Embed Size (px)
Citation preview
Oracle Web Service Manager 11g Component Level Role Authorization (in SOA Suite) March 2012
Step-by-Step Instruction Guide
Author Prakash Yamuna Senior Development Manager
Oracle Corporation
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 2
Table of Contents Use Case 3
Description 3
Objective 4
Scenario 4
Policies Used 4
Software Requirements 4
Prerequisites 4
Verified Product Version 4
Potentially Applies to Product Version(s) 4
Download Main Page 4
Product URLs 4
Step by Step Instructions 6
Create HelloWorldComposite Application 6
Build and Deploy HelloWorldComposite Application 16
Create SOA Component level Role based Authorization Policy 22
Attach OOTB authentication policy to the SOA Service 27
Test the Secured HelloWorldComposite App 33
Attach Custom authorization policy to the SOA Component 39
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 3
Use Case
Description
OWSM supports two types of authorization policies
Role based Authorization policies
Permission based Authorization policies
For SOA Composite Apps ndash OWSM supports authorization policies at two levels
At the SOA Web Service binding level (ltbindingwsgt)
At the SOA component level (ltcomponentgt)
In general I would recommend the following when securing SOA
Attach authentication message protection policies at the SOA Web Service binding level
Attach authorization policies at the SOA component level
There are two reasons for this recommendation
Messages can enter SOA via different bindings ndash ex JCA bindings (ltbindingjcagt Events etc ndash
attaching the authorization policy at the SOA component level ensures that no matter which binding is
used to reach the component ndash the authorization policy will be enforced
If you want to leverage local optimization ndash there are a number of rules that determine if SOA local
optimization will be enabled when a security policy is attached at the Web Service binding level While
I cannot get into the details of the local optimization rules in this How To ndash one thing to note is local
optimization will be disabled if an authorization policy is attached at the web service binding level
This How To focuses on how to secure a SOA Composite app using role based authorization policy at the SOA
component the steps outlined will be similar in nature for the SOA Web Service binding level as well
A few other caveats to note when using role based authorization for SOA Currently as of the writing of this
How To ndash OWSM does not support specifying Application Roles when securing SOA composite apps in the
Role based authorization policy This limitation is specific to SOA and does not apply for other type of services
like ADF BC Web Services or WLS Web Services From a terminology perspective ndash Enterprise Roles and
Ldap Groups are identical and are used interchangeably For the purposes of this How To ndash the Ldap Groups
used for the Authorization Policy are those that ship with Weblogic The steps would be identical if Weblogic
was wired to an external Ldap like Active Directory etc Also note that in this How To we will use the EM
Web Service Tester page that ships with EM Fusion Middleware Control However any other tool like SOAP
UI can be used for testing purposes
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 4
Objective
To describe the steps required to Security SOA Composite Apps at the Component level with OWSM SOA component
authorization policies
Scenario
Policies Used
ServiceClient Policy Policy
Type
HelloWorldComposite oraclewss_username_token_service_policy Service
HelloWorldComposite mycompanysoa_component_authorization_monitor_role_policy Service
Software Requirements
Prerequisites
Product Download URL
1 Install SOA Suite 11116 with
JDeveloper
Verified Product Version
Product Release Version
1 SOA Suite 11116
Potentially Applies to Product Version(s)
Product Release Version
1 SOA Suite 11114 11115 11116
Download Main Page
httpwwworaclecomtechnetworkmiddlewaresoasuitedownloadsindexhtml
Product URLs
Product URL LoginPassword
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 5
EM Fusion Middle Control httpadmin_hostadmin_portem User weblogic
Password welcome1
Weblogic Console httpadmin_hostadmin_portconsole User weblogic
Password welcome1
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 6
Step by Step Instructions
At a high level we will perform the following in this How-To
Create a HelloWorldComposite Application using JDeveloper
Build and Deploy the HelloWorldComposite application using EM
Create a Custom Authorization Policy using EM
Attach an Authentication Policy to HelloWorldComposite App using EM
Test the secured HelloWorldComposite app using EM Web Service Tester page
Attach the Custom Authorization Policy using EM
Test the secured HelloWorldComposite app using EM Web Service Tester page
Create HelloWorldComposite Application
1 To create the HelloWorld Composite Application -Select ldquoNew Applicationrdquo from the ldquoApplication Navigatorrdquo
Figure 1 Select New Application from the Application Navigator
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 7
2 This will launch the ldquoNew Applicationrdquo Wizard Provide the ldquoApplication Namerdquo as HelloWorldCompositeApp and
select ldquoSOA Applicationrdquo from the ldquoApplication Templaterdquo list as show in Figure 2 Click ldquoNextrdquo to proceed
Figure 2 Create a SOA Application by choosing the appropriate template
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 8
3 Provide ldquoProject Namerdquo as HelloWorldComposite as show in Figure 3 In this project no other technologies are
required so leave the ldquoSelectedrdquo Project technologies as SOA Click ldquoNextrdquo to proceed
Figure 3 Project information for SOA Composite App
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 9
4 JDeveloper provides some default templates for creating a composite application In this How To ndash we will create a
Composite with a BPEL Process Select the ldquoComposite with BPEL Processrdquo as shown in Figure 4 Click ldquoFinishrdquo to
complete the SOA Application creation steps
Figure 4 Create a Composite with BPEL Process
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 10
5 This will launch the BPEL Process Creation dialog as shown in Figure 5 Select Template as ldquoSynchronous BPEL
Processrdquo Ensure ldquoExpose as a SOAP servicerdquo is selected These options will result in the creation of a Synchronous
BPEL process exposing a web service endpoint Click ldquoOKrdquo to finish the BPEL process creation
Figure 5 BPEL Process Creation Dialog in JDeveloper
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 11
6 Once the synchronous BPEL Process is created add a BPEL Assign Activity by selecting ldquoAssignrdquo activity from the
ldquoActivitiesrdquo sub-section under the ldquoBPEL Constructsrdquo section on the right hand side and add it in between the
ldquoreceiveInputrdquo and the ldquoreplyOutputrdquo nodes as show in Figure 6
Figure 6 Synchronous BPEL Process exposed as Web Service
7 After adding the ldquoAssignrdquo activity double click on the ldquoAssignrdquo activity node to edit the Assign activity This will open
a dialog box as shown in Figure 7
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 12
Figure 7 BPEL Edit Assign Activity Dialog
8 Expand the ldquooutputVariablerdquo on the right hand side of the dialog and double click on ldquoclientresultrdquo field as shown in
Figure 8 Upon double clicking this will launch the ldquoExpression Builderrdquo dialog as show in Figure 9
Figure 8 Expand the output variable to launch the Expression Builder
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 13
Figure 9 Expression Builder Dialog
Note JDeveloper based on the selections we had done previously creates by default a composite app that takes a single
argument (of type String) as input and returns a single value (of type String) as output
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 14
9 We construct a simple ltldquoHello ldquo+inputgt by selecting the ldquoconcat()rdquo function from the list of pre-built String functions
that are available in SOA This is show in Figure 10 Hit ldquoOKrdquo to dismiss the ldquoExpression Builderrdquo dialog
Figure 10 Using the concat function in BPEL Expression Builder
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 15
10 The previous steps will result in an automatic Copy Rule being created where in the expression that was created in
Figure 10 is assigned to the output payload as shown in Figure 11
Figure 11 Copy Rule in the Assign Activity
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 16
Build and Deploy HelloWorldComposite Application
1 Make or Build the Composite Application and ensure there are no compilation failures To Build the Composite
Application ndash ldquoright clickrdquo on the HelloWorldComposite Project and click on ldquoMake HelloWorldCompositejprrdquo as
show in Figure 12
Figure 12 Build the Composite Application
2 There are many ways to deploy the Composite Application but in this How To we will create a jar for the
HelloWorldComposite application
To create a jar ldquoRight Clickrdquo on the HelloWorldComposite project and click on Deploy from the Menu Figure 13 - Figure
16 show the steps for creating a jar (SAR) for the HelloWorldComposite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 17
Figure 13 Steps to create a jar for the HelloWorld Composite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 18
Figure 14 Select the SAR option to create a jar
Figure 15 Steps for creating a jar for HelloWorld Composite App
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 19
Figure 16 Final step in the creation of jar for HelloWorld Composite app
3 Once the jar is created we will use EM to deploy the composite app To deploy the Composite application
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 20
Log into EM
Expand the SOA folder on the Left Hand navigation tree
Click on ldquosoa-infrardquo on the Left Hand tree The Right hand panel is updated Now click on ldquoSOA Infrastructurerdquo
this will open a menu
Select ldquoSOA Deploymentrdquo and ldquoDeployrdquo from the menu as shown in Figure 17
Figure 17 Deploying HelloWorld Composite app from EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 21
4 This will launch the SOA Composite Deployment wizard Browse the local file system to select the jar to deploy by
created in Figure 16 as shown in Figure 18 Click ldquoNextrdquo to proceed
Figure 18 Selecting HelloWorldComposite archive in EM
5 In the sample topology there is only one target and so there are no choices Select the partition to deploy the
composite app SOA ships will a ldquodefaultrdquo partition out of the box Select the default partition (Note It is a
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 22
mandatory field) as show in Figure 19 Click ldquoNextrdquo to proceed Leave the defaults as show in Figure 20 on the
confirmation page and click on ldquoDeployrdquo to finish deployment
Figure 19 Target Selection for HelloWorldComposite
Figure 20 HelloWorldComposte deployment via EM Confirmation page
Create SOA Component level Role based Authorization Policy
1 Search for policies that can be applied to SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 23
Figure 21 Search for SOA Component Authorization policies
2 Make a Copy of the OOTB Authorization policy using the ldquoCreate Likerdquo feature as shown in Figure 22
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 24
Figure 22 Make a Copy of the OOTB Authorization Policy using Create Like
3 Name the Policy appropriately as show in Figure 23
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 25
Figure 23 New SOA Component Authorization Policy
4 Select the Role in the settings tab of the Policy You do this by clicking on the ldquosettings tabrdquo for the Authorization
assertion and selecting the ldquoSelected Rolesrdquo radio button as shown in Figure 24
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 26
Figure 24 Select a Role as part of the creation of the new Authorization Policy
5 You can add the Role by clicking on the ldquoAddrdquo button in Figure 24 This will launch a ldquoAdd Rolerdquo dialog box as shown
in Figure 25 In this example ndash the ldquoMonitorrdquo role has been selected
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 27
Figure 25 Selecting the Monitor role to add to the Authorization policy
Click ldquoOKrdquo on the diaglog in Figure 25 after adding the role click on the ldquoSaverdquo button to save the policy
Attach OOTB authentication policy to the SOA Service
1 Before we can attach the Custom Authorization Policy created in the previous steps to the SOA Component we
need to secure the HelloWorldComposite with an authentication policy For this How-To we will use the
ldquooraclewss_username_token_service_policyrdquo Go to the HelloWorldComposite Dashboard page as shown in Figure
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 28
26 In Figure 26 we have Service ldquobpelprocess1_client_eprdquo of type Web Service Click on the
ldquobpelprocess1_client_eprdquo to navigate to the Service Dashboard page as shown in Figure 27
Figure 26 HelloWorldComposite Dashboard page in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 2
Table of Contents Use Case 3
Description 3
Objective 4
Scenario 4
Policies Used 4
Software Requirements 4
Prerequisites 4
Verified Product Version 4
Potentially Applies to Product Version(s) 4
Download Main Page 4
Product URLs 4
Step by Step Instructions 6
Create HelloWorldComposite Application 6
Build and Deploy HelloWorldComposite Application 16
Create SOA Component level Role based Authorization Policy 22
Attach OOTB authentication policy to the SOA Service 27
Test the Secured HelloWorldComposite App 33
Attach Custom authorization policy to the SOA Component 39
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 3
Use Case
Description
OWSM supports two types of authorization policies
Role based Authorization policies
Permission based Authorization policies
For SOA Composite Apps ndash OWSM supports authorization policies at two levels
At the SOA Web Service binding level (ltbindingwsgt)
At the SOA component level (ltcomponentgt)
In general I would recommend the following when securing SOA
Attach authentication message protection policies at the SOA Web Service binding level
Attach authorization policies at the SOA component level
There are two reasons for this recommendation
Messages can enter SOA via different bindings ndash ex JCA bindings (ltbindingjcagt Events etc ndash
attaching the authorization policy at the SOA component level ensures that no matter which binding is
used to reach the component ndash the authorization policy will be enforced
If you want to leverage local optimization ndash there are a number of rules that determine if SOA local
optimization will be enabled when a security policy is attached at the Web Service binding level While
I cannot get into the details of the local optimization rules in this How To ndash one thing to note is local
optimization will be disabled if an authorization policy is attached at the web service binding level
This How To focuses on how to secure a SOA Composite app using role based authorization policy at the SOA
component the steps outlined will be similar in nature for the SOA Web Service binding level as well
A few other caveats to note when using role based authorization for SOA Currently as of the writing of this
How To ndash OWSM does not support specifying Application Roles when securing SOA composite apps in the
Role based authorization policy This limitation is specific to SOA and does not apply for other type of services
like ADF BC Web Services or WLS Web Services From a terminology perspective ndash Enterprise Roles and
Ldap Groups are identical and are used interchangeably For the purposes of this How To ndash the Ldap Groups
used for the Authorization Policy are those that ship with Weblogic The steps would be identical if Weblogic
was wired to an external Ldap like Active Directory etc Also note that in this How To we will use the EM
Web Service Tester page that ships with EM Fusion Middleware Control However any other tool like SOAP
UI can be used for testing purposes
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 4
Objective
To describe the steps required to Security SOA Composite Apps at the Component level with OWSM SOA component
authorization policies
Scenario
Policies Used
ServiceClient Policy Policy
Type
HelloWorldComposite oraclewss_username_token_service_policy Service
HelloWorldComposite mycompanysoa_component_authorization_monitor_role_policy Service
Software Requirements
Prerequisites
Product Download URL
1 Install SOA Suite 11116 with
JDeveloper
Verified Product Version
Product Release Version
1 SOA Suite 11116
Potentially Applies to Product Version(s)
Product Release Version
1 SOA Suite 11114 11115 11116
Download Main Page
httpwwworaclecomtechnetworkmiddlewaresoasuitedownloadsindexhtml
Product URLs
Product URL LoginPassword
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 5
EM Fusion Middle Control httpadmin_hostadmin_portem User weblogic
Password welcome1
Weblogic Console httpadmin_hostadmin_portconsole User weblogic
Password welcome1
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 6
Step by Step Instructions
At a high level we will perform the following in this How-To
Create a HelloWorldComposite Application using JDeveloper
Build and Deploy the HelloWorldComposite application using EM
Create a Custom Authorization Policy using EM
Attach an Authentication Policy to HelloWorldComposite App using EM
Test the secured HelloWorldComposite app using EM Web Service Tester page
Attach the Custom Authorization Policy using EM
Test the secured HelloWorldComposite app using EM Web Service Tester page
Create HelloWorldComposite Application
1 To create the HelloWorld Composite Application -Select ldquoNew Applicationrdquo from the ldquoApplication Navigatorrdquo
Figure 1 Select New Application from the Application Navigator
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 7
2 This will launch the ldquoNew Applicationrdquo Wizard Provide the ldquoApplication Namerdquo as HelloWorldCompositeApp and
select ldquoSOA Applicationrdquo from the ldquoApplication Templaterdquo list as show in Figure 2 Click ldquoNextrdquo to proceed
Figure 2 Create a SOA Application by choosing the appropriate template
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 8
3 Provide ldquoProject Namerdquo as HelloWorldComposite as show in Figure 3 In this project no other technologies are
required so leave the ldquoSelectedrdquo Project technologies as SOA Click ldquoNextrdquo to proceed
Figure 3 Project information for SOA Composite App
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 9
4 JDeveloper provides some default templates for creating a composite application In this How To ndash we will create a
Composite with a BPEL Process Select the ldquoComposite with BPEL Processrdquo as shown in Figure 4 Click ldquoFinishrdquo to
complete the SOA Application creation steps
Figure 4 Create a Composite with BPEL Process
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 10
5 This will launch the BPEL Process Creation dialog as shown in Figure 5 Select Template as ldquoSynchronous BPEL
Processrdquo Ensure ldquoExpose as a SOAP servicerdquo is selected These options will result in the creation of a Synchronous
BPEL process exposing a web service endpoint Click ldquoOKrdquo to finish the BPEL process creation
Figure 5 BPEL Process Creation Dialog in JDeveloper
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 11
6 Once the synchronous BPEL Process is created add a BPEL Assign Activity by selecting ldquoAssignrdquo activity from the
ldquoActivitiesrdquo sub-section under the ldquoBPEL Constructsrdquo section on the right hand side and add it in between the
ldquoreceiveInputrdquo and the ldquoreplyOutputrdquo nodes as show in Figure 6
Figure 6 Synchronous BPEL Process exposed as Web Service
7 After adding the ldquoAssignrdquo activity double click on the ldquoAssignrdquo activity node to edit the Assign activity This will open
a dialog box as shown in Figure 7
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 12
Figure 7 BPEL Edit Assign Activity Dialog
8 Expand the ldquooutputVariablerdquo on the right hand side of the dialog and double click on ldquoclientresultrdquo field as shown in
Figure 8 Upon double clicking this will launch the ldquoExpression Builderrdquo dialog as show in Figure 9
Figure 8 Expand the output variable to launch the Expression Builder
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 13
Figure 9 Expression Builder Dialog
Note JDeveloper based on the selections we had done previously creates by default a composite app that takes a single
argument (of type String) as input and returns a single value (of type String) as output
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 14
9 We construct a simple ltldquoHello ldquo+inputgt by selecting the ldquoconcat()rdquo function from the list of pre-built String functions
that are available in SOA This is show in Figure 10 Hit ldquoOKrdquo to dismiss the ldquoExpression Builderrdquo dialog
Figure 10 Using the concat function in BPEL Expression Builder
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 15
10 The previous steps will result in an automatic Copy Rule being created where in the expression that was created in
Figure 10 is assigned to the output payload as shown in Figure 11
Figure 11 Copy Rule in the Assign Activity
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 16
Build and Deploy HelloWorldComposite Application
1 Make or Build the Composite Application and ensure there are no compilation failures To Build the Composite
Application ndash ldquoright clickrdquo on the HelloWorldComposite Project and click on ldquoMake HelloWorldCompositejprrdquo as
show in Figure 12
Figure 12 Build the Composite Application
2 There are many ways to deploy the Composite Application but in this How To we will create a jar for the
HelloWorldComposite application
To create a jar ldquoRight Clickrdquo on the HelloWorldComposite project and click on Deploy from the Menu Figure 13 - Figure
16 show the steps for creating a jar (SAR) for the HelloWorldComposite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 17
Figure 13 Steps to create a jar for the HelloWorld Composite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 18
Figure 14 Select the SAR option to create a jar
Figure 15 Steps for creating a jar for HelloWorld Composite App
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 19
Figure 16 Final step in the creation of jar for HelloWorld Composite app
3 Once the jar is created we will use EM to deploy the composite app To deploy the Composite application
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 20
Log into EM
Expand the SOA folder on the Left Hand navigation tree
Click on ldquosoa-infrardquo on the Left Hand tree The Right hand panel is updated Now click on ldquoSOA Infrastructurerdquo
this will open a menu
Select ldquoSOA Deploymentrdquo and ldquoDeployrdquo from the menu as shown in Figure 17
Figure 17 Deploying HelloWorld Composite app from EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 21
4 This will launch the SOA Composite Deployment wizard Browse the local file system to select the jar to deploy by
created in Figure 16 as shown in Figure 18 Click ldquoNextrdquo to proceed
Figure 18 Selecting HelloWorldComposite archive in EM
5 In the sample topology there is only one target and so there are no choices Select the partition to deploy the
composite app SOA ships will a ldquodefaultrdquo partition out of the box Select the default partition (Note It is a
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 22
mandatory field) as show in Figure 19 Click ldquoNextrdquo to proceed Leave the defaults as show in Figure 20 on the
confirmation page and click on ldquoDeployrdquo to finish deployment
Figure 19 Target Selection for HelloWorldComposite
Figure 20 HelloWorldComposte deployment via EM Confirmation page
Create SOA Component level Role based Authorization Policy
1 Search for policies that can be applied to SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 23
Figure 21 Search for SOA Component Authorization policies
2 Make a Copy of the OOTB Authorization policy using the ldquoCreate Likerdquo feature as shown in Figure 22
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 24
Figure 22 Make a Copy of the OOTB Authorization Policy using Create Like
3 Name the Policy appropriately as show in Figure 23
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 25
Figure 23 New SOA Component Authorization Policy
4 Select the Role in the settings tab of the Policy You do this by clicking on the ldquosettings tabrdquo for the Authorization
assertion and selecting the ldquoSelected Rolesrdquo radio button as shown in Figure 24
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 26
Figure 24 Select a Role as part of the creation of the new Authorization Policy
5 You can add the Role by clicking on the ldquoAddrdquo button in Figure 24 This will launch a ldquoAdd Rolerdquo dialog box as shown
in Figure 25 In this example ndash the ldquoMonitorrdquo role has been selected
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 27
Figure 25 Selecting the Monitor role to add to the Authorization policy
Click ldquoOKrdquo on the diaglog in Figure 25 after adding the role click on the ldquoSaverdquo button to save the policy
Attach OOTB authentication policy to the SOA Service
1 Before we can attach the Custom Authorization Policy created in the previous steps to the SOA Component we
need to secure the HelloWorldComposite with an authentication policy For this How-To we will use the
ldquooraclewss_username_token_service_policyrdquo Go to the HelloWorldComposite Dashboard page as shown in Figure
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 28
26 In Figure 26 we have Service ldquobpelprocess1_client_eprdquo of type Web Service Click on the
ldquobpelprocess1_client_eprdquo to navigate to the Service Dashboard page as shown in Figure 27
Figure 26 HelloWorldComposite Dashboard page in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 3
Use Case
Description
OWSM supports two types of authorization policies
Role based Authorization policies
Permission based Authorization policies
For SOA Composite Apps ndash OWSM supports authorization policies at two levels
At the SOA Web Service binding level (ltbindingwsgt)
At the SOA component level (ltcomponentgt)
In general I would recommend the following when securing SOA
Attach authentication message protection policies at the SOA Web Service binding level
Attach authorization policies at the SOA component level
There are two reasons for this recommendation
Messages can enter SOA via different bindings ndash ex JCA bindings (ltbindingjcagt Events etc ndash
attaching the authorization policy at the SOA component level ensures that no matter which binding is
used to reach the component ndash the authorization policy will be enforced
If you want to leverage local optimization ndash there are a number of rules that determine if SOA local
optimization will be enabled when a security policy is attached at the Web Service binding level While
I cannot get into the details of the local optimization rules in this How To ndash one thing to note is local
optimization will be disabled if an authorization policy is attached at the web service binding level
This How To focuses on how to secure a SOA Composite app using role based authorization policy at the SOA
component the steps outlined will be similar in nature for the SOA Web Service binding level as well
A few other caveats to note when using role based authorization for SOA Currently as of the writing of this
How To ndash OWSM does not support specifying Application Roles when securing SOA composite apps in the
Role based authorization policy This limitation is specific to SOA and does not apply for other type of services
like ADF BC Web Services or WLS Web Services From a terminology perspective ndash Enterprise Roles and
Ldap Groups are identical and are used interchangeably For the purposes of this How To ndash the Ldap Groups
used for the Authorization Policy are those that ship with Weblogic The steps would be identical if Weblogic
was wired to an external Ldap like Active Directory etc Also note that in this How To we will use the EM
Web Service Tester page that ships with EM Fusion Middleware Control However any other tool like SOAP
UI can be used for testing purposes
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 4
Objective
To describe the steps required to Security SOA Composite Apps at the Component level with OWSM SOA component
authorization policies
Scenario
Policies Used
ServiceClient Policy Policy
Type
HelloWorldComposite oraclewss_username_token_service_policy Service
HelloWorldComposite mycompanysoa_component_authorization_monitor_role_policy Service
Software Requirements
Prerequisites
Product Download URL
1 Install SOA Suite 11116 with
JDeveloper
Verified Product Version
Product Release Version
1 SOA Suite 11116
Potentially Applies to Product Version(s)
Product Release Version
1 SOA Suite 11114 11115 11116
Download Main Page
httpwwworaclecomtechnetworkmiddlewaresoasuitedownloadsindexhtml
Product URLs
Product URL LoginPassword
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 5
EM Fusion Middle Control httpadmin_hostadmin_portem User weblogic
Password welcome1
Weblogic Console httpadmin_hostadmin_portconsole User weblogic
Password welcome1
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 6
Step by Step Instructions
At a high level we will perform the following in this How-To
Create a HelloWorldComposite Application using JDeveloper
Build and Deploy the HelloWorldComposite application using EM
Create a Custom Authorization Policy using EM
Attach an Authentication Policy to HelloWorldComposite App using EM
Test the secured HelloWorldComposite app using EM Web Service Tester page
Attach the Custom Authorization Policy using EM
Test the secured HelloWorldComposite app using EM Web Service Tester page
Create HelloWorldComposite Application
1 To create the HelloWorld Composite Application -Select ldquoNew Applicationrdquo from the ldquoApplication Navigatorrdquo
Figure 1 Select New Application from the Application Navigator
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 7
2 This will launch the ldquoNew Applicationrdquo Wizard Provide the ldquoApplication Namerdquo as HelloWorldCompositeApp and
select ldquoSOA Applicationrdquo from the ldquoApplication Templaterdquo list as show in Figure 2 Click ldquoNextrdquo to proceed
Figure 2 Create a SOA Application by choosing the appropriate template
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 8
3 Provide ldquoProject Namerdquo as HelloWorldComposite as show in Figure 3 In this project no other technologies are
required so leave the ldquoSelectedrdquo Project technologies as SOA Click ldquoNextrdquo to proceed
Figure 3 Project information for SOA Composite App
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 9
4 JDeveloper provides some default templates for creating a composite application In this How To ndash we will create a
Composite with a BPEL Process Select the ldquoComposite with BPEL Processrdquo as shown in Figure 4 Click ldquoFinishrdquo to
complete the SOA Application creation steps
Figure 4 Create a Composite with BPEL Process
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 10
5 This will launch the BPEL Process Creation dialog as shown in Figure 5 Select Template as ldquoSynchronous BPEL
Processrdquo Ensure ldquoExpose as a SOAP servicerdquo is selected These options will result in the creation of a Synchronous
BPEL process exposing a web service endpoint Click ldquoOKrdquo to finish the BPEL process creation
Figure 5 BPEL Process Creation Dialog in JDeveloper
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 11
6 Once the synchronous BPEL Process is created add a BPEL Assign Activity by selecting ldquoAssignrdquo activity from the
ldquoActivitiesrdquo sub-section under the ldquoBPEL Constructsrdquo section on the right hand side and add it in between the
ldquoreceiveInputrdquo and the ldquoreplyOutputrdquo nodes as show in Figure 6
Figure 6 Synchronous BPEL Process exposed as Web Service
7 After adding the ldquoAssignrdquo activity double click on the ldquoAssignrdquo activity node to edit the Assign activity This will open
a dialog box as shown in Figure 7
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 12
Figure 7 BPEL Edit Assign Activity Dialog
8 Expand the ldquooutputVariablerdquo on the right hand side of the dialog and double click on ldquoclientresultrdquo field as shown in
Figure 8 Upon double clicking this will launch the ldquoExpression Builderrdquo dialog as show in Figure 9
Figure 8 Expand the output variable to launch the Expression Builder
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 13
Figure 9 Expression Builder Dialog
Note JDeveloper based on the selections we had done previously creates by default a composite app that takes a single
argument (of type String) as input and returns a single value (of type String) as output
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 14
9 We construct a simple ltldquoHello ldquo+inputgt by selecting the ldquoconcat()rdquo function from the list of pre-built String functions
that are available in SOA This is show in Figure 10 Hit ldquoOKrdquo to dismiss the ldquoExpression Builderrdquo dialog
Figure 10 Using the concat function in BPEL Expression Builder
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 15
10 The previous steps will result in an automatic Copy Rule being created where in the expression that was created in
Figure 10 is assigned to the output payload as shown in Figure 11
Figure 11 Copy Rule in the Assign Activity
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 16
Build and Deploy HelloWorldComposite Application
1 Make or Build the Composite Application and ensure there are no compilation failures To Build the Composite
Application ndash ldquoright clickrdquo on the HelloWorldComposite Project and click on ldquoMake HelloWorldCompositejprrdquo as
show in Figure 12
Figure 12 Build the Composite Application
2 There are many ways to deploy the Composite Application but in this How To we will create a jar for the
HelloWorldComposite application
To create a jar ldquoRight Clickrdquo on the HelloWorldComposite project and click on Deploy from the Menu Figure 13 - Figure
16 show the steps for creating a jar (SAR) for the HelloWorldComposite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 17
Figure 13 Steps to create a jar for the HelloWorld Composite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 18
Figure 14 Select the SAR option to create a jar
Figure 15 Steps for creating a jar for HelloWorld Composite App
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 19
Figure 16 Final step in the creation of jar for HelloWorld Composite app
3 Once the jar is created we will use EM to deploy the composite app To deploy the Composite application
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 20
Log into EM
Expand the SOA folder on the Left Hand navigation tree
Click on ldquosoa-infrardquo on the Left Hand tree The Right hand panel is updated Now click on ldquoSOA Infrastructurerdquo
this will open a menu
Select ldquoSOA Deploymentrdquo and ldquoDeployrdquo from the menu as shown in Figure 17
Figure 17 Deploying HelloWorld Composite app from EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 21
4 This will launch the SOA Composite Deployment wizard Browse the local file system to select the jar to deploy by
created in Figure 16 as shown in Figure 18 Click ldquoNextrdquo to proceed
Figure 18 Selecting HelloWorldComposite archive in EM
5 In the sample topology there is only one target and so there are no choices Select the partition to deploy the
composite app SOA ships will a ldquodefaultrdquo partition out of the box Select the default partition (Note It is a
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 22
mandatory field) as show in Figure 19 Click ldquoNextrdquo to proceed Leave the defaults as show in Figure 20 on the
confirmation page and click on ldquoDeployrdquo to finish deployment
Figure 19 Target Selection for HelloWorldComposite
Figure 20 HelloWorldComposte deployment via EM Confirmation page
Create SOA Component level Role based Authorization Policy
1 Search for policies that can be applied to SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 23
Figure 21 Search for SOA Component Authorization policies
2 Make a Copy of the OOTB Authorization policy using the ldquoCreate Likerdquo feature as shown in Figure 22
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 24
Figure 22 Make a Copy of the OOTB Authorization Policy using Create Like
3 Name the Policy appropriately as show in Figure 23
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 25
Figure 23 New SOA Component Authorization Policy
4 Select the Role in the settings tab of the Policy You do this by clicking on the ldquosettings tabrdquo for the Authorization
assertion and selecting the ldquoSelected Rolesrdquo radio button as shown in Figure 24
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 26
Figure 24 Select a Role as part of the creation of the new Authorization Policy
5 You can add the Role by clicking on the ldquoAddrdquo button in Figure 24 This will launch a ldquoAdd Rolerdquo dialog box as shown
in Figure 25 In this example ndash the ldquoMonitorrdquo role has been selected
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 27
Figure 25 Selecting the Monitor role to add to the Authorization policy
Click ldquoOKrdquo on the diaglog in Figure 25 after adding the role click on the ldquoSaverdquo button to save the policy
Attach OOTB authentication policy to the SOA Service
1 Before we can attach the Custom Authorization Policy created in the previous steps to the SOA Component we
need to secure the HelloWorldComposite with an authentication policy For this How-To we will use the
ldquooraclewss_username_token_service_policyrdquo Go to the HelloWorldComposite Dashboard page as shown in Figure
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 28
26 In Figure 26 we have Service ldquobpelprocess1_client_eprdquo of type Web Service Click on the
ldquobpelprocess1_client_eprdquo to navigate to the Service Dashboard page as shown in Figure 27
Figure 26 HelloWorldComposite Dashboard page in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 4
Objective
To describe the steps required to Security SOA Composite Apps at the Component level with OWSM SOA component
authorization policies
Scenario
Policies Used
ServiceClient Policy Policy
Type
HelloWorldComposite oraclewss_username_token_service_policy Service
HelloWorldComposite mycompanysoa_component_authorization_monitor_role_policy Service
Software Requirements
Prerequisites
Product Download URL
1 Install SOA Suite 11116 with
JDeveloper
Verified Product Version
Product Release Version
1 SOA Suite 11116
Potentially Applies to Product Version(s)
Product Release Version
1 SOA Suite 11114 11115 11116
Download Main Page
httpwwworaclecomtechnetworkmiddlewaresoasuitedownloadsindexhtml
Product URLs
Product URL LoginPassword
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 5
EM Fusion Middle Control httpadmin_hostadmin_portem User weblogic
Password welcome1
Weblogic Console httpadmin_hostadmin_portconsole User weblogic
Password welcome1
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 6
Step by Step Instructions
At a high level we will perform the following in this How-To
Create a HelloWorldComposite Application using JDeveloper
Build and Deploy the HelloWorldComposite application using EM
Create a Custom Authorization Policy using EM
Attach an Authentication Policy to HelloWorldComposite App using EM
Test the secured HelloWorldComposite app using EM Web Service Tester page
Attach the Custom Authorization Policy using EM
Test the secured HelloWorldComposite app using EM Web Service Tester page
Create HelloWorldComposite Application
1 To create the HelloWorld Composite Application -Select ldquoNew Applicationrdquo from the ldquoApplication Navigatorrdquo
Figure 1 Select New Application from the Application Navigator
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 7
2 This will launch the ldquoNew Applicationrdquo Wizard Provide the ldquoApplication Namerdquo as HelloWorldCompositeApp and
select ldquoSOA Applicationrdquo from the ldquoApplication Templaterdquo list as show in Figure 2 Click ldquoNextrdquo to proceed
Figure 2 Create a SOA Application by choosing the appropriate template
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 8
3 Provide ldquoProject Namerdquo as HelloWorldComposite as show in Figure 3 In this project no other technologies are
required so leave the ldquoSelectedrdquo Project technologies as SOA Click ldquoNextrdquo to proceed
Figure 3 Project information for SOA Composite App
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 9
4 JDeveloper provides some default templates for creating a composite application In this How To ndash we will create a
Composite with a BPEL Process Select the ldquoComposite with BPEL Processrdquo as shown in Figure 4 Click ldquoFinishrdquo to
complete the SOA Application creation steps
Figure 4 Create a Composite with BPEL Process
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 10
5 This will launch the BPEL Process Creation dialog as shown in Figure 5 Select Template as ldquoSynchronous BPEL
Processrdquo Ensure ldquoExpose as a SOAP servicerdquo is selected These options will result in the creation of a Synchronous
BPEL process exposing a web service endpoint Click ldquoOKrdquo to finish the BPEL process creation
Figure 5 BPEL Process Creation Dialog in JDeveloper
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 11
6 Once the synchronous BPEL Process is created add a BPEL Assign Activity by selecting ldquoAssignrdquo activity from the
ldquoActivitiesrdquo sub-section under the ldquoBPEL Constructsrdquo section on the right hand side and add it in between the
ldquoreceiveInputrdquo and the ldquoreplyOutputrdquo nodes as show in Figure 6
Figure 6 Synchronous BPEL Process exposed as Web Service
7 After adding the ldquoAssignrdquo activity double click on the ldquoAssignrdquo activity node to edit the Assign activity This will open
a dialog box as shown in Figure 7
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 12
Figure 7 BPEL Edit Assign Activity Dialog
8 Expand the ldquooutputVariablerdquo on the right hand side of the dialog and double click on ldquoclientresultrdquo field as shown in
Figure 8 Upon double clicking this will launch the ldquoExpression Builderrdquo dialog as show in Figure 9
Figure 8 Expand the output variable to launch the Expression Builder
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 13
Figure 9 Expression Builder Dialog
Note JDeveloper based on the selections we had done previously creates by default a composite app that takes a single
argument (of type String) as input and returns a single value (of type String) as output
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 14
9 We construct a simple ltldquoHello ldquo+inputgt by selecting the ldquoconcat()rdquo function from the list of pre-built String functions
that are available in SOA This is show in Figure 10 Hit ldquoOKrdquo to dismiss the ldquoExpression Builderrdquo dialog
Figure 10 Using the concat function in BPEL Expression Builder
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 15
10 The previous steps will result in an automatic Copy Rule being created where in the expression that was created in
Figure 10 is assigned to the output payload as shown in Figure 11
Figure 11 Copy Rule in the Assign Activity
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 16
Build and Deploy HelloWorldComposite Application
1 Make or Build the Composite Application and ensure there are no compilation failures To Build the Composite
Application ndash ldquoright clickrdquo on the HelloWorldComposite Project and click on ldquoMake HelloWorldCompositejprrdquo as
show in Figure 12
Figure 12 Build the Composite Application
2 There are many ways to deploy the Composite Application but in this How To we will create a jar for the
HelloWorldComposite application
To create a jar ldquoRight Clickrdquo on the HelloWorldComposite project and click on Deploy from the Menu Figure 13 - Figure
16 show the steps for creating a jar (SAR) for the HelloWorldComposite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 17
Figure 13 Steps to create a jar for the HelloWorld Composite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 18
Figure 14 Select the SAR option to create a jar
Figure 15 Steps for creating a jar for HelloWorld Composite App
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 19
Figure 16 Final step in the creation of jar for HelloWorld Composite app
3 Once the jar is created we will use EM to deploy the composite app To deploy the Composite application
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 20
Log into EM
Expand the SOA folder on the Left Hand navigation tree
Click on ldquosoa-infrardquo on the Left Hand tree The Right hand panel is updated Now click on ldquoSOA Infrastructurerdquo
this will open a menu
Select ldquoSOA Deploymentrdquo and ldquoDeployrdquo from the menu as shown in Figure 17
Figure 17 Deploying HelloWorld Composite app from EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 21
4 This will launch the SOA Composite Deployment wizard Browse the local file system to select the jar to deploy by
created in Figure 16 as shown in Figure 18 Click ldquoNextrdquo to proceed
Figure 18 Selecting HelloWorldComposite archive in EM
5 In the sample topology there is only one target and so there are no choices Select the partition to deploy the
composite app SOA ships will a ldquodefaultrdquo partition out of the box Select the default partition (Note It is a
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 22
mandatory field) as show in Figure 19 Click ldquoNextrdquo to proceed Leave the defaults as show in Figure 20 on the
confirmation page and click on ldquoDeployrdquo to finish deployment
Figure 19 Target Selection for HelloWorldComposite
Figure 20 HelloWorldComposte deployment via EM Confirmation page
Create SOA Component level Role based Authorization Policy
1 Search for policies that can be applied to SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 23
Figure 21 Search for SOA Component Authorization policies
2 Make a Copy of the OOTB Authorization policy using the ldquoCreate Likerdquo feature as shown in Figure 22
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 24
Figure 22 Make a Copy of the OOTB Authorization Policy using Create Like
3 Name the Policy appropriately as show in Figure 23
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 25
Figure 23 New SOA Component Authorization Policy
4 Select the Role in the settings tab of the Policy You do this by clicking on the ldquosettings tabrdquo for the Authorization
assertion and selecting the ldquoSelected Rolesrdquo radio button as shown in Figure 24
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 26
Figure 24 Select a Role as part of the creation of the new Authorization Policy
5 You can add the Role by clicking on the ldquoAddrdquo button in Figure 24 This will launch a ldquoAdd Rolerdquo dialog box as shown
in Figure 25 In this example ndash the ldquoMonitorrdquo role has been selected
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 27
Figure 25 Selecting the Monitor role to add to the Authorization policy
Click ldquoOKrdquo on the diaglog in Figure 25 after adding the role click on the ldquoSaverdquo button to save the policy
Attach OOTB authentication policy to the SOA Service
1 Before we can attach the Custom Authorization Policy created in the previous steps to the SOA Component we
need to secure the HelloWorldComposite with an authentication policy For this How-To we will use the
ldquooraclewss_username_token_service_policyrdquo Go to the HelloWorldComposite Dashboard page as shown in Figure
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 28
26 In Figure 26 we have Service ldquobpelprocess1_client_eprdquo of type Web Service Click on the
ldquobpelprocess1_client_eprdquo to navigate to the Service Dashboard page as shown in Figure 27
Figure 26 HelloWorldComposite Dashboard page in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 5
EM Fusion Middle Control httpadmin_hostadmin_portem User weblogic
Password welcome1
Weblogic Console httpadmin_hostadmin_portconsole User weblogic
Password welcome1
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 6
Step by Step Instructions
At a high level we will perform the following in this How-To
Create a HelloWorldComposite Application using JDeveloper
Build and Deploy the HelloWorldComposite application using EM
Create a Custom Authorization Policy using EM
Attach an Authentication Policy to HelloWorldComposite App using EM
Test the secured HelloWorldComposite app using EM Web Service Tester page
Attach the Custom Authorization Policy using EM
Test the secured HelloWorldComposite app using EM Web Service Tester page
Create HelloWorldComposite Application
1 To create the HelloWorld Composite Application -Select ldquoNew Applicationrdquo from the ldquoApplication Navigatorrdquo
Figure 1 Select New Application from the Application Navigator
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 7
2 This will launch the ldquoNew Applicationrdquo Wizard Provide the ldquoApplication Namerdquo as HelloWorldCompositeApp and
select ldquoSOA Applicationrdquo from the ldquoApplication Templaterdquo list as show in Figure 2 Click ldquoNextrdquo to proceed
Figure 2 Create a SOA Application by choosing the appropriate template
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 8
3 Provide ldquoProject Namerdquo as HelloWorldComposite as show in Figure 3 In this project no other technologies are
required so leave the ldquoSelectedrdquo Project technologies as SOA Click ldquoNextrdquo to proceed
Figure 3 Project information for SOA Composite App
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 9
4 JDeveloper provides some default templates for creating a composite application In this How To ndash we will create a
Composite with a BPEL Process Select the ldquoComposite with BPEL Processrdquo as shown in Figure 4 Click ldquoFinishrdquo to
complete the SOA Application creation steps
Figure 4 Create a Composite with BPEL Process
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 10
5 This will launch the BPEL Process Creation dialog as shown in Figure 5 Select Template as ldquoSynchronous BPEL
Processrdquo Ensure ldquoExpose as a SOAP servicerdquo is selected These options will result in the creation of a Synchronous
BPEL process exposing a web service endpoint Click ldquoOKrdquo to finish the BPEL process creation
Figure 5 BPEL Process Creation Dialog in JDeveloper
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 11
6 Once the synchronous BPEL Process is created add a BPEL Assign Activity by selecting ldquoAssignrdquo activity from the
ldquoActivitiesrdquo sub-section under the ldquoBPEL Constructsrdquo section on the right hand side and add it in between the
ldquoreceiveInputrdquo and the ldquoreplyOutputrdquo nodes as show in Figure 6
Figure 6 Synchronous BPEL Process exposed as Web Service
7 After adding the ldquoAssignrdquo activity double click on the ldquoAssignrdquo activity node to edit the Assign activity This will open
a dialog box as shown in Figure 7
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 12
Figure 7 BPEL Edit Assign Activity Dialog
8 Expand the ldquooutputVariablerdquo on the right hand side of the dialog and double click on ldquoclientresultrdquo field as shown in
Figure 8 Upon double clicking this will launch the ldquoExpression Builderrdquo dialog as show in Figure 9
Figure 8 Expand the output variable to launch the Expression Builder
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 13
Figure 9 Expression Builder Dialog
Note JDeveloper based on the selections we had done previously creates by default a composite app that takes a single
argument (of type String) as input and returns a single value (of type String) as output
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 14
9 We construct a simple ltldquoHello ldquo+inputgt by selecting the ldquoconcat()rdquo function from the list of pre-built String functions
that are available in SOA This is show in Figure 10 Hit ldquoOKrdquo to dismiss the ldquoExpression Builderrdquo dialog
Figure 10 Using the concat function in BPEL Expression Builder
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 15
10 The previous steps will result in an automatic Copy Rule being created where in the expression that was created in
Figure 10 is assigned to the output payload as shown in Figure 11
Figure 11 Copy Rule in the Assign Activity
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 16
Build and Deploy HelloWorldComposite Application
1 Make or Build the Composite Application and ensure there are no compilation failures To Build the Composite
Application ndash ldquoright clickrdquo on the HelloWorldComposite Project and click on ldquoMake HelloWorldCompositejprrdquo as
show in Figure 12
Figure 12 Build the Composite Application
2 There are many ways to deploy the Composite Application but in this How To we will create a jar for the
HelloWorldComposite application
To create a jar ldquoRight Clickrdquo on the HelloWorldComposite project and click on Deploy from the Menu Figure 13 - Figure
16 show the steps for creating a jar (SAR) for the HelloWorldComposite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 17
Figure 13 Steps to create a jar for the HelloWorld Composite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 18
Figure 14 Select the SAR option to create a jar
Figure 15 Steps for creating a jar for HelloWorld Composite App
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 19
Figure 16 Final step in the creation of jar for HelloWorld Composite app
3 Once the jar is created we will use EM to deploy the composite app To deploy the Composite application
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 20
Log into EM
Expand the SOA folder on the Left Hand navigation tree
Click on ldquosoa-infrardquo on the Left Hand tree The Right hand panel is updated Now click on ldquoSOA Infrastructurerdquo
this will open a menu
Select ldquoSOA Deploymentrdquo and ldquoDeployrdquo from the menu as shown in Figure 17
Figure 17 Deploying HelloWorld Composite app from EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 21
4 This will launch the SOA Composite Deployment wizard Browse the local file system to select the jar to deploy by
created in Figure 16 as shown in Figure 18 Click ldquoNextrdquo to proceed
Figure 18 Selecting HelloWorldComposite archive in EM
5 In the sample topology there is only one target and so there are no choices Select the partition to deploy the
composite app SOA ships will a ldquodefaultrdquo partition out of the box Select the default partition (Note It is a
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 22
mandatory field) as show in Figure 19 Click ldquoNextrdquo to proceed Leave the defaults as show in Figure 20 on the
confirmation page and click on ldquoDeployrdquo to finish deployment
Figure 19 Target Selection for HelloWorldComposite
Figure 20 HelloWorldComposte deployment via EM Confirmation page
Create SOA Component level Role based Authorization Policy
1 Search for policies that can be applied to SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 23
Figure 21 Search for SOA Component Authorization policies
2 Make a Copy of the OOTB Authorization policy using the ldquoCreate Likerdquo feature as shown in Figure 22
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 24
Figure 22 Make a Copy of the OOTB Authorization Policy using Create Like
3 Name the Policy appropriately as show in Figure 23
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 25
Figure 23 New SOA Component Authorization Policy
4 Select the Role in the settings tab of the Policy You do this by clicking on the ldquosettings tabrdquo for the Authorization
assertion and selecting the ldquoSelected Rolesrdquo radio button as shown in Figure 24
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 26
Figure 24 Select a Role as part of the creation of the new Authorization Policy
5 You can add the Role by clicking on the ldquoAddrdquo button in Figure 24 This will launch a ldquoAdd Rolerdquo dialog box as shown
in Figure 25 In this example ndash the ldquoMonitorrdquo role has been selected
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 27
Figure 25 Selecting the Monitor role to add to the Authorization policy
Click ldquoOKrdquo on the diaglog in Figure 25 after adding the role click on the ldquoSaverdquo button to save the policy
Attach OOTB authentication policy to the SOA Service
1 Before we can attach the Custom Authorization Policy created in the previous steps to the SOA Component we
need to secure the HelloWorldComposite with an authentication policy For this How-To we will use the
ldquooraclewss_username_token_service_policyrdquo Go to the HelloWorldComposite Dashboard page as shown in Figure
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 28
26 In Figure 26 we have Service ldquobpelprocess1_client_eprdquo of type Web Service Click on the
ldquobpelprocess1_client_eprdquo to navigate to the Service Dashboard page as shown in Figure 27
Figure 26 HelloWorldComposite Dashboard page in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 6
Step by Step Instructions
At a high level we will perform the following in this How-To
Create a HelloWorldComposite Application using JDeveloper
Build and Deploy the HelloWorldComposite application using EM
Create a Custom Authorization Policy using EM
Attach an Authentication Policy to HelloWorldComposite App using EM
Test the secured HelloWorldComposite app using EM Web Service Tester page
Attach the Custom Authorization Policy using EM
Test the secured HelloWorldComposite app using EM Web Service Tester page
Create HelloWorldComposite Application
1 To create the HelloWorld Composite Application -Select ldquoNew Applicationrdquo from the ldquoApplication Navigatorrdquo
Figure 1 Select New Application from the Application Navigator
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 7
2 This will launch the ldquoNew Applicationrdquo Wizard Provide the ldquoApplication Namerdquo as HelloWorldCompositeApp and
select ldquoSOA Applicationrdquo from the ldquoApplication Templaterdquo list as show in Figure 2 Click ldquoNextrdquo to proceed
Figure 2 Create a SOA Application by choosing the appropriate template
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 8
3 Provide ldquoProject Namerdquo as HelloWorldComposite as show in Figure 3 In this project no other technologies are
required so leave the ldquoSelectedrdquo Project technologies as SOA Click ldquoNextrdquo to proceed
Figure 3 Project information for SOA Composite App
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 9
4 JDeveloper provides some default templates for creating a composite application In this How To ndash we will create a
Composite with a BPEL Process Select the ldquoComposite with BPEL Processrdquo as shown in Figure 4 Click ldquoFinishrdquo to
complete the SOA Application creation steps
Figure 4 Create a Composite with BPEL Process
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 10
5 This will launch the BPEL Process Creation dialog as shown in Figure 5 Select Template as ldquoSynchronous BPEL
Processrdquo Ensure ldquoExpose as a SOAP servicerdquo is selected These options will result in the creation of a Synchronous
BPEL process exposing a web service endpoint Click ldquoOKrdquo to finish the BPEL process creation
Figure 5 BPEL Process Creation Dialog in JDeveloper
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 11
6 Once the synchronous BPEL Process is created add a BPEL Assign Activity by selecting ldquoAssignrdquo activity from the
ldquoActivitiesrdquo sub-section under the ldquoBPEL Constructsrdquo section on the right hand side and add it in between the
ldquoreceiveInputrdquo and the ldquoreplyOutputrdquo nodes as show in Figure 6
Figure 6 Synchronous BPEL Process exposed as Web Service
7 After adding the ldquoAssignrdquo activity double click on the ldquoAssignrdquo activity node to edit the Assign activity This will open
a dialog box as shown in Figure 7
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 12
Figure 7 BPEL Edit Assign Activity Dialog
8 Expand the ldquooutputVariablerdquo on the right hand side of the dialog and double click on ldquoclientresultrdquo field as shown in
Figure 8 Upon double clicking this will launch the ldquoExpression Builderrdquo dialog as show in Figure 9
Figure 8 Expand the output variable to launch the Expression Builder
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 13
Figure 9 Expression Builder Dialog
Note JDeveloper based on the selections we had done previously creates by default a composite app that takes a single
argument (of type String) as input and returns a single value (of type String) as output
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 14
9 We construct a simple ltldquoHello ldquo+inputgt by selecting the ldquoconcat()rdquo function from the list of pre-built String functions
that are available in SOA This is show in Figure 10 Hit ldquoOKrdquo to dismiss the ldquoExpression Builderrdquo dialog
Figure 10 Using the concat function in BPEL Expression Builder
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 15
10 The previous steps will result in an automatic Copy Rule being created where in the expression that was created in
Figure 10 is assigned to the output payload as shown in Figure 11
Figure 11 Copy Rule in the Assign Activity
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 16
Build and Deploy HelloWorldComposite Application
1 Make or Build the Composite Application and ensure there are no compilation failures To Build the Composite
Application ndash ldquoright clickrdquo on the HelloWorldComposite Project and click on ldquoMake HelloWorldCompositejprrdquo as
show in Figure 12
Figure 12 Build the Composite Application
2 There are many ways to deploy the Composite Application but in this How To we will create a jar for the
HelloWorldComposite application
To create a jar ldquoRight Clickrdquo on the HelloWorldComposite project and click on Deploy from the Menu Figure 13 - Figure
16 show the steps for creating a jar (SAR) for the HelloWorldComposite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 17
Figure 13 Steps to create a jar for the HelloWorld Composite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 18
Figure 14 Select the SAR option to create a jar
Figure 15 Steps for creating a jar for HelloWorld Composite App
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 19
Figure 16 Final step in the creation of jar for HelloWorld Composite app
3 Once the jar is created we will use EM to deploy the composite app To deploy the Composite application
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 20
Log into EM
Expand the SOA folder on the Left Hand navigation tree
Click on ldquosoa-infrardquo on the Left Hand tree The Right hand panel is updated Now click on ldquoSOA Infrastructurerdquo
this will open a menu
Select ldquoSOA Deploymentrdquo and ldquoDeployrdquo from the menu as shown in Figure 17
Figure 17 Deploying HelloWorld Composite app from EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 21
4 This will launch the SOA Composite Deployment wizard Browse the local file system to select the jar to deploy by
created in Figure 16 as shown in Figure 18 Click ldquoNextrdquo to proceed
Figure 18 Selecting HelloWorldComposite archive in EM
5 In the sample topology there is only one target and so there are no choices Select the partition to deploy the
composite app SOA ships will a ldquodefaultrdquo partition out of the box Select the default partition (Note It is a
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 22
mandatory field) as show in Figure 19 Click ldquoNextrdquo to proceed Leave the defaults as show in Figure 20 on the
confirmation page and click on ldquoDeployrdquo to finish deployment
Figure 19 Target Selection for HelloWorldComposite
Figure 20 HelloWorldComposte deployment via EM Confirmation page
Create SOA Component level Role based Authorization Policy
1 Search for policies that can be applied to SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 23
Figure 21 Search for SOA Component Authorization policies
2 Make a Copy of the OOTB Authorization policy using the ldquoCreate Likerdquo feature as shown in Figure 22
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 24
Figure 22 Make a Copy of the OOTB Authorization Policy using Create Like
3 Name the Policy appropriately as show in Figure 23
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 25
Figure 23 New SOA Component Authorization Policy
4 Select the Role in the settings tab of the Policy You do this by clicking on the ldquosettings tabrdquo for the Authorization
assertion and selecting the ldquoSelected Rolesrdquo radio button as shown in Figure 24
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 26
Figure 24 Select a Role as part of the creation of the new Authorization Policy
5 You can add the Role by clicking on the ldquoAddrdquo button in Figure 24 This will launch a ldquoAdd Rolerdquo dialog box as shown
in Figure 25 In this example ndash the ldquoMonitorrdquo role has been selected
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 27
Figure 25 Selecting the Monitor role to add to the Authorization policy
Click ldquoOKrdquo on the diaglog in Figure 25 after adding the role click on the ldquoSaverdquo button to save the policy
Attach OOTB authentication policy to the SOA Service
1 Before we can attach the Custom Authorization Policy created in the previous steps to the SOA Component we
need to secure the HelloWorldComposite with an authentication policy For this How-To we will use the
ldquooraclewss_username_token_service_policyrdquo Go to the HelloWorldComposite Dashboard page as shown in Figure
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 28
26 In Figure 26 we have Service ldquobpelprocess1_client_eprdquo of type Web Service Click on the
ldquobpelprocess1_client_eprdquo to navigate to the Service Dashboard page as shown in Figure 27
Figure 26 HelloWorldComposite Dashboard page in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 7
2 This will launch the ldquoNew Applicationrdquo Wizard Provide the ldquoApplication Namerdquo as HelloWorldCompositeApp and
select ldquoSOA Applicationrdquo from the ldquoApplication Templaterdquo list as show in Figure 2 Click ldquoNextrdquo to proceed
Figure 2 Create a SOA Application by choosing the appropriate template
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 8
3 Provide ldquoProject Namerdquo as HelloWorldComposite as show in Figure 3 In this project no other technologies are
required so leave the ldquoSelectedrdquo Project technologies as SOA Click ldquoNextrdquo to proceed
Figure 3 Project information for SOA Composite App
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 9
4 JDeveloper provides some default templates for creating a composite application In this How To ndash we will create a
Composite with a BPEL Process Select the ldquoComposite with BPEL Processrdquo as shown in Figure 4 Click ldquoFinishrdquo to
complete the SOA Application creation steps
Figure 4 Create a Composite with BPEL Process
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 10
5 This will launch the BPEL Process Creation dialog as shown in Figure 5 Select Template as ldquoSynchronous BPEL
Processrdquo Ensure ldquoExpose as a SOAP servicerdquo is selected These options will result in the creation of a Synchronous
BPEL process exposing a web service endpoint Click ldquoOKrdquo to finish the BPEL process creation
Figure 5 BPEL Process Creation Dialog in JDeveloper
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 11
6 Once the synchronous BPEL Process is created add a BPEL Assign Activity by selecting ldquoAssignrdquo activity from the
ldquoActivitiesrdquo sub-section under the ldquoBPEL Constructsrdquo section on the right hand side and add it in between the
ldquoreceiveInputrdquo and the ldquoreplyOutputrdquo nodes as show in Figure 6
Figure 6 Synchronous BPEL Process exposed as Web Service
7 After adding the ldquoAssignrdquo activity double click on the ldquoAssignrdquo activity node to edit the Assign activity This will open
a dialog box as shown in Figure 7
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 12
Figure 7 BPEL Edit Assign Activity Dialog
8 Expand the ldquooutputVariablerdquo on the right hand side of the dialog and double click on ldquoclientresultrdquo field as shown in
Figure 8 Upon double clicking this will launch the ldquoExpression Builderrdquo dialog as show in Figure 9
Figure 8 Expand the output variable to launch the Expression Builder
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 13
Figure 9 Expression Builder Dialog
Note JDeveloper based on the selections we had done previously creates by default a composite app that takes a single
argument (of type String) as input and returns a single value (of type String) as output
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 14
9 We construct a simple ltldquoHello ldquo+inputgt by selecting the ldquoconcat()rdquo function from the list of pre-built String functions
that are available in SOA This is show in Figure 10 Hit ldquoOKrdquo to dismiss the ldquoExpression Builderrdquo dialog
Figure 10 Using the concat function in BPEL Expression Builder
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 15
10 The previous steps will result in an automatic Copy Rule being created where in the expression that was created in
Figure 10 is assigned to the output payload as shown in Figure 11
Figure 11 Copy Rule in the Assign Activity
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 16
Build and Deploy HelloWorldComposite Application
1 Make or Build the Composite Application and ensure there are no compilation failures To Build the Composite
Application ndash ldquoright clickrdquo on the HelloWorldComposite Project and click on ldquoMake HelloWorldCompositejprrdquo as
show in Figure 12
Figure 12 Build the Composite Application
2 There are many ways to deploy the Composite Application but in this How To we will create a jar for the
HelloWorldComposite application
To create a jar ldquoRight Clickrdquo on the HelloWorldComposite project and click on Deploy from the Menu Figure 13 - Figure
16 show the steps for creating a jar (SAR) for the HelloWorldComposite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 17
Figure 13 Steps to create a jar for the HelloWorld Composite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 18
Figure 14 Select the SAR option to create a jar
Figure 15 Steps for creating a jar for HelloWorld Composite App
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 19
Figure 16 Final step in the creation of jar for HelloWorld Composite app
3 Once the jar is created we will use EM to deploy the composite app To deploy the Composite application
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 20
Log into EM
Expand the SOA folder on the Left Hand navigation tree
Click on ldquosoa-infrardquo on the Left Hand tree The Right hand panel is updated Now click on ldquoSOA Infrastructurerdquo
this will open a menu
Select ldquoSOA Deploymentrdquo and ldquoDeployrdquo from the menu as shown in Figure 17
Figure 17 Deploying HelloWorld Composite app from EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 21
4 This will launch the SOA Composite Deployment wizard Browse the local file system to select the jar to deploy by
created in Figure 16 as shown in Figure 18 Click ldquoNextrdquo to proceed
Figure 18 Selecting HelloWorldComposite archive in EM
5 In the sample topology there is only one target and so there are no choices Select the partition to deploy the
composite app SOA ships will a ldquodefaultrdquo partition out of the box Select the default partition (Note It is a
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 22
mandatory field) as show in Figure 19 Click ldquoNextrdquo to proceed Leave the defaults as show in Figure 20 on the
confirmation page and click on ldquoDeployrdquo to finish deployment
Figure 19 Target Selection for HelloWorldComposite
Figure 20 HelloWorldComposte deployment via EM Confirmation page
Create SOA Component level Role based Authorization Policy
1 Search for policies that can be applied to SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 23
Figure 21 Search for SOA Component Authorization policies
2 Make a Copy of the OOTB Authorization policy using the ldquoCreate Likerdquo feature as shown in Figure 22
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 24
Figure 22 Make a Copy of the OOTB Authorization Policy using Create Like
3 Name the Policy appropriately as show in Figure 23
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 25
Figure 23 New SOA Component Authorization Policy
4 Select the Role in the settings tab of the Policy You do this by clicking on the ldquosettings tabrdquo for the Authorization
assertion and selecting the ldquoSelected Rolesrdquo radio button as shown in Figure 24
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 26
Figure 24 Select a Role as part of the creation of the new Authorization Policy
5 You can add the Role by clicking on the ldquoAddrdquo button in Figure 24 This will launch a ldquoAdd Rolerdquo dialog box as shown
in Figure 25 In this example ndash the ldquoMonitorrdquo role has been selected
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 27
Figure 25 Selecting the Monitor role to add to the Authorization policy
Click ldquoOKrdquo on the diaglog in Figure 25 after adding the role click on the ldquoSaverdquo button to save the policy
Attach OOTB authentication policy to the SOA Service
1 Before we can attach the Custom Authorization Policy created in the previous steps to the SOA Component we
need to secure the HelloWorldComposite with an authentication policy For this How-To we will use the
ldquooraclewss_username_token_service_policyrdquo Go to the HelloWorldComposite Dashboard page as shown in Figure
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 28
26 In Figure 26 we have Service ldquobpelprocess1_client_eprdquo of type Web Service Click on the
ldquobpelprocess1_client_eprdquo to navigate to the Service Dashboard page as shown in Figure 27
Figure 26 HelloWorldComposite Dashboard page in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 8
3 Provide ldquoProject Namerdquo as HelloWorldComposite as show in Figure 3 In this project no other technologies are
required so leave the ldquoSelectedrdquo Project technologies as SOA Click ldquoNextrdquo to proceed
Figure 3 Project information for SOA Composite App
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 9
4 JDeveloper provides some default templates for creating a composite application In this How To ndash we will create a
Composite with a BPEL Process Select the ldquoComposite with BPEL Processrdquo as shown in Figure 4 Click ldquoFinishrdquo to
complete the SOA Application creation steps
Figure 4 Create a Composite with BPEL Process
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 10
5 This will launch the BPEL Process Creation dialog as shown in Figure 5 Select Template as ldquoSynchronous BPEL
Processrdquo Ensure ldquoExpose as a SOAP servicerdquo is selected These options will result in the creation of a Synchronous
BPEL process exposing a web service endpoint Click ldquoOKrdquo to finish the BPEL process creation
Figure 5 BPEL Process Creation Dialog in JDeveloper
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 11
6 Once the synchronous BPEL Process is created add a BPEL Assign Activity by selecting ldquoAssignrdquo activity from the
ldquoActivitiesrdquo sub-section under the ldquoBPEL Constructsrdquo section on the right hand side and add it in between the
ldquoreceiveInputrdquo and the ldquoreplyOutputrdquo nodes as show in Figure 6
Figure 6 Synchronous BPEL Process exposed as Web Service
7 After adding the ldquoAssignrdquo activity double click on the ldquoAssignrdquo activity node to edit the Assign activity This will open
a dialog box as shown in Figure 7
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 12
Figure 7 BPEL Edit Assign Activity Dialog
8 Expand the ldquooutputVariablerdquo on the right hand side of the dialog and double click on ldquoclientresultrdquo field as shown in
Figure 8 Upon double clicking this will launch the ldquoExpression Builderrdquo dialog as show in Figure 9
Figure 8 Expand the output variable to launch the Expression Builder
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 13
Figure 9 Expression Builder Dialog
Note JDeveloper based on the selections we had done previously creates by default a composite app that takes a single
argument (of type String) as input and returns a single value (of type String) as output
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 14
9 We construct a simple ltldquoHello ldquo+inputgt by selecting the ldquoconcat()rdquo function from the list of pre-built String functions
that are available in SOA This is show in Figure 10 Hit ldquoOKrdquo to dismiss the ldquoExpression Builderrdquo dialog
Figure 10 Using the concat function in BPEL Expression Builder
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 15
10 The previous steps will result in an automatic Copy Rule being created where in the expression that was created in
Figure 10 is assigned to the output payload as shown in Figure 11
Figure 11 Copy Rule in the Assign Activity
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 16
Build and Deploy HelloWorldComposite Application
1 Make or Build the Composite Application and ensure there are no compilation failures To Build the Composite
Application ndash ldquoright clickrdquo on the HelloWorldComposite Project and click on ldquoMake HelloWorldCompositejprrdquo as
show in Figure 12
Figure 12 Build the Composite Application
2 There are many ways to deploy the Composite Application but in this How To we will create a jar for the
HelloWorldComposite application
To create a jar ldquoRight Clickrdquo on the HelloWorldComposite project and click on Deploy from the Menu Figure 13 - Figure
16 show the steps for creating a jar (SAR) for the HelloWorldComposite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 17
Figure 13 Steps to create a jar for the HelloWorld Composite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 18
Figure 14 Select the SAR option to create a jar
Figure 15 Steps for creating a jar for HelloWorld Composite App
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 19
Figure 16 Final step in the creation of jar for HelloWorld Composite app
3 Once the jar is created we will use EM to deploy the composite app To deploy the Composite application
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 20
Log into EM
Expand the SOA folder on the Left Hand navigation tree
Click on ldquosoa-infrardquo on the Left Hand tree The Right hand panel is updated Now click on ldquoSOA Infrastructurerdquo
this will open a menu
Select ldquoSOA Deploymentrdquo and ldquoDeployrdquo from the menu as shown in Figure 17
Figure 17 Deploying HelloWorld Composite app from EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 21
4 This will launch the SOA Composite Deployment wizard Browse the local file system to select the jar to deploy by
created in Figure 16 as shown in Figure 18 Click ldquoNextrdquo to proceed
Figure 18 Selecting HelloWorldComposite archive in EM
5 In the sample topology there is only one target and so there are no choices Select the partition to deploy the
composite app SOA ships will a ldquodefaultrdquo partition out of the box Select the default partition (Note It is a
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 22
mandatory field) as show in Figure 19 Click ldquoNextrdquo to proceed Leave the defaults as show in Figure 20 on the
confirmation page and click on ldquoDeployrdquo to finish deployment
Figure 19 Target Selection for HelloWorldComposite
Figure 20 HelloWorldComposte deployment via EM Confirmation page
Create SOA Component level Role based Authorization Policy
1 Search for policies that can be applied to SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 23
Figure 21 Search for SOA Component Authorization policies
2 Make a Copy of the OOTB Authorization policy using the ldquoCreate Likerdquo feature as shown in Figure 22
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 24
Figure 22 Make a Copy of the OOTB Authorization Policy using Create Like
3 Name the Policy appropriately as show in Figure 23
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 25
Figure 23 New SOA Component Authorization Policy
4 Select the Role in the settings tab of the Policy You do this by clicking on the ldquosettings tabrdquo for the Authorization
assertion and selecting the ldquoSelected Rolesrdquo radio button as shown in Figure 24
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 26
Figure 24 Select a Role as part of the creation of the new Authorization Policy
5 You can add the Role by clicking on the ldquoAddrdquo button in Figure 24 This will launch a ldquoAdd Rolerdquo dialog box as shown
in Figure 25 In this example ndash the ldquoMonitorrdquo role has been selected
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 27
Figure 25 Selecting the Monitor role to add to the Authorization policy
Click ldquoOKrdquo on the diaglog in Figure 25 after adding the role click on the ldquoSaverdquo button to save the policy
Attach OOTB authentication policy to the SOA Service
1 Before we can attach the Custom Authorization Policy created in the previous steps to the SOA Component we
need to secure the HelloWorldComposite with an authentication policy For this How-To we will use the
ldquooraclewss_username_token_service_policyrdquo Go to the HelloWorldComposite Dashboard page as shown in Figure
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 28
26 In Figure 26 we have Service ldquobpelprocess1_client_eprdquo of type Web Service Click on the
ldquobpelprocess1_client_eprdquo to navigate to the Service Dashboard page as shown in Figure 27
Figure 26 HelloWorldComposite Dashboard page in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 9
4 JDeveloper provides some default templates for creating a composite application In this How To ndash we will create a
Composite with a BPEL Process Select the ldquoComposite with BPEL Processrdquo as shown in Figure 4 Click ldquoFinishrdquo to
complete the SOA Application creation steps
Figure 4 Create a Composite with BPEL Process
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 10
5 This will launch the BPEL Process Creation dialog as shown in Figure 5 Select Template as ldquoSynchronous BPEL
Processrdquo Ensure ldquoExpose as a SOAP servicerdquo is selected These options will result in the creation of a Synchronous
BPEL process exposing a web service endpoint Click ldquoOKrdquo to finish the BPEL process creation
Figure 5 BPEL Process Creation Dialog in JDeveloper
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 11
6 Once the synchronous BPEL Process is created add a BPEL Assign Activity by selecting ldquoAssignrdquo activity from the
ldquoActivitiesrdquo sub-section under the ldquoBPEL Constructsrdquo section on the right hand side and add it in between the
ldquoreceiveInputrdquo and the ldquoreplyOutputrdquo nodes as show in Figure 6
Figure 6 Synchronous BPEL Process exposed as Web Service
7 After adding the ldquoAssignrdquo activity double click on the ldquoAssignrdquo activity node to edit the Assign activity This will open
a dialog box as shown in Figure 7
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 12
Figure 7 BPEL Edit Assign Activity Dialog
8 Expand the ldquooutputVariablerdquo on the right hand side of the dialog and double click on ldquoclientresultrdquo field as shown in
Figure 8 Upon double clicking this will launch the ldquoExpression Builderrdquo dialog as show in Figure 9
Figure 8 Expand the output variable to launch the Expression Builder
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 13
Figure 9 Expression Builder Dialog
Note JDeveloper based on the selections we had done previously creates by default a composite app that takes a single
argument (of type String) as input and returns a single value (of type String) as output
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 14
9 We construct a simple ltldquoHello ldquo+inputgt by selecting the ldquoconcat()rdquo function from the list of pre-built String functions
that are available in SOA This is show in Figure 10 Hit ldquoOKrdquo to dismiss the ldquoExpression Builderrdquo dialog
Figure 10 Using the concat function in BPEL Expression Builder
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 15
10 The previous steps will result in an automatic Copy Rule being created where in the expression that was created in
Figure 10 is assigned to the output payload as shown in Figure 11
Figure 11 Copy Rule in the Assign Activity
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 16
Build and Deploy HelloWorldComposite Application
1 Make or Build the Composite Application and ensure there are no compilation failures To Build the Composite
Application ndash ldquoright clickrdquo on the HelloWorldComposite Project and click on ldquoMake HelloWorldCompositejprrdquo as
show in Figure 12
Figure 12 Build the Composite Application
2 There are many ways to deploy the Composite Application but in this How To we will create a jar for the
HelloWorldComposite application
To create a jar ldquoRight Clickrdquo on the HelloWorldComposite project and click on Deploy from the Menu Figure 13 - Figure
16 show the steps for creating a jar (SAR) for the HelloWorldComposite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 17
Figure 13 Steps to create a jar for the HelloWorld Composite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 18
Figure 14 Select the SAR option to create a jar
Figure 15 Steps for creating a jar for HelloWorld Composite App
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 19
Figure 16 Final step in the creation of jar for HelloWorld Composite app
3 Once the jar is created we will use EM to deploy the composite app To deploy the Composite application
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 20
Log into EM
Expand the SOA folder on the Left Hand navigation tree
Click on ldquosoa-infrardquo on the Left Hand tree The Right hand panel is updated Now click on ldquoSOA Infrastructurerdquo
this will open a menu
Select ldquoSOA Deploymentrdquo and ldquoDeployrdquo from the menu as shown in Figure 17
Figure 17 Deploying HelloWorld Composite app from EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 21
4 This will launch the SOA Composite Deployment wizard Browse the local file system to select the jar to deploy by
created in Figure 16 as shown in Figure 18 Click ldquoNextrdquo to proceed
Figure 18 Selecting HelloWorldComposite archive in EM
5 In the sample topology there is only one target and so there are no choices Select the partition to deploy the
composite app SOA ships will a ldquodefaultrdquo partition out of the box Select the default partition (Note It is a
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 22
mandatory field) as show in Figure 19 Click ldquoNextrdquo to proceed Leave the defaults as show in Figure 20 on the
confirmation page and click on ldquoDeployrdquo to finish deployment
Figure 19 Target Selection for HelloWorldComposite
Figure 20 HelloWorldComposte deployment via EM Confirmation page
Create SOA Component level Role based Authorization Policy
1 Search for policies that can be applied to SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 23
Figure 21 Search for SOA Component Authorization policies
2 Make a Copy of the OOTB Authorization policy using the ldquoCreate Likerdquo feature as shown in Figure 22
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 24
Figure 22 Make a Copy of the OOTB Authorization Policy using Create Like
3 Name the Policy appropriately as show in Figure 23
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 25
Figure 23 New SOA Component Authorization Policy
4 Select the Role in the settings tab of the Policy You do this by clicking on the ldquosettings tabrdquo for the Authorization
assertion and selecting the ldquoSelected Rolesrdquo radio button as shown in Figure 24
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 26
Figure 24 Select a Role as part of the creation of the new Authorization Policy
5 You can add the Role by clicking on the ldquoAddrdquo button in Figure 24 This will launch a ldquoAdd Rolerdquo dialog box as shown
in Figure 25 In this example ndash the ldquoMonitorrdquo role has been selected
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 27
Figure 25 Selecting the Monitor role to add to the Authorization policy
Click ldquoOKrdquo on the diaglog in Figure 25 after adding the role click on the ldquoSaverdquo button to save the policy
Attach OOTB authentication policy to the SOA Service
1 Before we can attach the Custom Authorization Policy created in the previous steps to the SOA Component we
need to secure the HelloWorldComposite with an authentication policy For this How-To we will use the
ldquooraclewss_username_token_service_policyrdquo Go to the HelloWorldComposite Dashboard page as shown in Figure
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 28
26 In Figure 26 we have Service ldquobpelprocess1_client_eprdquo of type Web Service Click on the
ldquobpelprocess1_client_eprdquo to navigate to the Service Dashboard page as shown in Figure 27
Figure 26 HelloWorldComposite Dashboard page in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 10
5 This will launch the BPEL Process Creation dialog as shown in Figure 5 Select Template as ldquoSynchronous BPEL
Processrdquo Ensure ldquoExpose as a SOAP servicerdquo is selected These options will result in the creation of a Synchronous
BPEL process exposing a web service endpoint Click ldquoOKrdquo to finish the BPEL process creation
Figure 5 BPEL Process Creation Dialog in JDeveloper
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 11
6 Once the synchronous BPEL Process is created add a BPEL Assign Activity by selecting ldquoAssignrdquo activity from the
ldquoActivitiesrdquo sub-section under the ldquoBPEL Constructsrdquo section on the right hand side and add it in between the
ldquoreceiveInputrdquo and the ldquoreplyOutputrdquo nodes as show in Figure 6
Figure 6 Synchronous BPEL Process exposed as Web Service
7 After adding the ldquoAssignrdquo activity double click on the ldquoAssignrdquo activity node to edit the Assign activity This will open
a dialog box as shown in Figure 7
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 12
Figure 7 BPEL Edit Assign Activity Dialog
8 Expand the ldquooutputVariablerdquo on the right hand side of the dialog and double click on ldquoclientresultrdquo field as shown in
Figure 8 Upon double clicking this will launch the ldquoExpression Builderrdquo dialog as show in Figure 9
Figure 8 Expand the output variable to launch the Expression Builder
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 13
Figure 9 Expression Builder Dialog
Note JDeveloper based on the selections we had done previously creates by default a composite app that takes a single
argument (of type String) as input and returns a single value (of type String) as output
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 14
9 We construct a simple ltldquoHello ldquo+inputgt by selecting the ldquoconcat()rdquo function from the list of pre-built String functions
that are available in SOA This is show in Figure 10 Hit ldquoOKrdquo to dismiss the ldquoExpression Builderrdquo dialog
Figure 10 Using the concat function in BPEL Expression Builder
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 15
10 The previous steps will result in an automatic Copy Rule being created where in the expression that was created in
Figure 10 is assigned to the output payload as shown in Figure 11
Figure 11 Copy Rule in the Assign Activity
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 16
Build and Deploy HelloWorldComposite Application
1 Make or Build the Composite Application and ensure there are no compilation failures To Build the Composite
Application ndash ldquoright clickrdquo on the HelloWorldComposite Project and click on ldquoMake HelloWorldCompositejprrdquo as
show in Figure 12
Figure 12 Build the Composite Application
2 There are many ways to deploy the Composite Application but in this How To we will create a jar for the
HelloWorldComposite application
To create a jar ldquoRight Clickrdquo on the HelloWorldComposite project and click on Deploy from the Menu Figure 13 - Figure
16 show the steps for creating a jar (SAR) for the HelloWorldComposite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 17
Figure 13 Steps to create a jar for the HelloWorld Composite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 18
Figure 14 Select the SAR option to create a jar
Figure 15 Steps for creating a jar for HelloWorld Composite App
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 19
Figure 16 Final step in the creation of jar for HelloWorld Composite app
3 Once the jar is created we will use EM to deploy the composite app To deploy the Composite application
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 20
Log into EM
Expand the SOA folder on the Left Hand navigation tree
Click on ldquosoa-infrardquo on the Left Hand tree The Right hand panel is updated Now click on ldquoSOA Infrastructurerdquo
this will open a menu
Select ldquoSOA Deploymentrdquo and ldquoDeployrdquo from the menu as shown in Figure 17
Figure 17 Deploying HelloWorld Composite app from EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 21
4 This will launch the SOA Composite Deployment wizard Browse the local file system to select the jar to deploy by
created in Figure 16 as shown in Figure 18 Click ldquoNextrdquo to proceed
Figure 18 Selecting HelloWorldComposite archive in EM
5 In the sample topology there is only one target and so there are no choices Select the partition to deploy the
composite app SOA ships will a ldquodefaultrdquo partition out of the box Select the default partition (Note It is a
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 22
mandatory field) as show in Figure 19 Click ldquoNextrdquo to proceed Leave the defaults as show in Figure 20 on the
confirmation page and click on ldquoDeployrdquo to finish deployment
Figure 19 Target Selection for HelloWorldComposite
Figure 20 HelloWorldComposte deployment via EM Confirmation page
Create SOA Component level Role based Authorization Policy
1 Search for policies that can be applied to SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 23
Figure 21 Search for SOA Component Authorization policies
2 Make a Copy of the OOTB Authorization policy using the ldquoCreate Likerdquo feature as shown in Figure 22
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 24
Figure 22 Make a Copy of the OOTB Authorization Policy using Create Like
3 Name the Policy appropriately as show in Figure 23
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 25
Figure 23 New SOA Component Authorization Policy
4 Select the Role in the settings tab of the Policy You do this by clicking on the ldquosettings tabrdquo for the Authorization
assertion and selecting the ldquoSelected Rolesrdquo radio button as shown in Figure 24
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 26
Figure 24 Select a Role as part of the creation of the new Authorization Policy
5 You can add the Role by clicking on the ldquoAddrdquo button in Figure 24 This will launch a ldquoAdd Rolerdquo dialog box as shown
in Figure 25 In this example ndash the ldquoMonitorrdquo role has been selected
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 27
Figure 25 Selecting the Monitor role to add to the Authorization policy
Click ldquoOKrdquo on the diaglog in Figure 25 after adding the role click on the ldquoSaverdquo button to save the policy
Attach OOTB authentication policy to the SOA Service
1 Before we can attach the Custom Authorization Policy created in the previous steps to the SOA Component we
need to secure the HelloWorldComposite with an authentication policy For this How-To we will use the
ldquooraclewss_username_token_service_policyrdquo Go to the HelloWorldComposite Dashboard page as shown in Figure
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 28
26 In Figure 26 we have Service ldquobpelprocess1_client_eprdquo of type Web Service Click on the
ldquobpelprocess1_client_eprdquo to navigate to the Service Dashboard page as shown in Figure 27
Figure 26 HelloWorldComposite Dashboard page in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 11
6 Once the synchronous BPEL Process is created add a BPEL Assign Activity by selecting ldquoAssignrdquo activity from the
ldquoActivitiesrdquo sub-section under the ldquoBPEL Constructsrdquo section on the right hand side and add it in between the
ldquoreceiveInputrdquo and the ldquoreplyOutputrdquo nodes as show in Figure 6
Figure 6 Synchronous BPEL Process exposed as Web Service
7 After adding the ldquoAssignrdquo activity double click on the ldquoAssignrdquo activity node to edit the Assign activity This will open
a dialog box as shown in Figure 7
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 12
Figure 7 BPEL Edit Assign Activity Dialog
8 Expand the ldquooutputVariablerdquo on the right hand side of the dialog and double click on ldquoclientresultrdquo field as shown in
Figure 8 Upon double clicking this will launch the ldquoExpression Builderrdquo dialog as show in Figure 9
Figure 8 Expand the output variable to launch the Expression Builder
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 13
Figure 9 Expression Builder Dialog
Note JDeveloper based on the selections we had done previously creates by default a composite app that takes a single
argument (of type String) as input and returns a single value (of type String) as output
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 14
9 We construct a simple ltldquoHello ldquo+inputgt by selecting the ldquoconcat()rdquo function from the list of pre-built String functions
that are available in SOA This is show in Figure 10 Hit ldquoOKrdquo to dismiss the ldquoExpression Builderrdquo dialog
Figure 10 Using the concat function in BPEL Expression Builder
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 15
10 The previous steps will result in an automatic Copy Rule being created where in the expression that was created in
Figure 10 is assigned to the output payload as shown in Figure 11
Figure 11 Copy Rule in the Assign Activity
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 16
Build and Deploy HelloWorldComposite Application
1 Make or Build the Composite Application and ensure there are no compilation failures To Build the Composite
Application ndash ldquoright clickrdquo on the HelloWorldComposite Project and click on ldquoMake HelloWorldCompositejprrdquo as
show in Figure 12
Figure 12 Build the Composite Application
2 There are many ways to deploy the Composite Application but in this How To we will create a jar for the
HelloWorldComposite application
To create a jar ldquoRight Clickrdquo on the HelloWorldComposite project and click on Deploy from the Menu Figure 13 - Figure
16 show the steps for creating a jar (SAR) for the HelloWorldComposite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 17
Figure 13 Steps to create a jar for the HelloWorld Composite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 18
Figure 14 Select the SAR option to create a jar
Figure 15 Steps for creating a jar for HelloWorld Composite App
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 19
Figure 16 Final step in the creation of jar for HelloWorld Composite app
3 Once the jar is created we will use EM to deploy the composite app To deploy the Composite application
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 20
Log into EM
Expand the SOA folder on the Left Hand navigation tree
Click on ldquosoa-infrardquo on the Left Hand tree The Right hand panel is updated Now click on ldquoSOA Infrastructurerdquo
this will open a menu
Select ldquoSOA Deploymentrdquo and ldquoDeployrdquo from the menu as shown in Figure 17
Figure 17 Deploying HelloWorld Composite app from EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 21
4 This will launch the SOA Composite Deployment wizard Browse the local file system to select the jar to deploy by
created in Figure 16 as shown in Figure 18 Click ldquoNextrdquo to proceed
Figure 18 Selecting HelloWorldComposite archive in EM
5 In the sample topology there is only one target and so there are no choices Select the partition to deploy the
composite app SOA ships will a ldquodefaultrdquo partition out of the box Select the default partition (Note It is a
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 22
mandatory field) as show in Figure 19 Click ldquoNextrdquo to proceed Leave the defaults as show in Figure 20 on the
confirmation page and click on ldquoDeployrdquo to finish deployment
Figure 19 Target Selection for HelloWorldComposite
Figure 20 HelloWorldComposte deployment via EM Confirmation page
Create SOA Component level Role based Authorization Policy
1 Search for policies that can be applied to SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 23
Figure 21 Search for SOA Component Authorization policies
2 Make a Copy of the OOTB Authorization policy using the ldquoCreate Likerdquo feature as shown in Figure 22
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 24
Figure 22 Make a Copy of the OOTB Authorization Policy using Create Like
3 Name the Policy appropriately as show in Figure 23
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 25
Figure 23 New SOA Component Authorization Policy
4 Select the Role in the settings tab of the Policy You do this by clicking on the ldquosettings tabrdquo for the Authorization
assertion and selecting the ldquoSelected Rolesrdquo radio button as shown in Figure 24
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 26
Figure 24 Select a Role as part of the creation of the new Authorization Policy
5 You can add the Role by clicking on the ldquoAddrdquo button in Figure 24 This will launch a ldquoAdd Rolerdquo dialog box as shown
in Figure 25 In this example ndash the ldquoMonitorrdquo role has been selected
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 27
Figure 25 Selecting the Monitor role to add to the Authorization policy
Click ldquoOKrdquo on the diaglog in Figure 25 after adding the role click on the ldquoSaverdquo button to save the policy
Attach OOTB authentication policy to the SOA Service
1 Before we can attach the Custom Authorization Policy created in the previous steps to the SOA Component we
need to secure the HelloWorldComposite with an authentication policy For this How-To we will use the
ldquooraclewss_username_token_service_policyrdquo Go to the HelloWorldComposite Dashboard page as shown in Figure
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 28
26 In Figure 26 we have Service ldquobpelprocess1_client_eprdquo of type Web Service Click on the
ldquobpelprocess1_client_eprdquo to navigate to the Service Dashboard page as shown in Figure 27
Figure 26 HelloWorldComposite Dashboard page in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 12
Figure 7 BPEL Edit Assign Activity Dialog
8 Expand the ldquooutputVariablerdquo on the right hand side of the dialog and double click on ldquoclientresultrdquo field as shown in
Figure 8 Upon double clicking this will launch the ldquoExpression Builderrdquo dialog as show in Figure 9
Figure 8 Expand the output variable to launch the Expression Builder
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 13
Figure 9 Expression Builder Dialog
Note JDeveloper based on the selections we had done previously creates by default a composite app that takes a single
argument (of type String) as input and returns a single value (of type String) as output
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 14
9 We construct a simple ltldquoHello ldquo+inputgt by selecting the ldquoconcat()rdquo function from the list of pre-built String functions
that are available in SOA This is show in Figure 10 Hit ldquoOKrdquo to dismiss the ldquoExpression Builderrdquo dialog
Figure 10 Using the concat function in BPEL Expression Builder
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 15
10 The previous steps will result in an automatic Copy Rule being created where in the expression that was created in
Figure 10 is assigned to the output payload as shown in Figure 11
Figure 11 Copy Rule in the Assign Activity
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 16
Build and Deploy HelloWorldComposite Application
1 Make or Build the Composite Application and ensure there are no compilation failures To Build the Composite
Application ndash ldquoright clickrdquo on the HelloWorldComposite Project and click on ldquoMake HelloWorldCompositejprrdquo as
show in Figure 12
Figure 12 Build the Composite Application
2 There are many ways to deploy the Composite Application but in this How To we will create a jar for the
HelloWorldComposite application
To create a jar ldquoRight Clickrdquo on the HelloWorldComposite project and click on Deploy from the Menu Figure 13 - Figure
16 show the steps for creating a jar (SAR) for the HelloWorldComposite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 17
Figure 13 Steps to create a jar for the HelloWorld Composite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 18
Figure 14 Select the SAR option to create a jar
Figure 15 Steps for creating a jar for HelloWorld Composite App
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 19
Figure 16 Final step in the creation of jar for HelloWorld Composite app
3 Once the jar is created we will use EM to deploy the composite app To deploy the Composite application
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 20
Log into EM
Expand the SOA folder on the Left Hand navigation tree
Click on ldquosoa-infrardquo on the Left Hand tree The Right hand panel is updated Now click on ldquoSOA Infrastructurerdquo
this will open a menu
Select ldquoSOA Deploymentrdquo and ldquoDeployrdquo from the menu as shown in Figure 17
Figure 17 Deploying HelloWorld Composite app from EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 21
4 This will launch the SOA Composite Deployment wizard Browse the local file system to select the jar to deploy by
created in Figure 16 as shown in Figure 18 Click ldquoNextrdquo to proceed
Figure 18 Selecting HelloWorldComposite archive in EM
5 In the sample topology there is only one target and so there are no choices Select the partition to deploy the
composite app SOA ships will a ldquodefaultrdquo partition out of the box Select the default partition (Note It is a
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 22
mandatory field) as show in Figure 19 Click ldquoNextrdquo to proceed Leave the defaults as show in Figure 20 on the
confirmation page and click on ldquoDeployrdquo to finish deployment
Figure 19 Target Selection for HelloWorldComposite
Figure 20 HelloWorldComposte deployment via EM Confirmation page
Create SOA Component level Role based Authorization Policy
1 Search for policies that can be applied to SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 23
Figure 21 Search for SOA Component Authorization policies
2 Make a Copy of the OOTB Authorization policy using the ldquoCreate Likerdquo feature as shown in Figure 22
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 24
Figure 22 Make a Copy of the OOTB Authorization Policy using Create Like
3 Name the Policy appropriately as show in Figure 23
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 25
Figure 23 New SOA Component Authorization Policy
4 Select the Role in the settings tab of the Policy You do this by clicking on the ldquosettings tabrdquo for the Authorization
assertion and selecting the ldquoSelected Rolesrdquo radio button as shown in Figure 24
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 26
Figure 24 Select a Role as part of the creation of the new Authorization Policy
5 You can add the Role by clicking on the ldquoAddrdquo button in Figure 24 This will launch a ldquoAdd Rolerdquo dialog box as shown
in Figure 25 In this example ndash the ldquoMonitorrdquo role has been selected
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 27
Figure 25 Selecting the Monitor role to add to the Authorization policy
Click ldquoOKrdquo on the diaglog in Figure 25 after adding the role click on the ldquoSaverdquo button to save the policy
Attach OOTB authentication policy to the SOA Service
1 Before we can attach the Custom Authorization Policy created in the previous steps to the SOA Component we
need to secure the HelloWorldComposite with an authentication policy For this How-To we will use the
ldquooraclewss_username_token_service_policyrdquo Go to the HelloWorldComposite Dashboard page as shown in Figure
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 28
26 In Figure 26 we have Service ldquobpelprocess1_client_eprdquo of type Web Service Click on the
ldquobpelprocess1_client_eprdquo to navigate to the Service Dashboard page as shown in Figure 27
Figure 26 HelloWorldComposite Dashboard page in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 13
Figure 9 Expression Builder Dialog
Note JDeveloper based on the selections we had done previously creates by default a composite app that takes a single
argument (of type String) as input and returns a single value (of type String) as output
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 14
9 We construct a simple ltldquoHello ldquo+inputgt by selecting the ldquoconcat()rdquo function from the list of pre-built String functions
that are available in SOA This is show in Figure 10 Hit ldquoOKrdquo to dismiss the ldquoExpression Builderrdquo dialog
Figure 10 Using the concat function in BPEL Expression Builder
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 15
10 The previous steps will result in an automatic Copy Rule being created where in the expression that was created in
Figure 10 is assigned to the output payload as shown in Figure 11
Figure 11 Copy Rule in the Assign Activity
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 16
Build and Deploy HelloWorldComposite Application
1 Make or Build the Composite Application and ensure there are no compilation failures To Build the Composite
Application ndash ldquoright clickrdquo on the HelloWorldComposite Project and click on ldquoMake HelloWorldCompositejprrdquo as
show in Figure 12
Figure 12 Build the Composite Application
2 There are many ways to deploy the Composite Application but in this How To we will create a jar for the
HelloWorldComposite application
To create a jar ldquoRight Clickrdquo on the HelloWorldComposite project and click on Deploy from the Menu Figure 13 - Figure
16 show the steps for creating a jar (SAR) for the HelloWorldComposite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 17
Figure 13 Steps to create a jar for the HelloWorld Composite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 18
Figure 14 Select the SAR option to create a jar
Figure 15 Steps for creating a jar for HelloWorld Composite App
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 19
Figure 16 Final step in the creation of jar for HelloWorld Composite app
3 Once the jar is created we will use EM to deploy the composite app To deploy the Composite application
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 20
Log into EM
Expand the SOA folder on the Left Hand navigation tree
Click on ldquosoa-infrardquo on the Left Hand tree The Right hand panel is updated Now click on ldquoSOA Infrastructurerdquo
this will open a menu
Select ldquoSOA Deploymentrdquo and ldquoDeployrdquo from the menu as shown in Figure 17
Figure 17 Deploying HelloWorld Composite app from EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 21
4 This will launch the SOA Composite Deployment wizard Browse the local file system to select the jar to deploy by
created in Figure 16 as shown in Figure 18 Click ldquoNextrdquo to proceed
Figure 18 Selecting HelloWorldComposite archive in EM
5 In the sample topology there is only one target and so there are no choices Select the partition to deploy the
composite app SOA ships will a ldquodefaultrdquo partition out of the box Select the default partition (Note It is a
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 22
mandatory field) as show in Figure 19 Click ldquoNextrdquo to proceed Leave the defaults as show in Figure 20 on the
confirmation page and click on ldquoDeployrdquo to finish deployment
Figure 19 Target Selection for HelloWorldComposite
Figure 20 HelloWorldComposte deployment via EM Confirmation page
Create SOA Component level Role based Authorization Policy
1 Search for policies that can be applied to SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 23
Figure 21 Search for SOA Component Authorization policies
2 Make a Copy of the OOTB Authorization policy using the ldquoCreate Likerdquo feature as shown in Figure 22
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 24
Figure 22 Make a Copy of the OOTB Authorization Policy using Create Like
3 Name the Policy appropriately as show in Figure 23
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 25
Figure 23 New SOA Component Authorization Policy
4 Select the Role in the settings tab of the Policy You do this by clicking on the ldquosettings tabrdquo for the Authorization
assertion and selecting the ldquoSelected Rolesrdquo radio button as shown in Figure 24
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 26
Figure 24 Select a Role as part of the creation of the new Authorization Policy
5 You can add the Role by clicking on the ldquoAddrdquo button in Figure 24 This will launch a ldquoAdd Rolerdquo dialog box as shown
in Figure 25 In this example ndash the ldquoMonitorrdquo role has been selected
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 27
Figure 25 Selecting the Monitor role to add to the Authorization policy
Click ldquoOKrdquo on the diaglog in Figure 25 after adding the role click on the ldquoSaverdquo button to save the policy
Attach OOTB authentication policy to the SOA Service
1 Before we can attach the Custom Authorization Policy created in the previous steps to the SOA Component we
need to secure the HelloWorldComposite with an authentication policy For this How-To we will use the
ldquooraclewss_username_token_service_policyrdquo Go to the HelloWorldComposite Dashboard page as shown in Figure
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 28
26 In Figure 26 we have Service ldquobpelprocess1_client_eprdquo of type Web Service Click on the
ldquobpelprocess1_client_eprdquo to navigate to the Service Dashboard page as shown in Figure 27
Figure 26 HelloWorldComposite Dashboard page in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 14
9 We construct a simple ltldquoHello ldquo+inputgt by selecting the ldquoconcat()rdquo function from the list of pre-built String functions
that are available in SOA This is show in Figure 10 Hit ldquoOKrdquo to dismiss the ldquoExpression Builderrdquo dialog
Figure 10 Using the concat function in BPEL Expression Builder
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 15
10 The previous steps will result in an automatic Copy Rule being created where in the expression that was created in
Figure 10 is assigned to the output payload as shown in Figure 11
Figure 11 Copy Rule in the Assign Activity
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 16
Build and Deploy HelloWorldComposite Application
1 Make or Build the Composite Application and ensure there are no compilation failures To Build the Composite
Application ndash ldquoright clickrdquo on the HelloWorldComposite Project and click on ldquoMake HelloWorldCompositejprrdquo as
show in Figure 12
Figure 12 Build the Composite Application
2 There are many ways to deploy the Composite Application but in this How To we will create a jar for the
HelloWorldComposite application
To create a jar ldquoRight Clickrdquo on the HelloWorldComposite project and click on Deploy from the Menu Figure 13 - Figure
16 show the steps for creating a jar (SAR) for the HelloWorldComposite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 17
Figure 13 Steps to create a jar for the HelloWorld Composite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 18
Figure 14 Select the SAR option to create a jar
Figure 15 Steps for creating a jar for HelloWorld Composite App
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 19
Figure 16 Final step in the creation of jar for HelloWorld Composite app
3 Once the jar is created we will use EM to deploy the composite app To deploy the Composite application
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 20
Log into EM
Expand the SOA folder on the Left Hand navigation tree
Click on ldquosoa-infrardquo on the Left Hand tree The Right hand panel is updated Now click on ldquoSOA Infrastructurerdquo
this will open a menu
Select ldquoSOA Deploymentrdquo and ldquoDeployrdquo from the menu as shown in Figure 17
Figure 17 Deploying HelloWorld Composite app from EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 21
4 This will launch the SOA Composite Deployment wizard Browse the local file system to select the jar to deploy by
created in Figure 16 as shown in Figure 18 Click ldquoNextrdquo to proceed
Figure 18 Selecting HelloWorldComposite archive in EM
5 In the sample topology there is only one target and so there are no choices Select the partition to deploy the
composite app SOA ships will a ldquodefaultrdquo partition out of the box Select the default partition (Note It is a
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 22
mandatory field) as show in Figure 19 Click ldquoNextrdquo to proceed Leave the defaults as show in Figure 20 on the
confirmation page and click on ldquoDeployrdquo to finish deployment
Figure 19 Target Selection for HelloWorldComposite
Figure 20 HelloWorldComposte deployment via EM Confirmation page
Create SOA Component level Role based Authorization Policy
1 Search for policies that can be applied to SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 23
Figure 21 Search for SOA Component Authorization policies
2 Make a Copy of the OOTB Authorization policy using the ldquoCreate Likerdquo feature as shown in Figure 22
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 24
Figure 22 Make a Copy of the OOTB Authorization Policy using Create Like
3 Name the Policy appropriately as show in Figure 23
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 25
Figure 23 New SOA Component Authorization Policy
4 Select the Role in the settings tab of the Policy You do this by clicking on the ldquosettings tabrdquo for the Authorization
assertion and selecting the ldquoSelected Rolesrdquo radio button as shown in Figure 24
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 26
Figure 24 Select a Role as part of the creation of the new Authorization Policy
5 You can add the Role by clicking on the ldquoAddrdquo button in Figure 24 This will launch a ldquoAdd Rolerdquo dialog box as shown
in Figure 25 In this example ndash the ldquoMonitorrdquo role has been selected
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 27
Figure 25 Selecting the Monitor role to add to the Authorization policy
Click ldquoOKrdquo on the diaglog in Figure 25 after adding the role click on the ldquoSaverdquo button to save the policy
Attach OOTB authentication policy to the SOA Service
1 Before we can attach the Custom Authorization Policy created in the previous steps to the SOA Component we
need to secure the HelloWorldComposite with an authentication policy For this How-To we will use the
ldquooraclewss_username_token_service_policyrdquo Go to the HelloWorldComposite Dashboard page as shown in Figure
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 28
26 In Figure 26 we have Service ldquobpelprocess1_client_eprdquo of type Web Service Click on the
ldquobpelprocess1_client_eprdquo to navigate to the Service Dashboard page as shown in Figure 27
Figure 26 HelloWorldComposite Dashboard page in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 15
10 The previous steps will result in an automatic Copy Rule being created where in the expression that was created in
Figure 10 is assigned to the output payload as shown in Figure 11
Figure 11 Copy Rule in the Assign Activity
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 16
Build and Deploy HelloWorldComposite Application
1 Make or Build the Composite Application and ensure there are no compilation failures To Build the Composite
Application ndash ldquoright clickrdquo on the HelloWorldComposite Project and click on ldquoMake HelloWorldCompositejprrdquo as
show in Figure 12
Figure 12 Build the Composite Application
2 There are many ways to deploy the Composite Application but in this How To we will create a jar for the
HelloWorldComposite application
To create a jar ldquoRight Clickrdquo on the HelloWorldComposite project and click on Deploy from the Menu Figure 13 - Figure
16 show the steps for creating a jar (SAR) for the HelloWorldComposite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 17
Figure 13 Steps to create a jar for the HelloWorld Composite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 18
Figure 14 Select the SAR option to create a jar
Figure 15 Steps for creating a jar for HelloWorld Composite App
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 19
Figure 16 Final step in the creation of jar for HelloWorld Composite app
3 Once the jar is created we will use EM to deploy the composite app To deploy the Composite application
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 20
Log into EM
Expand the SOA folder on the Left Hand navigation tree
Click on ldquosoa-infrardquo on the Left Hand tree The Right hand panel is updated Now click on ldquoSOA Infrastructurerdquo
this will open a menu
Select ldquoSOA Deploymentrdquo and ldquoDeployrdquo from the menu as shown in Figure 17
Figure 17 Deploying HelloWorld Composite app from EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 21
4 This will launch the SOA Composite Deployment wizard Browse the local file system to select the jar to deploy by
created in Figure 16 as shown in Figure 18 Click ldquoNextrdquo to proceed
Figure 18 Selecting HelloWorldComposite archive in EM
5 In the sample topology there is only one target and so there are no choices Select the partition to deploy the
composite app SOA ships will a ldquodefaultrdquo partition out of the box Select the default partition (Note It is a
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 22
mandatory field) as show in Figure 19 Click ldquoNextrdquo to proceed Leave the defaults as show in Figure 20 on the
confirmation page and click on ldquoDeployrdquo to finish deployment
Figure 19 Target Selection for HelloWorldComposite
Figure 20 HelloWorldComposte deployment via EM Confirmation page
Create SOA Component level Role based Authorization Policy
1 Search for policies that can be applied to SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 23
Figure 21 Search for SOA Component Authorization policies
2 Make a Copy of the OOTB Authorization policy using the ldquoCreate Likerdquo feature as shown in Figure 22
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 24
Figure 22 Make a Copy of the OOTB Authorization Policy using Create Like
3 Name the Policy appropriately as show in Figure 23
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 25
Figure 23 New SOA Component Authorization Policy
4 Select the Role in the settings tab of the Policy You do this by clicking on the ldquosettings tabrdquo for the Authorization
assertion and selecting the ldquoSelected Rolesrdquo radio button as shown in Figure 24
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 26
Figure 24 Select a Role as part of the creation of the new Authorization Policy
5 You can add the Role by clicking on the ldquoAddrdquo button in Figure 24 This will launch a ldquoAdd Rolerdquo dialog box as shown
in Figure 25 In this example ndash the ldquoMonitorrdquo role has been selected
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 27
Figure 25 Selecting the Monitor role to add to the Authorization policy
Click ldquoOKrdquo on the diaglog in Figure 25 after adding the role click on the ldquoSaverdquo button to save the policy
Attach OOTB authentication policy to the SOA Service
1 Before we can attach the Custom Authorization Policy created in the previous steps to the SOA Component we
need to secure the HelloWorldComposite with an authentication policy For this How-To we will use the
ldquooraclewss_username_token_service_policyrdquo Go to the HelloWorldComposite Dashboard page as shown in Figure
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 28
26 In Figure 26 we have Service ldquobpelprocess1_client_eprdquo of type Web Service Click on the
ldquobpelprocess1_client_eprdquo to navigate to the Service Dashboard page as shown in Figure 27
Figure 26 HelloWorldComposite Dashboard page in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 16
Build and Deploy HelloWorldComposite Application
1 Make or Build the Composite Application and ensure there are no compilation failures To Build the Composite
Application ndash ldquoright clickrdquo on the HelloWorldComposite Project and click on ldquoMake HelloWorldCompositejprrdquo as
show in Figure 12
Figure 12 Build the Composite Application
2 There are many ways to deploy the Composite Application but in this How To we will create a jar for the
HelloWorldComposite application
To create a jar ldquoRight Clickrdquo on the HelloWorldComposite project and click on Deploy from the Menu Figure 13 - Figure
16 show the steps for creating a jar (SAR) for the HelloWorldComposite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 17
Figure 13 Steps to create a jar for the HelloWorld Composite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 18
Figure 14 Select the SAR option to create a jar
Figure 15 Steps for creating a jar for HelloWorld Composite App
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 19
Figure 16 Final step in the creation of jar for HelloWorld Composite app
3 Once the jar is created we will use EM to deploy the composite app To deploy the Composite application
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 20
Log into EM
Expand the SOA folder on the Left Hand navigation tree
Click on ldquosoa-infrardquo on the Left Hand tree The Right hand panel is updated Now click on ldquoSOA Infrastructurerdquo
this will open a menu
Select ldquoSOA Deploymentrdquo and ldquoDeployrdquo from the menu as shown in Figure 17
Figure 17 Deploying HelloWorld Composite app from EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 21
4 This will launch the SOA Composite Deployment wizard Browse the local file system to select the jar to deploy by
created in Figure 16 as shown in Figure 18 Click ldquoNextrdquo to proceed
Figure 18 Selecting HelloWorldComposite archive in EM
5 In the sample topology there is only one target and so there are no choices Select the partition to deploy the
composite app SOA ships will a ldquodefaultrdquo partition out of the box Select the default partition (Note It is a
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 22
mandatory field) as show in Figure 19 Click ldquoNextrdquo to proceed Leave the defaults as show in Figure 20 on the
confirmation page and click on ldquoDeployrdquo to finish deployment
Figure 19 Target Selection for HelloWorldComposite
Figure 20 HelloWorldComposte deployment via EM Confirmation page
Create SOA Component level Role based Authorization Policy
1 Search for policies that can be applied to SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 23
Figure 21 Search for SOA Component Authorization policies
2 Make a Copy of the OOTB Authorization policy using the ldquoCreate Likerdquo feature as shown in Figure 22
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 24
Figure 22 Make a Copy of the OOTB Authorization Policy using Create Like
3 Name the Policy appropriately as show in Figure 23
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 25
Figure 23 New SOA Component Authorization Policy
4 Select the Role in the settings tab of the Policy You do this by clicking on the ldquosettings tabrdquo for the Authorization
assertion and selecting the ldquoSelected Rolesrdquo radio button as shown in Figure 24
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 26
Figure 24 Select a Role as part of the creation of the new Authorization Policy
5 You can add the Role by clicking on the ldquoAddrdquo button in Figure 24 This will launch a ldquoAdd Rolerdquo dialog box as shown
in Figure 25 In this example ndash the ldquoMonitorrdquo role has been selected
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 27
Figure 25 Selecting the Monitor role to add to the Authorization policy
Click ldquoOKrdquo on the diaglog in Figure 25 after adding the role click on the ldquoSaverdquo button to save the policy
Attach OOTB authentication policy to the SOA Service
1 Before we can attach the Custom Authorization Policy created in the previous steps to the SOA Component we
need to secure the HelloWorldComposite with an authentication policy For this How-To we will use the
ldquooraclewss_username_token_service_policyrdquo Go to the HelloWorldComposite Dashboard page as shown in Figure
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 28
26 In Figure 26 we have Service ldquobpelprocess1_client_eprdquo of type Web Service Click on the
ldquobpelprocess1_client_eprdquo to navigate to the Service Dashboard page as shown in Figure 27
Figure 26 HelloWorldComposite Dashboard page in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 17
Figure 13 Steps to create a jar for the HelloWorld Composite app
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 18
Figure 14 Select the SAR option to create a jar
Figure 15 Steps for creating a jar for HelloWorld Composite App
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 19
Figure 16 Final step in the creation of jar for HelloWorld Composite app
3 Once the jar is created we will use EM to deploy the composite app To deploy the Composite application
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 20
Log into EM
Expand the SOA folder on the Left Hand navigation tree
Click on ldquosoa-infrardquo on the Left Hand tree The Right hand panel is updated Now click on ldquoSOA Infrastructurerdquo
this will open a menu
Select ldquoSOA Deploymentrdquo and ldquoDeployrdquo from the menu as shown in Figure 17
Figure 17 Deploying HelloWorld Composite app from EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 21
4 This will launch the SOA Composite Deployment wizard Browse the local file system to select the jar to deploy by
created in Figure 16 as shown in Figure 18 Click ldquoNextrdquo to proceed
Figure 18 Selecting HelloWorldComposite archive in EM
5 In the sample topology there is only one target and so there are no choices Select the partition to deploy the
composite app SOA ships will a ldquodefaultrdquo partition out of the box Select the default partition (Note It is a
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 22
mandatory field) as show in Figure 19 Click ldquoNextrdquo to proceed Leave the defaults as show in Figure 20 on the
confirmation page and click on ldquoDeployrdquo to finish deployment
Figure 19 Target Selection for HelloWorldComposite
Figure 20 HelloWorldComposte deployment via EM Confirmation page
Create SOA Component level Role based Authorization Policy
1 Search for policies that can be applied to SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 23
Figure 21 Search for SOA Component Authorization policies
2 Make a Copy of the OOTB Authorization policy using the ldquoCreate Likerdquo feature as shown in Figure 22
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 24
Figure 22 Make a Copy of the OOTB Authorization Policy using Create Like
3 Name the Policy appropriately as show in Figure 23
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 25
Figure 23 New SOA Component Authorization Policy
4 Select the Role in the settings tab of the Policy You do this by clicking on the ldquosettings tabrdquo for the Authorization
assertion and selecting the ldquoSelected Rolesrdquo radio button as shown in Figure 24
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 26
Figure 24 Select a Role as part of the creation of the new Authorization Policy
5 You can add the Role by clicking on the ldquoAddrdquo button in Figure 24 This will launch a ldquoAdd Rolerdquo dialog box as shown
in Figure 25 In this example ndash the ldquoMonitorrdquo role has been selected
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 27
Figure 25 Selecting the Monitor role to add to the Authorization policy
Click ldquoOKrdquo on the diaglog in Figure 25 after adding the role click on the ldquoSaverdquo button to save the policy
Attach OOTB authentication policy to the SOA Service
1 Before we can attach the Custom Authorization Policy created in the previous steps to the SOA Component we
need to secure the HelloWorldComposite with an authentication policy For this How-To we will use the
ldquooraclewss_username_token_service_policyrdquo Go to the HelloWorldComposite Dashboard page as shown in Figure
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 28
26 In Figure 26 we have Service ldquobpelprocess1_client_eprdquo of type Web Service Click on the
ldquobpelprocess1_client_eprdquo to navigate to the Service Dashboard page as shown in Figure 27
Figure 26 HelloWorldComposite Dashboard page in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 18
Figure 14 Select the SAR option to create a jar
Figure 15 Steps for creating a jar for HelloWorld Composite App
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 19
Figure 16 Final step in the creation of jar for HelloWorld Composite app
3 Once the jar is created we will use EM to deploy the composite app To deploy the Composite application
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 20
Log into EM
Expand the SOA folder on the Left Hand navigation tree
Click on ldquosoa-infrardquo on the Left Hand tree The Right hand panel is updated Now click on ldquoSOA Infrastructurerdquo
this will open a menu
Select ldquoSOA Deploymentrdquo and ldquoDeployrdquo from the menu as shown in Figure 17
Figure 17 Deploying HelloWorld Composite app from EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 21
4 This will launch the SOA Composite Deployment wizard Browse the local file system to select the jar to deploy by
created in Figure 16 as shown in Figure 18 Click ldquoNextrdquo to proceed
Figure 18 Selecting HelloWorldComposite archive in EM
5 In the sample topology there is only one target and so there are no choices Select the partition to deploy the
composite app SOA ships will a ldquodefaultrdquo partition out of the box Select the default partition (Note It is a
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 22
mandatory field) as show in Figure 19 Click ldquoNextrdquo to proceed Leave the defaults as show in Figure 20 on the
confirmation page and click on ldquoDeployrdquo to finish deployment
Figure 19 Target Selection for HelloWorldComposite
Figure 20 HelloWorldComposte deployment via EM Confirmation page
Create SOA Component level Role based Authorization Policy
1 Search for policies that can be applied to SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 23
Figure 21 Search for SOA Component Authorization policies
2 Make a Copy of the OOTB Authorization policy using the ldquoCreate Likerdquo feature as shown in Figure 22
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 24
Figure 22 Make a Copy of the OOTB Authorization Policy using Create Like
3 Name the Policy appropriately as show in Figure 23
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 25
Figure 23 New SOA Component Authorization Policy
4 Select the Role in the settings tab of the Policy You do this by clicking on the ldquosettings tabrdquo for the Authorization
assertion and selecting the ldquoSelected Rolesrdquo radio button as shown in Figure 24
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 26
Figure 24 Select a Role as part of the creation of the new Authorization Policy
5 You can add the Role by clicking on the ldquoAddrdquo button in Figure 24 This will launch a ldquoAdd Rolerdquo dialog box as shown
in Figure 25 In this example ndash the ldquoMonitorrdquo role has been selected
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 27
Figure 25 Selecting the Monitor role to add to the Authorization policy
Click ldquoOKrdquo on the diaglog in Figure 25 after adding the role click on the ldquoSaverdquo button to save the policy
Attach OOTB authentication policy to the SOA Service
1 Before we can attach the Custom Authorization Policy created in the previous steps to the SOA Component we
need to secure the HelloWorldComposite with an authentication policy For this How-To we will use the
ldquooraclewss_username_token_service_policyrdquo Go to the HelloWorldComposite Dashboard page as shown in Figure
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 28
26 In Figure 26 we have Service ldquobpelprocess1_client_eprdquo of type Web Service Click on the
ldquobpelprocess1_client_eprdquo to navigate to the Service Dashboard page as shown in Figure 27
Figure 26 HelloWorldComposite Dashboard page in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 19
Figure 16 Final step in the creation of jar for HelloWorld Composite app
3 Once the jar is created we will use EM to deploy the composite app To deploy the Composite application
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 20
Log into EM
Expand the SOA folder on the Left Hand navigation tree
Click on ldquosoa-infrardquo on the Left Hand tree The Right hand panel is updated Now click on ldquoSOA Infrastructurerdquo
this will open a menu
Select ldquoSOA Deploymentrdquo and ldquoDeployrdquo from the menu as shown in Figure 17
Figure 17 Deploying HelloWorld Composite app from EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 21
4 This will launch the SOA Composite Deployment wizard Browse the local file system to select the jar to deploy by
created in Figure 16 as shown in Figure 18 Click ldquoNextrdquo to proceed
Figure 18 Selecting HelloWorldComposite archive in EM
5 In the sample topology there is only one target and so there are no choices Select the partition to deploy the
composite app SOA ships will a ldquodefaultrdquo partition out of the box Select the default partition (Note It is a
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 22
mandatory field) as show in Figure 19 Click ldquoNextrdquo to proceed Leave the defaults as show in Figure 20 on the
confirmation page and click on ldquoDeployrdquo to finish deployment
Figure 19 Target Selection for HelloWorldComposite
Figure 20 HelloWorldComposte deployment via EM Confirmation page
Create SOA Component level Role based Authorization Policy
1 Search for policies that can be applied to SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 23
Figure 21 Search for SOA Component Authorization policies
2 Make a Copy of the OOTB Authorization policy using the ldquoCreate Likerdquo feature as shown in Figure 22
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 24
Figure 22 Make a Copy of the OOTB Authorization Policy using Create Like
3 Name the Policy appropriately as show in Figure 23
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 25
Figure 23 New SOA Component Authorization Policy
4 Select the Role in the settings tab of the Policy You do this by clicking on the ldquosettings tabrdquo for the Authorization
assertion and selecting the ldquoSelected Rolesrdquo radio button as shown in Figure 24
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 26
Figure 24 Select a Role as part of the creation of the new Authorization Policy
5 You can add the Role by clicking on the ldquoAddrdquo button in Figure 24 This will launch a ldquoAdd Rolerdquo dialog box as shown
in Figure 25 In this example ndash the ldquoMonitorrdquo role has been selected
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 27
Figure 25 Selecting the Monitor role to add to the Authorization policy
Click ldquoOKrdquo on the diaglog in Figure 25 after adding the role click on the ldquoSaverdquo button to save the policy
Attach OOTB authentication policy to the SOA Service
1 Before we can attach the Custom Authorization Policy created in the previous steps to the SOA Component we
need to secure the HelloWorldComposite with an authentication policy For this How-To we will use the
ldquooraclewss_username_token_service_policyrdquo Go to the HelloWorldComposite Dashboard page as shown in Figure
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 28
26 In Figure 26 we have Service ldquobpelprocess1_client_eprdquo of type Web Service Click on the
ldquobpelprocess1_client_eprdquo to navigate to the Service Dashboard page as shown in Figure 27
Figure 26 HelloWorldComposite Dashboard page in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 20
Log into EM
Expand the SOA folder on the Left Hand navigation tree
Click on ldquosoa-infrardquo on the Left Hand tree The Right hand panel is updated Now click on ldquoSOA Infrastructurerdquo
this will open a menu
Select ldquoSOA Deploymentrdquo and ldquoDeployrdquo from the menu as shown in Figure 17
Figure 17 Deploying HelloWorld Composite app from EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 21
4 This will launch the SOA Composite Deployment wizard Browse the local file system to select the jar to deploy by
created in Figure 16 as shown in Figure 18 Click ldquoNextrdquo to proceed
Figure 18 Selecting HelloWorldComposite archive in EM
5 In the sample topology there is only one target and so there are no choices Select the partition to deploy the
composite app SOA ships will a ldquodefaultrdquo partition out of the box Select the default partition (Note It is a
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 22
mandatory field) as show in Figure 19 Click ldquoNextrdquo to proceed Leave the defaults as show in Figure 20 on the
confirmation page and click on ldquoDeployrdquo to finish deployment
Figure 19 Target Selection for HelloWorldComposite
Figure 20 HelloWorldComposte deployment via EM Confirmation page
Create SOA Component level Role based Authorization Policy
1 Search for policies that can be applied to SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 23
Figure 21 Search for SOA Component Authorization policies
2 Make a Copy of the OOTB Authorization policy using the ldquoCreate Likerdquo feature as shown in Figure 22
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 24
Figure 22 Make a Copy of the OOTB Authorization Policy using Create Like
3 Name the Policy appropriately as show in Figure 23
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 25
Figure 23 New SOA Component Authorization Policy
4 Select the Role in the settings tab of the Policy You do this by clicking on the ldquosettings tabrdquo for the Authorization
assertion and selecting the ldquoSelected Rolesrdquo radio button as shown in Figure 24
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 26
Figure 24 Select a Role as part of the creation of the new Authorization Policy
5 You can add the Role by clicking on the ldquoAddrdquo button in Figure 24 This will launch a ldquoAdd Rolerdquo dialog box as shown
in Figure 25 In this example ndash the ldquoMonitorrdquo role has been selected
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 27
Figure 25 Selecting the Monitor role to add to the Authorization policy
Click ldquoOKrdquo on the diaglog in Figure 25 after adding the role click on the ldquoSaverdquo button to save the policy
Attach OOTB authentication policy to the SOA Service
1 Before we can attach the Custom Authorization Policy created in the previous steps to the SOA Component we
need to secure the HelloWorldComposite with an authentication policy For this How-To we will use the
ldquooraclewss_username_token_service_policyrdquo Go to the HelloWorldComposite Dashboard page as shown in Figure
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 28
26 In Figure 26 we have Service ldquobpelprocess1_client_eprdquo of type Web Service Click on the
ldquobpelprocess1_client_eprdquo to navigate to the Service Dashboard page as shown in Figure 27
Figure 26 HelloWorldComposite Dashboard page in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 21
4 This will launch the SOA Composite Deployment wizard Browse the local file system to select the jar to deploy by
created in Figure 16 as shown in Figure 18 Click ldquoNextrdquo to proceed
Figure 18 Selecting HelloWorldComposite archive in EM
5 In the sample topology there is only one target and so there are no choices Select the partition to deploy the
composite app SOA ships will a ldquodefaultrdquo partition out of the box Select the default partition (Note It is a
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 22
mandatory field) as show in Figure 19 Click ldquoNextrdquo to proceed Leave the defaults as show in Figure 20 on the
confirmation page and click on ldquoDeployrdquo to finish deployment
Figure 19 Target Selection for HelloWorldComposite
Figure 20 HelloWorldComposte deployment via EM Confirmation page
Create SOA Component level Role based Authorization Policy
1 Search for policies that can be applied to SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 23
Figure 21 Search for SOA Component Authorization policies
2 Make a Copy of the OOTB Authorization policy using the ldquoCreate Likerdquo feature as shown in Figure 22
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 24
Figure 22 Make a Copy of the OOTB Authorization Policy using Create Like
3 Name the Policy appropriately as show in Figure 23
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 25
Figure 23 New SOA Component Authorization Policy
4 Select the Role in the settings tab of the Policy You do this by clicking on the ldquosettings tabrdquo for the Authorization
assertion and selecting the ldquoSelected Rolesrdquo radio button as shown in Figure 24
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 26
Figure 24 Select a Role as part of the creation of the new Authorization Policy
5 You can add the Role by clicking on the ldquoAddrdquo button in Figure 24 This will launch a ldquoAdd Rolerdquo dialog box as shown
in Figure 25 In this example ndash the ldquoMonitorrdquo role has been selected
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 27
Figure 25 Selecting the Monitor role to add to the Authorization policy
Click ldquoOKrdquo on the diaglog in Figure 25 after adding the role click on the ldquoSaverdquo button to save the policy
Attach OOTB authentication policy to the SOA Service
1 Before we can attach the Custom Authorization Policy created in the previous steps to the SOA Component we
need to secure the HelloWorldComposite with an authentication policy For this How-To we will use the
ldquooraclewss_username_token_service_policyrdquo Go to the HelloWorldComposite Dashboard page as shown in Figure
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 28
26 In Figure 26 we have Service ldquobpelprocess1_client_eprdquo of type Web Service Click on the
ldquobpelprocess1_client_eprdquo to navigate to the Service Dashboard page as shown in Figure 27
Figure 26 HelloWorldComposite Dashboard page in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 22
mandatory field) as show in Figure 19 Click ldquoNextrdquo to proceed Leave the defaults as show in Figure 20 on the
confirmation page and click on ldquoDeployrdquo to finish deployment
Figure 19 Target Selection for HelloWorldComposite
Figure 20 HelloWorldComposte deployment via EM Confirmation page
Create SOA Component level Role based Authorization Policy
1 Search for policies that can be applied to SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 23
Figure 21 Search for SOA Component Authorization policies
2 Make a Copy of the OOTB Authorization policy using the ldquoCreate Likerdquo feature as shown in Figure 22
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 24
Figure 22 Make a Copy of the OOTB Authorization Policy using Create Like
3 Name the Policy appropriately as show in Figure 23
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 25
Figure 23 New SOA Component Authorization Policy
4 Select the Role in the settings tab of the Policy You do this by clicking on the ldquosettings tabrdquo for the Authorization
assertion and selecting the ldquoSelected Rolesrdquo radio button as shown in Figure 24
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 26
Figure 24 Select a Role as part of the creation of the new Authorization Policy
5 You can add the Role by clicking on the ldquoAddrdquo button in Figure 24 This will launch a ldquoAdd Rolerdquo dialog box as shown
in Figure 25 In this example ndash the ldquoMonitorrdquo role has been selected
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 27
Figure 25 Selecting the Monitor role to add to the Authorization policy
Click ldquoOKrdquo on the diaglog in Figure 25 after adding the role click on the ldquoSaverdquo button to save the policy
Attach OOTB authentication policy to the SOA Service
1 Before we can attach the Custom Authorization Policy created in the previous steps to the SOA Component we
need to secure the HelloWorldComposite with an authentication policy For this How-To we will use the
ldquooraclewss_username_token_service_policyrdquo Go to the HelloWorldComposite Dashboard page as shown in Figure
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 28
26 In Figure 26 we have Service ldquobpelprocess1_client_eprdquo of type Web Service Click on the
ldquobpelprocess1_client_eprdquo to navigate to the Service Dashboard page as shown in Figure 27
Figure 26 HelloWorldComposite Dashboard page in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 23
Figure 21 Search for SOA Component Authorization policies
2 Make a Copy of the OOTB Authorization policy using the ldquoCreate Likerdquo feature as shown in Figure 22
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 24
Figure 22 Make a Copy of the OOTB Authorization Policy using Create Like
3 Name the Policy appropriately as show in Figure 23
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 25
Figure 23 New SOA Component Authorization Policy
4 Select the Role in the settings tab of the Policy You do this by clicking on the ldquosettings tabrdquo for the Authorization
assertion and selecting the ldquoSelected Rolesrdquo radio button as shown in Figure 24
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 26
Figure 24 Select a Role as part of the creation of the new Authorization Policy
5 You can add the Role by clicking on the ldquoAddrdquo button in Figure 24 This will launch a ldquoAdd Rolerdquo dialog box as shown
in Figure 25 In this example ndash the ldquoMonitorrdquo role has been selected
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 27
Figure 25 Selecting the Monitor role to add to the Authorization policy
Click ldquoOKrdquo on the diaglog in Figure 25 after adding the role click on the ldquoSaverdquo button to save the policy
Attach OOTB authentication policy to the SOA Service
1 Before we can attach the Custom Authorization Policy created in the previous steps to the SOA Component we
need to secure the HelloWorldComposite with an authentication policy For this How-To we will use the
ldquooraclewss_username_token_service_policyrdquo Go to the HelloWorldComposite Dashboard page as shown in Figure
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 28
26 In Figure 26 we have Service ldquobpelprocess1_client_eprdquo of type Web Service Click on the
ldquobpelprocess1_client_eprdquo to navigate to the Service Dashboard page as shown in Figure 27
Figure 26 HelloWorldComposite Dashboard page in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 24
Figure 22 Make a Copy of the OOTB Authorization Policy using Create Like
3 Name the Policy appropriately as show in Figure 23
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 25
Figure 23 New SOA Component Authorization Policy
4 Select the Role in the settings tab of the Policy You do this by clicking on the ldquosettings tabrdquo for the Authorization
assertion and selecting the ldquoSelected Rolesrdquo radio button as shown in Figure 24
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 26
Figure 24 Select a Role as part of the creation of the new Authorization Policy
5 You can add the Role by clicking on the ldquoAddrdquo button in Figure 24 This will launch a ldquoAdd Rolerdquo dialog box as shown
in Figure 25 In this example ndash the ldquoMonitorrdquo role has been selected
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 27
Figure 25 Selecting the Monitor role to add to the Authorization policy
Click ldquoOKrdquo on the diaglog in Figure 25 after adding the role click on the ldquoSaverdquo button to save the policy
Attach OOTB authentication policy to the SOA Service
1 Before we can attach the Custom Authorization Policy created in the previous steps to the SOA Component we
need to secure the HelloWorldComposite with an authentication policy For this How-To we will use the
ldquooraclewss_username_token_service_policyrdquo Go to the HelloWorldComposite Dashboard page as shown in Figure
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 28
26 In Figure 26 we have Service ldquobpelprocess1_client_eprdquo of type Web Service Click on the
ldquobpelprocess1_client_eprdquo to navigate to the Service Dashboard page as shown in Figure 27
Figure 26 HelloWorldComposite Dashboard page in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 25
Figure 23 New SOA Component Authorization Policy
4 Select the Role in the settings tab of the Policy You do this by clicking on the ldquosettings tabrdquo for the Authorization
assertion and selecting the ldquoSelected Rolesrdquo radio button as shown in Figure 24
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 26
Figure 24 Select a Role as part of the creation of the new Authorization Policy
5 You can add the Role by clicking on the ldquoAddrdquo button in Figure 24 This will launch a ldquoAdd Rolerdquo dialog box as shown
in Figure 25 In this example ndash the ldquoMonitorrdquo role has been selected
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 27
Figure 25 Selecting the Monitor role to add to the Authorization policy
Click ldquoOKrdquo on the diaglog in Figure 25 after adding the role click on the ldquoSaverdquo button to save the policy
Attach OOTB authentication policy to the SOA Service
1 Before we can attach the Custom Authorization Policy created in the previous steps to the SOA Component we
need to secure the HelloWorldComposite with an authentication policy For this How-To we will use the
ldquooraclewss_username_token_service_policyrdquo Go to the HelloWorldComposite Dashboard page as shown in Figure
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 28
26 In Figure 26 we have Service ldquobpelprocess1_client_eprdquo of type Web Service Click on the
ldquobpelprocess1_client_eprdquo to navigate to the Service Dashboard page as shown in Figure 27
Figure 26 HelloWorldComposite Dashboard page in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 26
Figure 24 Select a Role as part of the creation of the new Authorization Policy
5 You can add the Role by clicking on the ldquoAddrdquo button in Figure 24 This will launch a ldquoAdd Rolerdquo dialog box as shown
in Figure 25 In this example ndash the ldquoMonitorrdquo role has been selected
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 27
Figure 25 Selecting the Monitor role to add to the Authorization policy
Click ldquoOKrdquo on the diaglog in Figure 25 after adding the role click on the ldquoSaverdquo button to save the policy
Attach OOTB authentication policy to the SOA Service
1 Before we can attach the Custom Authorization Policy created in the previous steps to the SOA Component we
need to secure the HelloWorldComposite with an authentication policy For this How-To we will use the
ldquooraclewss_username_token_service_policyrdquo Go to the HelloWorldComposite Dashboard page as shown in Figure
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 28
26 In Figure 26 we have Service ldquobpelprocess1_client_eprdquo of type Web Service Click on the
ldquobpelprocess1_client_eprdquo to navigate to the Service Dashboard page as shown in Figure 27
Figure 26 HelloWorldComposite Dashboard page in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 27
Figure 25 Selecting the Monitor role to add to the Authorization policy
Click ldquoOKrdquo on the diaglog in Figure 25 after adding the role click on the ldquoSaverdquo button to save the policy
Attach OOTB authentication policy to the SOA Service
1 Before we can attach the Custom Authorization Policy created in the previous steps to the SOA Component we
need to secure the HelloWorldComposite with an authentication policy For this How-To we will use the
ldquooraclewss_username_token_service_policyrdquo Go to the HelloWorldComposite Dashboard page as shown in Figure
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 28
26 In Figure 26 we have Service ldquobpelprocess1_client_eprdquo of type Web Service Click on the
ldquobpelprocess1_client_eprdquo to navigate to the Service Dashboard page as shown in Figure 27
Figure 26 HelloWorldComposite Dashboard page in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 28
26 In Figure 26 we have Service ldquobpelprocess1_client_eprdquo of type Web Service Click on the
ldquobpelprocess1_client_eprdquo to navigate to the Service Dashboard page as shown in Figure 27
Figure 26 HelloWorldComposite Dashboard page in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 29
Figure 27 Service Dashboard page for HelloWorldComposite in EM
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 30
2 Click on the ldquoPoliciesrdquo Tab This will show polices attached to the Service Click on the ldquoAttachDetachrdquo button to a
launch the Policy Attachment Dialog as show in Figure 28 The Policy Attachment Dialog is show in Figure 29
Figure 28 Launching OWSM Policy Attachment Dialog in EM for SOA Service
3 In the Policy Attachment Dialog in Figure 29 select ldquoNamerdquo as the search criteria and enter ldquousernamerdquo and click on
the button next to it to search Select ldquooraclewss_username_token_service_policyrdquo and click on the ldquoAttachrdquo
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 31
button Click on ldquoOKrdquo button to finish the policy attachment Figure 30 shows the results of attaching the
oraclewss_username_token_service_policy
Figure 29 Selecting oraclewss_username_token_service_policy
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 32
Figure 30 Result of attaching the oraclewss_username_token_service_policy
A few things to note
Starting with PS5 - we now show the security status as seen in Figure 30
Starting with PS5 ndash we now show the overall validity of the policy attachments
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 33
Test the Secured HelloWorldComposite App
To test the HelloWorldComposite ndash navigate to the HelloWorldComposite Dashboard page and click on the ldquoTestrdquo
button as shown in Figure 31 This will launch the Web Service Tester page that ships with EM as shown in Figure 32
Figure 31 Testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 34
Figure 32 EM Web Service Tester page
We will do a quick negative test by not providing any authentication information Enter ldquoNegative Worldrdquo in the ldquoinputrdquo
field as show in Figure 33 and click on ldquoTest Web Servicerdquo button This will result in an Error dialog as shown in Figure 34
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 35
Figure 33 Provide Inputs for testing HelloWorldComposite
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 36
Figure 34 Results of Negative Testing
Now perform a positive test by providing the authentication information as shown in Figure 35 You can provide the
authentication information by expanding the ldquoSecurityrdquo section Enter the following information for the fields show in
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 37
Figure 35 Select an appropriate policy from the ldquoCompatible Client Policiesrdquo list (Note This is important if a policy is not
selected then no security information will be sent and thus may result in failures)
Username weblogic Passwordweblogic1
Click ldquoTest Web Servicerdquo button to test This should result in a successful response from the HelloWorldComposite as
show in Figure 36
Figure 35 Testing oraclewss_username_token_service_policy using EM Web Service Tester
Note Usernamepassword will vary by deployment Provide usernamepassword that is appropriate for your
deployment
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 38
Figure 36 Response from HelloWorldComposite
Now that we have successfully tested the HelloWorldComposite app with the OOTB OWSM authentication policy we
will now secure it with the Custom Authorization policy that was created previously
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 39
Attach Custom authorization policy to the SOA Component
1 Go to the SOA Composite you want to secure with this Authorization Policy In the SOA Composite page click on the
Component as shown in Figure 37 In Figure 37 we have a ldquoHelloWorldCompositerdquo that has a ldquoBPELProcess1rdquo SOA
Component
Figure 37 Attaching OWSM Policy to SOA Component
2 Click on the Policies tab for the SOA Component In this example the SOA Component is called ldquoBPELProcess1rdquo as
shown in Figure 38
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 40
Figure 38 Attaching Policies to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 41
3 On the Policies tab click on ldquoAttachDetachrdquo button as shown in Figure 39 Select the newly created Authorization
Policy
Figure 39 Selecting the Policy to attach
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 42
4 Once done selecting the policy to attach Click ldquoOKrdquo in Figure 39 You have completed the process of attaching an
Authorization Policy to a SOA Component Figure 40 shows the results of attaching the custom authorization policy
Figure 40 Policies attached to a SOA Component
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 43
5 Test the HelloWorldComposite from the EM Web Service Tester page Provide the credentials as
weblogicwelcome1 as shown in Figure 41
Figure 41 Negative Authorization Test with correct credentials
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 44
Notice that even though the credentials weblogicwelcome1 is correct the test fails as shown in Figure 42
Figure 42 Negative Authorization Test Response
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 45
6 In order to perform a positive authorization test ndash we need to add the weblogic user to the Monitor role In order to
do this ndash we first need to log in to Weblogic Console Click on ldquoSecurity Realmsrdquo on the Left Hand Domain Structure
Tree as show in Figure 43
Figure 43 Navigating to the Security Realms in Weblogic Console
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 46
7 Weblogic ships with a default realm called ldquomyrealmrdquo Click on ldquomyrealmrdquo as show in Figure 44
Figure 44 List of Security realms
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 47
8 Click on the ldquoUsers and Groupsrdquo tab under ldquomyrealmrdquo as shown in Figure 45 Figure 46 shows the default set of
users that ship with Weblogic In this case the users are ldquoweblogicrdquo and ldquoOracleSystemUserrdquo
Figure 45 myrealm General tab
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 48
Figure 46 Default set of users that ship with Weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 49
9 Click on ldquoweblogicrdquo user in Figure 46 and then click on the ldquoGroupsrdquo tab for the user ldquoweblogicrdquo This shows the
default group membership for ldquoweblogicrdquo as shown in Figure 47 As we can see ldquoweblogicrdquo is not part of the
ldquoMonitorrdquo group
Figure 47 Default Group membership of user weblogic
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 50
10 Add the ldquoMonitorrdquo group from the Parent Groups Available in Figure 47 The result is that the ldquoweblogicrdquo user is now
a member of both ldquoAdministratorsrdquo and ldquoMonitorrdquo group as shown in Figure 48 and click ldquoSaverdquo
Figure 48 Make weblogic user a member of Monitor group
11 Now go back to the EM Web Service Tester page and test the HelloWorldComposite app
Note You may need to start the weblogic server for changes to take effect
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Component level Role Authorization in SOASuite using Oracle Web Services Manager 11g
Oracle Corporation | Component level Role authorization | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
