
Using OWSM UsernameToken for authentication and authorisation of OSB services

09 Aug

With Oracle Web Service Manager (OWSM) we can easily configure Oracle Service Bus (OSB) services with different message security policies. This configuration can be done from Eclipse (OEPE), the OSB sbconsole or Enterprise Manager. One of the most common WS-Security mechanisms, and therefore also one of the most common OWSM policies, is the UsernameToken, where a username and password are sent along with the message.

In this blog we will cover:

  • Part I: how to enable authentication of users against the list of all known users
  • Part II: how to enable authorisation so that only a specific subset of users can access a service

First we configure a proxy service in OEPE with the OWSM UsernameToken policy oracle/wss_username_token_service_policy:


And make sure we process the WS-Security header:


After deployment we call the service with a request that is missing the WS-Security header, to test the result.


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <GreetingRequestMessage>
         <in>I say hello ...</in>
      </GreetingRequestMessage>
   </soapenv:Body>
</soapenv:Envelope>

As expected the result is an error, because the OWSM policy requires a WS-Security element in the SOAP header that contains a username and password:


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <soapenv:Fault>
         <faultcode>soapenv:Server</faultcode>
         <faultstring>BEA-386200: General web service security error</faultstring>
         <detail>
            <con:fault xmlns:con="http://www.bea.com/wli/sb/context">
               <con:errorCode>BEA-386200</con:errorCode>
               <con:reason>General web service security error</con:reason>
               <con:location>
                  <con:path>request-pipeline</con:path>
               </con:location>
            </con:fault>
         </detail>
      </soapenv:Fault>
   </soapenv:Body>
</soapenv:Envelope>

So, to make sure we can send a UsernameToken, we add two users called userA and userB to the Weblogic security realm.

The request to the proxy service containing the WS-Security UsernameToken for userA:


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Header>
      <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wsse:UsernameToken wsu:Id="UsernameToken-4" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:Username>userA</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">welcomeA1</wsse:Password>
         </wsse:UsernameToken>
      </wsse:Security>
   </soapenv:Header>
   <soapenv:Body>
      <GreetingRequestMessage>
         <in>I say hello ...</in>
      </GreetingRequestMessage>
   </soapenv:Body>
</soapenv:Envelope>

This results in a successful response from the proxy service:


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <GreetingResponseMessage>
         <out>HelloWorld</out>
      </GreetingResponseMessage>
   </soapenv:Body>
</soapenv:Envelope>

So part 1 is complete: we successfully implemented a proxy service that requires a WS-Security UsernameToken and authenticates these users against the Weblogic security realm. But in our case we have a tight security requirement and need to make sure the user is not only authenticated, but also authorized to access this specific service.

The result from part 1 shows this is not yet the case: both userA and userB are able to access this service. So let’s start part 2, where we will limit access to the proxy service to only userB. For this we have to log in to the sbconsole, since OEPE does not allow you to make Message (or Transport) Access Control settings.

  • Log in to the sbconsole
  • Select Project Explorer
  • Select the proxy service
  • Go to the Security tab
  • Click on the Message Access Control option (either for the whole service or just a single operation)
  • Click on Add Condition
  • Select User from the predicate list
  • Type userB at the User Argument Name
  • Click on Add and Finish
  • Click on Save and Activate to finish the OSB session

Next we can call the service again, this time with userB, and we still receive a successful result.
However, if we call the service again with a UsernameToken containing userA, we get the following SOAP fault:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <soapenv:Fault>
         <faultcode>soapenv:Server</faultcode>
         <faultstring>BEA-386102: Message-level authorization denied</faultstring>
         <detail>
            <con:fault xmlns:con="http://www.bea.com/wli/sb/context">
               <con:errorCode>BEA-386102</con:errorCode>
               <con:reason>Message-level authorization denied</con:reason>
               <con:location>
                  <con:path>request-pipeline</con:path>
               </con:location>
            </con:fault>
         </detail>
      </soapenv:Fault>
   </soapenv:Body>
</soapenv:Envelope>

Part 2 is complete, and we end up with a proxy service that has both authentication and authorization enabled.
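As an added example (not code from this post or from Oracle), here is a small Python model of both parts: the client builds the UsernameToken request from the post, and the proxy side checks for the WS-Security header, authenticates against a constructed stand-in realm (userA/welcomeA1 from the post, a placeholder password for userB) and then applies the Message Access Control predicate User = userB. It shows the three outcomes the post walks through: no header, an authenticated but unauthorised user, and the allowed user.

```python
import hmac
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

# Constructed stand-in for the Weblogic security realm of the post: userA's password is
# the one shown in the post, userB's password is a placeholder.
REALM = {"userA": "welcomeA1", "userB": "welcomeB1"}
# Constructed stand-in for the Message Access Control predicate "User = userB" (part 2).
ALLOWED_USERS = {"userB"}

BODY = "<GreetingRequestMessage><in>I say hello ...</in></GreetingRequestMessage>"


def build_request(username=None, password=None):
    """Client side: the post's request, with a WS-Security UsernameToken (PasswordText)
    header when credentials are given, or with no header at all otherwise."""
    header = ""
    if username is not None:
        header = (
            '<soapenv:Header>'
            f'<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="{WSSE}">'
            f'<wsse:UsernameToken wsu:Id="UsernameToken-1" xmlns:wsu="{WSU}">'
            f'<wsse:Username>{escape(username)}</wsse:Username>'
            f'<wsse:Password Type="{PASSWORD_TEXT}">{escape(password or "")}</wsse:Password>'
            '</wsse:UsernameToken></wsse:Security></soapenv:Header>'
        )
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP}">{header}'
            f'<soapenv:Body>{BODY}</soapenv:Body></soapenv:Envelope>')


def fault(code, reason):
    """Summary of an OSB fault, i.e. the <con:errorCode> and <con:reason> of the post."""
    return {"fault": True, "errorCode": code, "reason": reason}


def process_request(envelope_xml):
    """Proxy side, in the order the post establishes: OWSM policy check and realm
    authentication (part 1), then Message Access Control authorisation (part 2)."""
    root = ET.fromstring(envelope_xml)
    token = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        # No WS-Security UsernameToken at all: the post's first fault.
        return fault("BEA-386200", "General web service security error")
    user = token.findtext(f"{{{WSSE}}}Username") or ""
    pwd = token.find(f"{{{WSSE}}}Password")
    expected = REALM.get(user)
    # Assumption: bad or missing credentials raise the same general fault; the post
    # only shows the missing-header case. Unknown users never reach the comparison.
    if pwd is None or pwd.get("Type") != PASSWORD_TEXT or expected is None:
        return fault("BEA-386200", "General web service security error")
    if not hmac.compare_digest(expected.encode(), (pwd.text or "").encode()):
        return fault("BEA-386200", "General web service security error")
    if user not in ALLOWED_USERS:
        # Authenticated, but not matched by the access-control predicate: the second fault.
        return fault("BEA-386102", "Message-level authorization denied")
    return {"fault": False, "out": "HelloWorld"}
```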

Remarks:

  • You can also use groups and roles (rather than users) to authorize access to services.
  • If you implement and configure an external LDAP (like Oracle Internet Directory) in Weblogic, you can control ACLs with groups centrally in your company LDAP instead of in each Weblogic security realm.
  • The SOAP fault for Message Level Authorization denied (BEA-386102) contains a faultcode value of “Server”, which is not correct if you look at the W3C definition. It should be “Client”, because: “… the message could lack the proper authentication or payment information. It is generally an indication that the message should not be resent without change”.

Update 2011-08-10:
Added 3rd remark regarding the SOAP fault code

Update 2012-01-13:
Using the OWSM username token policies you get some additional information at runtime in your $inbound variable. See this blogpost for more details.
23 Comments

Posted by on 09-08-2011 in OSB, WS-Security


23 responses to “Using OWSM UsernameToken for authentication and authorisation of OSB services”

  1. Derrick

    18-01-2012 at 21:33

    This question is a little off-subject but I wanted to confirm with you. Was the OWSM Gateway functionality removed in OWSM 11g integration with Weblogic???

     
    • jvzoggel

      18-01-2012 at 22:00

      Hi Derrick, I haven’t worked with the gateway in OWSM 10. However, the Oracle Support knowledge base has an article (ID 882229.1) stating Oracle Web Services Manager 11g does not provide the functionality to have a Gateway like OWSM 10g did. The article even mentions advice regarding using products from other vendors, like Vordel / Layer7 / etc. So it’s probably outdated, written before Oracle made the deal with Vordel to license/resell Vordel XML Gateway as Oracle Enterprise Gateway.

      Maybe chapter 16 – OWSM 11g Interoperability @ http://docs.oracle.com/cd/E12839_01/web.1111/b32511.pdf can help you further as mentioned.

      regards,

      Jan

       
      • Derrick

        25-01-2012 at 14:44

        Thanks for the link to the OWSM doc. My team had a meeting with our local Oracle Sales Rep yesterday regarding OWSM 11g and Oracle Enterprise Gateway (OEG), which has a lot of the Policy Enforcement Point features that were previously in OWSM 10g. OEG serves as an XML firewall at the DMZ level.

        By the way, this is a great blog. Forgot to mention that in my previous post; I definitely appreciate the time/effort you have put into this blog, great stuff.

         
      • jvzoggel

        25-01-2012 at 16:57

        You’re welcome. I’ve worked with the Vordel XML Gateway hardware appliance a while back. Was really impressed by the stability and high load capacity of the product under maximum production load. If my understanding is correct, this product is now sold identically as Oracle OEG. Some sort of reselling license deal I guess, until Oracle buys Vordel.
        And thank you for your kind words, really appreciate it. Always hope that my posts help in one way or another. :)

         
  2. Aswin PS

    12-03-2012 at 10:23

    jvzoggel,
    I have an OSB proxy secured with the wss usertoken service policy. I need the header with the tokens in the message flow, but after the authentication the header becomes empty.
    Is there any way to retrieve the header in the message flow? I need both username and password (cleartext).

     
  3. raj

    21-03-2012 at 19:35

    jvzoggel,
    Thanks for your post. I tried to do it to test authentication and authorization. But when I go to Proxy Service -> Security tab and click Service Name at Message Access Control, I could not see the “Add Conditions” button.

    I am not sure if there is some problem with domain creation. Please advise.

     
    • jvzoggel

      22-03-2012 at 08:06

      Hello Raj,

      my best guess would be that your domain was created without the Oracle Service Bus OWSM extension.
      During the Domain Config Wizard make sure to select this template.

      hope it helps,

      Jan

       
  4. jvzoggel

    22-03-2012 at 08:03

    Hello Aswin, you can access the username in the $inbound variable segment:
    http://jvzoggel.wordpress.com/2012/01/13/username-information-in-osb/

    Regarding passwords, you can’t access them, which is actually designed that way to protect the users’ security.

     
  5. Alok

    30-03-2012 at 07:19

    Hi,
    I wanted to know what the use of WS-I compliance is while configuring the proxy service, and what its significance is, as when this is set to yes I am not able to open the effective WSDL from the browser. Can you please help?

     
    • jvzoggel

      30-03-2012 at 10:38

      The WS-I compliance checkbox validates that the Web Service Interoperability compliance for SOAP 1.1 services is correct at run-time.
      Quote: When you configure WS-I compliance for a proxy service, checks are performed on inbound request messages received by that proxy service. When you configure WS-I compliance for an invoked service, checks are performed when any proxy receives a response message from that invoked service.

      If you receive errors from a Service Callout or Routing, the error would likely be in the backend SOAP message. Since you receive the error while retrieving the WSDL from the Proxy Service, my first guess would be that for some reason your WSDL is not valid?

      Check this Oracle website for information regarding the WS-I compliance checks:

      http://docs.oracle.com/cd/E13159_01/osb/docs10gr3/userguide/modelingmessageflow.html#wp1076699

       
  6. mithesh

    05-04-2012 at 18:51

    Hi Genius, :-)

    It’s a great blog, and it works fine with SoapUI. Actually I was running through a lot of iterations and I am basically not using the csf-key, as I am authenticating the users using OpenLDAP, which is configured on my WebLogic.

    Although I have faced issues using the code for “wss11_username_token_with_message_protection_policy” and then later on just switched to “wss_username_policy”.

    My code is based on a POC:

    CalculatorWS calcservice = service.getCalculatorWSPort(securityFeatures);

    // The JAX-WS request context carries the credentials the client policy turns into the UsernameToken
    Map<String, Object> reqContext = ((BindingProvider) calcservice).getRequestContext();
    // Add the user
    reqContext.put(BindingProvider.USERNAME_PROPERTY, "mkumar@test.com");
    reqContext.put(BindingProvider.PASSWORD_PROPERTY, "RHAap5QC");

    // Keystore / CSF settings, only needed for the message-protection policy, left disabled here
    // reqContext.put(SecurityConstants.ClientConstants.WSS_CSF_KEY, "mitz");
    // reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
    // reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:/keys/sdi-keystore.jks");
    // reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "password");
    //
    // reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "sdikey");
    // reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "password");
    // reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "sdikey");
    // reqContext.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, "sdikey");
    // reqContext.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, "password");

    int i = 1;
    int j = 3;

    int result = calcservice.add(i, j);

    Error as below:

    #### <> <An error ocurred during web service security inbound request processing [error-code: SecurityHeaderUnmarshallingError, message-id: 1198234943626868863--33a9afa1.13683054ba4.-7fc3, proxy: calculator/proxy/calculator, operation: null]
    — Error message:

    oracle.wsm.security.SecurityException: WSM-00069 : The security header is missing. Ensure that there is a valid security policy attached at the client side, and the policy is enabled.

     
  7. mithesh

    05-04-2012 at 20:47

    Actually I just noticed that on JDev the plain “oracle/wss_username_token_service_policy” works fine; it just does not like to work with NetBeans. I need to figure out a way for that to work, and if not then I will just use JDev. Meanwhile I will again try “wss11_username_token_with_message_protection_client_policy”.

    Thanks,
    Kumar

     
  8. kumar

    05-04-2012 at 21:58

    I could fix my issue. I was using a non-compliant IDE and hence the problems I ran into. I am all set.

    Thanks,
    Kumar

     
  9. mithesh

    05-04-2012 at 22:45

    Both policies worked like a charm on JDeveloper, so please ignore my above issues. I am all set. The moderator is free to delete those issues; they might be irrelevant and more confusing.

     
  10. Abdel

    29-05-2012 at 14:18

    Hi,
    I would like to thank you for your blog. I’m using OSB 10g and would like to implement authentication and authorisation of OSB proxy services. I would like to use OWSM 10g (I will migrate next year); what is the best architecture that I can use?
    Can I install OWSM on OSB 10g for that issue?

    Thanks for your reply

     
  11. floridaparnell

    18-12-2012 at 10:26

    It is actually a nice and helpful piece of info. I am glad that you just shared this helpful info with us. Please keep us informed like this. Thank you for sharing.

     
  12. 96

    16-02-2013 at 23:50

    Hello, of course this post is in fact good and I have learned a lot of things from it about blogging. Thanks.

     
  13. Dhiego

    05-06-2013 at 21:56

    Hi. Nice post.

    I already configured my proxy, however, when I try to launch test console I receive the following error:

    oracle.wsm.policymanager.PolicyManagerException: WSM-02079 : “java.rmi.RemoteException: EJB Exception: ; nested exception is:
    java.lang.NullPointerException”.

    Can you help me?

    Thanks

     
  14. Shashidhar

    26-06-2013 at 21:30

    Jan,

    I have done a POC on the above, but my problem is: when I am using Weblogic static users and testing the authentication and authorization through the OSB proxy and header information, that works fine. When I use the Active Directory LDAP provider which is configured in Weblogic and use an Active Directory user, it doesn’t work for me.

    I am not sure how to overcome this issue; I would appreciate your help if you can give some inputs on this.

    Thanks
    Shashidhar

     
  15. Nits

    10-10-2013 at 15:56

    Hi Jan,
    I have used the same oracle/wss_username_token_service_policy with my proxy and managed to get it to work successfully. However, this policy passes the password as clear text; is it possible to pass the password encrypted?

    Second question: I tried to delete the password element from my security header and the proxy still works fine; the only time it won’t work is when I do not pass the username as well. Is this the expected behaviour?

    If this policy is not suitable, then, as we need a username/password (encrypted) policy, which one do you recommend? Please reply.

     
  16. Nits

    10-10-2013 at 16:21

    Ignore the second question, it seems it was a testing error on my behalf… :)

    Please respond to the others.

     