OWSM SAML policies
Hello,
In the Oracle documentation, the following is said about some saml policies:
oracle/wss10_saml_token_service_policy
oracle/wss10_saml_token_client_policy
This policy is not secure and is provided for demonstration purposes only. Although the SAML issuer name is present, the SAML token is not endorsed. Therefore, it is possible to spoof the message.
I really have no idea what is meant by this. Can anyone explain?
Thanks and regards, Jeroen
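As an added illustration of the warning quoted above (example code written here, not from the thread and not OWSM code), the following Python script parses the wsse:Security header of a SOAP 1.1 request and reports whether a sender-vouches SAML 1.1 assertion is endorsed, i.e. covered by a ds:Signature in the header that references it by id. The sample envelope is constructed from the sender-vouches request quoted further down this page, the endorsed variant carries a constructed placeholder signature, and the check is structural only (it does not verify any signature cryptographically).

```python
"""Report whether the SAML assertion in a wsse:Security header is endorsed.

Added example, not from the forum thread and not OWSM code. 'Endorsed' here
means a ds:Signature inside the header references the assertion by its id;
the script checks that structure only and does not verify any signature.
"""
import xml.etree.ElementTree as ET

NS = {
    "env": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"


def inspect_security_header(envelope_xml: str) -> dict:
    """Parse a SOAP 1.1 envelope and summarise its WS-Security header."""
    root = ET.fromstring(envelope_xml)
    report = {
        "security_present": False,
        "must_understand": False,   # what triggers env:MustUnderstand faults
        "issuer": None,
        "assertion_id": None,
        "confirmation_method": None,
        "signed_references": [],    # every ds:Reference URI in the header
        "endorsed": False,
    }
    header = root.find("env:Header", NS)
    sec = header.find("wsse:Security", NS) if header is not None else None
    if sec is None:
        return report
    report["security_present"] = True
    mu = sec.get("{%s}mustUnderstand" % NS["env"])
    report["must_understand"] = mu in ("1", "true")

    assertion = sec.find("saml:Assertion", NS)
    if assertion is not None:
        report["issuer"] = assertion.get("Issuer")
        report["assertion_id"] = assertion.get("AssertionID")
        cm = assertion.find(".//saml:ConfirmationMethod", NS)
        if cm is not None and cm.text:
            report["confirmation_method"] = cm.text.strip()

    report["signed_references"] = [
        ref.get("URI", "") for ref in sec.iterfind(".//ds:Reference", NS)
    ]
    # Endorsed = some signature in the header covers the assertion by id.
    if report["assertion_id"] is not None:
        report["endorsed"] = ("#" + report["assertion_id"]) in report["signed_references"]
    return report


def is_spoofable(report: dict) -> bool:
    """Sender-vouches with no endorsing signature: whoever sends the message
    could have minted the assertion, so the Issuer name alone proves nothing."""
    return (report["security_present"]
            and report["confirmation_method"] == SENDER_VOUCHES
            and not report["endorsed"])


# Constructed sample, trimmed from the sender-vouches request quoted on this
# page: a SAML 1.1 assertion with mustUnderstand="1" and no signature at all.
SAMPLE_REQUEST = """<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="lrLlLdbWLda851vHdngAEA22" IssueInstant="2008-10-11T08:46:36Z" Issuer="www.oracle.com">
<saml:Conditions NotBefore="2008-10-11T08:46:36Z" NotOnOrAfter="2008-10-12T08:46:36Z"/>
<saml:AuthenticationStatement AuthenticationInstant="2008-10-11T08:46:36Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">www.oracle.com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
</saml:Assertion>
</wsse:Security>
</env:Header>
<env:Body/>
</env:Envelope>"""

# Constructed endorsed variant: a placeholder ds:Signature whose Reference
# points at the assertion id. Only the reference structure is checked here;
# a real receiver must also verify the signature against a trusted certificate.
ENDORSED_REQUEST = SAMPLE_REQUEST.replace(
    "</saml:Assertion>",
    '</saml:Assertion>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignedInfo><ds:Reference URI="#lrLlLdbWLda851vHdngAEA22"/></ds:SignedInfo>'
    '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>'
    '</ds:Signature>')

if __name__ == "__main__":
    for label, msg in (("unsigned", SAMPLE_REQUEST), ("endorsed", ENDORSED_REQUEST)):
        r = inspect_security_header(msg)
        print(label, r["confirmation_method"], "endorsed:", r["endorsed"],
              "spoofable:", is_spoofable(r))
```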
Hi, I am using Oracle WebLogic 12c, a standalone server with no clusters. I have a web service configured which is working from WebLogic, using DemoTrust.jks. I just downloaded SoapUI and am having issues with this: I set up the Auth tab to use Global HTTP Settings for the authorization type and added a keystore which is pointing to the DemoTrust.jks.
When I run a test, I receive this error
Tue Jul 31 09:40:38 PDT 2012:DEBUG:<< "<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header/><env:Body><env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><faultcode>wsse:InvalidSecurity</faultcode><faultstring>Error on verifying message against security policy Error code:1000</faultstring></env:Fault></env:Body></env:Envelope>"
You wouldn't know what this is about, from what I am reading it seems I need to pass a policy to the server from the client but unsure what to configure.
If you have any insight I would appreciate it.
Similar Messages
-
OWSM 11g : Authentication Providers for X.509 and SAML policies
Hi All,
I am currently trying to implement the X.509 and SAML policies. As per the documentation for these policies I need to configure an authentication provider (or Identity Assertion provider) that can handle perimeter authentication via the NameCallback. I had configured an authentication provider (default authentication provider) that handled the NameCallback and PasswordCallback. What I can't figure out is how these two authentication providers differ. And, in case one has to configure for the X.509 and SAML policies, how to do the same.
Any pointers will be useful. Especially, from anyone who has worked and implemented the above policies.
Thanks in advance.
Edited by: Shomit Sahdev on 8 April 2010, 12:25 AM
After research by Oracle Support it actually turns out that this problem was a combination of factors:
1) some clients were effectively using an invalid certificate so it is correct they got an error and everything worked fine when they started using the right certificate
2) it does, however, turn out that, in the case of an error the error handling has been obfuscated in WLS 10.3.6 as compared to WLS 10.3.4 which gives a more descriptive error stating the nature of the problem (missing certificate, invalid certificate, unknown user, ...). Apparently this was deemed a security issue and has thus been replaced by a generic "internal server error". It is however possible to re-activate this older behaviour using a couple of JAVA_OPTS that you pass during server startup:
-Dweblogic.wsee.security.debug=true -Dweblogic.wsee.security.verbose=true
The above reintroduced the behaviour we had in WLS 10.3.4 and thus solves our problem! -
OWSM SAML verification and Must Understand error
Has anyone verified SAML tokens generated by JDev proxies by OWSM?
I tried to use the simplest scenario (similar to what I had tested when verifying SAML with Application Server) with OWSM. I don't use signature and just sender vouches at the proxy side. On the other side, OWSM, I have a gateway which has one step in the request pipeline which verifies SAML.
I get this response message:
<?xml version = '1.0' encoding = 'UTF-8'?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns0="http://project1/types/">
<env:Body>
<env:Fault>
<faultcode>env:MustUnderstand</faultcode>
<faultstring>*SOAP must understand error: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security*</faultstring>
</env:Fault>
</env:Body>
</env:Envelope>
Regards
Farbod
P.S. this is my request message:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns0="http://project1/">
<env:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" env:mustUnderstand="1">
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" wsu:Id="B1tdL86gkmAN00oYpfTmOw22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:KeyIdentifier xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">lrLlLdbWLda851vHdngAEA22</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
<saml:Assertion MajorVersion="1" MinorVersion="1" xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="lrLlLdbWLda851vHdngAEA22" IssueInstant="2008-10-11T08:46:36Z" Issuer="www.oracle.com">
<saml:Conditions NotBefore="2008-10-11T08:46:36Z" NotOnOrAfter="2008-10-12T08:46:36Z"/>
<saml:AuthenticationStatement AuthenticationInstant="2008-10-11T08:46:36Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">www.oracle.com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
</saml:Assertion>
</wsse:Security>
</env:Header>
<env:Body>
<ns0:jamshidElement/>
</env:Body>
</env:Envelope>
Without more specifics about the SOAP Fault you are getting, the version and the type of client you built, it will be hard to give you specifics.
You may want to verify that the policy used to configure the client proxy does match with the server-side.
Usually, this error is generated during deserialization of a SOAP envelope when some SOAP header contains the mustUnderstand attribute with the value set to true and are not ready (configured) to process this specific header.
It could be just a version mismatch; I process header in the foo namespace, but this one was in the bar namespace.
Hope it helps,
-Eric -
OWSM SAML Verify step problem: Missing Security Header in SOAP message
I'm having a problem with SAML steps. From gateway log:
2008-09-17 13:21:32,987 INFO [HTTPThreadGroup-58] saml.InsertSAMLSVStep - User attributes map set to generate the attribute assertions: null
2008-09-17 13:21:33,034 INFO [HTTPThreadGroup-60] saml.SAMLProcessor - Assertion Major Version :1 , Minor Version :1
2008-09-17 13:21:33,034 WARNING [HTTPThreadGroup-60] saml.SAMLProcessor - SAML Assertion verification error: An invalid token was provided
2008-09-17 13:21:33,034 WARNING [HTTPThreadGroup-60] saml.VerifySAMLStep - SAML Token verification failed:
2008-09-17 13:21:33,096 SEVERE [HTTPThreadGroup-58] wssecurity.OSDTWSSecurity - Missing Security Header in SOAP message
2008-09-17 13:21:33,096 WARNING [HTTPThreadGroup-58] wssecurity.SecurityBaseStep - Failure while applying XML Security
FAULT CODE: InvalidSecurity FAULT MESSAGE: Missing WS Security header in the SOAP message
at com.cfluent.policysteps.security.wssecurity.OSDTWSSecurity.decryptVerify(OSDTWSSecurity.java:369)
at com.cfluent.policysteps.security.wssecurity.DecryptStep.performXmlSecurity(DecryptStep.java:131)
at com.cfluent.policysteps.security.wssecurity.SecurityBaseStep.execute(SecurityBaseStep.java:238)
at com.cfluent.pipelineengine.container.DefaultPipeline.executeStep(DefaultPipeline.java:124)
but the wsse:Security header with SAML assertion IS confirmed in the incoming message log. Anybody seen this issue?
Below is the log of the incoming message just prior to the failing SAML Verify step:
<?xml version="1.0" encoding="UTF-8" ?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns0="http://exception.common.periop.gehc.com" xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ns2="http://www.patient.patientmanager.periop.gehc.com/service/" xmlns:ns3="http://entity.common.periop.gehc.com" xmlns:ns4="http://entity.patient.patientmanager.periop.gehc.com" xmlns:ns5="http://entity.allergy.patientmanager.periop.gehc.com" xmlns:ns6="http://pdo.domain.customizer.periop.gehc.com" xmlns:ns7="http://entity.cases.scheduler.periop.gehc.com" xmlns:ns8="http://entity.insurance.patientmanager.periop.gehc.com">
<env:Header>
<ns1:Security>
<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="158RBY2QvCFPiTqdXYWh9A22" IssueInstant="2008-09-17T19:58:43Z" Issuer="GE" xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2008-09-17T19:58:13Z" NotOnOrAfter="2008-09-17T19:59:43Z" />
<saml:AuthenticationStatement AuthenticationInstant="2008-09-17T19:58:43Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<saml:Subject>
<saml:NameIdentifier NameQualifier="www.ge.com" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">gowri</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
</saml:Assertion>
</ns1:Security>
</env:Header>
<env:Body>
<ns2:getPatient>
<ns2:patientId>137115</ns2:patientId>
</ns2:getPatient>
</env:Body>
</env:Envelope> -
OWSM: SAML Verify WSS 1.0 Token
Hi,
I have created a policy for a service registered with the gateway with 'SAML - Verify WSS 1.0 Token' as one of the steps in the Request pipeline. I am using JKS as the store type. When a client tries to invoke the service, it gets the following error from the gateway:
javax.xml.rpc.soap.SOAPFaultException: Did not understand "MustUnderstand" header(s)
On the other hand gateway.log shows the following message:
saml.SAMLProcessor - SAML assertion confirmation method: urn:oasis:names:tc:SAML:1.0:cm:sender-vouches
The client is a J2SE client created using JDeveloper.
Am I missing something important here?
Any help would be appreciated.
Thanks
Normally, the mustUnderstand error is given out by the OC4J web service when the service receives a SOAP request with a security header with the mustUnderstand attribute set to 1.
What is the SOAP message being received by the web service itself?
Vikas Jain
http://ws-security.blogspot.com -
OWSM: SAML message protection policy question
My web services are protected with SAML message protection policy. according to document:
http://download.oracle.com/docs/cd/E15523_01/web.1111/b32511/setup_config.htm#BABJAIHD
On the web service side, "+Needs the intermediary and root certificate corresponding to the client's public key in the keystore.These certificates will be used to verify the signature by generating a trusted certificate chain+."
Also says "+Generally, the recipient does not need to have the sender's public key in its keystore to validate the certificate. It is sufficient to have the root certificate in the keystore to verify the certificate chain+."
Since weblogic default trust store have more than 60 well known CA's trust intermediary and root certificate by default, does this mean that if web service client own a key signed by one of these well know CA, he will be able to access my web service through SAML policy?
What if I would like to limit my web service only to specified client instead of public access, should I remove those well known intermediary and root certificate from weblogic trust store?
Thanks
Hi Rajdeep,
Thank you for your inputs. But I could not get what I have to do here.
Could you please pass on your contact details so that I can contact you.
Thank you in advance.
Regards
Narendra -
Customizing OWSM 11g SAML policy
Hi,
The current OWSM SAML policy validates only one token against Identity store.
Our requirement is to validate against a couple of attributes. Is there any option available in the existing policy, or do we need to write a custom policy extending the existing policy?
Any pointers on this will be very helpful.
Thanks,
Sowmya
I too am facing the same problem. Did you manage to solve this?
Please suggest. -
Custom OWSM Authorization Policy Not Visible in OSB 11g
I am trying to configure custom OWSM authorization policies to grant web service access in OSB to userids associated with custom WebLogic groups. Both OSB and SOA are version 11.1.1.5 with an Oracle Enterprise 11g database backend. To help rule out some possible operational errors, here are things that ARE working with the combination of SOA and OSB services:
* the underlying SOA service functions in the /em console test page
* the OSB proxy service works from the /sbconsole test page with OWSM oracle/wss_username_token_policy enabled
* the oracle/log_policy can be added to the OSB business service and generates log entries
* the outer proxy service can be successfully invoked from a remote client with no security policies,
with HTTP transport security and authorization policies and with OWSM authentication policies
attached (given the correct request payloads)
These findings would appear to rule out connection errors from the OSB engine to the jdbc/mds/owsm DataSource or proper startup of the "OWSM Policy Support in OSB Initializer Application" service within WebLogic. (By the way, that deploys with a typo in its registered name -- "Aplication" with a single p.)
Here are the steps that were performed:
1) created group myfirmIdentityData in WebLogic console (/console)
2) created userid myappuser in WebLogic console
3) added myappuser to the myfirmIdentityData group in WebLogic console
4) cloned the oracle/component_authorization_permitall Security policy to myfirm/authorize_IdentityData
using the Fusion console (/em on the SOA domain)
5) edited myfirm/authorize_IdentityData to add the "role" myfirmIdentityGroup to the
list of permitted roles (***)
*** note -- "roles" referenced within the OWSM policy configuration dialogs actually correspond to "groups" at the WebLogic Server level. A bit confusing at first but harmless.
6) accessed the SOA service in the Fusion console (/em), clicked on the Policies tab and verified
the myfirm/authorize_IdentityData policy is available for application to the SOA service (BUT DID
NOT ATTACH IT HERE -- I'm trying to attach it at the "outer" layer in OSB, not SOA Suite)
7) accessed the Service Bus console (/sbconsole), started a change session, selected the
proxy service, then clicked on the Policies tab, then clicked the Add button in the
Service Level Policies section
At that point, the only services listed are the factory supplied oracle/********* policies. There are two pages listed and flipping between the two doesn't show any other policies other than the oracle/***** policies.
I even tried stopping and starting the domain thinking maybe OSB caches all of the OWSM policies at startup rather than querying the mds_owsm schema dynamically to no avail. No myfirm/****** policies are displayed after a domain restart.
Any insight?
Thanks.
Once again, I wound up opening a Support Request with the TAC for direction on this issue. The policies were not appearing for assignment to OSB proxy / business services because they were being created against the wrong type of object within OWSM.
In a nutshell, policies in OWSM can be created to be applied against:
* Components --- only usable against SOA services
* Service Endpoints --- against URLs used as access points into services
* Service Clients -- against consumers of services as identified by credentials
* All -- all of the above
However, policies built against Components can only be applied to SOA composite services. When I cloned the existing oracle/component_authorization_permitall Security policy to the myfirm/authorize_IdentityData policy and then limited it to the myfirmIdentityGroup group, that policy would only be assignable to SOA composites since it applied only to Components.
To allow the group based authorization policy to be enforced in the outer OSB tier, the oracle/binding_authorization_permitall_policy was cloned to myfirm/authorize_IdentityGroup. That policy was defined to apply to endpoints and once saved, appeared in the GUI of the Service Bus console to assign to the proxy service for the service being implemented. A second component policy named myfirm/componentauthorize_IdentityGroup was cloned from oracle/component_authorize_permitall_policy to perform the group authorization at the SOA layer.
A different issue is being encountered configuring the OSB business service to forward the OWSM headers from the outer proxy service to the SOA service so the authorization succeeds at the inner layer but that's a different problem. With the SOA layer authorization policy disabled, client tests to the proxy service function correctly with a userid in the myfirmIdentityGroup group and generate an authorization failure when another client credential is used that does not belong to myfirmIdentityGroup. -
OWSM 11g: Message Protection
Hi All,
I have earlier worked on OWSM 10g and implemented XML encryption and decryption. Now I am trying to implement message protection (encryption and decryption) using OWSM 11g policies. The sample scenario consists of two web services, OWSM_11g and OWSM_11g_client. The message sent from OWSM_11g_client should be encrypted and signed, and OWSM_11g needs to verify the signature and decrypt the message.
Here is what i have done so far.
a.) I have attached oracle/wss10_message_protection_client_policy to OWSM_11g and oracle/wss10_message_protection_service_policy to OWSM_11g_client.
b.) I have configured a keystore for weblogic domain exactly as explained in the following article http://www.ora600.be/node/5000
c.) I have enabled the logging assertion for oracle/wss10_message_protection_client_policy & oracle/wss10_message_protection_service_policy.
The message flow between the services is proceeding without any errors. There are two problems that I am facing here:
a.) I cannot view the SOAP message in the message logs to verify the encryption and decryption.
b.) It seems that I may be missing out some configuration parameters as specified in the documentation required to apply above policies.
Any inputs regarding this would be greatly helpful.
Hi there,
I can suggest the following to you and hopefully it should work:
a.) Instead of using the default keystore you should set up a new keystore for the weblogic domain. You may follow the guidelines as described in the following article: http://www.ora600.be/node/5000
b.) Specify the keystore.recipient.alias (public key which maps to client_key according to the above article) at per-client basis using the Security Configuration Details and keystore.enc.csf.key (private key which again maps to client_key according to the above article).
c.) message_protection_client_policy and message_protection_service_policy are made up of assertion templates. So, go to the web services policy page and enable the logging assertion for each of the policies. Here, in case both the composites are on the same SOA server, you need to turn off the local optimization. Read the above post by Ronald which explains this lucidly. On this page you may change the setting for the request and response messages.
d.) You need to check the following log file to view the SOAP messages logged by the assertions to verify encryption and decryption: domains\soa_domain\servers\AdminServer\logs\owsm\msglogging\diagnostic.log
Here I was able to encrypt and sign the message when both the composites were on the same SOA server. However, when they were on different SOA servers some server-side error was occurring. You may try the same as an additional exercise and update me in case you succeed.
In case you still face any problems I will be glad to help you out.
Regards,
Shomit -
WLS10.3 and wssp1.1 policies support
Hi,
I try to use SAML policies in OSB 10.3 (ALSB). But the OSB only supports the wssp1.1 policies, and the web services I try to call from the OSB are deployed on a WLS 10.3 server which supports the wssp1.2 policies.
Can I use the wssp1.1 policies on a WLS 10.3 server?
I want to use the wssp1.1 SAML 1.1 sender-vouches policy.
thanks Edwin
Try this policy:
<?xml version="1.0"?>
<wsp:Policy
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Lax/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:ProtectTokens/>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:SignedSupportingTokens>
<wsp:Policy>
<sp:SamlToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssSamlV11Token10/>
</wsp:Policy>
</sp:SamlToken>
</wsp:Policy>
</sp:SignedSupportingTokens>
<sp:Wss10>
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
</wsp:Policy>
</sp:Wss10>
</wsp:Policy> -
How validate user.attributes in SAML assertation?
Hello!
I'm using WebLogic Server 10.3.6.0 + Oracle Service Bus 11.1.1.6 + Oracle Enterprise Manager 11g.
I deploy my Web Service on Weblogic Server and protect this by OWSM SAML-based policy (now it is oracle/wss_saml_token_bearer_over_ssl_service_policy).
It is working, but some things I don't understand.
My main question: how can I configure to validation of user.attributes in the saml assertation?
For example, inbound requests has 3 attributes in saml assertation tag: role, email and dept.
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance">
<soap:Header>
<wsse:Security>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="Id-0000010a3c4ff12c-0000000000000002"
IssueInstant="2006-03-27T15:26:12Z" Version="2.0">
<saml:Issuer Format="urn:oasis ... WindowsDomainQualifiedName">
TestCA
</saml:Issuer>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis ... WindowsDomainQualifiedName">
TestUser
</saml:NameIdentifier>
</saml:Subject>
<saml:Conditions NotBefore="2005-03-27T15:20:40Z"
NotOnOrAfter="2028-03-27T17:20:40Z"/>
*<saml:AttributeStatement>*
*<saml:Attribute Name="role" NameFormat="http://www.oracle.com">*
*<saml:AttributeValue>admin</saml:AttributeValue>*
*</saml:Attribute>*
*<saml:Attribute Name="email" NameFormat="http://www.oracle.com">*
*<saml:AttributeValue>[email protected]</saml:AttributeValue>*
*</saml:Attribute>*
*<saml:Attribute Name="dept" NameFormat="">*
*<saml:AttributeValue>engineering</saml:AttributeValue>*
*</saml:Attribute>*
*</saml:AttributeStatement>*
</saml:Assertion>
</wsse:Security>
</soap:Header>
<soap:Body>
<product>
<name>Enterprise Gateway</name>
<company>Oracle</company>
<description>Web Services Security</description>
</product>
</soap:Body>
</soap:Envelope>
But I want to permit only requests with 4 attributes (for example, role + email + dept + city) or something like that. How can I configure this in the OWSM policy settings or WebLogic settings?
Thanks for any help.
That would be the easiest route but isn't it against the standards to use triggers on tables. I was thinking of doing the validation before the item is created on the page, by customizing the create item and update item pages.
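As an added example (written here, not OWSM policy code; the question reports that the built-in policy does not check attributes), the following Python functions pull the saml:Attribute values out of a SAML 2.0 assertion like the one above and reject the request unless every required attribute name is present with a value, optionally restricted to an allowed set. The sample envelope is constructed from the request in the question with a placeholder e-mail address, and the check assumes the policy has already validated the assertion's issuer and signature before it runs.

```python
"""Require a fixed set of SAML 2.0 attributes before accepting a request.

Added example, not OWSM's own policy code: a pre-check of the kind one would
put in a custom OWSM assertion or gateway step, run only after the policy has
already validated the assertion's issuer and signature (attribute values are
meaningless until that has happened).
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def extract_attributes(envelope_xml: str) -> dict:
    """Return {Name: [values...]} for every saml:Attribute in the assertion's
    AttributeStatement(s). Only the SAML 2.0 assertion namespace is used;
    an assertion in another version yields an empty dict."""
    root = ET.fromstring(envelope_xml)
    attrs = {}
    path = "soap:Header/wsse:Security/saml:Assertion/saml:AttributeStatement/saml:Attribute"
    for attr in root.iterfind(path, NS):
        name = attr.get("Name")
        if not name:
            continue  # an unnamed attribute can never satisfy a requirement
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        attrs.setdefault(name, []).extend(values)
    return attrs


def check_required_attributes(envelope_xml, required, allowed_values=None):
    """Return (ok, missing, rejected).

    required       - attribute names that must be present with a value
    allowed_values - optional {name: set_of_allowed_values}; an attribute
                     that is present but carries a value outside the set
                     is reported in 'rejected'
    """
    attrs = extract_attributes(envelope_xml)
    missing = [name for name in required if not attrs.get(name)]
    rejected = [name for name, allowed in (allowed_values or {}).items()
                if name in attrs and any(v not in allowed for v in attrs[name])]
    return (not missing and not rejected, missing, rejected)


# Constructed sample based on the request in the question (e-mail address is
# a placeholder); the wsse namespace is declared so the envelope parses.
SAMPLE_REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="Id-0000010a3c4ff12c-0000000000000002" IssueInstant="2006-03-27T15:26:12Z" Version="2.0">
<saml:Issuer>TestCA</saml:Issuer>
<saml:Subject><saml:NameIdentifier>TestUser</saml:NameIdentifier></saml:Subject>
<saml:Conditions NotBefore="2005-03-27T15:20:40Z" NotOnOrAfter="2028-03-27T17:20:40Z"/>
<saml:AttributeStatement>
<saml:Attribute Name="role" NameFormat="http://www.oracle.com"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="email" NameFormat="http://www.oracle.com"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="dept" NameFormat=""><saml:AttributeValue>engineering</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</wsse:Security>
</soap:Header>
<soap:Body><product><name>Enterprise Gateway</name></product></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    # The question's case: require role, email, dept and city -> city is missing.
    print(check_required_attributes(SAMPLE_REQUEST, ["role", "email", "dept", "city"]))
    # The three attributes present, with role restricted to admin -> accepted.
    print(check_required_attributes(SAMPLE_REQUEST, ["role", "email", "dept"],
                                    {"role": {"admin"}}))
```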
Did anyone work on PIM to do this sort of customization, the pages are all dynamic and are pretty complex, I am not able to figure out where to fit in my validation. -
RIDC client using JAX-WS Web Service requires OWSM policy
Hi
For development purposes, I want to invoke the RIDC JAX-WS Web Service (I believe this to be the 11g idc native ws) but an error is thrown stating the various policies are invalid. The fact is my instance of Weblogic is not set up with OWSM and there are no security policies applied or configured.
I was wondering if there was a way to invoke this web service using http basic authentication and bypass the requirement to have a policy attached.
If not, does anyone have steps on how to enable OWSM and policies, and attach these to the IDC native web services).
Thanks
M
Hi Ryan
Yes, I have tried to use the JAX-WS with configuration that I was hoping would set Basic Auth on the request, however an error is thrown stating that the required policies are invalid on the server.
In summary:
I create a JaxWSClient client.
I create a binder using the client.
I create a IdcContext using a valid username and password.
I set up the service details and params in the binder.
I send the request by invoking the client and passing the binder and IdcContext.
With this basic set-up, I get a SOAP fault from the server stating that the policies 'oracle/no_authentication_service_policy' and 'oracle/no_messageprotection_service_policy' are invalid. It makes sense that they are invalid as they are not present on my WebLogic instance, and it seems that because I have not specified any other configuration, these are treated as the default policies.
Setting up basic auth would be ideal, as I do not have control of the Weblogic instances, and so getting OWSM would be a pain. There may be some way to set up the client to use Basic Auth, but unfortunately I cannot see how.
Cheers -
SOAP must understand error error when calling composite
Hi,
I am trying to invoke composite application in soa suite 11g from soapui. In soapui my soap request contains following part of security info under header part.
<wsse:Security soap:mustUnderstand="1" xsi:schemaLocation="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
..\Schemas\oasis-200401-wss-wssecurity-secext-1.0.xsd http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd ..\Schemas\oasis-wss-wssecurity-secext-1.1.xsd http://www.w3.org/2001/10/xml-exc-c14n# ..\Schemas\xml-exc-c14n.xsd">
But when I try to execute in soapui I am getting following error
<env:Fault>
<faultcode>env:MustUnderstand</faultcode>
<faultstring>SOAP must understand error:{http://docs.oasis-open.org/wss/2004 /01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security, {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security.
</faultstring>
</env:Fault>
I think I need to copy these xsd files in my composite application? if yes where should I and how to refer those in soap request?
Appreciate your quick help.
Thanks,
Sri
Without attaching a policy can't I execute?
No. You have to attach a policy. If none of the pre-seeded policies fulfill your requirement then you may always create your own custom policy. Please refer -
http://technology.amis.nl/blog/11138/owsm-custom-policies-still-some-sharp-edges-so-beware-dont-cut-yourself
http://ws-security.blogspot.com/2010/01/howto-owsm-11g-creating-custom-policy.html
Regards,
Anuj -
Disable Webservices access through web
Hi All,
In OFMW and AIA 11g PS3, how can we disable web services access through the web, i.e. restrict web service calls from the outside world using OWSM security policies?
We don't want to use username-based authentication or any other policies that are based on authentication and authorization.
Please let me know how we can achieve this.
Thanks in advance.
Hi,
I think the best way would be to block the access to services at firewall so that these services have restricted access within the network. This can be achieved only if none of the services need to be exposed over to the internet.
Regards,
Neeraj Sehgal -
BPEL - SOAP must understand error - Partner Link Reply Contains WSSE in Soa
Hello,
I'm trying to call a WS-Secured partner link from a BPEL process. The SOAP request looks perfect, however the partner link's reply contains a WSSE security element in the SOAP header. Is there a way to configure the BPEL process to expect this and not throw a 'SOAP must understand error'. Both Request and reply SOAP envelopes are below.
Any help would be much appreciated - thanks.
Request:
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><env:Header><wsse:Security xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:Username>username</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password></wsse:UsernameToken></wsse:Security></env:Header><env:Body>soapBody</env:Body></env:Envelope>
Response:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns0="http://xmlns.domain.com/service/soa/ServiceEntitlementWS" xmlns:ns1="http://xmlns.domain.com/services" xmlns:ns2="http://xmlns.domain.com/service/contract" xmlns:ns3="http://xmlns.ni.com/support/customer/serviceLevel" xmlns:ns4="http://xmlns.ni.com/support/customer/linkageSet"><env:Header> *<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" env:mustUnderstand="1"/>* </env:Header><env:Body>soapBody</env:Body></env:Envelope>
Edited by: user639053 on Oct 6, 2009 2:33 PM