Overview of Securing Web Services in Fusion Middleware 11g (SOA / ADF / WebCenter)

This post covers basic concepts around securing web services in Fusion Middleware 11g. If you are administrator or developer, working on Fusion Middleware (and developing/managing web services) then you may find this post useful (This post covers conceptual points around web services security. For detailed steps and advanced topics stay tuned to this blog)

1) WebServices in Fusion Middleware (FMW) 11g are classified in two categories
a) WebLogic Web Service – Java EE webservices
b) SOA, ADF and WebCenter Services

2) Depending on kind of Webservices (mentioned above), webservices in FMW are protected by
a) Oracle Web Services Manager (OWSM) Policy– for SOA, ADF and WebCenter Services
b) Oracle WebLogic Web Service Policy– for WebLogic Web Services

3) Depending on kind of Webservices (mentioned above), administrators can protect webservices using
a) Fusion Middleware Control (/em) – “SOA, ADF and WebCenter Services” or “WebLogic Web Service
b) WebLogic Scripting Tool (WLST) – “SOA, ADF and WebCenter Services
c) Oracle WebLogic Console (/console) – “WebLogic Web Service

4) Security in Web Services can be implemented at
a) Transport Level – by implementing SSL to access Web Service, to protect communication channel between Web Service Consumer and Provider
b) Message Level or Application Level – by implementing XML Encryption, XML signature. To know more read WS-Security which defines how to attach XML signature or XML Encryption headers.

5.Tool used in Oracle Fusion Middleware (FMW) to protect Web Services around FMW components (SOA Suite, WebCenter Suite and Application Development Framework (ADF)) is Oracle Web Services Manager (OWSM)

To know more about OWSM in 10g click here or for OWSM in 11g click here

6. Role of OWSM (Oracle Web Services Manager)
a) at Client Side – OWSM intercepts SOAP message request to service and
i) Injects relevant tokens(username, group and other information) – depending on policy defined to protect webservice
ii) Signs Encrypt message– – depending on policy defined to protect webservice

b) at Server side – OWSM intercepts SOAP message request to service and
i) Extracts relevant tokens
ii) Verifies client’s credentialsagainst Identity Management Solution (OID, Oracle Access Manager) or WebLogic’s default LDAP server.

7. OWSM Architecture includes – Enterprise Manager Fusion Middleware Control, OWSM Policy Manager, OWSM Agent, Policy Interceptors, Metadata Store and Database

More on OWSM in 11g and changes from 10g OWSM to 11g OWSM  in future posts !!

8. For authentication and authorization – Policy Enforcement Point (PEP – Part of OWSM) leverages OPSS (Orale Platform Security Services) Login Moduleand WebLogic Server Security Authenticator.

More on OPSS coming soon !!!

9. Policy Assertions– is smallest unit of policy that performs specific action for request and response .

10. Policy – consists of one or more policy assertions. Policy describe capabilities and requirement of web service like how a message must be secured, whether and how a message must be delivered reliably etc..

11. Policy in Oracle Fusion Middleware 11g could be of following types

i) WS-Reliable Messaging – Guaranteed delivery of SOAP message, and can maintain order of sequence of messages more here
ii) Management – Log request, response and fault to a message log
iii) WS-Addressing – Policies that verify that SOAP messages include WS-Addressing headers in conformance with the WS-Addressing specification here
iv) Security– security policy that implements WS-Security 1.0 and 1.1 . These type of policy enfoces message protection
v) Message Transmission Optimization Mechanism (MTOM) – Binary content (like images) can be sent as MIME attachment, which reduces transmission size . MTOM policy ensures that message is converted to MIME attachment before it is sent to Web Service or Client.



For more information on below topics stay tuned to this blog
– Default Policy (to protect web services in Oracle Fusion Middleware)
– How to create policy and attach to Web Service
– How to integrate OWSM (in 11g Fusion Middleware) with Oracle Internet Directory (LDAP server) for authentication

Share This Post with Your Friends over Social Media!

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Specialising in Design, Implement, and Trainings.

follow me on:

Leave a Comment:

Jagannadh says March 10, 2010

Hi. I have a Question? We are hosting WebLogic Web Service, is it possible to use OWSM security policies with them?

Jagannadh says March 11, 2010

Atul, Thanks for the response.

Request you to clarify below questions too.

1. Our Web Services are already developed so only way for us to use OWSM security piolicies are using Weblogic(10.3.1) admin. My question is if I introduce OWSM now will there be any problem to my existing services.

2.If I enfore security policy on server is it mandatory for me to generate client using “clientGen” ant task?

Thanks in advance.

Pavan says May 25, 2010


I have a process… in that i am calling a siebel service which is a secured one.
How can i call that service.
I did like … I enabled username token policy for that ands given username and password in binding properties.
I am getting Invalid session or expired error.

And more over i want to pass these credential dynamically… I mean i need to read from a property file and have to assign

How can I achive this.


uarulraj says March 1, 2011

How to implement saml token poilcy using JAX-ws webservice in Jdeveloper 11g.
i have to use this policy OWSM policies: oracle/wss10_saml_token_service_policy
Kindly give me an detail technical document on this

Rex says September 23, 2011

Lot of things have changed in jdeveloper 11g.. I am trying to learn how to protect a web services with a simple username/password using basic auth on message level. I am not able to find enough documentations on these. Can anybody kindly post a n step-by-step guide on how to accomplish this.


sinraj72 says April 9, 2012

Hi Atul,

I Would like to know How “User credentials” are communicated between Fusion middleware and backend applications, where OWSM is used. Is it transferreed in clear text and if yes how it can be secured or encrypted?

    Atul Kumar says April 9, 2012

    @ sinraj72,
    It all depends on how OWSM is used. If you are passing password with webservice then you can use SSL between webservice end points (webservice producer and consumer).

great tut 4 fusion middleware says November 2, 2012

fusion middleware seems good 4 mating webservices. IS There is any other middleware for web services?

satbir says March 13, 2013

I am calling fusion standard web service in my ADF custom form for capturing order.Is there some guide which can help in doing so.

günstig ferien machen says May 5, 2013

encountered your website on del.icio.us today and definitely liked it.
. I bookmarked it and are going to be back to find out it out some
a lot more later ..

Syreeta says May 9, 2016

Good writing . I loved the details – Does someone know if I can find a fillable VA SCC LLC-1050 example to use ?

love spell says September 22, 2017

What’s up,I read your blog named “Overview of Securing Web Services in Fusion Middleware 11g (SOA / ADF / WebCenter) – Oracle Trainings for Apps & Fusion DBA” like every week.Your story-telling style is awesome, keep up the good work! And you can look our website about love spell.

Add Your Reply

Not found