Tuesday, April 30, 2013

REST Security (SAML vs. OAuth) in SOA 11g / OSB 11g – Part 1



                    OWSM currently does not support REST security. Oracle plans to add it in the upcoming 11g PS6 (11.1.1.7) and 12c releases.

SAML vs. OAuth in REST

In terms of SAML vs. OAuth: OAuth has more buzz and is the prevalent choice for REST, but the answer depends on the use case. For simple identity propagation it is better to use SAML, which OWSM supports.
OAuth is better suited to cases where the caller's password must not be propagated at all. In OAuth 1.0 the client signs each request with a shared secret (HMAC-SHA1 by default) and sends only the signature, a nonce and a timestamp; the secret itself never goes over the wire. The recipient recomputes the signature over the HTTP method, the URL and the request parameters, which lets it verify both that the request came from a holder of the secret and that its content was not changed in transit. Note that this applies to OAuth 1.0-style request signing: OAuth 2.0 bearer tokens are not signed and rely entirely on TLS to protect the token.

         In today's Service Bus product, security for a RESTful API is provided only at the transport level (SSL). From 11.1.1.7 (PS6) onward, OWSM transport policies can also be applied to non-WSDL services (i.e. RESTful APIs).
Service Bus also has a custom token capability that a few customers use for proprietary tokens on RESTful APIs, in lieu of OAuth (read more here:).

So on the current release the only option for OAuth is a custom mechanism implemented in Java; I will cover that implementation in the coming articles.
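The request-signing scheme described above, written out as an added example and not the author's Java implementation or anything from the OSB product: a client signs a request the OAuth 1.0 / RFC 5849 way with HMAC-SHA1, and a server verifies it from its own stored copy of the secret, so the secret is never transmitted. The consumer key, secret, URL and parameters are constructed for the example, and the 300-second replay window is an assumption.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(value):
    """RFC 5849 percent-encoding: everything except ALPHA / DIGIT / - . _ ~ is escaped."""
    return quote(str(value), safe="-._~")


def normalize_params(params):
    """Encode, sort by key then value, and join as k=v&k=v (RFC 5849 section 3.4.1.3)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in pairs)


def base_string(method, base_url, params):
    """Signature base string: METHOD & enc(url) & enc(normalized params)."""
    return "&".join([method.upper(), pct(base_url), pct(normalize_params(params))])


def hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with enc(consumer_secret)&enc(token_secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, base_url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, base_url, params, consumer_key, consumer_secret,
                 token="", token_secret="", nonce=None, timestamp=None):
    """Client side: the oauth_* parameters to send (e.g. in the Authorization header).

    The secrets are used only to compute the signature; they never leave the client."""
    oauth = [
        ("oauth_consumer_key", consumer_key),
        ("oauth_nonce", nonce or secrets.token_hex(8)),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp if timestamp is not None else int(time.time()))),
        ("oauth_version", "1.0"),
    ]
    if token:
        oauth.append(("oauth_token", token))
    sig = hmac_sha1_signature(method, base_url, list(params) + oauth, consumer_secret, token_secret)
    return dict(oauth, oauth_signature=sig)


class Verifier:
    """Server side: recompute the signature from the stored secrets and check freshness."""

    def __init__(self, consumer_secrets, token_secrets=None, max_skew=300, now=time.time):
        self.consumer_secrets = consumer_secrets   # consumer_key -> consumer_secret
        self.token_secrets = token_secrets or {}   # oauth_token -> token_secret
        self.max_skew = max_skew                   # seconds of clock drift tolerated (assumed 300)
        self.now = now                             # injectable clock, for tests
        self.seen = set()                          # (key, token, timestamp, nonce) already accepted

    def verify(self, method, base_url, params, oauth):
        key = oauth.get("oauth_consumer_key")
        secret = self.consumer_secrets.get(key)
        if secret is None or oauth.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        token = oauth.get("oauth_token", "")
        token_secret = self.token_secrets.get(token, "") if token else ""
        if token and not token_secret:
            return False
        # Freshness first: stale timestamps and re-used nonces are rejected before any crypto.
        nonce = oauth.get("oauth_nonce")
        try:
            ts = int(oauth["oauth_timestamp"])
        except (KeyError, ValueError):
            return False
        if not nonce or abs(self.now() - ts) > self.max_skew:
            return False
        replay_key = (key, token, ts, nonce)
        if replay_key in self.seen:
            return False
        # Recompute over exactly what the client signed: all oauth_* params except the signature.
        signed = [(k, v) for k, v in oauth.items() if k != "oauth_signature"]
        expected = hmac_sha1_signature(method, base_url, list(params) + signed, secret, token_secret)
        if not hmac.compare_digest(expected, oauth.get("oauth_signature", "")):
            return False
        self.seen.add(replay_key)
        return True


# Constructed demo data (not from the page): a consumer credential and one request to sign.
CONSUMER_KEY, CONSUMER_SECRET = "geo-consumer", "kd94hf93k423kf44"
URL = "http://geo.com/api/orders"
PARAMS = [("resource", "orders"), ("id", "42")]

if __name__ == "__main__":
    hdr = sign_request("GET", URL, PARAMS, CONSUMER_KEY, CONSUMER_SECRET)
    v = Verifier({CONSUMER_KEY: CONSUMER_SECRET})
    print("valid:", v.verify("GET", URL, PARAMS, hdr))
    print("replay:", v.verify("GET", URL, PARAMS, hdr))
```

Rejecting stale timestamps and re-used nonces before recomputing the signature is what turns a signature check into replay protection; without it a captured request stays valid for as long as the secret does. The comparison goes through hmac.compare_digest so that a forged signature cannot be confirmed byte by byte through timing differences.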

Wednesday, April 24, 2013

OSB11g –Adding OWSM Policy to OSB from Eclipse in case OWSM store is not accessible




If Eclipse cannot reach the OWSM policy store to fetch the policies, the workaround is to add the security policy entries manually from the back end by editing the .proxy file.



Eclipse generated Proxy Service

<xml-fragment xmlns:ser="http://www.bea.com/wli/sb/services" xmlns:tran="http://www.bea.com/wli/sb/transports" xmlns:env="http://www.bea.com/wli/config/env" xmlns:http="http://www.bea.com/wli/sb/transports/http" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:con="http://www.bea.com/wli/sb/pipeline/config" xmlns:con1="http://www.bea.com/wli/sb/stages/logging/config" xmlns:con2="http://www.bea.com/wli/sb/stages/config" xmlns:con3="http://www.bea.com/wli/sb/stages/routing/config" xmlns:con4="http://www.bea.com/wli/sb/stages/transform/config" >
  <ser:coreEntry isProxy="true" isEnabled="true">
    <ser:binding type="SOAP" isSoap12="false" xsi:type="con:SoapBindingType" xmlns:con="http://www.bea.com/wli/sb/services/bindings/config">
      <con:wsdl ref="GeoDownload/WSDL/v1/GeoService"/>
      <con:binding>
        <con:name>GeoServiceBinding</con:name>
        <con:namespace>http://geo.com/wsdl/download/v1.0</con:namespace>
      </con:binding>
      <con:selector type="SOAP body"/>
    </ser:binding>
    <ser:monitoring isEnabled="false">
      <ser:aggregationInterval>10</ser:aggregationInterval>
      <ser:pipelineMonitoringLevel>Pipeline</ser:pipelineMonitoringLevel>
    </ser:monitoring>
    <ser:reporting>true</ser:reporting>
    <ser:logging isEnabled="true">
      <ser:logLevel>debug</ser:logLevel>
    </ser:logging>
    <ser:sla-alerting isEnabled="true">
      <ser:alertLevel>normal</ser:alertLevel>
    </ser:sla-alerting>
    <ser:pipeline-alerting isEnabled="true">
      <ser:alertLevel>normal</ser:alertLevel>
    </ser:pipeline-alerting>
    <ser:ws-policy>
      <ser:binding-mode>owsm-policy-bindings</ser:binding-mode>
    </ser:ws-policy>
  </ser:coreEntry>




Message Level Security Configuration



To add OWSM Security Policy to Proxy Service

Add the following to the proxy file to attach the policy to the SOAP proxy service: the con5 namespace declaration on the root element, the ser:security block with con5:inboundWss, and the ser:policies block under ser:ws-policy.

<xml-fragment xmlns:ser="http://www.bea.com/wli/sb/services" xmlns:tran="http://www.bea.com/wli/sb/transports" xmlns:env="http://www.bea.com/wli/config/env" xmlns:http="http://www.bea.com/wli/sb/transports/http" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:con="http://www.bea.com/wli/sb/pipeline/config" xmlns:con1="http://www.bea.com/wli/sb/stages/logging/config" xmlns:con2="http://www.bea.com/wli/sb/stages/config" xmlns:con3="http://www.bea.com/wli/sb/stages/routing/config" xmlns:con4="http://www.bea.com/wli/sb/stages/transform/config" xmlns:con5="http://www.bea.com/wli/sb/services/security/config">
  <ser:coreEntry isProxy="true" isEnabled="true">
     <ser:security>
      <con5:inboundWss processWssHeader="true"/>
    </ser:security>
    <ser:binding type="SOAP" isSoap12="false" xsi:type="con:SoapBindingType" xmlns:con="http://www.bea.com/wli/sb/services/bindings/config">
      <con:wsdl ref="GeoDownload/WSDL/v1/GeoService"/>
      <con:binding>
        <con:name>GeoServiceBinding</con:name>
        <con:namespace>http://geo.com/wsdl/download/v1.0</con:namespace>
      </con:binding>
      <con:selector type="SOAP body"/>
    </ser:binding>
    <ser:monitoring isEnabled="false">
      <ser:aggregationInterval>10</ser:aggregationInterval>
      <ser:pipelineMonitoringLevel>Pipeline</ser:pipelineMonitoringLevel>
    </ser:monitoring>
    <ser:reporting>true</ser:reporting>
    <ser:logging isEnabled="true">
      <ser:logLevel>debug</ser:logLevel>
    </ser:logging>
    <ser:sla-alerting isEnabled="true">
      <ser:alertLevel>normal</ser:alertLevel>
    </ser:sla-alerting>
    <ser:pipeline-alerting isEnabled="true">
      <ser:alertLevel>normal</ser:alertLevel>
    </ser:pipeline-alerting>
    <ser:ws-policy>
      <ser:binding-mode>owsm-policy-bindings</ser:binding-mode>
     <ser:policies>
        <ser:service-policy>
          <ser:owsm-policy-ref ID="geo/security/GeoCustomAuth"/>
        </ser:service-policy>
      </ser:policies>
    </ser:ws-policy>
  </ser:coreEntry>

After editing the .proxy file reload the file in eclipse.



Modified Message Level Security Configuration

The Process WS-Security Header value will now show as Yes.


Check the Service Policy Configuration tab to see the Policy assigned to the Service.
That’s it.
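The manual edit above can be scripted when many .proxy files need the same policy. This added example (not from the page, Eclipse or the OSB product) uses Python's ElementTree to add the ser:security/con5:inboundWss flag and the owsm-policy-ref idempotently, and to audit a proxy afterwards so you can confirm the policy is really attached. The sample proxy is a trimmed copy of the Eclipse-generated fragment above, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

SER = "http://www.bea.com/wli/sb/services"
SEC = "http://www.bea.com/wli/sb/services/security/config"
BIND = "http://www.bea.com/wli/sb/services/bindings/config"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
NS = {"ser": SER, "con5": SEC}

# Prefixes that appear inside attribute values (xsi:type="con:SoapBindingType") must be
# registered, otherwise ElementTree would re-derive them and break those references.
for prefix, uri in {"ser": SER, "con5": SEC, "con": BIND, "xsi": XSI}.items():
    ET.register_namespace(prefix, uri)

# Trimmed version of the page's Eclipse-generated proxy, constructed for this example.
SAMPLE_PROXY = """<xml-fragment xmlns:ser="http://www.bea.com/wli/sb/services"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ser:coreEntry isProxy="true" isEnabled="true">
    <ser:binding type="SOAP" isSoap12="false" xsi:type="con:SoapBindingType"
        xmlns:con="http://www.bea.com/wli/sb/services/bindings/config">
      <con:wsdl ref="GeoDownload/WSDL/v1/GeoService"/>
      <con:binding>
        <con:name>GeoServiceBinding</con:name>
        <con:namespace>http://geo.com/wsdl/download/v1.0</con:namespace>
      </con:binding>
      <con:selector type="SOAP body"/>
    </ser:binding>
    <ser:ws-policy>
      <ser:binding-mode>owsm-policy-bindings</ser:binding-mode>
    </ser:ws-policy>
  </ser:coreEntry>
</xml-fragment>"""


def _core_entry(root):
    core = root.find("ser:coreEntry", NS)
    if core is None:
        raise ValueError("no ser:coreEntry: not a proxy service definition")
    return core


def audit_proxy(xml_text):
    """Return (processWssHeader enabled?, [attached OWSM policy IDs]) for one .proxy file."""
    core = _core_entry(ET.fromstring(xml_text))
    wss = core.find("ser:security/con5:inboundWss", NS)
    enabled = wss is not None and wss.get("processWssHeader") == "true"
    refs = core.findall("ser:ws-policy/ser:policies/ser:service-policy/ser:owsm-policy-ref", NS)
    return enabled, [r.get("ID") for r in refs]


def core_children(xml_text):
    """Local names of the coreEntry children, in document order (to check element order)."""
    return [child.tag.split("}")[-1] for child in _core_entry(ET.fromstring(xml_text))]


def apply_owsm_policy(xml_text, policy_id):
    """Add the inboundWss flag and an owsm-policy-ref to a .proxy file; safe to run twice."""
    root = ET.fromstring(xml_text)
    core = _core_entry(root)
    wsp = core.find("ser:ws-policy", NS)
    mode = None if wsp is None else wsp.findtext("ser:binding-mode", namespaces=NS)
    if mode != "owsm-policy-bindings":
        raise ValueError("proxy must use owsm-policy-bindings, found %r" % mode)
    # ser:security goes first in coreEntry, ahead of ser:binding, as in the page's fragment.
    sec = core.find("ser:security", NS)
    if sec is None:
        sec = ET.Element(f"{{{SER}}}security")
        core.insert(0, sec)
    wss = sec.find("con5:inboundWss", NS)
    if wss is None:
        wss = ET.SubElement(sec, f"{{{SEC}}}inboundWss")
    wss.set("processWssHeader", "true")
    policies = wsp.find("ser:policies", NS)
    if policies is None:
        policies = ET.SubElement(wsp, f"{{{SER}}}policies")
    svc = policies.find("ser:service-policy", NS)
    if svc is None:
        svc = ET.SubElement(policies, f"{{{SER}}}service-policy")
    if policy_id not in {r.get("ID") for r in svc.findall("ser:owsm-policy-ref", NS)}:
        ET.SubElement(svc, f"{{{SER}}}owsm-policy-ref", ID=policy_id)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit_proxy(SAMPLE_PROXY))
    patched = apply_owsm_policy(SAMPLE_PROXY, "geo/security/GeoCustomAuth")
    print("after: ", audit_proxy(patched))
```

ElementTree rewrites the namespace declarations when it serialises, so any prefix that is referenced inside an attribute value (xsi:type="con:SoapBindingType") must be registered as above or the reference silently breaks. Diff the rewritten file against the original and reload it in Eclipse, as the post says, before checking it in.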

Tuesday, April 16, 2013

Passing custom soap headers in Invoke activity -SOA 11g


I had created a custom SOAP header to be passed in with the request. While testing the service invocation with this SOAP security header, the invocation failed because the header was not being passed properly. There is an issue with the BPEL-generated code for assigning the SOAP header on an Invoke, so you need to change the header variable attribute name manually to get it working.
I used a SOA PS4 environment.


<soapenv:Header>
  <geosec:UserTokenHeader soapenv:mustUnderstand="1" xmlns:geosec="http://geo.com/geo-security">
    <geosec:UserSessionToken>xxxxxxxxxxxxx</geosec:UserSessionToken>
    <geosec:TokenUserName>geotho</geosec:TokenUserName>
    <geosec:ConsumerSystemId>MySystem</geosec:ConsumerSystemId>
  </geosec:UserTokenHeader>
</soapenv:Header>

Add a SOAP header using the invoke Headers tab.


BPEL generated code
<invoke name="invokeStartSOAPProcess"
        partnerLink="StartSOAPProcessService"
        portType="ns17:StartSOAPProcessServicePType"
        operation="startSOAPProcess"
        inputVariable="startSOAPProcessMsgVar"
        outputVariable="startSOAPProcessResponseMsgVar"
        bpelx:invokeAsDetail="no"
        bpelx:headerVariable="SecurityHeader"/>

Change headerVariable to inputHeaderVariable: on an invoke the request and response headers are carried by bpelx:inputHeaderVariable and bpelx:outputHeaderVariable, while bpelx:headerVariable is the attribute used on receive and reply activities.

  Working code
<invoke name="invokeStartSOAPProcess"
        partnerLink="StartSOAPProcessService"
        portType="ns17:StartSOAPProcessServicePType"
        operation="startSOAPProcess"
        inputVariable="startSOAPProcessMsgVar"
        outputVariable="startSOAPProcessResponseMsgVar"
        bpelx:invokeAsDetail="no"
        bpelx:inputHeaderVariable="SecurityHeader"/>


Thursday, April 11, 2013

Runtime invocation failing with .__OAUX_GENXSD_.TOP.XSD error / duplicate elements in XSD



Recently I was working on a BPEL process with multiple service invocations, and my job was to enhance it by adding some OSB invocations. When I started modifying the code for the new service invocations and the WSDL changes, the process stopped compiling with the .__OAUX_GENXSD_.TOP.XSD error. It looked a bit odd. The main cause was a set of shared XSDs: some services included them, some imported them, and some had different XSD implementations for the same namespace. After consolidating the included schemas with the existing ones, the process compiled again.
The biemond blog was helpful. 
The problem I then faced was that when I started testing with the endpoint location replaced at runtime, it failed with the same .__OAUX_GENXSD_.TOP.XSD error. This was new to me; I had assumed it would go through, since all the WSDLs are looked up at compile time and each invocation is different. That is not the case, so I finally had to tweak the abstract WSDL to make it concrete (by adding service tags), along with composite.xml and the config plan used for deployment.
Error stacktrace
Exception: Can not build schema 'http://geo.com/commons/schema/type' located at 'http://geo.com/commons/schema/type.__OAUX_GENXSD_.TOP.XSD' [Cause=Can not build schema 'http://geo.com/commons/schema/type' located at 'http://geo.com/commons/schema/type.__OAUX_GENXSD_.TOP.XSD']

Reference WSDL (named in the location attribute of composite.xml)
Add service tags to the WSDL definitions with a dummy address, which can be updated during deployment.

composite.xml
Add the property endpointURI on the reference; it will hold the runtime URI (without the ?wsdl).

Deployment plan (SOA config plan)
In the deployment plan, do not change the location attribute to the runtime location; keep it pointing at your local WSDL. Update the endpointURI property to the environment-specific URI.
Add a separate search/replace for the WSDL and update the location value in it to the environment-specific URI.
The environment is 11g PS4.
Hope it helps.