Friday, November 6, 2009

The new Oracle Entitlements Server (OES) and Oracle Web Services Manager (OWSM) 11g integration is finally here!

I know that a lot of people have been after me for this, so I want to apologize again for how long it has taken me to get this together (OOW + 3 weeks). But I hope people find it worth the wait.

This is essentially an update of some work that Kamlesh Patel did last year, so the basic design is really his idea.

OES-OWSM Integration FAQ

Question:Where can I get it?

Answer: I added to the OWSM 11g Custom Assertions Project on

Question:What are the prerequisites?

Answer: You'll need an 11g SOA Suite Domain protected by an OES WLS SM. What I did for the OOW demo that makes things a lot simpler is use the OESAdjudicator. I talked a little about this approach previously. Basically, follow the steps I outline before except that instead of throwing the domain into discovery mode and figuring out the WLS resources, just add the OESAdjudicator to the domain. This basically eliminates the need for OES to protect the WLS resources.

Question: How do I build it?
Answer: You'll need to get the source code from svn. The details are here.
The src and the build are contained in the oes-owsm directory. You'll need to modify the build.xml file to point to the SOA home and OES home directories. From there, set-up you're environment (BEA_HOME/wlserver_10.3/server/bin/setWLSEnv.cmd) and then run ant. You should end-up with a file called oes-owsm.jar.

Question:Why do I need to know how to build it?

Answer:Because when you use it to protect a WLS Web Service, all of the configuration is contained in the META-INF/policies/samples/oes file, and this needs to be packed into the jar. I have not tested this custom assertion protecting SOA Composite Web Services

Question: What can I configure in the META-INF/policies/samples/oes file?

Answer: Let's take a look at the file

<wsp:Policy xmlns="" xmlns:orasp=""
orawsp:status="enabled" xmlns:wsu=""
xmlns:xsi="" orawsp:category="security" orawsp:attachTo="binding.server" wsu:Id="oes_authorization_policy"
xmlns:orawsp="" xmlns:wsp=""

<orasp:oes orawsp:Silent="true" orawsp:Enforced="true" orawsp:name="OES Authorization" orawsp:category="security/authorization">
<orawsp:Config orawsp:name="oes" orawsp:configType="declarative">
<orawsp:PropertySet orawsp:name="OES RMI SSM Settings">
<orawsp:Property orawsp:name="ConfigDirectory" orawsp:type="string" orawsp:contentType="required">
<orawsp:Property orawsp:name="ConfigID" orawsp:type="string" orawsp:contentType="required">
<orawsp:Property orawsp:name="AuthenticationRequired" orawsp:type="boolean" orawsp:contentType="required">
<orawsp:PropertySet orawsp:name="OES Identity Assertion Settings">
<orawsp:Property orawsp:name="InternalAssertion" orawsp:type="boolean" orawsp:contentType="required">
<orawsp:Property orawsp:name="OWSMIdentity" orawsp:type="string" orawsp:contentType="required">
<orawsp:PropertySet orawsp:name="OES Authorization Settings">
<orawsp:Property orawsp:name="Application" orawsp:type="string" orawsp:contentType="required">
<orawsp:Property orawsp:name="Resource" orawsp:type="string" orawsp:contentType="required">
<orawsp:Property orawsp:name="LookupAction" orawsp:type="string" orawsp:contentType="required">
<orawsp:Property orawsp:name="ExecuteAction" orawsp:type="string" orawsp:contentType="required">

There are only a few properties that you need to really care about. ConfigID is the name of the realm that WLS is running - I think the configTool makes it the domain name, but look in config.xml just to be sure. Application and Resource are concatenated together to make up the prefix for the resource in OES. Example: //app/policy//owsm/oow2009/model object name/port name

Question: How do I install it?

Answer: Copy the oes-owsm.jar to the DOMAIN_HOME/lib directory, and restart the server.

Question: How do I bind it to a webservice?

Answer: You add it to policy just like any other WLS Web-Services policy. Either through the WLS console or through the @Policy annotation. Note: You need to configure an additional policy that does the actual authentication, like one of the SAML policies. The assertion assumes that the user is already authenticated. Also, again I haven't tested it attaching it to a SOA composite, but if some one wants to try, I'll support the effort ;)

Question: How do I author an OES policy using it?
Answer: Take a look at the policies from my OOW demo

I modeled it as a two step process (I could have just as easily passed down the entire SOAP message to the WLS SM, like I did in the OES-BPEL integration, but I think for most in-bound authorization cases, I like this model). In the first step, the assertion calls OES with the lookup action. If it succeeds, it processes the responses in an interesting way. If the response has a name of namespace then it sets uses it as the target name space for the XPathQuery. If its anything else, then the Assertion assumes that the name of the response is a dynamic attribute, and the value is an XPathQuery that the assertion should run to populate the attributes.

In the example for OOW, there are two responses from the lookup. One to get the value of the CCType in the body and add it to the variable oow_cc_type. The other is pulling the value of the attribute title from the AttributeStatement from the SAML Assertion (basically, the user's title) and sets it in the oow_title attribute.

The execute action gets called next and basically, as you can see from the example, passes in the values it got from the lookup XPATHQuery.

Question: What do I do if I want to use a namespace other than tns,env, or saml?

Answer: You need to add it to modify the to handle the namespace. The code is pretty simple.

public String getNamespaceURI(String prefix) {
System.out.println("Looking for the namespace for prefix: "+prefix);

if (prefix.equals("env")) {

return "";

} else if (prefix.equals("saml")) {

return "urn:oasis:names:tc:SAML:1.0:assertion";


return theNamespace;

So What Next?

I added the project (like most of my stuff from the blog) to Try this out, and let me know what you think, but also, this integration could be enhanced in a number of ways. Examples:

  • What should OES do when filtering the response?
  • What could OES do with responses if it knew that the Web Service has a DataControl (i.e. SOAP Message contains a query)?

The source is out there, so I'm hoping people will add their own contributions. Basically, I hope that I've taught you how to fish. If you are starving, just post a comment here, and we'll throw you a fish stick :)

1 comment:

  1. Great work.. for the community. Thanks - Jagdish Krishnan


Note: Only a member of this blog may post a comment.