Installation steps (windows OS):
- Install Oracle Web service manager soa_windows_x86_ws_mgr_101310.zip. Unzip and install.
- Start–> Programs, make sure you’ve Oracle WSM – OWSMHome1
- Your OWSM setup is ready
- Start–>Programs–>Oracle WSM – OWSMHome1–>Start Server
- To stop server, Start–>Programs–>Oracle WSM – OWSMHome1 –> Developer Prompt. Type the command wsmadmin stop <password>
- I prepared a web service and deployed it into Tomcat [Building a web service is out of scope of this post, you may google around to find good examples]
- Log into web service gateway manager with credentials: admin/oracle
- In this example, OWSM is running on a stand-alone OC4J server and web service running on Tomcat Server. Idea is to use OWSM as security gateway for web services of Tomcat.
- First create a gateway by filling a simple form from Policy Management Tab:
- After successful registration of Gateway. Now ‘am gonna use this gateway for my sample web service running on tomcat
- Click on creating Policies now
- Default Policies for Request would by ‘logging’ mechanism, click on “Add Step Below” to add File Authenticator
- On successful policy creation you should click on ‘Commit’ for the changes to take place (this is important otherwise policies will not be enforced). Now you should see a policy link adjacent to gateway. Click on it to see the just created policy. Now you are done!
- Note: OWSM is capable of authenticating against: LDAP, Siteminder, File, Active directory, Oracle Access Manager. It is capable of SAML token based authentication, Certificate/Signature verification, encryption/decryption and lot many things. Guess what! you don’t need to make a single line of code change or add any code to provide security to your web services. That’s the best part of it… For this post, we just considered file authenticator
- Now since we’ve used File Authenticator, you should prepare a file from where you would want to validate username and password against.
- You may store password in simple plain-text or MD5. For simplicity, store user credentials in simple plain text in a file say .htpwd stored at c:\ in a format (username:password).
first:java1OWSM builds a a new WSDL URL, which should be exposed to the client but not the endpoint web service wsdl url. So that, client uses OWSM WSDL to access web services. Original web service link should never be exposed, doing so clients would be able to access the endpoint bypassing gateway! ‘am sure you don’t want to do that…
From Tools–>Test Page in OWSM, write a sample client to connect to the web service by pointing the URL to OWSM WSDL. Run the client that’s it!
Here is a step-by-step quick start guide
Best things about OWSM:
- security code is separate from web services, this is really good and provides high cohesion and less coupling. However there is additional overhead of running a separate server for security
- Audit logging mechanism to know who accessed my web service, what was the request and what was the response delivered
- Overall latency of my web services
- Custom Reports on security issues