Wednesday, February 12, 2020

12c SOA - WS Security - How to protect a web service with username and password

  • A simple way to protect web services from unauthorized access is to use standard WS-Security. Web Services Security (WS-Security, WSS) is an extension to SOAP that applies security to web services.
  • Oracle SOA Suite 11g/12c provides out-of-the-box WS policies to protect web services and to securely call a protected web service.

Step 1: Configure a CSF key in the EM console or configure a user in WebLogic Server.
Configure keys in WebLogic Server
Click here 12c-soa-how-to-create-csf-key for the steps to create a CSF key in the EM console.
Create a user in WebLogic Server
Click here 12c-soa-how-to-create-user-in-weblogic

Step 2: Configure SOA WS policies from JDeveloper.
Open the composite.xml
Right-click the exposed service and click Configure SOA WS Policies...
Under Security, click the + button
Scroll down, select oracle/wss_username_token_service_policy and then click OK


Test 1: without the WSSE security header
      <env:Fault xmlns:ns0="">
         <faultstring>InvalidSecurity : error in processing the WS-Security security header</faultstring>
      </env:Fault>


Test 2: with the WSSE security header
      <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="">
         <wsse:UsernameToken wsu:Id="UsernameToken-4" xmlns:wsu="">
            <wsse:Password Type="">welcome1</wsse:Password>
         </wsse:UsernameToken>
      </wsse:Security>

  • For OSB, the same option is available on the proxy services.
  • To test this web service, pass a WSSE header containing the username and password that were created during user/key creation.
