Oracle Web Service Manager 11g

Oracle Web Service Manager 11g Component Level Role Authorization (in SOA Suite) March, 2012

Step-by-Step Instruction Guide Author: Prakash Yamuna Senior Development Manager Oracle Corporation

Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g

Table of Contents Use Case .................................................................................................................................................................................. 3 Description .......................................................................................................................................................................... 3 Objective ............................................................................................................................................................................. 4 Scenario............................................................................................................................................................................... 4 Policies Used ....................................................................................................................................................................... 4 Software Requirements .......................................................................................................................................................... 4 Prerequisites ....................................................................................................................................................................... 4 Verified Product Version ..................................................................................................................................................... 4 Potentially Applies to Product Version(s) ........................................................................................................................... 4 Download Main Page .......................................................................................................................................................... 4 Product URLs ....................................................................................................................................................................... 4 Step by Step Instructions ........................................................................................................................................................ 6 Create HelloWorldComposite Application ...................................................................................................................... 6 Build and Deploy HelloWorldComposite Application ................................................................................................... 16 Create SOA Component level Role based Authorization Policy.................................................................................... 22 Attach OOTB authentication policy to the SOA Service................................................................................................ 27 Test the Secured HelloWorldComposite App ............................................................................................................... 33 Attach Custom authorization policy to the SOA Component ....................................................................................... 39

Oracle Corporation | Component level Role authorization | Version 1.0

2


Use Case Description OWSM supports two types of authorization policies: 

Role based Authorization policies



Permission based Authorization policies

For SOA Composite Apps – OWSM supports authorization policies at two levels: 

At the SOA Web Service binding level ()



At the SOA component level ()

In general I would recommend the following when securing SOA: 

Attach authentication /message protection policies at the SOA Web Service binding level



Attach authorization policies at the SOA component level

There are two reasons for this recommendation: 

Messages can enter SOA via different bindings – ex: JCA bindings (, Events, etc – attaching the authorization policy at the SOA component level ensures that no matter which binding is used to reach the component – the authorization policy will be enforced.



If you want to leverage local optimization – there are a number of rules that determine if SOA local optimization will be enabled when a security policy is attached at the Web Service binding level. While I cannot get into the details of the local optimization rules in this How To – one thing to note is local optimization will be disabled if an authorization policy is attached at the web service binding level.

This How To focuses on how to secure a SOA Composite app using role based authorization policy at the SOA component, the steps outlined will be similar in nature for the SOA Web Service binding level as well. A few other caveats to note when using role based authorization for SOA. Currently as of the writing of this How To – OWSM does not support specifying Application Roles when securing SOA composite apps in the Role based authorization policy. This limitation is specific to SOA and does not apply for other type of services like ADF BC Web Services or WLS Web Services. From a terminology perspective – Enterprise Roles and Ldap Groups are identical and are used interchangeably. For the purposes of this How To – the Ldap Groups used for the Authorization Policy are those that ship with Weblogic. The steps would be identical, if Weblogic was wired to an external Ldap like Active Directory, etc. Also note that in this How To we will use the EM Web Service Tester page that ships with EM Fusion Middleware Control. However any other tool like SOAP UI can be used for testing purposes. Oracle Corporation | Component level Role authorization | Version 1.0

3


Objective To describe the steps required to Security SOA Composite Apps at the Component level with OWSM SOA component authorization policies.

Scenario Policies Used Service/Client

Policy

HelloWorldComposite HelloWorldComposite

oracle/wss_username_token_service_policy mycompany/soa_component_authorization_monitor_role_policy

Policy Type Service Service

Software Requirements Prerequisites # Product 1 Install SOA Suite 11.1.1.6 with JDeveloper

Download URL

Verified Product Version # Product 1 SOA Suite

Release Version 11.1.1.6

Potentially Applies to Product Version(s) # Product 1 SOA Suite

Release Version 11.1.1.4, 11.1.1.5, 11.1.1.6

Download Main Page http://www.oracle.com/technetwork/middleware/soasuite/downloads/index.html

Product URLs Product

URL

Login/Password


4


EM Fusion Middle Control

http://admin_host:admin_port/em

Weblogic Console

http://admin_host:admin_port/console

User: weblogic Password: welcome1 User: weblogic Password: welcome1


5


Step by Step Instructions At a high level we will perform the following in this How-To:       

Create a HelloWorldComposite Application using JDeveloper Build and Deploy the HelloWorldComposite application using EM Create a Custom Authorization Policy using EM Attach an Authentication Policy to HelloWorldComposite App using EM Test the secured HelloWorldComposite app using EM Web Service Tester page Attach the Custom Authorization Policy using EM Test the secured HelloWorldComposite app using EM Web Service Tester page.

Create HelloWorldComposite Application 1. To create the HelloWorld Composite Application -Select “New Application” from the “Application Navigator”.

Figure 1. Select "New Application" from the "Application Navigator"


6


2. This will launch the “New Application” Wizard. Provide the “Application Name” as HelloWorldCompositeApp and select “SOA Application” from the “Application Template” list as show in Figure 2. Click “Next” to proceed.

Figure 2. Create a SOA Application by choosing the appropriate template


7


3. Provide “Project Name” as HelloWorldComposite as show in Figure 3. In this project no other technologies are required so leave the “Selected” Project technologies as SOA. Click “Next” to proceed.

Figure 3. Project information for SOA Composite App.


8


4. JDeveloper provides some default templates for creating a composite application. In this How To – we will create a Composite with a BPEL Process. Select the “Composite with BPEL Process” as shown in Figure 4. Click “Finish” to complete the SOA Application creation steps.

Figure 4. Create a Composite with BPEL Process


9


5. This will launch the BPEL Process Creation dialog as shown in Figure 5. Select Template as “Synchronous BPEL Process”. Ensure “Expose as a SOAP service” is selected. These options will result in the creation of a Synchronous BPEL process exposing a web service endpoint. Click “OK” to finish the BPEL process creation.

Figure 5. BPEL Process Creation Dialog in JDeveloper


10


6. Once the synchronous BPEL Process is created add a BPEL Assign Activity by selecting “Assign” activity from the “Activities” sub-section under the “BPEL Constructs” section on the right hand side and add it in between the “receiveInput” and the “replyOutput” nodes as show in Figure 6.

Figure 6. Synchronous BPEL Process exposed as Web Service

7. After adding the “Assign” activity, double click on the “Assign” activity node to edit the Assign activity. This will open a dialog box as shown in Figure 7.


11


Figure 7. BPEL Edit Assign Activity Dialog

8. Expand the “outputVariable” on the right hand side of the dialog and double click on “client:result” field as shown in Figure 8. Upon double clicking this will launch the “Expression Builder” dialog as show in Figure 9.

Figure 8. Expand the output variable to launch the Expression Builder.


12


Figure 9. Expression Builder Dialog

Note: JDeveloper based on the selections we had done previously creates by default a composite app that takes a single argument (of type String) as input and returns a single value (of type String) as output.


13


9. We construct a simple by selecting the “concat()” function from the list of pre-built String functions that are available in SOA. This is show in Figure 10. Hit “OK” to dismiss the “Expression Builder” dialog.

Figure 10. Using the concat function in BPEL Expression Builder


14


10. The previous steps will result in an automatic Copy Rule being created where in the expression that was created in Figure 10 is assigned to the output payload as shown in Figure 11.

Figure 11. Copy Rule in the Assign Activity


15


Build and Deploy HelloWorldComposite Application 1. Make or Build the Composite Application and ensure there are no compilation failures. To Build the Composite Application – “right click” on the HelloWorldComposite Project and click on “Make HelloWorldComposite.jpr” as show in Figure 12.

Figure 12. Build the Composite Application

2. There are many ways to deploy the Composite Application but in this How To we will create a jar for the HelloWorldComposite application. To create a jar “Right Click” on the HelloWorldComposite project and click on Deploy from the Menu; Figure 13 - Figure 16 show the steps for creating a jar (SAR) for the HelloWorldComposite app. Oracle Corporation | Component level Role authorization | Version 1.0

16


Figure 13. Steps to create a jar for the HelloWorld Composite app


17


Figure 14 Select the SAR option to create a jar

Figure 15. Steps for creating a jar for HelloWorld Composite App


18


Figure 16. Final step in the creation of jar for HelloWorld Composite app

3. Once the jar is created we will use EM to deploy the composite app. To deploy the Composite application Oracle Corporation | Component level Role authorization | Version 1.0

19




Log into EM



Expand the SOA folder on the Left Hand navigation tree.



Click on “soa-infra” on the Left Hand tree. The Right hand panel is updated. Now click on “SOA Infrastructure” this will open a menu.



Select “SOA Deployment” and “Deploy” from the menu as shown in Figure 17.

Figure 17. Deploying HelloWorld Composite app from EM


20


4. This will launch the SOA Composite Deployment wizard. Browse the local file system to select the jar to deploy by created in Figure 16 as shown in Figure 18. Click “Next” to proceed.

Figure 18. Selecting HelloWorldComposite archive in EM

5. In the sample topology there is only one target and so there are no choices. Select the partition to deploy the composite app. SOA ships will a “default” partition out of the box. Select the default partition (Note: It is a Oracle Corporation | Component level Role authorization | Version 1.0

21


mandatory field) as show in Figure 19. Click “Next” to proceed. Leave the defaults as show in Figure 20 on the confirmation page and click on “Deploy” to finish deployment.

Figure 19. Target Selection for HelloWorldComposite

Figure 20. HelloWorldComposte deployment via EM Confirmation page

Create SOA Component level Role based Authorization Policy 1. Search for policies that can be applied to SOA Component. Oracle Corporation | Component level Role authorization | Version 1.0

22


Figure 21. Search for SOA Component Authorization policies

2. Make a Copy of the OOTB Authorization policy using the “Create Like” feature as shown in Figure 22.


23


Figure 22. Make a Copy of the OOTB Authorization Policy using "Create Like"

3. Name the Policy appropriately as show in Figure 23.


24


Figure 23. New SOA Component Authorization Policy

4. Select the Role in the settings tab of the Policy. You do this by clicking on the “settings tab” for the Authorization assertion and selecting the “Selected Roles” radio button as shown in Figure 24. Oracle Corporation | Component level Role authorization | Version 1.0

25


Figure 24. Select a Role as part of the creation of the new Authorization Policy

5. You can add the Role by clicking on the “Add” button in Figure 24. This will launch a “Add Role” dialog box as shown in Figure 25. In this example – the “Monitor” role has been selected.


26


Figure 25. Selecting the Monitor role to add to the Authorization policy

Click “OK” on the diaglog in Figure 25, after adding the role click on the “Save” button to save the policy.

Attach OOTB authentication policy to the SOA Service 1. Before we can attach the Custom Authorization Policy created in the previous steps to the SOA Component, we need to secure the HelloWorldComposite with an authentication policy. For this How-To we will use the “oracle/wss_username_token_service_policy”. Go to the HelloWorldComposite Dashboard page as shown in Figure


27


26. In Figure 26 we have Service “bpelprocess1_client_ep” of type Web Service. Click on the “bpelprocess1_client_ep” to navigate to the Service Dashboard page as shown in Figure 27.

Figure 26. HelloWorldComposite Dashboard page in EM.


28


Figure 27. Service Dashboard page for HelloWorldComposite in EM


29


2. Click on the “Policies” Tab. This will show polices attached to the Service. Click on the “Attach/Detach” button to a launch the Policy Attachment Dialog as show in Figure 28. The Policy Attachment Dialog is show in Figure 29.

Figure 28. Launching OWSM Policy Attachment Dialog in EM for SOA Service

3. In the Policy Attachment Dialog in Figure 29, select “Name” as the search criteria and enter “username” and click on the button next to it to search. Select “oracle/wss_username_token_service_policy” and click on the “Attach” Oracle Corporation | Component level Role authorization | Version 1.0

30


button. Click on “OK” button to finish the policy attachment. Figure 30 shows the results of attaching the oracle/wss_username_token_service_policy.

Figure 29. Selecting oracle/wss_username_token_service_policy


31


Figure 30. Result of attaching the oracle/wss_username_token_service_policy

A few things to note: 

Starting with PS5 - we now show the security status as seen in Figure 30



Starting with PS5 – we now show the overall validity of the policy attachments.


32


Test the Secured HelloWorldComposite App To test the HelloWorldComposite – navigate to the HelloWorldComposite Dashboard page and click on the “Test” button as shown in Figure 31. This will launch the Web Service Tester page that ships with EM as shown in Figure 32

Figure 31. Testing HelloWorldComposite


33


Figure 32. EM Web Service Tester page

We will do a quick negative test by not providing any authentication information. Enter “Negative World” in the “input” field as show in Figure 33 and click on “Test Web Service” button. This will result in an Error dialog as shown in Figure 34.


34


Figure 33. Provide Inputs for testing HelloWorldComposite


35


Figure 34 Results of Negative Testing

Now perform a positive test by providing the authentication information as shown in Figure 35. You can provide the authentication information by expanding the “Security” section. Enter the following information for the fields show in


36


Figure 35. Select an appropriate policy from the “Compatible Client Policies” list. (Note: This is important if a policy is not selected then no security information will be sent and thus may result in failures). Username: weblogic Password:weblogic1 Click “Test Web Service” button to test. This should result in a successful response from the HelloWorldComposite as show in Figure 36

Figure 35. Testing oracle/wss_username_token_service_policy using EM Web Service Tester

Note: Username/password will vary by deployment. Provide username/password that is appropriate for your deployment. Oracle Corporation | Component level Role authorization | Version 1.0

37


Figure 36. Response from HelloWorldComposite

Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy, we will now secure it with the Custom Authorization policy that was created previously.


38


Attach Custom authorization policy to the SOA Component 1. Go to the SOA Composite you want to secure with this Authorization Policy. In the SOA Composite page click on the Component as shown in Figure 37. In Figure 37 we have a “HelloWorldComposite” that has a “BPELProcess1” SOA Component.

Figure 37. Attaching OWSM Policy to SOA Component

2. Click on the Policies tab for the SOA Component. In this example the SOA Component is called “BPELProcess1” as shown in Figure 38. Oracle Corporation | Component level Role authorization | Version 1.0

39


Figure 38. Attaching Policies to a SOA Component.


40


3. On the Policies tab click on “Attach/Detach” button as shown in Figure 39. Select the newly created Authorization Policy.

Figure 39. Selecting the Policy to attach.


41


4. Once done selecting the policy to attach. Click “OK” in Figure 39. You have completed the process of attaching an Authorization Policy to a SOA Component. Figure 40 shows the results of attaching the custom authorization policy.

Figure 40. Policies attached to a SOA Component


42


5. Test the HelloWorldComposite from the EM Web Service Tester page. Provide the credentials as weblogic/welcome1 as shown in Figure 41.

Figure 41. Negative Authorization Test with correct credentials.


43


Notice that even though the credentials weblogic/welcome1 is correct the test fails as shown in Figure 42.

Figure 42. Negative Authorization Test Response


44


6. In order to perform a positive authorization test – we need to add the weblogic user to the Monitor role. In order to do this – we first need to log in to Weblogic Console. Click on “Security Realms” on the Left Hand Domain Structure Tree as show in Figure 43.

Figure 43. Navigating to the Security Realms in Weblogic Console


45


7. Weblogic ships with a default realm called “myrealm”. Click on “myrealm” as show in Figure 44.

Figure 44. List of Security realms


46


8. Click on the “Users and Groups” tab under “myrealm” as shown in Figure 45. Figure 46 shows the default set of users that ship with Weblogic. In this case the users are “weblogic” and “OracleSystemUser”.

Figure 45. "myrealm" General tab


47


Figure 46. Default set of users that ship with Weblogic


48


9. Click on “weblogic” user in Figure 46 and then click on the “Groups” tab for the user “weblogic”. This shows the default group membership for “weblogic” as shown in Figure 47. As we can see “weblogic” is not part of the “Monitor” group.

Figure 47. Default Group membership of user "weblogic"


49


10. Add the “Monitor” group from the Parent Groups Available in Figure 47. The result is that the “weblogic” user is now a member of both “Administrators” and “Monitor” group as shown in Figure 48 and click “Save”.

Figure 48. Make "weblogic" user a member of "Monitor" group.

11. Now go back to the EM Web Service Tester page and test the HelloWorldComposite app. Note: You may need to start the weblogic server for changes to take effect Oracle Corporation | Component level Role authorization | Version 1.0

50


Oracle Web Services Manager March 2012 Author: Prakash Yamuna Oracle Corporation World Headquarters 500 Oracle Parkway Redwood Shores, CA 94065 U.S.A. Worldwide Inquiries: Phone: +1.650.506.7000 Fax: +1.650.506.7200 oracle.com

Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. 0109


51