Oracle® SOA Suite Developer's Guide 10g (10.1.3.1.0) Part Number B28764-01
This section explains Oracle Web Services Manager security policies and policy pipelines, and provides a high-level view of the implementation steps.
Oracle Web Services Manager Agents are of interest to sites that wish to implement end-to-end security, which is designed to assure that the business process is secured from the very beginning to the very end of its execution. Agents are also useful in settings where the service endpoint is already known to clients and it would not be desirable to change the endpoint.
Gateways, on the other hand, are used when there is a need to deploy a security choke point. This is similar to a firewall, where security policies can be employed in a central location. A gateway can also perform functions that an agent cannot do, such as message routing, transformations, and failover.
Note: Agents can be used with gateways. The use of one does not preclude the use of the other.
Policies are used to manage and secure web services: they include tasks such as authentication, authorization, encryption, decryption, protocol transformation, and so on.
As mentioned earlier, policies can be deployed at two kinds of policy enforcement points, gateways and agents.
An administrator can assemble policies from:
Predefined policy steps that ship with Oracle Web Services Manager
Custom policy steps
Steps are assigned to any of four policy pipelines, depending on where in the message stream the step is to be applied:
Pre-Request Pipelines contain policy steps to be enforced when preprocessing incoming web service requests.
Request Pipelines contain policy steps to be enforced when processing incoming requests.
Response Pipelines contain policy steps to be enforced when processing outgoing requests.
Post-Response Pipelines contain policy steps to be enforced when processing outgoing requests, after any policy steps in the response pipeline have been processed.
About Pre-Request and Post-Response Pipelines
Oracle Web Services Manager provides two sets of pipelines on both incoming and outgoing streams to allow flexibility in managing the services.
Pre-request and post-response pipelines can be used to set company and department-wide policies. For example, the pre-request pipeline is configured when preprocessing incoming web service requests.
The request and response pipelines, on the other hand, are used to provide additional policy enforcement steps locally for specific services. Administrators of those services can make use of the pipelines to implement additional policy steps.
In the SOA Order Booking Application, a customer signs on to the application through a web interface and orders a product. When the customer clicks the Place Order button, the OrderBookingESB flow (developed with the Oracle Enterprise Service Bus framework) is invoked. This flow, in turn, routes information from the web client and invokes the SOAOrderBooking BPEL flow.
The SOAOrderBooking BPEL flow then handles the order process; after the order is inserted into a database table, the customer data is sent to the Credit Validation Service for credit card verification.
Some security concerns must be addressed in this application flow:
Authentication of incoming credentials received by the Oracle BPEL Process Manager
An Oracle WSM Server Agent can be deployed to BPEL partner services in order to enforce security on these services. For example, one could require authentication to a service using a WS-Security username token.
Section 10.3, "Authenticating Users with an Oracle Web Services Manager Server Agent" explains how to implement authentication between Oracle BPEL Process Manager and an agent-secured partner service.
Encryption of customer credit card data sent over the network to the Credit Validation Service
An Oracle WSM gateway can be configured to protect the customer data exchange with the Credit Validation Service by means of data encryption and digital signatures.
Section 10.4, "Encryption with an Oracle Web Services Manager Gateway" describes the procedure for implementing authentication.
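The WS-Security username token mentioned above for agent-secured partner services, shown as an added example that is not part of the original guide and is not Oracle Web Services Manager code: a generic Python sketch of a client building a UsernameToken (PasswordDigest form) and an enforcement point checking it before the request reaches the service. The user name, secret, nonces and the validateCard body element are constructed, and the function names are hypothetical.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE = OASIS + "wssecurity-secext-1.0.xsd"
WSU = OASIS + "wssecurity-utility-1.0.xsd"
DIGEST_TYPE = OASIS + "username-token-profile-1.0#PasswordDigest"
NS = {"s": SOAP, "wsse": WSSE, "wsu": WSU}
USERS = {"bpel_client": "constructed-secret"}  # constructed credential store

def digest(nonce_b64, created, password):
    # UsernameToken profile: Base64(SHA-1(nonce + created + password))
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_request(user, password, nonce_b64, created):
    return f"""<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
 <s:Header><wsse:Security><wsse:UsernameToken>
  <wsse:Username>{user}</wsse:Username>
  <wsse:Password Type="{DIGEST_TYPE}">{digest(nonce_b64, created, password)}</wsse:Password>
  <wsse:Nonce>{nonce_b64}</wsse:Nonce>
  <wsu:Created>{created}</wsu:Created>
 </wsse:UsernameToken></wsse:Security></s:Header>
 <s:Body><validateCard/></s:Body>
</s:Envelope>"""

def authenticate(envelope, seen_nonces):
    """Enforcement side: return the authenticated user, or None to reject."""
    try:
        root = ET.fromstring(envelope)
        tok = root.find("s:Header/wsse:Security/wsse:UsernameToken", NS)
        if tok is None:
            return None  # no token: the request never reaches the service
        user = tok.findtext("wsse:Username", "", NS)
        nonce = tok.findtext("wsse:Nonce", "", NS)
        created = tok.findtext("wsu:Created", "", NS)
        pw = tok.find("wsse:Password", NS)
        if pw is None or pw.get("Type") != DIGEST_TYPE or not nonce:
            return None  # refuse missing or other password types
        if user not in USERS or nonce in seen_nonces:
            return None  # unknown user, or a replayed nonce
        expected = digest(nonce, created, USERS[user])
    except (ET.ParseError, ValueError):
        return None  # malformed XML or malformed base64 nonce
    if not hmac.compare_digest((pw.text or "").encode(), expected.encode()):
        return None
    seen_nonces.add(nonce)
    return user
```

A production enforcement point would also bound the age of the Created timestamp and expire stored nonces; the sketch omits both to stay focused on the token check.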
Role of Oracle Web Services Manager in the Demo Application
Web services security is not configured "out of the box" for the services participating in the SOA Order Booking Application. This chapter provides examples to illustrate how the services can be secured with Oracle Web Services Manager without any programmatic effort. Since Oracle Web Services Manager is an integrated component of the Oracle SOA Suite, no additional installation tasks are required to follow and replicate the examples presented here.
Although most of the configuration is accomplished using the UI tools in the Oracle SOA Suite, a few steps require the use of command-line tools as explained in the text of the examples.