Enter your keyword


Secure Oracle Service Bus REST using OWSM

Security is one of the main aspects of any service. Services are reusable and can be invoked by either internal or external customers, so we should secure our Service Bus Proxy Services so that only valid users can use them.Service Bus is completely integrated with Oracle Webservices Manager (OWSM) that provides several out of the box security policies. You can use any of these OWSM policies to secure your Proxy Services based on requirements. 

Some Useful links

In this post, you will use oracle/wss_http_token_service_policy policy to secure REST Service.

In the case of a proxy REST Service, where there is no Envelope message, We can use this policy to send requests with user and password elements in HTTP Transport Header.

Considering you already have a REST service and gonna to secure the same REST service. If you don’t have REST service you can follow the Blog

Let’s proceed with the example.

Open the REST service in JDeveloper, Move to the Policies tab , select the From OWSM Policy Store, Click + sign and add oracle/wss_http_token_service_policy -> Click OK


Make sure policy has been attached


To test the service, you have to create a user in WebLogic console. To do so, please follow the steps:

1) Login into the console
2) Click on Security Realms from left navigation
3) Click on myrealm
4) Go to Users and Groups tab
5) Click New and enter the information -> Click OK


Now this is time to test the REST service using any SOAP UI tool, let’s begin with  POSTMAN

Case 1) Let’s hit the service without user credentials

Enter the URL and click SEND. You will get 401 Unauthorized Status code

Case 2) Let’s hit the service with user credentials

Add the Basic Auth in POSTMAN, enter User Name and Password you created in Weblogic console and click Update Request button

Hit the SEND button and see the response.

Now you know how to add and test basic user and password authentication on REST services which are published in OSB, using default OWSM policies.

Some Toughts (4)

  1. Anonymous
    added on 16 Feb, 2018

    The policy «oracle/wss_http_token_service_policy» provides authentication, but not authorization. Any user created can access this service. How to create in OSB 12c access to the Proxy service only for certain users, but not for everyone?

  2. Anonymous
    added on 17 Feb, 2018

    I've been trying to find information on this topic, as well. Although I haven't found anything recent ( or later), this 11g blog posting looks like it may provide some guidance. https://blogs.oracle.com/soaproactive/policy-authorization-example-in-soa-suite-11g

  3. added on 13 Nov, 2018

    Nice and good article. It is very useful for me to learn and understand easily. Thanks for sharing your valuable information and time. Please keep updatingmulesoft online training

  4. added on 18 Jul, 2019

    Thankyou for sharingerp software

Leave a Reply

Your email address will not be published.