Introduction to Oracle Web Service Manager

Oracle Web Services Manager (OWSM) is a Web services security and management solution that provides a common security infrastructure for all Web service applications. It provides an out-of-the-box (readily available with the product) common security policies (such as authentication, authorization, message encryption, message signing, and so on). This helps us to implement security for web services quickly without interfering with service implementation.

OWSM is a component of SOA Suite. It provides centralized policy management for governing SOA interactions. It provides visibility and control of the policies through a centralized administration interface offered by Oracle Enterprise Manager.

Key Benefits

  • Establish trust – Build security and operation level policies that can be layered over new or existing applications and services.
  • Automate consumer management – Automate enforcement of contracts between consumer and provider to preserve business alignment.
  • Ensure service levels – Use dashboards to monitor policies as they execute, to ensure service levels and avoid potential problems.
  • Minimize compliance risk – Centralize creation and management of policies and apply anywhere.
  •  Policies can be attached and detached at runtime by the administrators.

What is OWSM Repository

  • Oracle Web Services Manager (WSM) uses an MDS repository to store OWSM metadata, such as policies, assertion templates, and policy usage data.
  • OWSM Repository is available as a database (for production use) or as files in the file system (for development use in JDeveloper).

Custom OWSM Policy & Example Implementation

We can implement custom policies when out of the box policies don’t meet our needs. This blog describes how to develop a simple custom policy to demonstrate the capability.  Depending on the type and configuration of the policy, they can be triggered at different levels and perform different tasks. These policies do not interfere with the internals of a core service. A Policy can be composed of a number of “Assertions”. Typically, you will have at least one Assertion in a Policy.

This example, IP Address Validation Custom Assertion Policy, validates whether a request that is made to the Web service is from a set of valid IP addresses.

To make it simple, I am keeping the list of IP address as comma separated value in the policy. Any request coming from other IP address results in a FAILED_CHECK response.

The steps described in this blog to create and put the custom policy into action are:

  • Create Custom Policy:

            Custom Assertion Executor Class

            Policy Executor XML File

            Policy Configuration XML File

  •   Deploy & Import Policy Artifacts to Fusion Middleware Runtime platform
  •   Attach Policies to services
  •   Check the results produced by the policy attachment

Custom Assertion Executor Class

Create java class which Implements oracle.wsm.policyengine.impl.AssertionExecutor..

Implement the custom assertion executor method to validate the IP addresses (logic of your policy assertion).

When building the custom assertion executor, you will need wsm-policy-core.jar, wsm-agent-core.jar in your classpath which are located at oracle_common/modules/oracle.wsm.common_12.1.3 for 12.1.3 version and for 12.2.1 at oracle_common/modules/oracle.wsm.common.

Please refer the Oracle blog for more information.

Example Custom Assertion Executor:

package fd.custom.owsmcustompolicy;

import oracle.wsm.common.sdk.IContext;
import oracle.wsm.common.sdk.IMessageContext;
import oracle.wsm.common.sdk.IResult;
import oracle.wsm.common.sdk.Result;
import oracle.wsm.common.sdk.WSMException;
import oracle.wsm.policy.model.IAssertion;
import oracle.wsm.policy.model.IAssertionBindings;
import oracle.wsm.policy.model.IConfig;
import oracle.wsm.policy.model.IPropertySet;
import oracle.wsm.policy.model.ISimpleOracleAssertion;
import oracle.wsm.policy.model.impl.SimpleAssertion;
import oracle.wsm.policyengine.IExecutionContext;
import oracle.wsm.policyengine.impl.AssertionExecutor;

public class CustomPolicyAssertion
  extends AssertionExecutor
{
  public CustomPolicyAssertion()
  {
    super();
  }

  @Override
  public IResult execute(IContext Context)
    throws WSMException
  {
    try
    {
      //Retrieve Plociy bindings from Policy File
      IAssertionBindings bindings = ((SimpleAssertion) (this.assertion)).getBindings();
      //Get Plociy Config name from Policy File
      IConfig config = bindings.getConfigs().get(0);
      //Get Property set name of policy
      IPropertySet propertyset = config.getPropertySets().get(0);
      String valid_ips = propertyset.getPropertyByName("valid_ips").getValue();
      String ipAddr = ((IMessageContext) Context).getRemoteAddr();
      IResult result = new Result();
      if (valid_ips != null && valid_ips.trim().length() > 0)
      {
        String[] valid_ips_array = valid_ips.split(",");
        boolean isPresent = false;
        for (String valid_ip: valid_ips_array)
        {
          if (ipAddr.equals(valid_ip.trim()))
          {
            isPresent = true;
          }
        }
        if (isPresent)
        {
          result.setStatus(IResult.SUCCEEDED);
        }
        else
        {
          result.setStatus(IResult.FAILED);
          result.setFault(new WSMException(WSMException.FAULT_FAILED_CHECK));
        }
      }
      else
      {
        result.setStatus(IResult.SUCCEEDED);
      }
      return result;
    }
    catch (Exception e)
    {
      throw new WSMException(WSMException.FAULT_FAILED_CHECK, e);
    }
  }
  //The init() method is invoked by the OWSM framework whenever the configuration of the policy attachment is updated (i.e. its property values are changed).
  @Override
  public void init(IAssertion assertion, IExecutionContext econtext, IContext Context)
    throws WSMException
  {
    this.assertion = assertion;
    this.econtext = econtext;

  }

  public oracle.wsm.policyengine.IExecutionContext getExecutionContext()
  {
    return this.econtext;
  }

  public boolean isAssertionEnabled()
  {
    //return policy enforce value
    return ((ISimpleOracleAssertion) this.assertion).isEnforced();
  }

  public String getAssertionName()
  {
    return this.assertion.getQName().toString();
  }

  @Override
  public void destroy()
  {
  }

  public oracle.wsm.common.sdk.IResult postExecute(oracle.wsm.common.sdk.IContext p1)
  {
    IResult result = new Result();
    result.setStatus(IResult.SUCCEEDED);
    return result;
  }

}

Policy Executor File

Create the custom policy file to define the bindings for and configure the custom assertion.
<?xml version = '1.0' encoding = 'UTF-8'?>
<wsp:Policy xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy" orawsp:status="enabled"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" orawsp:category="security"
            orawsp:attachTo="binding.server" wsu:Id="ip_assertion_policy" xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            wsp:Name="oracle/ip_assertion_policy">
  <orasp:ipAssertion orawsp:Silent="true" orawsp:Enforced="true" orawsp:name="WSSecurity IpAssertion Validator" orawsp:category="security/authentication">
    <orawsp:bindings>
      <orawsp:Implementation>fd.custom.owsmcustompolicy.CustomPolicyAssertion</orawsp:Implementation>
      <orawsp:Config orawsp:name="ipassertion" orawsp:configType="declarative">
        <orawsp:PropertySet orawsp:name="valid_ips">
          <orawsp:Property orawsp:name="valid_ips" orawsp:type="string" orawsp:contentType="constant">
            <orawsp:Value>10.48.0.161</orawsp:Value>
          </orawsp:Property>
        </orawsp:PropertySet>
      </orawsp:Config>
    </orawsp:bindings>
  </orasp:ipAssertion>
</wsp:Policy>

Policy Configuration XML File (Policy-Config.xml)

Create a policy-config.xml file that defines an entry for the new assertion and associates it with its custom assertion executor. You also need to specify the custom assertion executor class in the configuration file.

<?xml version="1.0" encoding="UTF-8"?>
<policy-config>
  <policy-model-config>
    <entry>
      <key namespace="http://schemas.oracle.com/ws/2006/01/securitypolicy" element-name="ipAssertion"/>
      <executor-classname>fd.custom.owsmcustompolicy.CustomPolicyAssertion</executor-classname>
    </entry>
  </policy-model-config>
</policy-config>

How to Build and Deploy (Import) OWSM Custom Policy Manually

Create a deployment profile (simple Java Archive) for the JDeveloper project. Deploy the project to a JAR file using this profile.

Deploying the JDeveloper project to a JAR file

Copy JAR file to the WLS DOMAIN\lib directory and Restart the WebLogic domain.

Copy JAR file to the WLS DOMAIN\lib directory

Now Import Policy Definition into EM FMW Infrastructure and navigate to WSM Policies.

Import Policy Definition into EM FMW Infrastructure and navigate to WSM Policies

Click on Import to import a zip file with appropriate structure (this means it should contain a folder structure of META-INF\policies\some-custom-folder-name\policyname.xml.

Click on Import to import a zip file

The report back:

The report after importing a ZIP file

And the policy is listed:

The listed policy of the report

Automate Build & Deploy (Import) Policy using FlexDeploy

To Automate through Flexdeploy follow the below steps to Build & Deploy Custom Policies.

  • Build OWSM Custom Policy using Flexdeploy JDeveloper plugin operation “projectBuild”.
Using Flexdeploy JDeveloper plugin operation "projectBuild" to build a OWSM Custom Policy
  • Deploy custom policy using FlexDeploy having two options
    • Deploy and Import OWSM Policy using FlexDeploy weblogic plugin.
    • Import OWSM Policy using FlexDeploy weblogic plugin.

Deploy & Import OWSM Policy

This operation will copy the deployable jar file into WebLogic Domain Lib Directory automatically , Recycle the Admin Server and Import OWSM Custom Policies into a OWSM Repository.  All in one step.

The below screenshot shows the FlexDeploy execution of DeployAndImportOWSMPolicy.

the FlexDeploy execution of DeployAndImportOWSMPolicy

Evidence of Success

Below is the OWSM custom policy successfully imported into Web Logic domain OWSM Repository.

the OWSM custom policy imported into WebLogic domain OWSM Repository

Import OWSM Policy

Imports OWSM Custom Policies into an OWSM Repository.

This operation assumes that the deployable jar file is already copied to the WebLogic Domain Lib Directory and the Admin server was already recycled. It only Imports the custom policy into OWSM Repository.

The below screenshot shows the FlexDeploy execution of Import OWSM Policy.

the FlexDeploy execution of Import OWSM Policy

Evidence of Success

Below is the OWSM custom policy successfully imported into WebLogic domain OWSM Repository.

the OWSM custom policy imported into WebLogic domain OWSM Repository


Download the Datasheet

Share this:
Rajasekhar Gundapaneni

I have been working as a Oracle Fusion Middleware developer for past 7 years. My passion and expertise is related to development and automation of the build, deploy, and release lifecycle. As a Fusion Middleware Developer at Flexagon, I am part of the FlexDeploy product development team and involved in developing Java services for Oracle Fusion Middleware.

More posts by Rajasekhar Gundapaneni
  

2 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *