Wednesday, June 25, 2014

Secure Web Services using Oracle Enterprise Manager Fusion Middleware Control

Ok. Recently I have been working on Web Service Security.

My web services are running on Oracle Enterprise Manager Fusion Middleware Control.

The security part has the following breakdown:

1) Authentication
Whether the service consumer is who it claims to be. I am using the username token (the WS-Security UsernameToken) to achieve this.

2) Authorization
Here the service consumer has already been authenticated. However, it may still not have the right to invoke a particular web service operation.

3) Transport Layer Security
TLS (SSL is its older name) is the usual transport layer protection: it encrypts and integrity-protects the whole connection, so the SOAP message, including the username token in its header, cannot be read or altered in transit. I am yet to implement this, and I am not sure if I really need to do this in my enterprise environment. The reason is that our web services are in a secure network environment and our service consumers are all internal applications. So I am not going to cover the details of this part in this post. Bear in mind, though, that a username token with a plaintext password is readable by anything on the network path when there is no TLS, so skipping it rests entirely on that network staying trusted.

Ok. What we need to know next is all the WS-* stuff. This could take some time to read, and along the way you might get even more confused. So I will tell you here what not to be confused about:

WS-Policy vs. WS-Security. WS-Policy and WS-Security are two different specifications. WS-Policy is a language: an XML grammar for stating what a service requires or supports (for example, "requests must carry a username token"), and OWSM expresses its policies in it. WS-Security is the framework those requirements refer to: it defines how security tokens, signatures and encryption are carried in the SOAP header (the wsse:Security element).

Next we are going into the technical detail. Diagrams are not available because I am too lazy to remove all the sensitive company and application names:

Scenario:
Create two users that call the same web service and are each authorized to invoke a different service operation.

1) You need to be aware that for Oracle Enterprise Manager Fusion Middleware Control, the "Users and Groups" setup is controlled by Oracle WebLogic Server. Enterprise Manager itself runs on WebLogic. So we are going to use two different consoles: the Oracle WebLogic Administration Console and Oracle Enterprise Manager.

2) Our first step is to create a new user. Go to Oracle WebLogic Administration Console -> Security Realms -> your realm (usually myrealm) -> Users and Groups. Create your user there. Very easy. Just fill in the blanks.

3) I am not going to cover "Groups" because I want to keep this as simple as possible. Everything will be just "Users". A group is useful if you want to put different users into the same group and then, instead of granting permission to multiple users, grant permission to the one group.

4) Now you don't need the Oracle WebLogic Administration Console anymore. Close it, kill it, leave it, fuck it. Our next focus is to log in to Oracle Enterprise Manager for the remaining steps.

5) I assume you have deployed your web service (to be exact, a SOA composite exposed as a web service) using Oracle Enterprise Manager.

6) Right-click the "domain" that hosts your SOA composite and you will see "Web Services" in the context menu. Go there, look for your particular web service and click it to go to the detail page.

7) Go to the "Policies" tab. Here you can attach any policies you like to your web service. In our case we should attach "oracle/binding_permission_authorization_policy" for web service endpoint authorization. This policy performs a Java permission check (oracle.wsm.security.WSFunctionPermission) against the application policies we grant below, so on its own it denies everything.

8) On the same tab we must also attach a username token policy for "Authentication". OWSM ships several service policies with "username_token" in the name, and they differ in what else they demand from the client: oracle/wss_username_token_service_policy accepts a plaintext password over an unprotected transport, oracle/wss_username_token_over_ssl_service_policy additionally requires the request to arrive over SSL/TLS, and the oracle/wss10_... and oracle/wss11_..._username_token_with_message_protection_service_policy variants sign and encrypt the SOAP message itself. Pick the one that matches your transport decision above, and make sure the client attaches the corresponding client policy, otherwise the request is rejected before authentication even starts.

9) Ok, we are done with "Attaching Policy" now. Next, go to your "domain" again. Right-click your domain and you will see "Application Policies" and "Application Roles". Using "Application Roles", you can create a role that consists of multiple users or groups for easier management. In our case I will just skip "Application Roles" to keep things simple, so we go straight to "Application Policies".

10) Under Application Policies, create an Application Grant, choosing the user you set up in step 2 as the "Grantee".

11) On the same page there is a section for "Permissions". Put in something like the following:
Permission Class - oracle.wsm.security.WSFunctionPermission
Resource Name - your web service's target namespace followed by the service name (namespace/service name). Remember, it's the namespace, not the endpoint address.
Permission Actions - the web service operation(s) this grantee may invoke, comma-separated if there is more than one

Done. Now the Authorization part is completed.

12) It is testing time now. I suggest you create another user who is not granted any permission on the particular web service. In fact I successfully made two different users access the same web service, with each of them authorized to invoke only one particular service operation.

13) Where do you pass the username and password? In your SOAP header, inside a WS-Security UsernameToken. Remember to include the below part in your SOAP message.
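The following is an added example, not code from the post and not Oracle's OWSM implementation. It models what the two attached policies do (steps 7 to 11) and shows the UsernameToken header the client must send (step 13): the client builds a SOAP 1.1 envelope carrying a wsse:UsernameToken, the server verifies it and then checks the requested Body operation against a grant table shaped like WSFunctionPermission (resource name in the namespace/service form, actions = operation names). It goes beyond the post in one respect: besides the plaintext PasswordText form, it also handles the standard's PasswordDigest form, with the freshness and nonce-replay checks that form needs. The service namespace, the two users, their passwords and their grants are constructed assumptions.

```python
# Added example (not from the post or Oracle): a WS-Security UsernameToken
# round trip followed by an operation-level permission check.  The service
# namespace, users, passwords and grants below are constructed assumptions.
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = UTP + "#PasswordText"      # password sent as-is
PASSWORD_DIGEST = UTP + "#PasswordDigest"  # Base64(SHA-1(nonce + created + password))

SERVICE_NS = "http://xmlns.example.com/orders"  # assumed target namespace
RESOURCE = SERVICE_NS + "/OrderService"          # "namespace/service name", as in step 11
USERS = {"svc_reader": "Reader-Pass-1", "svc_canceller": "Cancel-Pass-2"}  # constructed accounts
# Grant table in the shape of WSFunctionPermission: resource -> grantee -> allowed actions
GRANTS = {RESOURCE: {"svc_reader": {"getOrder"}, "svc_canceller": {"cancelOrder"}}}


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_envelope(user, password, operation, digest=False, nonce=None, created=None):
    """Client side: SOAP 1.1 envelope whose header carries a wsse:UsernameToken."""
    if digest:
        nonce = nonce or os.urandom(16)
        created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        pw = (f'<wsse:Password Type="{PASSWORD_DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
              f'<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>'
              f'<wsu:Created>{created}</wsu:Created>')
    else:  # PasswordText: the password crosses the wire in the clear unless TLS protects the connection
        pw = f'<wsse:Password Type="{PASSWORD_TEXT}">{escape(password)}</wsse:Password>'
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<soapenv:Header><wsse:Security soapenv:mustUnderstand="1"><wsse:UsernameToken>'
            f'<wsse:Username>{escape(user)}</wsse:Username>{pw}'
            f'</wsse:UsernameToken></wsse:Security></soapenv:Header>'
            f'<soapenv:Body><ns:{operation} xmlns:ns="{SERVICE_NS}"/></soapenv:Body></soapenv:Envelope>')


def authenticate(envelope, users=USERS, seen_nonces=None, now=None, max_skew=timedelta(minutes=5)):
    """Server side: verify the UsernameToken and return the username, or raise PermissionError."""
    root = ET.fromstring(envelope)
    tok = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if tok is None:
        raise PermissionError("no UsernameToken in header")
    user = tok.findtext(f"{{{WSSE}}}Username", "")
    pw_el = tok.find(f"{{{WSSE}}}Password")
    if user not in users or pw_el is None:
        raise PermissionError("unknown user or missing password")
    presented = (pw_el.text or "").encode()
    ptype = pw_el.get("Type", PASSWORD_TEXT)
    if ptype == PASSWORD_TEXT:
        ok = hmac.compare_digest(presented, users[user].encode())
    elif ptype == PASSWORD_DIGEST:
        nonce = base64.b64decode(tok.findtext(f"{{{WSSE}}}Nonce", ""))
        created = tok.findtext(f"{{{WSU}}}Created", "")
        try:
            ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            raise PermissionError("missing or malformed Created timestamp")
        if abs((now or datetime.now(timezone.utc)) - ts) > max_skew:
            raise PermissionError("Created timestamp outside freshness window")
        if seen_nonces is not None:  # replay cache: a nonce may be presented only once
            if nonce in seen_nonces:
                raise PermissionError("replayed nonce")
            seen_nonces.add(nonce)
        ok = hmac.compare_digest(presented, password_digest(nonce, created, users[user]).encode())
    else:
        raise PermissionError("unsupported password type " + ptype)
    if not ok:
        raise PermissionError("bad credentials for " + user)
    return user


def requested_operation(envelope):
    """Local name of the first Body child, i.e. the operation being invoked."""
    body = ET.fromstring(envelope).find(f"{{{SOAP}}}Body")
    first = next(iter(body), None) if body is not None else None
    return first.tag.split("}", 1)[-1] if first is not None else ""


def authorize(user, resource, operation, grants=GRANTS):
    """Operation-level check: is `operation` among the actions granted to `user` on `resource`?"""
    return operation in grants.get(resource, {}).get(user, set())


def invoke(envelope, seen_nonces=None, now=None):
    """The gate the two attached policies implement: authenticate, then authorize the operation."""
    user = authenticate(envelope, seen_nonces=seen_nonces, now=now)
    op = requested_operation(envelope)
    if not authorize(user, RESOURCE, op):
        raise PermissionError(f"{user} is not granted {op} on {RESOURCE}")
    return user, op


def decision(envelope, seen_nonces=None, now=None):
    """Wrapper returning 'ALLOW user:op' or 'DENY reason' instead of raising."""
    try:
        user, op = invoke(envelope, seen_nonces=seen_nonces, now=now)
        return f"ALLOW {user}:{op}"
    except PermissionError as e:
        return f"DENY {e}"


if __name__ == "__main__":
    print(decision(build_envelope("svc_reader", "Reader-Pass-1", "getOrder")))
    print(decision(build_envelope("svc_reader", "Reader-Pass-1", "cancelOrder")))
```

Running it reproduces the step 12 test: each constructed user gets ALLOW for its own operation and DENY for the other's, even though both authenticate. The PasswordText branch is the form the post's policy choice sends, and is exactly why the TLS decision in the first section matters; the PasswordDigest branch shows what it takes to avoid sending the password at all, and why that form still needs a timestamp window and a nonce cache to stop replays.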

Wednesday, April 9, 2014

My first Codenvy experience



Last year I asked Divine to give me a chance to learn cloud development, and recently my intention has manifested. Thanks, Divine! What happened was that I was given a short assignment to quickly build a web application that reads a CSV file and displays the data on a web page. The web application offers one function to the user: selecting a specific date to filter the CSV data.

The thing about Codenvy is that it puts everything in the CLOUD! What I like most is that the IDE itself is integrated with a lot of handy tools such as PaaS platforms and GitHub!

What you need to do is just sign up, then start coding! I picked up Spring MVC and jQuery in just one day! Imagine how this web IDE helped us pick up new skills fast! Of course, my strong foundation in JavaScript and Java also contributed to my fast learning.

Here are my views on using the Codenvy web IDE:

Pros
  1. The IDE is fully integrated with PaaS platforms and GitHub.
  2. Code from anywhere with Internet access and a browser! Your code will always be in the CLOUD!
  3. The IDE provides the appropriate directory structures and libraries with some sample code. This, plus the fully integrated environment, helps the developer avoid spending time setting up the coding environment.
Cons
  1. No auto-suggestion. If you are using a local IDE, you will find auto-suggestion helpful: you don't need to go back to the API docs to find out whether a certain variable or method is available on a certain class. You just type a dot and it pops up the selection list for you. Unfortunately Codenvy does not have this feature.
  2. You cannot print to the console. Somehow System.out.print does not work in Codenvy. You will not be able to see anything in the console if you use the System.out.print command.
  3. No instant compilation. Instant compilation is very important to a developer. I wasted a lot of time figuring out what was wrong with my code and causing the compilation error without the help of an instant compilation feature. I strongly suggest Codenvy include this feature in future because it is too important!
  4. You cannot use Call Hierarchy. Call Hierarchy is one of my favourite ways to understand a program flow easily! It is very helpful when the developer needs to troubleshoot the program.

Monday, March 31, 2014

Now I am serious about Design Pattern



I know it is kind of late. I have been writing programs following a code structure defined by some other team many years back, and somehow I never went to find out what the design patterns are.

As you all know, design patterns are meant to solve common programming problems concerning a program's structure, a program's behaviour and so on (the classic catalogue groups them as creational, structural and behavioural). I have studied all the design patterns before, but without really using them I do not really remember them much. The question is whether design patterns are really needed in the developer's environment.

Recently I found out that I actually did use design patterns without knowing it. LOL. What I can identify now is the Bridge Design Pattern, where in my code I created a lot of interfaces to group all the commonly used methods from different classes together. For a detailed explanation of the Bridge Design Pattern you may just read about it here ---> Bridge Design Pattern

In fact, I have also used the Factory Design Pattern. A factory centralizes object creation behind one method, so callers are decoupled from the concrete classes being created; when the factory also caches or pools the objects it hands out, it reduces the number of "instantiations" and with it the program's memory consumption. For details you may just read up on the Factory Design Pattern.

By the way, there is also something called an "Architectural Pattern". These are useful for higher-level, end-to-end solutions.