In this example SOA composite is consisted of a simple BPEL component which is exposed as Web service.
In order to protect the SOA composite from unauthorized access Oracle policy oracle/binding_permission_authorization_policy need to be applied the service of the SOA composite. This policy will ensure that the authenticated subject has the permission to access the resource specified in the policy. In Oracle the application policy defines the resource to be protected, the permission class which is used to check the permission. Here the permission class is: oracle.wsm.security.WSFunctionPermission. The application policy also associates the resource with the application role, user or group. So the only authenticated subject which belongs to the application roles can will be granted to permission to the resource.
The authenticated subject is the entity that has been authenticated. Thus before the authorization is applied the authentication is needed to apply first. So the authentication policy oracle/wss_username_token_service_policy is also required.
The user and group are defined in Oracle Weblogic Admin Console and the application policy and application role are defined in Enterprise Manager. The below diagram shows the the relationship:
Create the User and Group in Oracle Administrator Console
Login into Oracle Weblogic Administrator console.
Go to Security Realm->myrealm->Users and Groups->Users->New
Type in your user name and password and click on OK button.
Go to Security Realm->myrealm->Users and Groups->Groups->New
Select the group CustomerManager and add to chosen.
Click on OK button.
Create the Application Role in Enterprise Manager console
Login into Oracle Enterprise Manager console
Go to Farm_soa_domain->SOA and then right click on soa-infra and choose Security->Application Roles.
Click on Create... and then type in the group information.
In Members click Add...
Change the type as Group and then click Search button. Select the group: CustomerManager which is defined in Admin Console. Then click on OK button.
Click on Save button.
Create the Application Policy in Enterprise Manager console
Go to Farm_soa_domain->SOA and then right click on soa-infra and choose Security->Application Policies.
Click on Create...
Click on Grantee->Add
Search Principal with type as Application Role and select the application role: CustomerManagerRole and then click on OK button.
Click on Permissions->Add
Click on Continue button. Type in oracle.wsm.security.WSFunctionPermission in Permission Class.
and http://www.toic.com/customer/wsdl/UpdateCustomerService#update in Rescource Name and invoke in Permission Actions.
Click on Select button.
Click on OK button.
Add the policies to the service of SOA composite in JDeveloper
In JDeveloper right click on the service of the SOA composite and choose the menu item Configure WS Policies...
Click on add icon of Security to add
Choose oracle/binding_permission_authorization_policy and then click on OK button.
Do the same to add the oracle/wss_username_token_service_policy.
Then click on OK button.
Deploy the SOA composite to the SOA server.
Test the authorization using soapUI
The first message is the one with right user name and password: premium/welcome1 which is set up in Oracle Admin console.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:cus="http://www.toic.com/customer"> <soapenv:Header> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <wsse:UsernameToken> <wsse:Username>premium</wsse:Username> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">welcome1</wsse:Password> </wsse:UsernameToken> </wsse:Security> </soapenv:Header> <soapenv:Body> <cus:UpdateCustomerRequest> <cus:CustomerID>1234567</cus:CustomerID> </cus:UpdateCustomerRequest> </soapenv:Body> </soapenv:Envelope>The SOA composite will be successfully invoked. The response message comes back correctly without authorization error.
If the user name/password is changed to weblogic/welcome1 which is valid user set up in Oracle Weblogic Admin console. But this user doesn't belong to the application role which has the permission to invoke the SOA composite in the policy. Now the response message shows that the authorization is not successful.
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"> <env:Header/> <env:Body> <env:Fault xmlns:ns0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <faultcode>ns0:FailedAuthorization</faultcode> <faultstring>FailedAuthorization : failure in authorization</faultstring> <faultactor/> </env:Fault> </env:Body> </env:Envelope>
It is very good blog and useful for students and developer , Thanks for sharing
ReplyDeleteThanks for sharing this amazing blog
Oracle SOA Online Training Bangalore
Thanks for sharing the information on this blog. One question, in the Create Application Grant permission section, the resource name is : http://www.toic.com/customer/wsdl/UpdateCustomerService#update
ReplyDeleteWhat is this url ? Is this the end point of the SOA service that is exposed or something else?
az 104 exam questions
ReplyDeletescrum master exam questions
dp 900 exam questions
da 100 exam questions
Enjoyed every bit of your article post. Great.
ReplyDeleteSAP Grc training
SAP Grc online training
Wow, what an insightful article! I thoroughly enjoyed reading it. The way you explained those trading strategies was brilliant. Kudos to you! By the way, radhe exchange id seems like a promising platform to implement some of these tactics.
ReplyDeleteGo India Tour and Cabs leads in providing Taxi service in Jaipur that offers the most luxurious and reasonably priced taxi trips in world-class vehicles. We offer cab in Jaipur travel, outstation trips, weddings, corporate events, airport services, and sightseeing in Jaipur.
ReplyDeleteThis platform consistently delivers remarkable insights! Each blog post showcases a profound understanding and genuine enthusiasm for the subject matter. Keep up the outstanding work. Moreover, for an exhilarating experience, I recommend checking out Reddy Anna Club , an online investment platform that adds a thrilling dimension to your entertainment. Take a leap and discover where opportunity leads you!
ReplyDeletemt5 download apk
ReplyDeleteforex trading kya hai
ReplyDeleteWhat a breath of fresh air! Your enthusiasm and positivity are contagious. Thank you for spreading such good vibes!
ReplyDeleteApplying an authorization policy to a SOA composite enhances security by ensuring only authorized users can access specific services. Club Hosty provides guidance on implementing these policies effectively to safeguard your applications.
ReplyDelete