Friday, December 29, 2017

Restrict the access to SOA Composite Service based on the User Role (Authorization to the SOA Composite Service) – Oracle SOA Suite 12c

Restrict the access to SOA Composite Service based on the User Role (Authorization to the SOA Composite Service) – Oracle SOA Suite 12c

Sometimes we may need to restrict the access to the SOA composite service based on the user role.
HTTP basic authentication and an authorization policy can be used to ensure that access is only granted to users who are members of a particular role.

This blog will explain the steps to enable authorization to our composite service.

Configure the Users and Group:

  • Login to the Weblogic console ('http://<host>:<port>/console')
  • In the left menu select 'Security Realms'
  • Select the realm where you want to create the users and groups.  The default is 'myrealm'
  • At the top select the 'Users and Groups' tab
  • Select User tab and Click 'New' and enter your user name and pwd.  Here am creating the user albin and albin1, create as many users as you want
  • Select ‘Groups’ tab and create a new group.  Here I am creating  ‘IntegrationGroup’
  • Go back to the users and click on  'Albin'
  • Select the 'Groups' tab and add ‘IntegrationGroup’.  The user albin1 will not be part of this group.

Configure the Application Role:

  • Login to EM console
  • Click on Target Navigation - WebLogic Domain - Domain Name 
  • Click on Weblogic Domain - Select Security and Click on Application Roles
soa-infra_application_roles
  • Select Application Stripe as soa-infra
  • Click on 'Create' to configure a new Application Role
  • Enter the Role name as ‘IntegrationRole’
  • Click on Add in the Member section
soa-infra_application_roles

  • Select "Check to enter principal name here instead of searching from above. This option can be used for advanced scenarios related to custom authenticators."
  • Enter the Principal Name -  IntegrationGroup and Click OK 

soa-infra_application_roles

soa-infra_application_roles
  • Click on OK
soa-infra_application_roles_configuration

Create the Application Policy:

  • Right Click on WebLogic Domain from Em console -- > Select Security and Click on Application Polices
  • Select the Application Stripe as soa-infra and Click on Create button
soa-infra_application_roles_configuration

  • Click on the Add button in the Permissions section to configure the Permission details.

soa-infra_application_roles_configuration

  • Click on Continue
  • In the Customize section enter the Permission Class as oracle.wsm.security.WSFunctionPermission and enter '*' for both Resource Name and Permission Actions (In the actual implementation instead of “*” you have to specify the exact value) and Click Select.
soa-infra_application_roles_configuration

  • Click on the Add button in the Grantee section to add grantees for the Policy.
soa-infra_application_roles_configuration

  •  Search for the Principal name starts with Integration

soa-infra_application_roles_configuration

  • Select the IntegrationRole from the search result and Click on OK
soa-infra_application_roles_configuration

  • Click on OK 

 Configure the Authentication/Authorizations policy to the Composite Service:

  • Open the composite.xml 
  • Right click on the client service and click on Configure SOA WS Polices - For Request

oracle_soasuite_12c_composite


  • Add the security Policy oracle/wss_http_token_service_policy and oracle/binding_permission_authorization_policy for authentication/authorization in the security section.
oracle_soasuite_12c_composite_policy


Deploy the composite to the server. The same policy configuration can also be done through EM console after the deployment of the composite.

Testing From SOAP UI:

First try with the user ‘albin’; we will receive the success response message from the server.


oracle_soasuite_12c_composite_authorization


Try with the user ‘albin1’; we will receive the Authorization error response message from server.

oracle_soasuite_12c_composite_authorization

No comments:

Post a Comment