| Oracle® SOA Suite Developer's Guide 10g (10.1.3.1.0) Part Number B28764-01 |
|
|
View PDF |
| Oracle® SOA Suite Developer's Guide 10g (10.1.3.1.0) Part Number B28764-01 |
|
|
View PDF |
|
Note: This section illustrates a specific use case for providing web services security with Oracle Web Services Manager. It does not provide comprehensive details about Oracle WSM product features and capabilities. |
In the SOA Order Booking Application, an Oracle Web Services Manager server agent can be deployed to enforce authentication by verifying the customer's user name and password against an LDAP repository, with Identity Management infrastructure like Oracle Access Manager or SiteMinder, or by means of a simple file-based repository.
Figure 10-2 shows how an Oracle Web Services Manager agent can be utilized for this purpose in the demo application. The agent intercepts requests from Oracle BPEL Process Manager clients to the web service. It extracts the client credentials and verifies the customer's user name against data contained in an operating system file.
Figure 10-2 Authentication with Oracle Web Services Manager
|
Note: The use of an agent illustrates just one approach for performing this task with Oracle Web Services Manager. For a comparison of agents and gateways, see Section 10.2.1, "When to Use Agents or Gateways". |
|
See Also: The Oracle Web Services Manager Administrator's Guide for details about Oracle Web Services Manager's authentication capabilities |
The general steps to provide user name authentication are:
Register an Oracle Web Services Manager server agent.
Define the policy set for the server agent.
The policy set dictates the specific security and management steps that Oracle Web Services Manager will enforce.
For test environments, set up a file-based repository of user credentials.
The example in this use case utilizes a file repository.
Install the server agent as a J2EE agent.
Configure the Credit Validation Service web service agent in Application Server Control Console.
Test the authentication.
Configure the Oracle BPEL Process Manager process to send the username token, which is validated by the Oracle Web Services Manager server agent.
You use the Web Services Manager Control Console to define Oracle Web Services Manager components such as server agents. The server agent acts as an enforcement point for security policies.
To configure a server agent component in Oracle Web Services Manager:
Point your browser to the Web Services Manager Control Console and log in using your single sign-on user name and password.
The Web Services Manager Control Console is accessed with a URL of the form:
http://<hostname>:port_number/ccore
For example:
http://itapps.globalcompany.com:8888/ccore
Click Add New Component.
On the Add New Component page, define:
Component name
Component type
Container type
Figure 10-3 shows how a server agent named the Authentication Agent is defined:
Note that the component type is Server Agent.
Click Register. A confirmation page appears, as shown in Figure 10-4:
Make a note of this unique component ID for later use, and click OK.
The new agent appears in the list of components.
When you register an agent, Oracle WSM adds it to the server system registry. It also assigns a unique component ID to the agent, identifying it for all actions across your deployment.
A policy set consists of the explicit security and management policies that are to be implemented at a server agent. Oracle Web Services Manager offers a large selection of policy steps that can be combined as appropriate for specific security tasks.
For example, the Credit Validation Service can be protected by defining a policy set for the server agent consisting of:Oracle Web Services Manager
A policy step to extract credentials contained in the SOAP security headers
A policy step to authenticate the credentials
These policy steps must be defined at the agent's request pipeline.
You use the Web Services Manager Control Console to define the desired policies for the agent. After selecting the agent of interest, you can choose whether to update the default policy or add a new policy. Next, define one or more policy steps for the selected policy.
To define the policy set for the server agent:
At the Web Services Manager Control Console, click Policy Management, then click Manage Policies.
In the component list, select the agent for which the policy set is to be defined, and click Policies.
The policy set for the agent is displayed.
Oracle Web Services Manager provides a default policy for each agent or gateway component, and you have the ability to add additional policies to implement additional policy controls.
Click the Edit icon for the Default Policy. The Policy Definition page appears. Figure 10-5 shows the default policy pipeline for Authentication Agent:
The Web Services Manager Control Console displays the current contents of the policy, namely the steps in the Pre-Request, Request, Response, and Post-Response pipelines. A log step is enabled for the Request and Response pipelines by default.
In the request pipeline, implement credential authentication following the Log policy step. Click Add Step Below.
A box appears at the appropriate location, allowing you to select a policy step as shown in Figure 10-6:
Select Extract Credentials from the list, and click OK.
The Policy Definition page reappears, showing the newly added Extract Credentials step.
Click Configure to define the properties for the Extract Credentials step, as illustrated in Figure 10-7:
On the Configure Step page shown in this figure:
The Enabled property is set to true by default.
The credentials location is set to WS-BASIC.
The WS-BASIC location indicates that credentials are to be extracted from the standard UsernameToken as specified in the WS-I Basic Security Profile.
Click OK.
The Policy Definition page reappears.
To add the second step for credential authentication, in the Extract Credentials row, click Add Step Below.
In the New Step box, select the step template named File Authenticate, and click OK.
The request pipeline steps are displayed, and File Authenticate appears as the last step in the pipeline as shown in Figure 10-8:
To define properties for the new step, click Configure in the File Authenticate row.
The Configure Step page appears, as shown in Figure 10-9:
Define these properties for the step:
Specify C:\admin\.htpasswd as the Passwd (password) file location.
Select md5 as the .htpasswd file format.
|
Note: The step is enabled by default. |
Click OK to complete the step definition. The Policy Definition page reappears.
Click Next to return to the policy page.
Click Save to save the step definitions.
Click Commit on the Policy Set page.
After you define one or more policies and their respective policy steps, they do not take effect immediately. You can continue to update or amend the policy configuration for the agent as needed, for example, by adding more policy steps to a policy pipeline. Once you are satisfied with the step definitions that have been saved, the agent's policy set is displayed as in Figure 10-10:
"Commit Policy" appears in red on the page, and the Oracle WSM Policy Manager is not updated with the new information until you click Commit. Once this is done, the component's policy set becomes effective, and remains in effect until subsequent changes are made and committed.
In the previous step, Section 10.3.3, "How to Define the Policy Set for the Server Agent", a File Authenticate step was configured. As noted there, file-based authentication is typically used in test environments.
The format of the credential file is the same as the .htpasswd file format used by the Apache Web server. The password can be encoded in four forms: MD5, SHA1, plain text, or some mix of the three forms.
To set up a file with user credentials:
Use a text editor such as Notepad or vi to create the file. Add a single user name entry to the file, for example:
bill:
Save and close the file.
Use the Oracle WSM command-line tool, found at ORACLE_HOME\owsm\bin\wsmadmin, to complete the file.
The command syntax is:
wsmadmin md5encode user_name password htpasswdfile
For example:
C:\OracleAS_1\wsmadmin md5encode bill billspwd .htpasswd
See the Oracle Web Services Manager Deployment Guide for details.
The server agent must be installed as a J2EE agent. Oracle Web Services Manager provides the wsmadmin command-line Oracle Web Services Manager tool Oracle Web Services Manager for a number of administrative tasks, including agent registration.
To install the server agent as a J2EE agent:
At a Oracle Web Services Manager command prompt, navigate to the bin directory of the Oracle Web Services Manager component within your Oracle SOA installation. For example:
ORACLE_HOME\owsm\bin
Using a text editor, edit the agent.properties file.
For the agent.component.id, insert the Component ID of the server agent that was registered. Figure 10-11 provides an example:
Save the file.
At the command prompt, run the installAgent command:
ORACLE_HOME\owsm\bin\wsmadmin installAgent Oracle-AS-password
where Oracle-AS-password is the OC4J administrator password.
The command is executed to build and install the J2EE server agent, as shown in Figure 10-12:
You must enable the Oracle Web Services Manager agent, Oracle Web Services Manager and associate it with the Oracle WSM Server Agent.
To Configure the web services Agent in Enterprise Manager:
Begin at the Oracle Enterprise Manager 10g Application Server Control Console home page.
Under Members, click the home link.
Click Web Services. The list of web services is displayed.
Click the link for the ValidateCreditCardServiceSoapHttp web service. The main page for the service is displayed, as illustrated in Figure 10-13:
Click the Administration link to display the management features available for this web service, as shown in Figure 10-14:
To enable the web services Agent feature, click Enable/Disable Features. The list of available features appears.
Move Web Services Agent to the Enabled Features list, as shown in Figure 10-15:
Click OK. The Web Service:ValidateCreditCardServiceSoapHttp page reappears, with the web services Agent enabled
Note the confirmation message at the top of the page.
The final configuration step involves associating the component ID for the Oracle Web Services Manager Server Agent with this web service agent.
On the ValidateCreditCardServiceSoapHttp web service management features page, shown in Figure 10-14, click the Edit Configuration icon for the Web Services Agent.
The Edit Web Services Agent Configuration page appears.
In the Configuration Directory box, enter the component ID of the Oracle Web Services Manager Server Agent, as shown in Figure 10-16:
Click OK. A confirmation is displayed on the web service management features page.
Configuring the web services agent in Application Server Control makes the Oracle WSM Server Agent known to the application server. The integration of Oracle WSM in the Oracle SOA Suite enables you to configure this management information simply by supplying the agent's Oracle WSM component ID. Note that the management information is completely separate from the web service, business logic, and client implementation.
The final step is to test the agent that you have configured for credential authentication.
To test the authentication:
Return to the Applications link of the OC4J home instance and expand the default application.
Click the link for the application of interest to display the application home page. In the example, this is the SOADEMO-CREDITSERVICE-CreditService-WS link.
Select the Web Services tab. The SOADEMO-CREDITSERVICE-CreditService-WS application contains a single web service, as shown in Figure 10-17:
Click Test Service. A list of URLs appears, showing the sites that can be used to test the web service. For the Credit Validation Service, there is just one URL as shown in Figure 10-18:
Click Test Web Service. The service's test page is displayed.
Expand WS-Security. Input fields, such as the User Name and Password fields in the example, appear.
Select the Enable checkbox, and enter the user credentials and credit card information as shown in Figure 10-19:
Click Invoke. A Test Result page appears.
You can validate the results by querying the Oracle Web Services Manager Oracle Web Services Manager logs. From the Web Services Manager Control Console, click Operational Management, then click Overall Statistics, and click Message Logs.
Click Search to display message logs, as shown in Figure 10-20:
Note that two logs, a request log and a response log, were generated for the Credit Validation Service over the last hour.
Clicking the number in the Index column for the request log opens a page which displays the parameters that were passed in, as illustrated in Figure 10-21:
The response log entry shows that the credentials were validated as true, as in Figure 10-22:
In the preceding example, Oracle Web Services Manager performed two key actions at runtime:
User credentials were extracted.
Message credentials, typically user name and password combinations, are delivered in various ways: in the transport headers, as SOAP headers, or in the XML body. The example utilized the WS-BASIC soap security header, which extracts credentials from the standard UsernameToken specified in the WS-I Basic Security Profile.
Oracle Web Services Manager provides other options for credential extraction. See the discussion of the Extract Credentials policy step in the Oracle Web Services Manager Administrator's Guide for more information.
The credentials were authenticated.
In addition to the file-based authentication in the example, Oracle Web Services Manager supports authentication against LDAP directories and security data stores. Authentication may also be presented and verified with an X.509 certificate.
Oracle Web Services Manager provides a variety of credential management, authentication, authorization, message security, and other features. For Oracle Web Services Manager a discussion of available runtime actions, see the appendix for "Oracle WSM Policy Steps" in the Oracle Web Services Manager Administrator's Guide.
Error Handling
If policy execution (such as user authentication) fails, Oracle Web Services Manager returns a SOAP fault to the client.Oracle Web Services Manager
To interact with a secured web service, the client must send SOAP messages containing valid security credentials. To achieve this, you can configure Oracle BPEL Process Manager to send username tokens that include the relevant WS-Security header tags in the bpel.xml file.
|
Note: bpel.xml is the BPEL metadata file which contains partner links, WSDLs, and so on. |
The following portion of bpel.xml, shown in Figure 10-23, illustrates how to enable a username token for the CreditValidationService partner link:
Here, credentials for the user jstein with password welcome1 are set by means of the wsseHeaders, wsseUsername, and wssePassword deployment descriptors; these properties will be validated by the authenticating Oracle Web Services Manager Server Agent.
