Policy Authorization Example in SOA Suite 11g

Use Case:

We have a composite that we want to limit access to.  We will use HTTP basic authentication and an authorization policy to ensure that access is only granted to users who are members of a particular group.

We will use the WebLogic Server Console to create our users and group.  Authentication and Authorization for the composite will be entirely configured in Enterprise Manager with notes on how some steps can also be done in JDeveloper. Note that all screenshots were taken using 11.1.1.6 (PS5).


Configure the Users and Group

(No screenshots for this section but they will be used extensively in the following sections)
  1. Login to the WLS console ('http://<host>:<port>/console')
  2. In the left menu select 'Security Realms'
  3. Select the realm where you want to create the users and groups.  The default is 'myrealm'
  4. At the top select the 'Users and Groups' tab
  5. You'll start with 'Users' so click 'New' and enter your user name and password.  Create as many users as you want, but here we are using 'Bob1', 'Bill1' and 'jane'
  6. Go to the 'Groups' tab and create a new group.  Here we're using 'Group1'
  7. Go back to the users and select 'Bob1'
  8. Select the 'Groups' tab and add 'Group1'.  Do the same for Bill1. We're going to intentionally leave 'jane' out of the group.

You've got your users and groups configured.

If you haven't already done so, deploy your composite now.



Configuration in Enterprise Manager (EM)

The EM configuration is comprised of the following steps:
  1. Add a Domain Credential
  2. Add an Application Role
  3. Add an Application Policy that assigns the Application Role a specific permission
  4. Add 3 WS Policies to the project

Let's first add a domain Credential.  From the left menu, expand the domains and right click on the domain name.

1.  Add Domain Credential

1.1) Login to EM

1.2) Select 'Security' -> 'Credentials'

[screenshot]

1.3) Select 'Create Map'

[screenshot]

1.4) Enter the map name as 'oracle.wsm.security'

[screenshot]

1.5) Click 'OK'

1.6) Highlight the new Map and select 'Create Key'

[screenshot]

1.7) Enter the key name as 'basic.credentials'

1.8) Enter the user name and password; we're using the admin user 'weblogic' here

[screenshot]

1.9) Click OK and your Credentials should now look like this:

[screenshot]

The next steps in our configuration are to configure the Application Role and Application Policy.  These will be used by the Authorization policy.

2.  Create the Application Role

2.1) In the left menu right click the domain name

2.2) Select 'Security' -> 'Application Roles'

[screenshot]

2.3) Select 'soa-infra' in the 'Application Stripe' drop down

2.4) Select 'Create' as we are going to create a new Application Role

[screenshot]

We're going to name our new role 'GroupOneRole'.

2.5) Under Members click 'Add'

[screenshot]

The Type should be 'Group'.

2.6) Search and select Group1 which we created earlier

2.7) Click 'OK'

[screenshot]

You should now have Group1 in your Members list.

[screenshot]

3.  Create the Application Policy

3.1) Right click on the domain name again

3.2) Select 'Security' -> 'Application Policies'

[screenshot]

The 'Application Stripe' is 'soa-infra'
The 'Principal Type' is 'Application Role'

3.3) Search

3.4) Click 'Create'

[screenshot]

3.5) Under 'Permissions' click 'Add'

[screenshot]

3.6) Immediately click the 'Continue' button to get to the custom entry form

Intuitively it seems that the selections here are needed, but they're actually not for what we want to do.

[screenshot]

3.7) For 'Permission Class' enter 'oracle.wsm.security.WSFunctionPermission'

3.8) We're going to cheat a bit and enter '*' for both Resource Name and Permission Actions, which grants the role access to every web service and every action.  In an actual implementation you would probably specify the web service and relevant actions.

[screenshot]

3.9) Click 'Select' and here's what we have for Permissions:

[screenshot]

3.10) Under 'Grantee' click 'Add'

[screenshot]

3.11) Search with the defaults and select 'GroupOneRole'

3.12) Click 'OK'

[screenshot]

Your 'Create Application Grant' screen should now look like this:

[screenshot]

3.13) Click 'OK' at the top right and confirm that the 'GroupOneRole' Principal appears in the list

[screenshot]

We're now ready to add the policies to the project.

4.  Add WS Policies to Project

4.1) Right click on the project name

4.2) Select 'Policies'

[screenshot]

Here we see that the project has no policies associated with it.  We're going to add 3.

4.3) Select 'Attach To/Detach From'

[screenshot]

Depending on the complexity of your project you will likely have more components than this.  Here we're going to select the web service that is the entry point for our composite, 'bpelprocess2_client_ep'.  The following window opens.

[screenshot]

We're going to add 3 policies:

  • 'oracle/wss_http_token_service_policy' for authentication
  • 'oracle/log_policy' for logging the policy activities
  • 'oracle/binding_permission_authorization_policy' for authorization

All of these policies can be added to the web service in JDeveloper by right clicking on the service in the composite design view and selecting 'Configure WS Policies...'. The form is similar to what is shown here in EM.

4.4) Highlight the selections from the list and click 'Attach'.  When completed your 'Directly Attached Policies' should look like this:

[screenshot]

4.5) Select 'Validate' and then 'OK'

Your policies list should now look like this:

[screenshot]

The configuration is complete.

For testing we're using JMeter, submitting the request along with the HTTP authentication header.

I won't get into the JMeter configuration but will provide the responses for two requests.  Let's first try our user 'Bob1'.

HTTP Authorization header value is 'Basic Qm9iMTp3ZWJsb2dpYzE='  (this is the Base64 encoding of 'Bob1:weblogic1')

Response from our server:

[screenshot]



Now let's try user jane who exists in the domain but is not a member of Group1.

HTTP Authorization header value is 'Basic amFuZTp3ZWJsb2dpYzE='  (Base64 encoding of 'jane:weblogic1')

Response from server:

[screenshot]

Here we see the response code 403, which means the resource is forbidden to the authenticated requester: jane's credentials were accepted by the authentication policy, but the authorization policy rejected her because she is not a member of Group1.

In our server standard out we see the following error message:

<Error> <oracle.wsm.resources.security> <WSM-00045> <HTTP authentication/authorization failure.>
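The JMeter test above can be scripted.  The following is an added example, not code from the original post: it builds the same Basic header for 'Bob1' and 'jane', posts a request to the composite, interprets the HTTP status as an authentication or authorization outcome, and pulls WSM-00045 diagnostics out of captured server output.  The endpoint URL, the SOAP payload and the 'weblogic1' password are assumptions.

```python
import base64
import re
import urllib.error
import urllib.request

# Assumed endpoint of the composite's entry point service (host, port and path are placeholders).
ENDPOINT = "http://localhost:8001/soa-infra/services/default/Project1/bpelprocess2_client_ep"
# Constructed minimal SOAP request; the real payload and namespace come from the process WSDL.
SOAP_BODY = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
             '<process xmlns="http://example.invalid/BPELProcess2"><input>test</input></process>'
             "</soap:Body></soap:Envelope>")
# Expected outcome per user from the post: Bob1 is in Group1, jane is not.
EXPECTED = {"Bob1": 200, "jane": 403}

def basic_auth_header(user: str, password: str) -> str:
    """Build the HTTP Authorization header value for basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def classify_status(status: int) -> str:
    """Map the HTTP status to the policy stage that produced it."""
    if status == 401:
        return "authentication failed: wss_http_token_service_policy rejected the credentials"
    if status == 403:
        return "authorization failed: binding_permission_authorization_policy denied the caller"
    if 200 <= status < 300:
        return "authorized"
    return f"unexpected status {status}"

def call_composite(user: str, password: str, url: str = ENDPOINT) -> int:
    """POST the SOAP request as the given user and return the HTTP status code."""
    req = urllib.request.Request(url, data=SOAP_BODY.encode("utf-8"), method="POST")
    req.add_header("Content-Type", "text/xml; charset=utf-8")
    req.add_header("Authorization", basic_auth_header(user, password))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401 and 403 arrive as HTTPError, not as a normal response

# OWSM writes '<Error> <oracle.wsm.resources.security> <WSM-00045> <message>' to standard out.
WSM_LOG = re.compile(r"<(WSM-\d{5})> <([^>]*)>")

def wsm_codes(log_text: str) -> list:
    """Return (code, message) pairs for every OWSM diagnostic found in captured server output."""
    return WSM_LOG.findall(log_text)
```

Against a deployed composite, `call_composite("Bob1", "weblogic1")` should return 200 and `call_composite("jane", "weblogic1")` should return 403, with the latter accompanied by a WSM-00045 line in the server's standard out.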



I hope this post is helpful for anyone trying to enable authorization for their SOA 11g composite applications.  It's a very simple example but perhaps will serve as a good starting point.  In the future we may add the complexity in follow up posts.



Comments:

This is a very precious post. Thanks.

Posted by tercüme on February 27, 2012 at 10:28 AM PST #

Nice blog. I ran it with 11.1.1.5 (PS4) and noticed the screenshots are different in PS4. Looks like the screenshots in the blog were taken from 11.1.1.6 (PS5).

Thanks,
Muthu.

Posted by guest on February 28, 2012 at 01:58 PM PST #

Very nice post. Worth reading it.

Posted by ingilizce tercüme on March 09, 2012 at 01:43 AM PST #

I really appreciate this post. Worth reading it.

Posted by ingilizce tercume on March 13, 2012 at 09:26 AM PDT #

Awesome post for implementing Service policy.

Posted by Saurabh Jain on December 04, 2012 at 10:13 PM PST #

About

This is the official blog of the SOA Proactive Support Team. Here we will provide information on our activities, publications, product related information and more. Additionally we look forward to your feedback to improve what we do.
