Thursday, January 22, 2015

Securing Oracle Service Bus (OSB) Proxy Services and Resources

It is a common requirement in enterprises that only authorized external partners should be able to invoke your OSB/BPEL/other web services; everyone else should be denied access.

In this blog post, we will see how to secure OSB proxy services using only the functionality built into OSB itself, without attaching any security policies (WLS9 or OWSM).

In short, these are the steps that need to be done:

1.) Authentication : This step lets OSB identify the subject (the user or the client application) that is trying to access the proxy service.
  A user can be authenticated in many ways; the aim, however, is always the same: establishing the identity of the caller.
In this post, we will use simple HTTP basic authentication to get this done. Keep in mind that basic authentication only base64-encodes the username and password, it does not encrypt them, so the proxy service should be exposed over HTTPS rather than plain HTTP.

2.) Authorization  : Create a set of rules in OSB that restrict access to this particular proxy service. These rules decide who gets to access the service and who does not. (You can create restrictions based on user, group, role and a number of other conditions.)

3.) Create the users, groups or roles that are needed.
You will need to decide how many users, and which ones, should be able to access this service.
The best way, IMO, is to create a group, say OSBAccessGroup, and then work down from there: you can nest sub-groups in it, put users in it directly, and so on.


So, let's get started!


1.) First, let's create the users and the groups required to access this proxy service. How you structure your external users is entirely up to you. Below is the way I would generally do it:

a.) Create the following users in the WebLogic console; these represent the external systems that need access to your proxy service.
    I recommend naming your users in such a way that they can be recognized instantly,
    for example CRM, SAP.
b.) Create a group, name it something like 'ExternalSystems', and put these users in it.
c.) Create another group, name it 'OSBAccessGroup', and put the group created above into this one.
      This is the group I will grant access to later by creating a rule in the sbconsole.
       I can add a single user to this group, or the whole Administrators group; whoever needs access goes into this group, and I will never have to change the OSB rules.

2.) In the transport configuration settings of your proxy service, turn basic authentication ON.


3.) On the Security tab of the same page, go to the Access Control section and click the Transport Access Control link.

Here you can decide whether you want to restrict access to a particular user, role or group.
We will select 'Group' here and move on.

4.) Now type in the group argument. This is the name of the group we want to grant access to. Type 'OSBAccessGroup' here (or whatever group name you have chosen) and click Add.


Click OK and move ahead.

You should see the updated access-control policy now.

Note that you can combine conditions to create more complex rules, such as: "Grant access to CRM from 6:00 AM to 6:00 PM, and to SAP from 6:01 PM to 5:59 AM".

Save all your work, activate your session changes, and then test the proxy from an external client such as SoapUI. Test it once with the credentials of a user in the group and once with no credentials (or with a user outside the group) to confirm that unauthenticated and unauthorized calls are actually rejected.
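To make the three steps concrete, here is a small Python model of what happens when a request reaches the secured proxy: the HTTP Basic header is parsed and checked against a user store, the caller's groups are resolved transitively (so a user placed in ExternalSystems is also a member of OSBAccessGroup), and a transport access-control rule is evaluated, including the combined "CRM by day, SAP by night" rule. This is an added illustration written for this post, not OSB or WebLogic code; the passwords, the extra user Mallory, the 401/403 status codes and the (hour, minute) time representation are assumptions made for the example.

```python
import base64
import hmac

# Constructed sample user store for the example (not a real WebLogic realm):
# the users from the post plus one outsider, with made-up passwords.
USERS = {"CRM": "crm-secret", "SAP": "sap-secret", "Mallory": "guess"}

# Group layout from the post: the users sit in ExternalSystems, and
# ExternalSystems is itself a member of OSBAccessGroup.
GROUP_MEMBERS = {
    "ExternalSystems": {"CRM", "SAP"},
    "OSBAccessGroup": {"ExternalSystems"},
    "Administrators": {"weblogic"},
}


def basic_auth_header(user, password):
    """Build the Authorization header a client such as SoapUI sends."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def authenticate(header):
    """Step 1: parse the Basic header and check it against the user store.

    Returns the user name on success, or None (which becomes a 401)."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    # Constant-time comparison so the check does not leak password contents.
    if user in USERS and hmac.compare_digest(USERS[user].encode(), password.encode()):
        return user
    return None


def effective_groups(user):
    """Resolve group membership transitively: a member of ExternalSystems is
    also a member of every group that contains ExternalSystems."""
    groups = set()
    changed = True
    while changed:
        changed = False
        for group, members in GROUP_MEMBERS.items():
            if group not in groups and (user in members or groups & members):
                groups.add(group)
                changed = True
    return groups


# Policy conditions, modelled on the choices the Transport Access Control
# page offers: a single user, a group, a time-of-day window, and combinations.
def user_is(name):
    return lambda user, now: user == name


def in_group(group):
    return lambda user, now: group in effective_groups(user)


def between(start, end):
    """Times are (hour, minute) tuples; a window such as (18, 1)-(5, 59) wraps midnight."""
    if start <= end:
        return lambda user, now: start <= now <= end
    return lambda user, now: now >= start or now <= end


def all_of(*conds):
    return lambda user, now: all(c(user, now) for c in conds)


def any_of(*conds):
    return lambda user, now: any(c(user, now) for c in conds)


# Step 2, as configured in the post: grant access to the OSBAccessGroup group.
GROUP_POLICY = in_group("OSBAccessGroup")

# The combined rule mentioned at the end of the post.
TIMED_POLICY = any_of(
    all_of(user_is("CRM"), between((6, 0), (18, 0))),
    all_of(user_is("SAP"), between((18, 1), (5, 59))),
)


def proxy_access(header, policy, now=(12, 0)):
    """Run authentication, then authorization, and return the HTTP status the
    proxy would answer with (assumed: 401 unauthenticated, 403 denied)."""
    user = authenticate(header)
    if user is None:
        return 401
    if not policy(user, now):
        return 403
    return 200


if __name__ == "__main__":
    for name, pwd in (("CRM", "crm-secret"), ("Mallory", "guess"), ("CRM", "wrong")):
        print(name, proxy_access(basic_auth_header(name, pwd), GROUP_POLICY))
```

The point of the nested-group resolution is the one made in step 1c: because the rule names OSBAccessGroup rather than individual users, onboarding a new partner is a realm change (add the user to ExternalSystems), not an OSB rule change. Mallory authenticates successfully but is denied because she is in no group the rule names, which is the difference between a 401 and a 403 in this model.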

2 comments:

  1. This is beautiful, thanks for sharing a little bit of your world!
    access FileCrop in UK
  2. This is wonderful information. Thanks for sharing.