Friday, 13 January 2017

Secure REST service in Oracle Service Bus using OWSM(Oracle Webservcie Manager)

Security is one of the main aspects of any service. Services are reusable and can be invoked by either internal or external customers, so we should secure our Service Bus Proxy Services so that only valid users can use them.

Service Bus is completely integrated with Oracle Webservices Manager (OWSM) that provides several out of the box security policies. You can use any of these OWSM policies to secure your Proxy Services based on requirements.

In this post, you will use oracle/wss_http_token_service_policy policy to secure REST Service.


In the case of a proxy REST Service, where there is no Envelope message, We can use this policy to send requests with user and password elements in HTTP Transport Header.

Considering you already have a REST service and gonna to secure the same REST service. If you don't have REST service you can follow the Blog

Let's proceed with the example.

Open the REST service in Jdeveloper, Move to the Policies tab , select the From OWSM Policy Store, Click + sign and add oracle/wss_http_token_service_policy -> Click OK


OWSM

Make sure policy has been attached.

OWSM

To test the service, you have to create a user in Weblogic console. To do so, please follow the steps:

1) Login into the console
2) Click on Security Realms from left navigation
3) Click on myrealm
4) Go to Users and Groups tab
5) Click New and enter the information -> Click OK



Now this is time to test the REST service using any SOAP UI tool, let's begin with  POSTMAN

Case 1) Let's hit the service without user credentials

Enter the URL and click SEND. You will get 401 Unauthorized Status code


Case 2) Let's hit the service with user credentials

Add the Basic Auth in POSTMAN, enter User Name and Password you created in Weblogic console and click Update Request button


Hit the SEND button and see the response.



Now you know how to add and test basic user and password authentication on REST services which are published in OSB, using default OWSM policies.



3 comments:

  1. The policy «oracle/wss_http_token_service_policy» provides authentication, but not authorization. Any user created can access this service. How to create in OSB 12c access to the Proxy service only for certain users, but not for everyone?

    ReplyDelete
    Replies
    1. I've been trying to find information on this topic, as well. Although I haven't found anything recent (12.2.1.0.0 or later), this 11g blog posting looks like it may provide some guidance. https://blogs.oracle.com/soaproactive/policy-authorization-example-in-soa-suite-11g

      Delete
  2. Nice and good article. It is very useful for me to learn and understand easily. Thanks for sharing your valuable information and time. Please keep updatingmulesoft online training

    ReplyDelete