{"id":1498,"date":"2010-02-01T20:16:04","date_gmt":"2010-02-02T00:16:04","guid":{"rendered":"http:\/\/onlineappsdba.com\/index.php\/2010\/02\/01\/overview-of-securing-web-services-in-fusion-middleware-11g-soa-adf-webcenter\/"},"modified":"2014-03-02T15:26:53","modified_gmt":"2014-03-02T19:26:53","slug":"overview-of-securing-web-services-in-fusion-middleware-11g-soa-adf-webcenter","status":"publish","type":"post","link":"https:\/\/onlineappsdba.com\/index.php\/2010\/02\/01\/overview-of-securing-web-services-in-fusion-middleware-11g-soa-adf-webcenter\/","title":{"rendered":"Overview of Securing Web Services in Fusion Middleware 11g (SOA \/ ADF \/ WebCenter)"},"content":{"rendered":"

This post covers basic concepts around securing web services in Fusion Middleware <\/strong>11g. If you are administrator<\/strong> or developer, <\/strong>working on Fusion Middleware\u00a0(and developing\/managing web services)\u00a0then you may find this post useful (This post covers conceptual points around web services security. For detailed steps and advanced topics stay tuned to this blog)<\/p>\n

1) <\/strong>WebServices in Fusion Middleware (FMW) 11g are classified in two categories<\/strong>
\na) <\/strong>WebLogic Web Service – Java EE webservices
\nb) <\/strong>SOA, ADF and WebCenter Services<\/p>\n

2) <\/strong>Depending on kind of Webservices (mentioned above), webservices in FMW are protected by
\na)<\/strong> Oracle Web Services Manager (OWSM) Policy<\/strong>– for SOA, ADF and WebCenter Services
\nb)<\/strong> Oracle WebLogic Web Service Policy<\/strong>– for WebLogic Web Services<\/p>\n

3) <\/strong>Depending on kind of Webservices (mentioned above), administrators can protect webservices using
\na) <\/strong>Fusion Middleware Control (\/em) – “SOA, ADF and WebCenter Services<\/strong>” or “WebLogic Web Service<\/strong>”
\nb) <\/strong>WebLogic Scripting Tool (WLST) – “SOA, ADF and WebCenter Services<\/strong>”
\nc) <\/strong>Oracle WebLogic Console (\/console) – “WebLogic Web Service<\/strong>”<\/p>\n

4)<\/strong> Security in Web Services can be implemented at
\na) Transport Level<\/strong> – by implementing SSL to access Web Service, to protect communication channel between Web Service Consumer and Provider
\nb)<\/strong> Message Level or Application Level<\/strong> – by implementing XML Encryption, XML signature. To know more read WS-Security<\/a> which defines how to attach XML signature<\/strong> or XML Encryption headers<\/strong>.<\/p>\n

5.<\/strong>Tool used in Oracle Fusion Middleware (FMW) to protect Web Services around FMW components (SOA Suite, WebCenter Suite and Application Development Framework (ADF)) is Oracle Web Services Manager (OWSM)<\/strong><\/p>\n

To know more about OWSM in 10g click here<\/a>\u00a0or for OWSM in 11g click here<\/a><\/p>\n

6.<\/strong> Role of OWSM <\/strong>(O<\/strong>racle W<\/strong>eb S<\/strong>ervices M<\/strong>anager)
\na) at Client Side<\/strong> – OWSM intercepts SOAP message request to service and
\ni) Injects relevant tokens<\/strong>(username, group and other information) – depending on policy defined to protect webservice
\nii) Signs Encrypt message<\/strong>– – depending on policy defined to protect webservice<\/p>\n

b) at Server side<\/strong> – OWSM intercepts SOAP message request to service and
\ni) Extracts relevant tokens<\/strong>
\nii) Verifies client’s credentials<\/strong>against Identity Management Solution (OID, Oracle Access Manager) or WebLogic’s default LDAP server.<\/p>\n

7. <\/strong>OWSM Architecture includes – Enterprise Manager Fusion Middleware Control, OWSM Policy Manager, OWSM Agent, Policy Interceptors, Metadata Store and Database<\/p>\n

More on OWSM in 11g and changes from 10g OWSM to 11g OWSM\u00a0 in future posts !!<\/span><\/p>\n

8. For authentication and authorization<\/strong> – Policy Enforcement Point (PEP – Part of OWSM) leverages OPSS <\/strong>(Orale Platform Security Services) Login Module<\/strong>and WebLogic Server Security Authenticator.<\/p>\n

More on OPSS\u00a0coming soon !!!<\/span><\/p>\n

9. Policy Assertions<\/strong>– is smallest unit of policy that performs specific action for request and response .<\/p>\n

10. Policy<\/strong> – consists of one or more policy assertions<\/strong>. Policy describe capabilities and requirement of web service like how a message must be secured, whether and how a message must be delivered reliably etc..<\/p>\n

11. <\/strong>Policy in Oracle Fusion Middleware 11g could be of following types<\/p>\n

i) WS-Reliable Messaging<\/strong> – Guaranteed delivery of SOAP message, and can maintain order of sequence of messages more here<\/a>
\nii) Management –<\/strong> Log request, response and fault to a message log
\niii) WS-Addressing<\/strong> – Policies that verify that SOAP messages include WS-Addressing headers in conformance with the WS-Addressing specification here<\/a>
\niv) Security<\/strong>– security policy that implements WS-Security 1.0 and 1.1 . These type of policy enfoces message protection
\nv) Message Transmission Optimization Mechanism (MTOM)<\/strong> – Binary content (like images) can be sent as MIME attachment, which reduces transmission size . MTOM policy ensures that message is converted to MIME attachment before it is sent to Web Service or Client.<\/p>\n

.<\/p>\n

References<\/span><\/strong><\/p>\n