OWSM - Basic Understandings

• Oracle provides a security framework called Oracle Web Service Manager to secure the services across your organization. 

• We can use OWSM policies to secure 
• ADF Services.
• Web Services.
• RESTFull Services.    

We can apply default policies globally using EM console. 

• Domain
• Web Services
• Web Service Policy Set
• Here you can create a custom policy set based on the Subject. 
• Example Subjects
• RESTful Resource
• RESTful Client
• ADF SOAP Webservice Connection
• ESS SOAP Job Invoker
• SOA SOAP Service
• SOA SOAP Reference
• SOA RESTful Reference
• Etc.
• Add the existing OWSM policy to the policy set 
• Enable the policy set. 

We can add default values for the OWSM policies using EM console.

• Domain
• Web Services
• WSM Policies
• Search for the policy
• Select Open 
•  Select Settings 
• Add the default values. 

• Before we use OWSM policies , we need to install OWSM on weblogic server. 
• OWSM provides Client and Service policies to protect and invoke your secured services. 
• Service policies are used to secure your exposed services. 
• Client policies are used to invoke the secured services. 
• Some of the basic authentication policies are
• Policy - 1

                             oracle/http_basic_auth_over_ssl_service_policy

                             oracle/http_basic_auth_over_ssl_client_policy

                          This is an authentication only policy for both SOAP and REST service. 

• Policy -2 

                              oracle/wss_http_token_client_policy

                              oracle/wss_http_token_service_policy

                         This is an authentication only policy for SOAP. It  support transport  authentication. 

• Policy -3

                           oracle/wss_username_token_client_policy

                            oracle/wss_username_token_service_policy

                          This is an authentication only policy for SOAP. It  support SOAP authentication. 

• Policy -4 

                               oracle/wss_http_token_over_ssl_client_policy

                               oracle/wss_http_token_over_ssl_service_policy

                      This policy is used authentication as well as message protection . It support transport  authentication.  This will use SSL protection.  Communication happens via HTTPS  port.

• Policy -5

                             oracle/wss_username_token_over_ssl_client_policy

                             oracle/wss_username_token_over_ssl_service_policy

 

                         This policy is used authentication as well as message protection . It support SOAP     level authentication.  This will use SSL protection.  Communication happens via HTTPS  port.

• Oracle provide SAML authentication policies for web service.  
• For more details on other policies refer following oracle link. -  Custom-OWSM

Note: 

    If your application is not configured with OWSM then you can use basic authentication to access the services protected using OWSM policies. 

Example : 

      Python :

                     

                   creadentials = base64.encodestring('%s:%s' % (username, password))[:-1]

                   authorization = "Basic %s" % creadentials

     .NET :

              request.Method = "POST";

             request.ContentType = "text/xml;charset=UTF-8";

             request.ContentLength = byteArray.Length;

             request.Headers.Add("Authorization", "Basic " + credentials);