OEG integration with OES11g
By pgoutin on Feb 22, 2012
Purpose of this blog entry
This blog entry will go through the main configuration steps of the OEG11g gateway to authenticate & authorize web service access using Oracle Entitlements Server (OES11g). This is demonstrated by configuring the gateway to delegate authorization to OES11g using the OES11g authorization filter. This filter assumes that an OES11g authorization server has already been configured before the filter is used.
The latest OEG11g (release 18.104.22.168.0) is required. This release is available on OTN.
- the OEG gateway is configured to delegate authentication to OES11g. The credential to be used for authentication can be extracted from the HTTP Basic headers, a WS-Security username token or anywhere inside the message payload
- upon successful authentication, the gateway can authorize the user to access a resource via OES11g
Overview of Oracle Entitlements Server (OES11g)
Oracle Entitlements Server (OES) is a fine grained authorization service which can be used to secure applications and services end-to-end across the enterprise. It provides authorization for a broad set of ecosystems including Java EE, Java SE, .NET, SOA, content management systems and databases. OES comes with several out-of-the-box (OOTB) integrations which can be dropped into a given deployment with minimal impact. It allows for separation of development and deployment cycles, so application developers can be agnostic of deployment issues. As OES is Oracle's strategic authorization solution for all our applications and technology it has been designed to meet the performance and scalability requirements of Oracle's largest and most complex customer deployments. Unlike authentication, authorization requests have latency constraints in the order of microseconds and a single web page access can generate over 50 individual authorization requests. OES provides a rich hierarchical policy model based on the Role Based Access Control (RBAC) and Attribute Based Access Control (ABAC) standards. It supports multi-level delegated administration which allows for precise control over authoring and management of security policies. OES is the most mature fine grained authorization product in the market and it has been in continuous use for well over a decade.
The figure above provides a high level overview of OES. Users as part of their normal activities, such as accessing web pages, generate access requests. OES maps these requests into a normalized form and performs checks against authorization policies. During policy evaluation OES can utilize information from external data sources such as LDAP systems, databases and Web Services. At the end, OES sends an authorization response back to the caller in the form of an Authorization Decision and Obligations (Obligations are described in the section Policy Design).
[source : http://www.oracle.com/technetwork/middleware/oes/overview/index.html]
The diagram below shows the sequence of events that occurs when a client sends a message to the Gateway that needs to be authenticated and authorized by Oracle Entitlements Server.
- A client application sends a message containing credentials to the OEG Gateway
- The OEG Gateway extracts the credentials and delegates authentication to Oracle Entitlements Server. Once the client has been authenticated, the OEG Gateway queries Oracle Entitlements Server to see if this specific client is permitted to access the resource (i.e. the Web Service) it is trying to contact.
- Once authentication and authorization have passed, the message is trusted and is forwarded to the target Web Service
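The two lists above (credential sources, and the extract / authenticate / authorize / forward sequence) can be made concrete with a small simulation. The following is an added example written for this page; it is not OEG or OES code and does not use the OES client API. `MockEntitlementsServer` is a hypothetical stand-in for OES11g that only mirrors the authenticate-then-authorize contract (a password check, then an RBAC role match plus an ABAC condition, returning a decision with obligations); the users, roles, policy and requests are constructed for the demo.

```python
"""Simulated gateway-to-authorization-server flow (constructed example, not OEG/OES code)."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"


def extract_basic(headers):
    """Pull (username, password) from an HTTP Basic Authorization header, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep and user else None


def extract_wsse_username_token(body):
    """Pull (username, password) from a WS-Security UsernameToken in a SOAP message, or None."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    token = root.find(f".//{{{WSSE_NS}}}UsernameToken")
    if token is None:
        return None
    user = token.find(f"{{{WSSE_NS}}}Username")
    password = token.find(f"{{{WSSE_NS}}}Password")
    if user is None or password is None or not user.text:
        return None
    return (user.text, password.text or "")


def extract_credentials(headers, body):
    """Gateway step 1: the credential may sit in the HTTP header or inside the payload."""
    return extract_basic(headers) or extract_wsse_username_token(body)


class MockEntitlementsServer:
    """Hypothetical stand-in for OES11g (not its API): password check + RBAC/ABAC policy."""

    def __init__(self, users, roles, policies):
        self.users = users        # username -> (salt, PBKDF2 hash)
        self.roles = roles        # username -> set of role names
        self.policies = policies  # list of policy dicts, see build_demo_pdp()

    def authenticate(self, username, password):
        record = self.users.get(username)
        salt, expected = record if record else (b"dummy", b"")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10000)
        # unknown users still pay the PBKDF2 cost; compare_digest keeps the check constant-time
        return record is not None and hmac.compare_digest(digest, expected)

    def authorize(self, username, resource, action, attrs):
        """Return (permitted, obligations): roles give RBAC, the condition gives ABAC."""
        held = self.roles.get(username, set())
        for p in self.policies:
            if p["resource"] != resource or p["action"] != action or not (held & p["roles"]):
                continue
            if p.get("condition") and not p["condition"](attrs):
                continue
            return True, p.get("obligations", {})
        return False, {}


def gateway_handle(headers, body, resource, action, pdp):
    """Gateway filter chain: extract -> authenticate -> authorize -> forward (or reject)."""
    creds = extract_credentials(headers, body)
    if creds is None:
        return 401, "no credentials", {}
    user, password = creds
    if not pdp.authenticate(user, password):
        return 401, "authentication failed", {}
    attrs = {"user": user, "client_ip": headers.get("X-Client-IP", "")}
    permitted, obligations = pdp.authorize(user, resource, action, attrs)
    if not permitted:
        return 403, "not authorized", {}
    return 200, "forwarded to target web service", obligations


def build_demo_pdp():
    """Constructed users and a single policy (not from the original page)."""
    def hashed(pw, salt):
        return salt, hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 10000)
    users = {"alice": hashed("alice-pw", b"s1"), "bob": hashed("bob-pw", b"s2")}
    roles = {"alice": {"order-reader"}, "bob": {"guest"}}
    policies = [{
        "resource": "/orders", "action": "GET", "roles": {"order-reader"},
        "condition": lambda a: a["client_ip"].startswith("10."),  # ABAC: internal clients only
        "obligations": {"log-level": "audit"},                     # returned with the decision
    }]
    return MockEntitlementsServer(users, roles, policies)


def run_demo():
    """Constructed requests covering the credential sources and each rejection path."""
    pdp = build_demo_pdp()
    basic = {"Authorization": "Basic " + base64.b64encode(b"alice:alice-pw").decode(),
             "X-Client-IP": "10.0.0.7"}
    soap = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE_NS}"><wsse:UsernameToken>'
            '<wsse:Username>bob</wsse:Username><wsse:Password>bob-pw</wsse:Password>'
            '</wsse:UsernameToken></wsse:Security></s:Header><s:Body/></s:Envelope>')
    bad = {"Authorization": "Basic " + base64.b64encode(b"alice:wrong").decode()}
    return {
        "alice_basic": gateway_handle(basic, "", "/orders", "GET", pdp),
        "alice_external": gateway_handle({**basic, "X-Client-IP": "203.0.113.9"}, "", "/orders", "GET", pdp),
        "bob_wsse": gateway_handle({}, soap, "/orders", "GET", pdp),
        "bad_password": gateway_handle(bad, "", "/orders", "GET", pdp),
        "anonymous": gateway_handle({}, "<s:Envelope xmlns:s='urn:x'/>", "/orders", "GET", pdp),
    }
```

Running `run_demo()` shows the four outcomes the sequence diagram implies: a request with no extractable credential is rejected before any call to the authorization server, a wrong password fails at the authentication step, an authenticated user without a matching role (or failing the ABAC condition) is rejected at the authorization step, and only a permitted request is forwarded, carrying the obligations the policy attached to the decision.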
In this tutorial, OEG11g & OES11g have been installed on the same platform, an OEL5.7 VirtualBox VM.
The main installation & configuration steps are :
- Install OEG11g (latest build 22.214.171.124.0 available on OTN in Q1 CY2012)
- Install OES11g server
- install a database as Oracle-XE or other
- install RCU
- define the db schema for OES11g
- install WLS
- install OES11g
- Install OES11g client
- install OES11g Client (the OES Client, i.e. the Security Module, must be installed on the machine running the gateway)
- configure OES11g client
The OES11g installation worksheet from Subbu Devulapalli is available.
The OEG's jvm.xml is provided as a template and needs to be updated according to your configuration : jvm.xml
Test OES11g client / OES11g server
Before going ahead with the gateway interaction with OES11g, I recommend first testing access to the OES11g server from a simple Java application. A complete "Hello OES World" how-to guide from Subbu Devulapalli is also available.
Using OEG11g with OES11g
A simple policy able to authenticate/authorize against OES11g is shown above :
The configuration for the OES11g Authorization filter is the following :
An export of this policy is provided : oes-policy.xml
- OES11g documentation area : http://www.oracle.com/technetwork/middleware/oes/overview/index.html
- OEG11g download/documentation area : [http://www.oracle.com/technetwork/middleware/id-mgmt/oeg-300773.html?ssSourceSiteId=ocomen#downloads]
- OEG11g/OES11g integration guide
- OEG11g + OES11g virtualbox image is available on retriever.us.oracle.com