Sunday, June 3, 2012

Restrict the access to SOA Composite Service based on the User Role (Authorization to the SOA Composite Service) – Oracle SOA Suite 11g



Sometimes we need to restrict access to a SOA composite service based on the caller's role.
HTTP basic authentication combined with an authorization policy ensures that access is granted only to users who are members of a particular application role.

This post explains the steps to enable authorization for our composite service.

Configure the Users and Group:

  • Log in to the WebLogic console ('http://<host>:<port>/console')
  • In the left menu select 'Security Realms'
  • Select the realm where you want to create the users and groups. The default is 'myrealm'
  • At the top select the 'Users and Groups' tab
  • Select the 'Users' tab, click 'New' and enter the user name and password. Here I am creating the users albin and albin1; create as many users as you need
  • Select the 'Groups' tab and create a new group. Here I am creating 'IntegrationGroup'
  • Go back to the users and click on 'albin'
  • Select the 'Groups' tab and add 'IntegrationGroup'. The user albin1 will not be part of this group.

Configure the Application Role:

  • Log in to the EM console
  • Right-click on WebLogic Domain --> Select Security and click on Application Roles
  • Click on 'Create' to configure a new Application Role
  • Select 'soa-infra' in the 'Application' drop-down and enter the Role name as 'IntegrationRole'
  • Click on Add Group in the Member section
  • Select the group IntegrationGroup that we created earlier, as shown below, and click on OK
  • Click on OK

Create the Application Policy:

  • Right-click on WebLogic Domain from the EM console --> Select Security and click on Application Policies
  • Click on the Create button
  • Click on the Add button in the Permissions section to configure the Permission details.
  • In the Customize section enter the Permission Class as oracle.wsm.security.WSFunctionPermission and enter '*' for both Resource Name and Permission Actions (in the actual implementation, instead of "*" you have to specify the exact value) and click OK.
  • Click on the Add Application Role button in the Grantee section to add grantees for the Policy.
  • Select the IntegrationRole created above, as shown below, and click on OK.
  • Click on OK; the configured policy details will be displayed as shown.
 

Configure the Authentication/Authorization policy on the Composite Service:

  • Open the composite.xml
  • Right-click on the client service and click on Configure WS Policies
  • Add the security policies oracle/wss_http_token_client_policy and oracle/binding_permission_authorization_policy for authentication/authorization in the security section.


Deploy the composite to the server. The same policy attachment can also be done from the EM console after the composite has been deployed.
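As an added illustration that is not from the original post, this is what the policy attachment looks like inside composite.xml once the policies have been configured on the service. The composite, service, port and WSDL names (IntegrationProcess, integrationprocess_client_ep, the http://xmlns.oracle.com/Integration/IntegrationProcess namespace) are assumptions chosen for the example. One point worth checking when you attach the policies: the OWSM policy catalog ships the HTTP token policy in two flavours, oracle/wss_http_token_client_policy for references that call out to other services and oracle/wss_http_token_service_policy for the service endpoints that receive calls, so a composite service endpoint references the service-side variant.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the original post's code): a composite.xml fragment
     showing OWSM policy references on a composite service endpoint.
     Composite, service, port and WSDL names are hypothetical. -->
<composite name="IntegrationProcess" revision="1.0"
           xmlns="http://xmlns.oracle.com/sca/1.0"
           xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
           xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy"
           xmlns:ui="http://xmlns.oracle.com/soa/designer">

  <service name="integrationprocess_client_ep" ui:wsdlLocation="IntegrationProcess.wsdl">
    <interface.wsdl interface="http://xmlns.oracle.com/Integration/IntegrationProcess#wsdl.interface(IntegrationProcess)"/>
    <binding.ws port="http://xmlns.oracle.com/Integration/IntegrationProcess#wsdl.endpoint(integrationprocess_client_ep/IntegrationProcess_pt)">

      <!-- Authentication: the caller must send HTTP basic credentials that the
           WebLogic security realm (myrealm above) can verify. Without this
           policy there is no authenticated principal for the next step. -->
      <wsp:PolicyReference URI="oracle/wss_http_token_service_policy"
                           orawsp:category="security"
                           orawsp:status="enabled"/>

      <!-- Authorization: after authentication, OWSM checks the authenticated
           principal against the oracle.wsm.security.WSFunctionPermission
           grants in the soa-infra application policy. Only users in
           IntegrationGroup (mapped to IntegrationRole) are allowed through;
           albin1 receives an authorization fault. -->
      <wsp:PolicyReference URI="oracle/binding_permission_authorization_policy"
                           orawsp:category="security"
                           orawsp:status="enabled"/>

    </binding.ws>
  </service>

</composite>
```

When you replace the "*" wildcard in the application policy with exact values, the WSFunctionPermission grant is keyed on the service rather than the composite: the Resource Name takes the form of the service namespace followed by the service name (for this hypothetical composite, http://xmlns.oracle.com/Integration/IntegrationProcess/integrationprocess_client_ep) and the Permission Actions list the operation names the role may invoke. Both values must line up with the interface.wsdl and binding.ws entries above, or the policy will deny every caller, including albin.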

Testing from SoapUI:

First try with the user 'albin'; we receive the success response message from the server.

Then try with the user 'albin1'; we receive the authorization error response message from the server.
