How to secure a composite in SOA Suite

Security is an advanced topic for developers who spend their days writing code to meet everyday needs. Relative to the life of a project, designing and defining security also takes very little time. As a result, security issues have to be learned several times over, because the developer forgets the key points. Blog posts like this one help us remember them.

We can start by defining security policies on the composite. There are two ways to do it, and both use the same policy names, such as "oracle/wss_*******".

In the first way, we define the policy with JDeveloper, which hard-codes it into the project. Right-click the service element in composite.xml and select the option Configure WS-Policies. Oracle has bundled some useful policies together and given them simple, memorable names like the one mentioned above.
Click the security section and select the policy you want to apply from the list.
Then deploy it to the server, and Bob's your uncle.

The other way of defining policies is more declarative than this. It lets you separate the policy options from the source and define them in a declarative way (I like to say declaratively). For this option, you have to deploy the composite first; then, in the EM console, select the composite and navigate to the Policies tab.
In this tab, you can see and manage previously defined policies and add new policies to the composite.
Select the endpoint to add the policy to and wait for the pop-up screen. You have to be careful not to define policies that don't work together; to be sure, you can use the Validate button. Then select whatever you want and press OK. Assume that we selected the "oracle/wss_username_token_server_policy" policy for our test case.
In the WSDL file for this composite, you can see the policy elements. From now on, the caller must satisfy these restrictions.
To test your composite the easy way, just open SoapUI and set the username and password parameters, which are located at the bottom left. You must also set the password type (plaintext is the only choice if you are using SOA Suite version 11.1.1.5, which supports only this option) and the TimeToLive option. The latter is mandatory for the content to be added to the header of the SOAP payload. (In my tests, the first call got a security error; it succeeded only after restarting SoapUI.)
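The kind of WS-Security header those SoapUI settings put on the wire, as an added example that is not code from the original post: the Python sketch below builds a SOAP 1.1 envelope with a wsu:Timestamp derived from the time-to-live and a plaintext wsse:UsernameToken, then audits a request for a missing header, an expired timestamp, and a PasswordText password sent to a non-HTTPS endpoint. The function names, the endpoint URLs and the sample values are assumptions constructed for the illustration, and timestamps are assumed to be UTC.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
FMT = "%Y-%m-%dT%H:%M:%SZ"  # `now` is assumed to be a UTC datetime

def build_envelope(username, password, ttl_seconds, now):
    """SOAP 1.1 envelope with a Timestamp and a plaintext UsernameToken."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp")
    ET.SubElement(ts, f"{{{WSU}}}Created").text = now.strftime(FMT)
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = (now + timedelta(seconds=ttl_seconds)).strftime(FMT)
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Password", Type=PASSWORD_TEXT).text = password
    ET.SubElement(env, f"{{{SOAP}}}Body")
    return ET.tostring(env, encoding="unicode")

def audit_request(envelope_xml, endpoint_url, now):
    """Return findings for a request aimed at a username-token protected endpoint."""
    findings = []
    sec = ET.fromstring(envelope_xml).find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is None:
        return ["no wsse:Security header"]
    pwd = sec.find(f"{{{WSSE}}}UsernameToken/{{{WSSE}}}Password")
    if sec.find(f"{{{WSSE}}}UsernameToken/{{{WSSE}}}Username") is None or pwd is None:
        findings.append("UsernameToken lacks Username or Password")
    elif pwd.get("Type") == PASSWORD_TEXT and not endpoint_url.lower().startswith("https://"):
        findings.append("PasswordText sent without TLS: password readable on the wire")
    expires = sec.findtext(f"{{{WSU}}}Timestamp/{{{WSU}}}Expires")
    if expires is None:
        findings.append("no wsu:Timestamp")
    elif datetime.strptime(expires, FMT).replace(tzinfo=timezone.utc) <= now:
        findings.append("Timestamp expired")
    return findings

if __name__ == "__main__":
    # Constructed sample: placeholder credentials and a made-up endpoint host.
    now = datetime.now(timezone.utc)
    xml = build_envelope("XXX", "YYY", 60, now)
    print(audit_request(xml, "http://soa.example.test:8001/secure", now))
    print(audit_request(xml, "https://soa.example.test/secure", now + timedelta(minutes=5)))
```
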
The other client option is, of course, the Java stub. With Oracle policies, it is very easy to use this policy. For this option, you have to create an application with the Java proxy category.
The wizard will direct you to the right options. After this, you just have to define your username and password in the source code and run the class.

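     import java.util.Map;
     import javax.xml.ws.BindingProvider;
     import weblogic.wsee.jws.jaxws.owsm.SecurityPoliciesFeature;

     // In the generated proxy client class: attach the client policy when obtaining the port.
     SecurityPoliciesFeature securityFeatures = new SecurityPoliciesFeature(new String[] { "oracle/wss_username_token_client_policy" });
     SecureComposite secureComposite = securecomposite_client_ep.getSecureComposite_pt(securityFeatures);

     // Set the credentials on the request context before invoking any operation.
     Map<String, Object> reqContext = ((BindingProvider) secureComposite).getRequestContext();
     reqContext.put(BindingProvider.USERNAME_PROPERTY, "XXX");
     reqContext.put(BindingProvider.PASSWORD_PROPERTY, "YYY");

     // Add your code to call the desired methods.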

Notice that, in contrast to the server policy, we selected the client option: "oracle/wss_username_token_client_policy" -> "oracle/wss_username_token_server_policy"
That is it.

Comments

  1. Hi,

    Thanks for this great post.

    I have a question... Is there a way to remove the security on the composite without touching the stub?
    What I would like to know is if it's possible to send the SecurityPoliciesFeature when the composite doesn't require it?

    Thanks for your help.

    Vince.

  2. Hi Vince,

    If I have not misunderstood, you are asking about the HTTP header entries and also the SOAP header tags sent by a client which assumes that the server accepts only secure calls. But, in fact, the server does not wait for these tokens and does not need them.

    If so, they are ignored like other unused header entries and unused header tags, and your call must succeed.

    I hope this is the answer.

    Best wishes
