Policy Authorization Example in SOA Suite 11g
By Shawnbailey-Oracle on Feb 27, 2012
We have a composite that we want to limit access to. We will use HTTP basic authentication and an authorization policy to ensure that access is only granted to users who are members of a particular group.
We will use the WebLogic Server Console to create our users and group. Authentication and authorization for the composite will be configured entirely in Enterprise Manager, with notes on how some steps can also be done in JDeveloper. Note that all screenshots were taken using 11.1.1.6 (PS5).
Configure the Users and Group (no screenshots for this section, but the users and group will be used extensively in the following sections)
- Login to the WLS console ('http://<host>:<port>/console')
- In the left menu select 'Security Realms'
- Select the realm where you want to create the users and groups. The default is 'myrealm'
- At the top select the 'Users and Groups' tab
- You'll start with 'Users', so click 'New' and enter a user name and password. Create as many users as you want, but here we are using 'Bob1', 'Bill1' and 'jane'
- Go to the 'Groups' tab and create a new group. Here we're using 'Group1'
- Go back to the users and select 'Bob1'
- Select the 'Groups' tab and add 'Group1'. Do the same for Bill1. We're going to intentionally leave 'jane' out of the group.
You've got your users and groups configured
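The same users and group can be created from a WLST script instead of the console, which is handier when the setup has to be repeated on several domains. The script below is an added example, not part of the original post: it talks to the DefaultAuthenticator MBean through its UserEditorMBean/GroupEditorMBean methods (createUser, createGroup, addMemberToGroup, isMember) and returns who ended up in Group1, so jane's exclusion is verified rather than assumed. The admin URL, admin credentials and the demo passwords are assumptions, and the MemoryAuthenticator class is an in-memory stand-in constructed here so the logic can be exercised outside WLST.

```python
# WLST (Jython) equivalent of the console steps above: create the users and
# the group in the default authenticator and verify who is a member.
# Added example, not from the original post.  Run with
#   $MW_HOME/oracle_common/common/bin/wlst.sh provision_users.py
# Admin URL/credentials and the demo passwords are assumptions.
USERS = {'Bob1': 'weblogic1', 'Bill1': 'weblogic1', 'jane': 'weblogic1'}
GROUP = 'Group1'
MEMBERS = ['Bob1', 'Bill1']   # jane is intentionally left out of Group1


def provision(atn):
    """Create the group and users idempotently, then add the members.

    `atn` is the DefaultAuthenticator MBean (it implements UserEditorMBean and
    GroupEditorMBean).  Returns {user: member_of_GROUP} so the outcome can be
    checked rather than eyeballed in the console.
    """
    if not atn.groupExists(GROUP):
        atn.createGroup(GROUP, 'Users allowed to invoke the composite')
    for name, password in USERS.items():
        if not atn.userExists(name):
            atn.createUser(name, password, 'SOA policy demo user')
    for name in MEMBERS:
        if not atn.isMember(GROUP, name, True):
            atn.addMemberToGroup(GROUP, name)
    result = {}
    for name in USERS.keys():
        result[name] = bool(atn.isMember(GROUP, name, True))
    return result


class MemoryAuthenticator:
    """In-memory stand-in with the same method names as the WLS MBean, so the
    logic above can be exercised outside WLST (constructed for this example)."""
    def __init__(self):
        self.users = {}
        self.groups = {}
    def userExists(self, name):
        return name in self.users
    def groupExists(self, group):
        return group in self.groups
    def createUser(self, name, password, description):
        self.users[name] = password
    def createGroup(self, group, description):
        self.groups[group] = []
    def addMemberToGroup(self, group, name):
        self.groups[group].append(name)
    def isMember(self, group, name, recursive):
        return name in self.groups.get(group, [])


if __name__ in ('__main__', 'main'):        # WLST sets __name__ to 'main'
    try:
        connect                              # defined only inside WLST
    except NameError:
        print(provision(MemoryAuthenticator()))   # plain Python: dry run
    else:
        connect('weblogic', 'welcome1', 't3://localhost:7001')   # assumed
        serverConfig()
        realm = cmo.getSecurityConfiguration().getDefaultRealm()
        provider = realm.lookupAuthenticationProvider('DefaultAuthenticator')
        print(provision(provider))
        disconnect()
```

Because every call is guarded by an exists/isMember check, the script can be re-run safely; the WLST 11g interpreter is Jython 2.2, so the code deliberately avoids newer syntax such as generator expressions.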
If you haven't already done so, deploy your composite now.
Configuration in Enterprise Manager (EM)
The EM configuration consists of the following steps:
- Add a Domain Credential
- Add an Application Role
- Add an Application Policy that assigns the Application Role a specific permission
- Add 3 WS Policies to the project
1.  Add Domain Credential
1.1) Login to EM
1.2) Select 'Security' -> 'Credentials'
1.3) Select 'Create Map'
1.4) Enter the map name as 'oracle.wsm.security'
1.5) Click 'OK'
1.6) Highlight the new Map and select 'Create Key'
1.7) Enter the key name as 'basic.credentials'
1.8) Enter the user name and password. We're using the admin user 'weblogic' here; outside a lab, a dedicated least-privilege account is the safer choice for a stored credential.
1.9) Click OK and your Credentials should now look like this:
The next steps in our configuration are to configure the Application Role and Application Policy. These will be used by the Authorization policy.
2.  Create the Application Role
2.1) In the left menu right click the domain name
2.2) Select 'Security' -> 'Application Roles'
2.3) Select 'soa-infra' in the 'Application Stripe' drop down
2.4) Select 'Create' as we are going to create a new Application Role
We're going to name our new role 'GroupOneRole'
2.5) Under Members click 'Add'
The Type should be 'Group'
2.6) Search and select Group1 which we created earlier
2.7) Click 'OK'
You should now have Group1 in your Members list.
3.  Create the Application Policy
3.1) Right click on the domain name again
3.2) Select 'Security' -> 'Application Policies'
3.3) Leave the 'Application Stripe' as 'soa-infra' and the 'Principal Type' as 'Application Role'
3.4) Click 'Create'
3.5) Under 'Permissions' click 'Add'
3.6) Immediately click the 'Continue' button to get to the custom entry form. Intuitively it seems that the selections on this screen are needed, but they're actually not for what we want to do.
3.7) For 'Permission Class' enter 'oracle.wsm.security.WSFunctionPermission'
3.8) We're going to cheat a bit and enter '*' for both 'Resource Name' and 'Permission Actions'. This grants the role every action on every resource covered by the permission class; in an actual implementation you would name the specific web service and the relevant actions.
3.9) Click 'Select' and here's what we have for Permissions:
3.10) Under 'Grantee' click 'Add'
3.11) Search with the defaults and select 'GroupOneRole'
3.12) Click 'OK'
Your 'Create Application Grant' screen should now look like this:
3.13) Click 'OK' at the top right and confirm that the 'GroupOneRole' Principal appears in the list
We're now ready to add the policies to the project
4.  Add WS Policies to Project
4.1) Right click on the project name
4.2) Select 'Policies'
Here we see that the project has no policies associated with it. We're going to add 3.
4.3) Select 'Attach To/Detach From'
Depending on the complexity of your project you will likely have more components than this. Here we're going to select the web service that is the entry point for our composite, 'bpelprocess2_client_ep'. The following window opens.
We're going to add 3 policies:
- 'oracle/wss_http_token_service_policy' for authentication (HTTP basic credentials are only Base64-encoded, not encrypted, so in production serve the endpoint over SSL/TLS or use 'oracle/wss_http_token_over_ssl_service_policy')
- 'oracle/log_policy' for logging the policy activities
- 'oracle/binding_permission_authorization_policy' for authorization
4.4) Highlight the selections from the list and click 'Attach'. When completed your 'Directly Attached Policies' should look like this:
4.5) Select 'Validate' and then 'OK'. Your policies list should now look like this:
The configuration is complete.
For testing we're using JMeter, submitting the request along with the HTTP authentication header.
I won't get into the JMeter configuration but will provide the responses for two requests. Let's first try our user 'Bob1'.
HTTP Authorization header value is 'Basic Qm9iMTp3ZWJsb2dpYzE=' (this is the Base64 encoding of 'Bob1:weblogic1')
Response from our server:
Now let's try user jane who exists in the domain but is not a member of Group1
HTTP Authorization header value is 'Basic amFuZTp3ZWJsb2dpYzE=' (Base64 encoding of 'jane:weblogic1')
Response from server:
Here we see response code 403, which means the requester was authenticated but is forbidden from the resource. A wrong password or unknown user would instead fail at the authentication policy and produce a 401.
In our server standard out we see the following error message:
<Error> <oracle.wsm.resources.security> <WSM-00045> <HTTP authentication/authorization failure.>
I hope this post is helpful for anyone trying to enable authorization for their SOA 11g composite applications. It's a very simple example, but perhaps it will serve as a good starting point. In the future we may add the complexity in follow-up posts.