- A simple way to protect web services from unauthorized access is to use standard WS-Security. Web Services Security (WS-Security, WSS) is an extension to SOAP that applies security to web services.
- Oracle SOA Suite 11g/12c provides out-of-the-box WS policies to protect web services and to securely call a protected web service.
Step1: Configure a CSF key in the EM console or configure a user in WebLogic Server.
⇾ Configure keys in WebLogic Server
See 12c-soa-how-to-create-csf-key for the steps to create a CSF key in the EM console.
⇾ Create a user in WebLogic Server
See 12c-soa-how-to-create-user-in-weblogic
Step2: Configure SOA WS Policies from JDeveloper.
Open the composite.xml
Right-click the exposed service and click Configure SOA WS Policies...
Scroll down and select oracle/wss_username_token_service_policy and then OK
Deploy
Test1: without WSSE security header
Outcome:
<env:Fault
xmlns:ns0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<faultcode>ns0:InvalidSecurity</faultcode>
<faultstring>InvalidSecurity :
error in processing the WS-Security security header</faultstring>
<faultactor/>
</env:Fault>
<soapenv:Header>
  <wsse:Security
      soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken
        wsu:Id="UsernameToken-4"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:Username>weblogic</wsse:Username>
      <wsse:Password
          Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">welcome1</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>
</soapenv:Header>
Note:
- For OSB, the same option is available on the proxy services.
- To test this web service, the WSSE header must be passed with the username and password that were created during user/key creation.
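As an added example (not from the original post), the Python sketch below builds the WSSE header shown above with an XML library, so credentials are escaped rather than concatenated into the message, and reads the fault returned in Test1. The function names, the `UsernameToken-1` id and the sample values are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = OASIS + "wssecurity-secext-1.0.xsd"
WSU = OASIS + "wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = OASIS + "username-token-profile-1.0#PasswordText"
for prefix, uri in (("soapenv", SOAPENV), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)

# Constructed sample: the Test1 fault wrapped in an envelope so it parses stand-alone.
SAMPLE_FAULT = f"""<env:Envelope xmlns:env="{SOAPENV}"><env:Body>
<env:Fault xmlns:ns0="{WSSE}">
<faultcode>ns0:InvalidSecurity</faultcode>
<faultstring>InvalidSecurity :
error in processing the WS-Security security header</faultstring>
<faultactor/>
</env:Fault></env:Body></env:Envelope>"""


def build_envelope(username, password, payload=None):
    """Return a SOAP 1.1 envelope carrying a WSSE UsernameToken header."""
    env = ET.Element(f"{{{SOAPENV}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAPENV}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{SOAPENV}}}mustUnderstand": "1"})
    token = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken", {f"{{{WSU}}}Id": "UsernameToken-1"})
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    # PasswordText carries the password as-is in the message: send it only over TLS.
    ET.SubElement(token, f"{{{WSSE}}}Password", {"Type": PASSWORD_TEXT}).text = password
    body = ET.SubElement(env, f"{{{SOAPENV}}}Body")
    if payload is not None:
        body.append(payload)  # payload is an Element built by the caller
    return ET.tostring(env, encoding="unicode")


def security_fault(response_xml):
    """Return (faultcode without prefix, faultstring) for a SOAP fault, else None."""
    root = ET.fromstring(response_xml)
    fault = root if root.tag == f"{{{SOAPENV}}}Fault" else root.find(f".//{{{SOAPENV}}}Fault")
    if fault is None:
        return None
    code = (fault.findtext("faultcode") or "").strip()
    text = " ".join((fault.findtext("faultstring") or "").split())
    return code.split(":")[-1], text


if __name__ == "__main__":
    print(build_envelope("example-user", "example-password"))  # placeholder credentials
    print(security_fault(SAMPLE_FAULT))
```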