Security is a major concern when we expose our services to the external world. If a service is not secured, anyone can access it from the web and manipulate its data, so we must add security to any web service we expose externally.
In this post, I will show you how to secure an Oracle Service Bus (OSB) proxy service when we expose it to the external world.
We use OWSM policies to add security to the OSB proxy service. Here we use the username token policy, so the caller needs to pass user credentials to access the service. There are many other policies available in OWSM which we can apply to a proxy service, but for this post we will use only the username token policy, just to show how an OWSM policy is applied to a proxy service.
First create an OSB project. Add the required folders under it.
Inside the resource folder, import the SOA composite WSDL and XSD files. We will invoke this service from OSB.
Create a business service which invokes the SOA composite.
Create a proxy service based on the business service created above.
Now, to secure your proxy service, go to the “Policies” tab of the proxy service.
Select the “From OWSM Policy Store” radio button, as we are using an OWSM security policy.
Click the Add button to add the required OWSM policy.
Choose “oracle/wss_username_token_service_policy” from the list.
You will see the policy added to your proxy service, and your proxy is now secured.
Now we will see how to test this secured service.
We can test it in the following two ways.
- SOAP Security header
- OWSM client policy and CSF-key
Sometimes you may see the error below when you try to test the proxy service.
Error:
[OSB Security - OWSM: 387253] Failed to initialize Owsm Credential Manager. Please validate the Keystore Configuration.
See my next post for how to resolve this error.
Let’s discuss the options mentioned above one by one.
SOAP Security header
As the proxy service is secured with a username token policy, we need to pass user credentials in the SOAP header to call it.
Add the security header below inside the SOAP header.
<wsse:Security
    xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:UsernameToken>
    <Username>weblogic</Username>
    <Password>welcome1</Password>
  </wsse:UsernameToken>
</wsse:Security>
Once you have added the security header above inside the SOAP header, test your proxy service. You will see a successful response.
Request message
Response message
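The header above can also be generated instead of pasted by hand. The following Python code is an added example, not part of the original post: it builds the SOAP envelope with the same wsse:UsernameToken, lets the XML library escape special characters in the password, and refuses to post over plain HTTP because the password sits unencrypted in the header. The function names and the payload namespace urn:example:orders are assumptions made for illustration.

```python
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("wsse", WSSE_NS)


def build_envelope(username, password, payload):
    """Wrap payload (an Element) in a SOAP 1.1 envelope with a UsernameToken."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    security = ET.SubElement(header, f"{{{WSSE_NS}}}Security")
    token = ET.SubElement(security, f"{{{WSSE_NS}}}UsernameToken")
    # ElementTree escapes &, < and > in text, so any password stays well-formed.
    ET.SubElement(token, f"{{{WSSE_NS}}}Username").text = username
    ET.SubElement(token, f"{{{WSSE_NS}}}Password").text = password
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(payload)
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def read_token(envelope):
    """Return (username, password) from the header, as the receiving side would."""
    path = f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken"
    token = ET.fromstring(envelope).find(path)
    if token is None:
        raise ValueError("no wsse:UsernameToken in the SOAP header")
    return (token.findtext(f"{{{WSSE_NS}}}Username"),
            token.findtext(f"{{{WSSE_NS}}}Password"))


def post_envelope(url, envelope):
    """POST the envelope; the password is plain text in the header, so require TLS."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send a clear-text UsernameToken over plain HTTP")
    request = urllib.request.Request(url, data=envelope, headers={
        "Content-Type": "text/xml; charset=utf-8", "SOAPAction": '""'})
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.status, response.read()


if __name__ == "__main__":
    # Constructed sample payload; replace with the operation from your WSDL.
    payload = ET.Element("{urn:example:orders}getOrder")
    ET.SubElement(payload, "{urn:example:orders}orderId").text = "42"
    print(build_envelope("weblogic", "welcome1", payload).decode())
```

Running the file prints a complete envelope that can be pasted into the proxy service test console.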
OWSM client policy and CSF-key
Another way to test this proxy service is to add the client username token policy in the proxy service test console and assign to it a CSF-key which holds the user credentials.
First create a CSF-key; see my post on creating a CSF-key.
Once you have created the key, go to the proxy service test console. Add the username token client policy under the security section and provide the CSF-key name.
Test your proxy service; you will see a successful response.
Hi..
How can we achieve application level authentication in OSB?
Thanks in advance.
Hi,
If you are aware of or come across this, could you please tell how to move the wls policies to OWSM policy while upgrading the OSB domain from 11g to 12c.
Thanks.