Ok. Recently I have been working on Web Service Security.
My web services are running on Oracle Enterprise Manager Fusion Middleware Control.
The security part has the following break down:
1) Authentication
Whether the service consumer is a trusted one. I am using the username-token to achieve this.
2) Authorization
In this case the service consumer is trusted. However it may not have the right to invoke the particular web service operation.
3) Transport Layer Security
TLS or SSL is generally used for transport layer protection. The idea is to encrypt every data during the transmitting process. I am yet to implement this.And I am not sure if I really need to do this in my enterprise environment. The reason is our web services are in a secure network environment. Our service consumers are all internal applications. So I am not going to cover the detail for this part in this post.
Ok. What we need to know next is all the WS-* stuff. This could take some time for you to read. And along the reading process you might get even more confusion. So I will tell you what not to be confused here, as follows:
WS-Policy VS WS-Security. WS-Policy and WS-Security are two different entities. WS-Policy is a Language, whereas WS-Security is a Conceptual Framework.
Next we are going into the technical detail. Diagrams are not available because I am lazy to remove all the sensitive company and application name:
Scenario:
Create two users to call a particular web service and to invoke different service operations respectively.
1) You need to be aware, that for Oracle Enterprise Manager Fusion Middleware Control, the "User and Group" setup are controlled by Oracle Weblogic. The whole Oracle Enterprise Manager itself is running on Oracle Weblogic. So we are going to access two different "Portals", one is the Oracle Weblogic Administrative Console and another one is the Oracle Enterprise Manager.
2) Now our first step is to create a new user. Go to Oracle Weblogic Administrative Console -> Security Realm -> User and Group. Create your user there. Very easy. Just fill in the blanks only.
3) I am not going to cover the "Group" because I want to keep this as simple as possible. Everything will be just "User". The "Group" is useful if you want to group different users into the same group and then instead of granting permission to multiple users you just need to grant permission to one group.
4) Now you don't need the Oracle Weblogic Administrative Console anymore. Close it kill it leave it fuck it. Our next focus is to login to the Oracle Enterprise Manager for the remaining steps.
5) I assume you have deployed your web service (to be exact, it is SOA composite exposed as a web service) using the Oracle Enterprise Manager.
6) Right click on your "domain" that hosts your SOA composite, you will see "Web Service" appearing in the context menu. Go there and look for your particular web service and click it to go to the detail page.
7) Go to the "policies" tab. Here you can attach any policies you like to your web service. In our case we should attach "oracle/binding_permission_authorization_policy" for Web Service Endpoint Authorization.
8) At the same tab, we must also attach a username token policy for "Authentication". Just attach any policy with the name username token. But of course you have to do this carefully.
9) Ok. we are done with the "Attaching Policy" now. Next, go to your "domain" again. Right click on your domain and you will see "application policies" and "application roles". Using the "application roles", you can create a "role" that can consists of multiple users or groups for easier management. In our case I will just skip the "application roles" to make things simple. So we will just go straight to the "application policies".
10) At the application policies, Create an Application Grant. choose the user that you set up at step 2 as your "Grantee".
11) At the same page again, there is a section for "permission". Put something as follows:
Permission Class - oracle.wsm.security.WSFunctionPermission
Resource Name - your web service NAMESPACE/service name. Remember, it's the namespace, not endpoint address.
Permission Actions - your web service operation
Done. Now the Authorization part is completed.
12) It is testing time now. I suggest you to create another user who is not granted any permission to the particular web service. In fact I successfully made two different users to access to the same one web service but each of them are only authorized to invoke one particular service operation.
13) Where do you pass the username and password? In your SOAP Header. Remember to include the below part in your SOAP message.