’ condition passes, replace the body with the success response as shown below.

Deploy the service into weblogic server. Once deployment is successful, we can locate service in sbconsole.

Next, to make the proxy service secure, we need to attach the preferred OWSM policy to it. Below are the steps to attach a policy to the proxy service.

Note: In this case we are using the simple policy ‘oracle/wss_username_token_service_policy’ for testing purposes.

You can use any policy as per your project requirements.

Start a session in sbconsole by clicking the ‘Create’ button.

Select ‘Policies’ option in proxy service and then select ‘From OWSM Policy Store’ option.

Click on ‘Upin’ icon at right hand side in order to select and attach policy. Refer below image.

We can see a list of policies from the OWSM policy store which can be attached to the proxy service. We need ‘oracle/wss_username_token_service_policy’, so specify the name of this policy in the search tab and attach it.

Save the changes and activate the session in order to commit the changes.

Next we need to create a ‘user’ [BTPocUser] and a ‘group’ in the server, and give this user access to this particular project or proxy. Any user other than this one who tries to access the project will get an error.

Below are the steps for creating the user and group in the WebLogic console.

In ‘Environment’ tab select ‘Security Realms’.

Click on ‘myrealm’ option

Next click on ‘Users and Groups’ in my realm.

In ‘Users and Groups’ click on ‘Users’ tab and select ‘New’ in order to create new user.

Home -> Security Realms -> myrealm -> Users and Groups -> Users

Specify ‘User’ name and password. Here in this test case we have created user by name ‘BTPocUser’.

Username: BTPocUser

Password: weblogic123

Similarly create group and assign this group to ‘BTPocUser’.

Home -> Security Realms -> myrealm -> Users and Groups -> Groups

Group Name: BTPocGroup

Next we need to assign ‘BTPocGroup’ to ‘BTPocUser’.

Click on user ‘BTPocUser’ and select ‘Groups’ option.

Select ‘BTPocGroup’ from list and add this to user. Refer below screenshot.

Click on ‘Save’ to save the changes made at server.

Next we need to assign ‘BTPocGroup’ to the proxy service in order to link it with the group created in the server.

Below are the steps to assign ‘BTPocGroup’ to the proxy service.

Start a session in sbconsole by clicking the ‘Create’ button.

Select ‘Security Settings’ in proxy service and click on ‘execute’ operation in ‘Message Access Control’.

A new window will pop up; specify ‘BTPocGroup’ as the ‘Group Argument Name’.

Note: This Group Argument Name must be the same as the group name created in the server.

Click on ‘Add’. Once Group is added, click on ‘Finish’ button.

We can see that ‘BTPocGroup’ is added to proxy service. Click on ‘Save’ button in order to commit changes.

Now we need to test this service by passing the username and password in the SOAP envelope header.

Here we have used SoapUI to test the service.

Below are the screenshot and the sample request structure.

Sample Request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:exam="http://www.example.org">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken wsu:Id="Id-0001427873415141-0000000076fdd541-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:Username>BTPocUser</wsse:Username>
        <wsse:Password>weblogic123</wsse:Password>
        <wsu:Created>2015-04-01T07:30:15Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <exam:CustomerDetails>
      <exam:Name>tapan</exam:Name>
      <exam:ID>ABC123</exam:ID>
    </exam:CustomerDetails>
  </soapenv:Body>
</soapenv:Envelope>

Sample Response:

<soapenv:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Header xmlns:exam="http://www.example.org"/>
  <env:Body xmlns:exam="http://www.example.org">
    <FinalResponse>
      <Status>OWSM Policy enabled service tested successfully.</Status>
    </FinalResponse>
  </env:Body>
</soapenv:Envelope>

Similarly, we need to test the fault cases.

Pass any username other than ‘BTPocUser’.

E.g.: Here we are passing the username ‘TestPocUser’, which is not configured in the server.

As the screenshot shows, passing a wrong username results in an error like “OSB-386200: General web service security error”.

The above test cases confirm that we can secure a proxy service by enabling and using an OWSM policy.
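The success and fault tests above can also be scripted instead of clicked through in SoapUI. The following is an added example, not code from the original post: it builds the same UsernameToken request with a fresh timestamp and classifies the proxy's reply. The function names are hypothetical, the fault envelope is constructed around the error text quoted above, and no endpoint is contacted.

```python
# Added example, not from the original post. Runs offline; no endpoint is contacted.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EXAM = "http://www.example.org"
for _prefix, _uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU), ("exam", EXAM)):
    ET.register_namespace(_prefix, _uri)

# Success body as in the post (envelope condensed); the fault envelope is constructed
# for this example around the OSB-386200 message the post quotes (faultcode is assumed).
SAMPLE_OK = (f'<soapenv:Envelope xmlns:soapenv="{SOAP}"><soapenv:Body><FinalResponse>'
             "<Status>OWSM Policy enabled service tested successfully.</Status>"
             "</FinalResponse></soapenv:Body></soapenv:Envelope>")
SAMPLE_FAULT = (f'<soapenv:Envelope xmlns:soapenv="{SOAP}"><soapenv:Body><soapenv:Fault>'
                "<faultcode>soapenv:Server</faultcode>"
                "<faultstring>OSB-386200: General web service security error</faultstring>"
                "</soapenv:Fault></soapenv:Body></soapenv:Envelope>")

def build_request(username, password, name, customer_id):
    """Build the request from the post with a fresh wsu:Created timestamp.
    The password is sent as plain text, so post it over HTTPS only."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    token = ET.SubElement(ET.SubElement(header, f"{{{WSSE}}}Security"), f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    ET.SubElement(token, f"{{{WSSE}}}Password").text = password
    created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.SubElement(token, f"{{{WSU}}}Created").text = created
    customer = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), f"{{{EXAM}}}CustomerDetails")
    ET.SubElement(customer, f"{{{EXAM}}}Name").text = name
    ET.SubElement(customer, f"{{{EXAM}}}ID").text = customer_id
    return ET.tostring(env, encoding="utf-8")

def classify_response(xml_text):
    """Return ('ok', status), ('fault', faultstring) or ('unexpected', '')."""
    body = ET.fromstring(xml_text).find(f"{{{SOAP}}}Body")
    if body is None:
        return "unexpected", ""
    fault = body.find(f"{{{SOAP}}}Fault")
    if fault is not None:
        return "fault", (fault.findtext("faultstring") or "").strip()
    status = body.findtext("FinalResponse/Status")
    return ("ok", status.strip()) if status else ("unexpected", "")
```

A regression check for the policy posts one request built with the ‘BTPocUser’ credentials and one with an unconfigured user, then expects 'ok' for the first and 'fault' for the second.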
