Sunday Aug 04, 2013

How To - Securing REST clients using OWSM - 12.1.2

This is a follow-up to my previous blog post. In that post I provided step-by-step instructions on how to secure a REST service built using the Jersey JAX-RS implementation that ships with WebLogic.

In this post I am providing a pointer to detailed step-by-step instructions for securing both a REST service and a REST client.

In a future post I plan to cover the steps for doing identity propagation using SAML in the context of REST services & clients.

I strongly encourage people to read the previous How-Tos covered in the following blog posts before attempting the How-To provided in this post:

Friday Jul 12, 2013

How To - Securing REST services using OWSM - 12.1.2

As I mentioned in my earlier blog post - one of the features in 12.1.2 is the support for securing and managing REST services/clients similar to SOAP web services/clients.

I have posted a How-To describing the steps involved in securing REST services using OWSM 12.1.2.

Thursday Jul 11, 2013

How To - OWSM 12.1.2 Installation

As I mentioned in my previous blog post, FMW 12.1.2 was released today. There are a few things that are different in terms of installation for OWSM in 12.1.2 compared to 11g, so I have created a fairly detailed Install How-To with screenshots. This complements the 12.1.2 Install guide.

Note: The How To does not describe all scenarios/topologies. It is mainly intended for demo installs and to give you a quick overview of key steps.

FMW 12.1.2 released!

FMW 12.1.2 was just released! This is a major release for Fusion Middleware components.

The release includes the following Fusion Middleware components:

  • Oracle WebLogic Server 12c
  • Oracle Coherence 12c
  • Oracle TopLink 12c
  • Oracle Fusion Middleware Infrastructure 12c
  • Oracle HTTP Server 12c
  • Oracle Virtual Assembly Builder 12c
  • Oracle JDeveloper 12c

Note: This release includes OWSM but does not include SOA!

Here are some quick links for people to get started.

If you want to download 12.1.2 - click here

OWSM 12.1.2 documentation can be found here.

This release includes a lot of new features as described here

Here are key ones from my perspective:

REST security support for services and clients.

This includes support for both local policy attachment (LPA) and global policy attachment (GPA). Policies can be attached in JDeveloper, Enterprise Manager (EM) or WLST, and the usual monitoring, auditing, etc. apply to REST endpoints as well.

Support for WS-SecureConversation, WS-Trust 1.3, Web Service Federation

Enhanced Kerberos, SPNEGO support including credential delegation

Support for securing SOAP over JMS

Better key management support via the OPSS Keystore Service (KSS)

I hope to cover many of these features in more detail in the subsequent posts!

Tuesday Jun 12, 2012

Identity Propagation for Web Service - 11g

I came across this post from Beimond on how to do identity propagation using OWSM. As I have mentioned in the past here, here and here, Beimond has a number of excellent posts on OWSM. However I found one part of his comment puzzling. I quote:

"OWSM allows you to pass on the identity of the authenticated user to your OWSM protected web service ( thanks to OPSS ), this username can then be used by your service. This will work on one or between different WebLogic domains. Of course when you don't want to use OWSM you can always use Oracle Access Manager OAM which can do the same." The last sentence of that quote is the one I find puzzling.

In fact I just discussed this particular topic recently here.

So let me try and clarify on a few points:

a) OAM is used for Web SSO: it protects browser-facing URLs and issues a session (SSO) token for the browser.

b) OWSM is used for securing Web Services. OAM does not do identity propagation for Web Services: it issues and validates a browser session token, not a WS-Security token carried inside the SOAP message.

c) You use SAML to do identity propagation across Web Services. OAM also supports SAML, but that is the SAML Web Browser SSO profile, relevant in the context of Web SSO, and it is not related to the SAML Token Profile defined as part of the WS-Security spec, which is what OWSM uses.

Thursday May 31, 2012

Identity Propagation across Web and Web Service - 11g

I was on a customer call recently and this topic came up. Since this topic seems to come up fairly frequently, I thought I would describe the recommended model for doing SSO for Web Apps and then doing identity propagation across the back-end web services.

The Image below shows a typical flow:

Here is a more detailed drill-down of what happens at each step of the flow (the step numbers in the diagram map to the numbered descriptions below of the behind-the-scenes processing that happens in the stack).

[1] The Web App is protected with OAM, so the typical SSO scenario applies. The Web App URL is protected in OAM. The Web Gate intercepts the request from the browser to the Web App: if there is an OAM (SSO) token, the Web Gate validates it; if there is no SSO token, the user is directed to the login page, enters credentials, is authenticated, and an OAM token is created for that browser session.

[2] Once the Web Gate validates the OAM token, the token is propagated to the WLS server where the Web App is running. You need to ensure that you have configured the OAM Identity Asserter in the WebLogic domain. If the OAM Identity Asserter is configured, it asserts the user from the OAM token and a JAAS Subject is created for that user; no password is needed at this hop, so the asserter must only be reachable through the Web Gate.

Details can be found at:

[3] The Web Service client (in the Web App) is secured with one of the OWSM SAML client policies. If secured in this fashion, the OWSM Agent creates a SAML token from the JAAS Subject (created in [2] by the OAM Identity Asserter) and injects it into the SOAP message. The user's password is never available at this point, which is why a SAML token (the client vouching for the user) is used rather than a username token.

Steps for securing a JEE JAX-WS Proxy Client using OWSM Policies are documented at:

Note: As shown in the diagram, instead of building a JEE Web App you can also use WebCenter and build portlets. If you are using WebCenter you can follow the same architecture; only the steps for securing WebCenter portlets with OWSM are different.

[4] The SOA Composite App is secured with an OWSM SAML service policy. The OWSM Agent intercepts the incoming SOAP request, validates the SAML token (signature, trusted issuer, validity period) and creates a JAAS Subject for the asserted user.

[5] When the SOA Composite App tries to invoke the OSB Proxy Service, the SOA Composite App "Reference" is secured with an OWSM SAML client policy. Here again the OWSM Agent creates a new SAML token from the JAAS Subject created in [4] and injects it into the outgoing SOAP message; the original token from [3] is not forwarded as-is.

Steps for securing SOA Composite Apps (Service, Reference, Component) are documented at:

[6] When the request reaches the OSB Proxy Service, the Proxy Service is again secured with an OWSM SAML token service policy, so the same steps are performed as in [4]. The end result is a JAAS Subject.

[7] When OSB needs to invoke the Business App Web Service, it goes through the OSB Business Service. The OSB Business Service is secured with an OWSM SAML client policy and step [5] is repeated.

Steps for securing OSB Proxy Services and OSB Business Services are documented at:

[8] Finally, when the message reaches the Business App Web Service, this service is protected by an OWSM SAML service policy and step [4] is repeated by the OWSM Agent. The service therefore sees the end user's identity (from the OAM login in [1]) rather than a shared service account, and every hop in between has validated and re-issued the token.

Steps for securing Weblogic Web Services, ADF Web Services, etc are documented at:

In the above description, for purposes of brevity, I have not described which OWSM SAML policies one should use; OWSM ships with a number of SAML policies, and I briefly described some of the trade-offs involved with the various SAML policies here.

The diagram above and the accompanying description of what is happening in each step of the flow assume you are using "SAML SV" (sender-vouches) or "SAML Bearer" based policies without an STS.
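The two posts above describe the same chain of checks at every hop: validate the incoming SAML token, build a local JAAS Subject from it, and issue a fresh token in this hop's own name for the next hop. The following is an added example (not OWSM code, and not from the original posts) that models that chain in plain Python so the trust decisions are visible. It assumes a toy token format: an HMAC over the assertion fields stands in for the XML signature OWSM makes with the issuer's X.509 signing key, and the TRUST table stands in for the trusted-issuer list and signing certificates configured on the service policy. The hop names (webapp, soa, osb, bizsvc) and keys are constructed for the example.

```python
"""Toy model of sender-vouches identity propagation across service hops.

Stand-ins (assumptions of this example): an HMAC over the assertion fields
plays the role of the XML-DSig signature OWSM produces with the issuer's
X.509 key, and TRUST plays the role of the trusted-issuer list plus the
verifier's keystore.  Real SAML tokens are XML; the shape of the checks is
what this example is meant to show.
"""
import hashlib
import hmac
import json
import time


class TokenRejected(Exception):
    """Raised when a token fails the trust, signature, or validity checks."""


def _canonical(fields):
    # Deterministic serialisation so signer and verifier hash the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_token(subject, issuer, issuer_key, now, ttl=300):
    """Hop `issuer` vouches for `subject` (taken from its local JAAS Subject)."""
    fields = {"subject": subject, "issuer": issuer,
              "not_before": now, "not_on_or_after": now + ttl}
    sig = hmac.new(issuer_key, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "signature": sig}


def validate_token(token, trusted_issuers, now):
    """Return the vouched-for subject, or raise TokenRejected.

    Order matters: identify the issuer, check it is trusted, verify the
    signature with *that issuer's* key, then check the validity window.
    The subject name itself is never trusted until the signature is.
    """
    issuer = token.get("issuer")
    if issuer not in trusted_issuers:
        raise TokenRejected("untrusted issuer %r" % issuer)
    fields = {k: v for k, v in token.items() if k != "signature"}
    expected = hmac.new(trusted_issuers[issuer], _canonical(fields),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.get("signature", "")):
        raise TokenRejected("bad signature from %r" % issuer)
    if not (token["not_before"] <= now < token["not_on_or_after"]):
        raise TokenRejected("token outside validity window")
    return token["subject"]


def propagate(token, this_hop, this_hop_key, trusted_issuers, now):
    """Steps [4]+[5] of the flow at one hop: validate the incoming token,
    build the local Subject, and re-issue a fresh token in this hop's name."""
    subject = validate_token(token, trusted_issuers, now)
    return issue_token(subject, this_hop, this_hop_key, now)


# Constructed sample keys: in a real deployment each hop has its own signing
# key pair and each verifier trusts the upstream issuer's certificate.
KEYS = {
    "webapp": b"webapp-signing-key",
    "soa": b"soa-signing-key",
    "osb": b"osb-signing-key",
}
# In this model each verifier trusts only the hop directly upstream of it,
# so a token that skips a hop is rejected as coming from an untrusted issuer.
TRUST = {
    "soa": {"webapp": KEYS["webapp"]},
    "osb": {"soa": KEYS["soa"]},
    "bizsvc": {"osb": KEYS["osb"]},
}


def run_chain(user, now):
    """Walk steps [3]..[8]: webapp -> soa -> osb -> business service."""
    # [3] the Web App's client policy builds a token from the OAM-asserted Subject
    t = issue_token(user, "webapp", KEYS["webapp"], now)
    # [4]/[5] the SOA composite validates, then its Reference re-issues as "soa"
    t = propagate(t, "soa", KEYS["soa"], TRUST["soa"], now)
    # [6]/[7] the OSB proxy validates, then the business service re-issues as "osb"
    t = propagate(t, "osb", KEYS["osb"], TRUST["osb"], now)
    # [8] the business web service validates and obtains the end user's identity
    return validate_token(t, TRUST["bizsvc"], now)


def rejected(token, trusted_issuers, now):
    """True if validate_token refuses the token (for the negative cases)."""
    try:
        validate_token(token, trusted_issuers, now)
    except TokenRejected:
        return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("bizsvc sees:", run_chain("jdoe", now))
    # A token signed by the web app presented straight to OSB is refused:
    # OSB's trust list names only SOA, so the skipped hop is detected.
    direct = issue_token("jdoe", "webapp", KEYS["webapp"], now)
    print("webapp->osb rejected:", rejected(direct, TRUST["osb"], now))
```

The point the model makes is that sender-vouches propagation is a chain of pairwise trust: the business service never sees the user's credentials, only an assertion signed by the hop it trusts, so the security of the whole path rests on each service policy's trusted-issuer and certificate configuration, not on the subject name in the token.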

Wednesday May 23, 2012

WLS Custom Authenticator, OPSS Custom Identity Store Service, OWSM Custom Assertion - custom everything!! - 11g

Between WLS, OWSM and OPSS, Oracle supports a lot of flexibility in building custom security. However, customers may sometimes be overwhelmed and find all of this very confusing. This post provides a brief overview of the purpose of each and when to use them.

WLS Custom Authenticator (or Custom Authentication Provider)

WebLogic provides the ability to build custom Authentication Providers. The WLS documentation describing how to build "Security Providers" is here.

When should you build it?

Typically you build a custom authentication provider when your users are stored in a "custom" repository that none of the out-of-the-box (OOTB) providers can talk to.

Ex#1: Let's say you have users in a mainframe repository and you cannot use the OOTB Ldap or SQL Authentication Providers.

Ex#2: The users are stored in DB but the schema is custom and so the OOTB SQL Authentication Provider does not work.

We will use the terminology "Identity Store" to identify a repository where users are stored.

OPSS Custom Identity Store Service

OPSS supports the ability to configure the "Identity Store" service as part of a WebLogic domain via "jps-config.xml". OPSS OOTB currently does not support Oracle DB as an "Identity Store". If you have users in a DB or a mainframe system, you may want to build a custom identity store service.


When should you build it?

The OPSS Identity Store service is used to retrieve user profile information (for example, the email address of a user in the "Identity Store"), as opposed to the Authentication Provider, which only decides whether a login succeeds.

OPSS provides what are called the User/Role APIs, and these APIs ultimately need to talk to the "Identity Store" to retrieve user profile information.

You can find details about the OPSS Identity Store service here.

OWSM Custom Assertion

I have briefly described OWSM Custom Assertion/Policy support in this blog post.

When should you build it?

There are many scenarios where you may want to build a custom assertion.

Ex#1: Let's say you need to support a proprietary token (ex: a CA SiteMinder token) in your Web Services for authentication.

Ex#2: You want to support a JWT for authentication in your Web Services. In both cases the custom assertion has to do what the OOTB token assertions do: extract the token from the message, validate it (signature, issuer, expiry), and establish the authenticated Subject.

Hopefully this clarifies some of the confusion.

Note: There are a lot of nuances to each of the scenarios described in this post. I have tried to keep the post at a high level and glossed over many of the nuances for purposes of brevity.

Tuesday Mar 13, 2012

How To - OWSM and WLS WS-Security Interop - 11g

Here is another How-To that provides a detailed step-by-step guide for getting OWSM to interoperate with WLS WS-Security using the Username Token with message protection policy.

Happy Reading!


A few things I forgot before I posted this entry:

  • The OWSM interop guide provides a high-level overview of the steps involved in achieving this interop; however, it does not provide detailed step-by-step instructions, so I thought I would provide a more detailed How-To for customers who are having problems following the interop guide.
  • As the doc makes clear, you only need to configure the "Confidentiality Key"; however, in the How-To I cover configuring both the "Confidentiality" and "Signing" keys. You can safely skip the steps relating to configuring the "Signing Key".
  • I have simplified things to a large extent in terms of the keystore setup. This setup is not always practical from a production perspective (a demo keystore shared between both sides is not how you would provision keys in production). However, since I have not had a chance to post more on keystores, credential stores, etc., I have tried to keep it simple here. I hope to post more on the topic of keystores, certificates, credentials, credential stores, etc. in a future post.


In this blog I will discuss mainly features supported by Oracle Web Service Manager (OWSM).

