Tuesday, September 07, 2010

Adding Security policies to SOA Suite 11g web Services

This is a continuation of the previous post. We will use the same composite and modify it as per our requirement.

In this exercise we will add some security policies for our web service.

Open up your composite.xml, right click on the exposed service and choose Configure WS Policies.




Since we are using the previous project, it will already have one default policy attached to it. Delete that policy and add these two policies:

oracle/wss_username_token_service_policy
oracle/binding_permission_authorization_policy

I have already pointed out the link that should be referred to for these policies.

So we will select these policies in the policies window.



Now our project is complete. Save it and deploy it to the server.

Now this security policy forces us to have a user which has the privilege to access the web service. For this purpose we will first create a user from the admin console.

Log in to the admin console:

http://host:port/console

On the left-hand side, find Security Realms.


Select it, click on myrealm, then choose the Users and Groups tab and, below it, the Users tab.


There create a new user.



I created a new user arpit as shown.



Now log in to the EM console and click on the service which you have deployed.

Click on Show XML Definition to find out the namespace and service name as shown below.



This is because the Resource name is defined as

Namespace/service_name#operation

We will discuss the resource name later; for now just understand that this is the URL we need to pass while configuring the policy.

So from this configuration I found:

namespace = http://xmlns.oracle.com/OWSM_jws/SOAOWSM/BPELProcess1

service_name = bpelprocess1_client_ep

Now, to find out the operation, click on the Test button for the process.

You can find the process name there.



So my operation name is process, and my Resource name will be

http://xmlns.oracle.com/OWSM_jws/SOAOWSM/BPELProcess1/bpelprocess1_client_ep#process

Now log in to the EM console again, move to the WebLogic domain and choose Security Policies there as shown below.





Now in the next screen choose Principal as the type and, under Permission, click on the Search button. It will come up with Administrator and its permission class as shown below.




Now select the Administrator entry and click on Create Like.



It will come up with a screen like this, having the same permission class. We will modify it by clicking on the Edit option.



Now in the edit box:

In Permission Class provide

oracle.wsm.security.WSFunctionPermission

Resource Name as http://xmlns.oracle.com/OWSM_jws/SOAOWSM/BPELProcess1/bpelprocess1_client_ep#process

and Permission Actions as *, which means all permissions.



For more details on this permission class, please refer to the following document.

Now in the Grantee section we can add our own users or groups. Since we have created a user, we will add a user, so click on Add User in the Grantee section.



Now search for all the users, move the user arpit to the right-hand section, select it and click OK.



So now all the configuration is complete. We have created a new policy and also created a user who has been granted permission for the application. You should have an entry for the new permission class as below.





Now we will test how our application works.

Log in to the EM console and click on Test.

Provide the user arpit and its password while calling the web service.



It should have invoked the process successfully, but it threw me the following error:


java.lang.Exception: oracle.sysman.emSDK.webservices.wsdlapi.SoapTestException: FailedAuthorization : failure in authorization at oracle.sysman.emas.model.wsmgt.WSTestModel.invokeOperation(WSTestModel.java:575) at oracle.sysman.emas.view.wsmgt.WSView.invokeOperation(WSView.java:381) at oracle.sysman.emas.view.wsmgt.WSView.invokeOperation(WSView.java:298) at sun.reflect.GeneratedMethodAccessor3157.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at com.sun.el.parser.AstValue.invoke(AstValue.java:157) at com.sun.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:283) at org.apache.myfaces.trinidadinternal.taglib.util.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:53)

Ideally it should work with arpit as the user, as he is the grantee for the application.

So if you log in to the EM console, select your process and go to the Policies tab, you will find which policy has been violated.

In my case it is showing numbers for both the policies because I have done a lot of R &amp; D, but in a real case it should show a violation for the binding authorization policy, which means we are making some mistake somewhere in configuring our permission, or something which I am not sure of.



You can verify this by disabling the binding permission policy; if you then test the service, it will work fine with any user and password from the default authenticator.

To narrow down the issue, I am deleting the policy provider that we have created.



Now go to the EM console, go to soa-infra and create an application policy.





Here, create a new application policy.



Add a custom policy using the same details that we provided previously.



Click OK and similarly add the user arpit as the grantee.

Now save the changes and try to invoke the process again from the EM console.

Just to study some error behaviour, we will first try to invoke it without giving any input header information. It will throw an error:

java.lang.Exception: oracle.sysman.emSDK.webservices.wsdlapi.SoapTestException: InvalidSecurity : error in processing the WS-Security security header at oracle.sysman.emas.model.wsmgt.WSTestModel.invokeOperation(WSTestModel.java:575) at oracle.sysman.emas.view.wsmgt.WSView.invokeOperation(WSView.java:381) at oracle.sysman.emas.view.wsmgt.WSView.invokeOperation(WSView.java:298) at sun.reflect.GeneratedMethodAccessor3157.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at com.sun.el.parser.AstValue.invoke(AstValue.java:157) at com.sun.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:283) at org.apache.myfaces.trinidadinternal.taglib.util.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:53) at

If you look at the log files, it says error in processing the WS-Security header, as we have not provided any header information.

Now we will invoke it again using the header information.



Now it should be able to invoke the process, but it again gives me an error:


java.lang.Exception: oracle.sysman.emSDK.webservices.wsdlapi.SoapTestException: FailedAuthorization : failure in authorization at oracle.sysman.emas.model.wsmgt.WSTestModel.invokeOperation(WSTestModel.java:575) at oracle.sysman.emas.view.wsmgt.WSView.invokeOperation(WSView.java:381) at oracle.sysman.emas.view.wsmgt.WSView.invokeOperation(WSView.java:298) at sun.reflect.GeneratedMethodAccessor3157.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at com.sun.el.parser.AstValue.invoke(AstValue.java:157) at com.sun.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:283) at org.apache.myfaces.trinidadinternal.taglib.util.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:53)


So somehow it is not able to authorize :(

I referred to the Oracle documentation and found the following note:

Configuring Permission-Based Authorization Policies

The permission-based policy oracle/binding_permission_authorization_policy provides a permission-based authorization policy based on the authenticated subject.

The policies ensure that the subject has permission to perform the operation. To do this, the Oracle WSM Authorization Policy executor leverages Oracle Platform Security Services (OPSS) to check if the authenticated subject has been granted oracle.wsm.security.WSFunctionPermission (or whatever permission class is specified in Permission Check Class) using the Resource Pattern and Action Pattern as parameters.

Resource Pattern and Action Pattern are used to identify if the authorization assertion is to be enforced for this particular request. Access is allowed if the authenticated subject has been granted WSFunctionPermission.

You can grant the WSFunctionPermission permission to a user, a group, or an application role. If you grant WSFunctionPermission to a user or group it will apply to all applications that are deployed in the domain.

To do this, edit the system-jazn-data.xml file under <domain-home>/config/fmwconfig to grant the WSFunctionPermission permission to the user, group, or application that will attempt to authenticate to the Web service, as shown in Example A-4.

In the example, the user who has the ApplicationRole must be a valid WebLogic Server user.

Example A-4 Editing the system-jazn-data.xml File to Grant Permission

<jazn-policy>
  <grant>
    <grantee>
      <display-name>myPolicy</display-name>
      <principals>
        <principal>
          <class>oracle.security.jps.service.policystore.ApplicationRole</class>
          <name>testapp</name>
        </principal>
      </principals>
    </grantee>
    <permissions>
      <permission>
        <class>oracle.wsm.security.WSFunctionPermission</class>
        <name>*</name>
        <actions>echo1</actions>
      </permission>
    </permissions>
  </grant>
</jazn-policy>


I verified the configuration file at my end and found the following entry:

<grant>
  <grantee>
    <principals>
      <principal>
        <class>weblogic.security.principal.WLSUserImpl</class>
        <name>arpit</name>
      </principal>
    </principals>
  </grantee>
  <permissions>
    <permission>
      <class>oracle.wsm.security.WSFunctionPermission</class>
      <name>http://xmlns.oracle.com/OWSM_jws/SOAOWSM/BPELProcess1/bpelprocess1_client_ep#process</name>
      <actions>*</actions>
    </permission>
  </permissions>
  <permission-set-refs>
  </permission-set-refs>
</grant>
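To check a grant like the one above without clicking through the EM console, here is an added example (not from the original post or from Oracle): it builds the resource name in the Namespace/service_name#operation form used earlier and reads the <jazn-policy> grants to see whether a given principal holds a matching WSFunctionPermission. The sample policy is constructed, and the exact-or-`*` matching of the permission name and actions is an assumption that simplifies how OPSS evaluates the permission.

```python
"""Constructed check over a system-jazn-data.xml style <jazn-policy> block.

Assumption (not from the page): exact-or-'*' matching for the permission
name and comma-separated actions is a simplification of how OPSS evaluates
WSFunctionPermission; the real policy store remains the authority.
"""
import xml.etree.ElementTree as ET

WS_PERMISSION = "oracle.wsm.security.WSFunctionPermission"

# Constructed sample: the grant shown for user arpit plus the
# ApplicationRole grant from Oracle's Example A-4.
SAMPLE_JAZN_POLICY = """<jazn-policy>
<grant><grantee><principals><principal>
<class>weblogic.security.principal.WLSUserImpl</class><name>arpit</name>
</principal></principals></grantee><permissions><permission>
<class>oracle.wsm.security.WSFunctionPermission</class>
<name>http://xmlns.oracle.com/OWSM_jws/SOAOWSM/BPELProcess1/bpelprocess1_client_ep#process</name>
<actions>*</actions></permission></permissions></grant>
<grant><grantee><principals><principal>
<class>oracle.security.jps.service.policystore.ApplicationRole</class><name>testapp</name>
</principal></principals></grantee><permissions><permission>
<class>oracle.wsm.security.WSFunctionPermission</class><name>*</name><actions>echo1</actions>
</permission></permissions></grant>
</jazn-policy>"""


def resource_name(namespace, service, operation):
    """Build the OWSM resource name: Namespace/service_name#operation."""
    return f"{namespace.rstrip('/')}/{service}#{operation}"


def parse_grants(xml_text):
    """Return one (principal_names, [(perm_class, name, actions)]) per <grant>."""
    grants = []
    for grant in ET.fromstring(xml_text).iter("grant"):
        names = {p.findtext("name") for p in grant.iter("principal")}
        perms = [(p.findtext("class"), p.findtext("name"), p.findtext("actions", "*"))
                 for p in grant.iter("permission")]
        grants.append((names, perms))
    return grants


def is_granted(grants, principal, resource, action, perm_class=WS_PERMISSION):
    """True if a grant for `principal` carries a permission covering resource+action."""
    for names, perms in grants:
        if principal not in names:
            continue
        for cls, name, actions in perms:
            acts = {a.strip() for a in actions.split(",")}
            if cls == perm_class and name in ("*", resource) and ("*" in acts or action in acts):
                return True
    return False
```

Run it against the real <domain-home>/config/fmwconfig/system-jazn-data.xml to confirm the grantee and resource name before chasing a FailedAuthorization elsewhere.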

I further verified the binding template settings.

To add to this, this feature is working fine in SOA Suite 11.1.1.2 with the steps I have mentioned above, but I am not sure why it is now not working with 11.1.1.3.

Maybe there are some issues with my 11.1.1.3 server, as the same is working fine with 11.1.1.2.

Finally I resolved this issue.

Well, for me it also worked in 11.1.1.3.

If you already have a version deployed, deploy a new version overwriting the previous one.

Instead of a new user, try to give the permission to weblogic and this should work.

So for me the following configuration is working fine:

<grant>
  <grantee>
    <principals>
      <principal>
        <class>weblogic.security.principal.WLSUserImpl</class>
        <name>weblogic</name>
      </principal>
    </principals>
  </grantee>
  <permissions>
    <permission>
      <class>oracle.wsm.security.WSFunctionPermission</class>
      <name>http://xmlns.oracle.com/OWSM_jws/SOAOWSM/BPELProcess1/bpelprocess1_client_ep#process</name>
      <actions>*</actions>
    </permission>
  </permissions>
  <permission-set-refs>
  </permission-set-refs>
</grant>
