Security is a core concern when developing any service, just as it is for regular web applications. Services are also reusable and can be invoked by both internal and external customers, so you should secure your Service Bus Proxy Services so that only valid users can invoke them.
Service Bus is fully integrated with Oracle Web Services Manager (OWSM), which provides several out-of-the-box security policies. You can use any of these OWSM policies to secure your Proxy Services, depending on your requirements. In this post, you will use the oracle/wss_username_token_service_policy policy to secure a Proxy Service.
As a first step, you need to create the users who can invoke the service. Typically an organization keeps its users in an LDAP directory, and you have to configure one of the Authenticators in WebLogic Server to authenticate against LDAP. That configuration is not discussed in this post.
Creating User:
Log in to the Admin Console and click Security Realms in Domain Structure.
Click myrealm as shown below.
Navigate to Users by clicking the Users and Groups tab.
Click New and enter credentials as shown below.
Click OK. Observe that the new user has been created and can be used to invoke the Proxy Service.
Attaching OWSM Policy:
Open your Proxy Service. Navigate to the Policies tab and select the option as shown below.
Click the + icon in the Security section and select the policy oracle/wss_username_token_service_policy.
Click OK and observe that the selected policy now appears in the Security section.
You can also attach OWSM policies to a Proxy Service in sbconsole. Launch sbconsole and create a new session. Navigate to All Projects -> <<your project>> and open the Proxy Service to bring up a new tab as shown below.
Click Security and choose the option as shown below.
Click the Attach Policies icon (highlighted above), select the policy as shown below and click Attach.
Click OK and observe that the selected policy appears as shown below.
Save your changes in the current tab and activate the session.
Testing
You can use SOAP UI for testing. Create a test suite in SOAP UI using your Proxy Service WSDL. Refer to http://soapui.org for any additional help.
Open the request editor for any of your Proxy Service operations and paste the following into the SOAP header. This is the WS-Security header expected by the OWSM policy that is attached to the Proxy Service. Note the username and password fields below.
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:UsernameToken>
    <wsse:Username>UNAME1</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Welcome1</wsse:Password>
  </wsse:UsernameToken>
</wsse:Security>
Test using wrong credentials and observe that the output shows a security error.
Test using the credentials created in the previous section and observe the output.
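A scripted version of the SOAP UI test above, as an added example that is not part of the original post: it builds the same UsernameToken header with Python's standard library, refuses plain HTTP because the PasswordText type carries the password in the message as clear text, and extracts the SOAP fault from a rejected call. The function names, the sample fault and any endpoint URL you pass in are assumptions made for illustration; the fault text a real OWSM policy returns may differ.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
PW_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
ET.register_namespace("soapenv", SOAP)
ET.register_namespace("wsse", WSSE)

# Constructed sample of a rejected call (not captured from a real server).
SAMPLE_FAULT = (
    b'<soapenv:Envelope xmlns:soapenv="' + SOAP.encode() + b'"><soapenv:Body>'
    b'<soapenv:Fault><faultcode xmlns:wsse="' + WSSE.encode() + b'">'
    b'wsse:FailedAuthentication</faultcode>'
    b'<faultstring>constructed sample: authentication failed</faultstring>'
    b'</soapenv:Fault></soapenv:Body></soapenv:Envelope>')

def build_envelope(username, password, body_xml):
    """Wrap body_xml in a SOAP 1.1 envelope carrying the UsernameToken header."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{SOAP}}}mustUnderstand": "1"})
    token = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    # ElementTree escapes text, so characters like < or & cannot break the header.
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    ET.SubElement(token, f"{{{WSSE}}}Password", {"Type": PW_TEXT}).text = password
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="utf-8")

def parse_fault(response_xml):
    """Return (faultcode, faultstring) if the response is a SOAP fault, else None."""
    fault = ET.fromstring(response_xml).find(f"{{{SOAP}}}Body/{{{SOAP}}}Fault")
    if fault is None:
        return None
    return (fault.findtext("faultcode", "").strip(), fault.findtext("faultstring", "").strip())

def call_proxy(url, envelope, allow_plain_http=False):
    """POST the envelope; PasswordText is clear text, so require HTTPS by default."""
    if not url.lower().startswith("https://") and not allow_plain_http:
        raise ValueError("refusing to send a PasswordText token over plain HTTP")
    req = urllib.request.Request(url, data=envelope, headers={
        "Content-Type": "text/xml; charset=utf-8", "SOAPAction": '""'})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:  # SOAP faults normally arrive as HTTP 500
        return err.read()
```

Pass the bytes returned by call_proxy to parse_fault: None means the Proxy Service accepted the token, and a tuple gives the fault code and message to compare between the wrong-credentials and valid-credentials runs.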
Thanks Siva for the post. Is there any other way to send the username/password? We don’t want to include the password in the payload.
What other options do we have to secure web services apart from OWSM policies?
Thanks,
Sai.
Hey, when I try to attach a client policy to a Business Service, it doesn’t have any impact… the policy is not passed to the called web service and I get the response “Authentication required”, exactly as in the case when there is no policy attached at all.
Just adding the policy will not work; you should be using credentials from the credential store or add the policy to the proxy service. Get authenticated at the proxy service and make sure the same user is propagated to the business service as well.
Hi Siva,
Thank you for the post!
Could you please explain to us how to authorize users to access a specific proxy service?
For example, there are two users, 1. UserA and 2. UserB, defined in Security Realms, so in this case either of the credentials can be used to execute the proxy service, but in my case I need only UserB to access the proxy service. For this we have to log in to sbconsole, and under Security there will be ‘Message Access Control’; select UserB from the predicate list and save the session. Now only UserB’s credentials will be able to execute the proxy service.
But in OSB 12c I am not able to click on ‘Message Access Control’ or even ‘Transport Access Control’.
I am able to see the proxy service along with its operations under ‘Message Access Control’, but if I click on the proxy service nothing is enabled.
Kindly help me on this.
Any update from anyone?
Great work man
Siva, Nice Article,
Is there any way to get rid of the stack trace in the response and pass a nicer fault message?
We need to do fault handling in that case and override without using $fault contents. How are you doing it currently?
Thank you for this good article