Monday, March 29, 2010

Identity Propagation in a flow involving OAM, OSB and web services

A Sales Consultant asked for my opinion in a scenario where a customer wants to propagate end user credentials all the way from OAM (Oracle Access Manager) to web services responsible for executing business logic.

In the customer flow, after being authenticated by OAM, the end user is redirected to a portal UI. The UI makes calls to OSB (Oracle Service Bus) which in turn invokes web services deployed on WebLogic Server. One of use case driving requirements is that the end user identity should be available for underlying web service implementation so that it can be recorded in database tables for auditing purposes. Therefore, the main question here is how to get the user identity from OAM token and make it available for web service implementation code.

OAM is a web-based SSO solution. Very roughly put, it works by means of an HTTP cookie called ObSSOCookie which is recognized by OAM's Policy Enforcement Points, known as Web Gates. A Web Gate intercepts all HTTP requests for a protected resource and evaluates whether an ObSSOCookie is present and valid, in which case the user is considered authenticated.

OSB is an SOA integration component within Oracle's SOA portfolio. It provides routing, transformation and mediation capabilities for interactions between heterogeneous services.

Ok, to the solution.

Let's first talk about what happens when an anonymous user accesses the protected portal UI page. Anonymous users don't hold an authenticated ObSSOCookie (note that anonymous users might hold an ObSSOCookie, but for the default OblixAnonymous user), therefore are challenged by OAM's Web Gate according to the configured authentication scheme.

Let's assume in this case a form-based scheme requiring username and password is set. When challenged, the user types in her username and password. Assuming those are correct, an ObSSOCookie identifying the end user is generated and added to the HTTP response. The end user is granted access and directed to the protected resource (portal UI page). Once the user lands on the portal UI page, a call is made to a web service running on a remote WebLogic Server via OSB.

At this point we need to make an important decision: how to retrieve the end user identity and move it forward. Remember that so far it only exists within the ObSSOCookie that is present in the HTTP request. There are two ways to accomplish it: Within the portal UI, i) the ObSSOCookie can be added to an Oracle proprietary SOAP header or ii) the end user identity can be obtained from portal application container's Java Subject and added to a standard SAML message within the SOAP header. In any case, an OAM identity asserter must be configured in WebLogic Server running the portal application. OWSM (Oracle Web Services Manager) also plays a vital role from now on. An OAM identity asserter basically asserts the end user identity present in ObSSOCookie against the configured Identity Store in WebLogic Server. If assertion succeeds, the user principals are added to the container's Java Subject.

OWSM is a key component in Oracle's SOA solution. It provides centralized definition and distributed enforcement of security and management policies for SOA and JavaEE applications. OWSM runtime modus operandi is very simple: simply put, agents installed at specific endpoints intercept and evaluate SOAP calls according to rules specified by attached policies. Policies come in two flavors: client-side and server-side. Client-side policies usually add data to the SOAP message while server-side policies retrieve that data and process them, many times delegating decisions to other third-party mechanisms.

Back to our flow, I recommend approach ii) as the means of propagating the end user identity. For two reasons: a) we're avoiding adding proprietary data to the SOAP message. If one decides for i), on the server side she needs to provide for understanding that proprietary data. Even considering that OWSM natively supports it, the implementation would stay tied to necessarily understanding ObSSOCookie. If your organization standardizes on SAML (Security Assertions Markup Language), for example, that might be a problem. b) OAM is unlikely to be available in a development environment, therefore relying on ObSSOCookie would simply not work. Once the ObSSOCookie is asserted, a Java Subject becomes available within WebLogic Server.

By attaching a SAML-based OWSM client-side policy to the calling endpoint, the OWSM agent will pick the principal from the Java Subject, generate a SAML message and add it to the SOAP header.

There are several options on how the SAML message can be generated: as clear-text, with message-level security (WSS) or sent through an SSL channel. I will cover the details of message-level and transport-level security in OWSM in a subsequent article.

At this point we're making a SOAP call and we've added a SAML token to the SOA header. Next element in our flow is OSB. The key point here is that we don't need to process that token in OSB. All that's required is having OSB configured in pass-through mode and the request will get intact to the invoked web service. On the web service, we attach a SAML-based OWSM server-side policy that is capable of understanding the token generated by the client-side policy. The policy extracts the token and submits it for processing, which in this case means asserting the end user identity against the identity store configured for the WebLogic Server hosting the web service. If the user is successfully asserted, a Java Subject is created and made available to running applications. One can use JAAS APIs to get the authenticated user name and stick it into any DML statements that are executed against a database.


  1. Andre,
    I'd like to thank you for all of these blog posts, they've been extremely helpful to getting my organizations Fusion Middleware implementation stood up and functioning.

    I realize this is an older post, but I was hoping you could provide some guidance with an issue I've been facing.

    We've configured an instance of OAM with OHS acting as a proxy to all of our applications. One of our apps wants to pull some data (using an AJAX call..i.e. directly from the browser) from a REST service to be consumed in browser. The service is currently protected using HTTP Basic authentication. This works fine for Java (and other) apps that want to make those service calls directly, but not so well when it is the browser that wants to make the call.

    My assumption (up to this point) had been that I would be able to utilize the OAM Identity Asserter on the service bus in much the same way that we have been using it to propagate identity to our application servers. After speaking with some of the service developers (guys more intimately familiar with the OSB than I am) we haven't tried to do this before and are unsure of the proper implementation to acheive our goal.

    So, with all of that being said, am I barking up the wrong tree? Would it be incorrect to have a REST service written that is serviced by two different OSB proxies? One that enforces HTTP Basic, and one that (somehow) uses the OAM_REMOTE_USER and an appropriate identity asserter to pass identity in such a manner that the OSB would be able to enforce security in that manner?

    Is there a better way to secure REST services being made from the browser?

    1. Hello James,

      that's an interesting question.
      In my opinion, there's nothing wrong in having two different OSB proxies, although having 1 would be more practical.
      Having non-browser clients poses a challenge here.
      That said, I'd have one version to serve Java (and other) client apps and another one so serve the AJAX-based apps called from the browser.
      For the AJAX apps, have the the auth-method set to CLIENT-CERT in web.xml and configure the OAM Identity Asserter in Weblogic server.
      Also, protect the REST resources in an OAM policy domain. This will basically make your REST resources part of the OAM SSO scheme.

      You may want to take a look at Oracle eSSO product, which provides SSO for browser-based and non browser-based apps.




Note: Only a member of this blog may post a comment.