Proxy Auth based on Policy

I am using a Firewall IOS box 12.4 AdvancedIPServices. My design is as follows. I have 4 security zones in the firewall, and each zone has its own subnet. I want to create a policy/rule that allows port 3389 (RDP) to cross between a trust and untrust zone, and I want the user to have to authenticate to the tacacs+ or local database before it allows this connection to be made. I will have them go to a HTTP page to auth 1st. I am able to turn authentication on per interface, but I do not want all traffic leaving that zone to have to authenticate, just traffic I specify in my policy needs to authenticate. Is there a way to do this with Firewall IOS? If so can someone give me a config example?
Thanks
Chris

Hi Igor,
I don't think that is possible on ACE since client authentication is part of SSL handshake. The problem is that the server doesn't know if the client wants https://abc.com or https://abc.com/xyz until the SSL handshake has been completed. Only after SSH handshake is completed would ACE be able to look into the URL and take an LB decision. I don't know of any way we can tell ACE to request client authentication at that point, which would mean a complete SSL handshake again. I do see that this can be done on an Apache server etc., but I am not aware of any way that can be done on ACE.
Regards,
Kanwal

Similar Messages

  • OSB: Proxy Service and Dispatch Policy

    Hi all,
    I'm trying to use OSB (10.3) proxy service with dispatch policy set to WebLogic (10.3) work manager to limit maximum number of threads allocated for request to this proxy service.
    It seems to me that whole dispatch policy setting is ignored in OSB. The situation is like this: I have simple Axis based web service with wait method that just waits for few seconds (based on request parameter). I use this service for testing (hm, so far just for trying to understand) OSB dispatch policy function.
    Using soapUI I created a simple load test which uses 10 threads to call wait(10) - it means "wait for 10 seconds". Time limit for the whole load test is set to 20 seconds. It is clear that the total execution count is 2 x 10 = 20. So far, so good.
    Then I created simple proxy service in OSB that just routes request to business service representing my Axis service with wait method. I set a dispatch policy for the proxy service to WorkManager-2threads (see below) and I expected that running the same load test with endpoint set to OSB would result in significant lower total execution count. I expected that because WebLogic should allocate 2 threads at most for all requests to this proxy service. However, that's not the case as the result is the same as in the first (Axis only) test. Just as there was no dispatch policy settings at all ...
    Where is the problem?
    This is the relevant part of my WebLogic configuration regarding work manager:
    <max-threads-constraint>
    <name>MaxThreadsConstraint-2</name>
    <target>AdminServer</target>
    <count>2</count>
    <connection-pool-name></connection-pool-name>
    </max-threads-constraint>
    <work-manager>
    <name>WorkManager-2threads</name>
    <target>AdminServer</target>
    <max-threads-constraint>MaxThreadsConstraint-2</max-threads-constraint>
    <capacity xsi:nil="true"></capacity>
    <ignore-stuck-threads>false</ignore-stuck-threads>
    </work-manager>

    It's the same problem for me. I do a pressure test with LoadRunner. I deployed two separate proxy services; under the same concurrent users, I get the same TPS from the two proxy services. But when I add low priority concurrent users, the low priority TPS goes up.
    I set the Route option as you say, but WebLogic hung immediately, and can't be accessed by the console.

  • WLC 5508 LDAP Windows 2008 Server - auth based on AD groups

    Hi NG,
    I'm trying to web-authenticate my Wifi users of a WLC 5508 against LDAP.
    Thereby I'm trying to authenticate all users within a GROUP, not an OU, within the MS Active Directory based upon a Windows 2008 Server.
    I can authenticate against a user which is being put into an OU, according to examples based here: https://www.cisco.com/en/US/products/ps6366/prod_configuration_examples_list.html
    Checking based upon Users within OUs works fine.
    But I have not got all of those users within one single OU!
    Need help for following:    LDAP-Auth based on AD Groups:
    Using:
    MS-Domain:                          MY-DOMAIN.CH
    AD-GROUP:                          VPN-USERS
    AD-Structure:
    MY-DOMAIN.CH
    |
    GROUPS
            |
        Administrative Groups
                          |
                     VPN-USERS
                              (-> Member of this Groups (Wireless1, Wirless2, ...)
    Server Adress:               IP.IP.IP.IP
    Port:                                 389
    Enable Server Stats      YES
    Simple Bind                    Authenticated
    Bind Username              LDAP-USER
    Bind Password               supersecret
    Bind Passw. confirm      supersecret
    User Base DN:               ?-1-?
    User Attribute:                ?-2-?
    User Object Type:          Person
    Server Timeout               2
    What happens, for instance, if I put a GROUP within a GROUP regarding the LDAP Authentication?
    I guess I have to authenticate against the "upper" GROUP, or do I have to create an entry on the WLC for every GROUP I'm questioning?
    Could someone provide me with an example, since I have not found documentation regarding this topic.
    Thank you.

    Hi,
    User Base DN : this is in case you want to restrict the search area. If you put "dc=mydomain,dc=CH", you will search your whole AD. Depending on the size, it can be slow ...
    Remember that the User Base DN is also used for the admin user.
    In conclusion, User Base DN should be the most restrictive path that leads to both the admins and the users you want to authenticate.
    Example :
    OU=Employees,OU=Humans,DC=Mydomain,DC=CH
    This would prevent searching in machines or any assets. This implies that the admin you bind with is an employee and you are only authenticating employees. You can have any number of OUs under employees, it doesn't matter.
    Attribute : This is the object attribute that the WLC uses to compare with the user name. In general, you would go with sAMAccountName in AD. CN would be another common example for LDAP databases.
    If what you are looking for is to restrict access and only authenticate people who belong to a certain group, then you need a radius server like ACS.
    That server will be able to make selections and check the "memberOf" attribute to make sure it is in a certain group.
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • HTTP Basic Auth and Proxy Auth

    Hi,
    i have a problem with the authentication against a proxy server and against a content provider. At first I have to authenticate against the proxy to get "free internet". The next step is to authenticate against the content provider to get a html or xml file.
    The following source code runs very well in Eclipse, i.e. as JUnitTest. But if I execute the same code within a weblogic server, I will get an error (not authenticated). I believe I get this message from the content provider and not from the proxy because if I test this code within the weblogic server and with no authentication (i.e. google needs no authentication), I will get a valid xml/html file.
    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStreamReader;
    import java.io.UnsupportedEncodingException;
    import java.net.Authenticator;
    import java.net.InetSocketAddress;
    import java.net.MalformedURLException;
    import java.net.PasswordAuthentication;
    import java.net.Proxy;
    import java.net.URL;
    import java.net.URLConnection;
    import org.apache.commons.codec.binary.Base64; // Apache Commons Codec

    public class ProxyAuthExample {
        public static void main(String[] args) {
            StringBuffer sb = new StringBuffer();
            // Credentials for the content provider (HTTP Basic auth)
            SimpleAuthenticator simple = new SimpleAuthenticator("joeuser", "a.b.C.D"); // from openbook
            Authenticator.setDefault(simple);
            String strUrl = "http://www.rahul.net/joeuser/";
            URL url = null;
            try {
                url = new URL(strUrl);
            } catch (MalformedURLException e) {
                e.printStackTrace();
                return;
            }
            URLConnection conn = null;
            InetSocketAddress addr = new InetSocketAddress("proxy.domain", 8080);
            Proxy proxy = new Proxy(Proxy.Type.HTTP, addr);
            try {
                conn = url.openConnection(proxy);
            } catch (IOException e) {
                e.printStackTrace();
                return;
            }
            // Credentials for the proxy, sent preemptively in the request header
            String proxyStr = "username" + ":" + "passwordl";
            String encoded = new String(Base64.encodeBase64(proxyStr.getBytes()));
            conn.setRequestProperty("Proxy-Authorization", "Basic " + encoded);
            // get http status code which is located in header field 0
            String status = conn.getHeaderField(0);
            if (status != null && status.contains("200")) {
                BufferedReader in = null;
                try {
                    in = new BufferedReader(new InputStreamReader(conn.getInputStream(),
                            "ISO-8859-1"));
                    String inputLine;
                    while ((inputLine = in.readLine()) != null) {
                        sb.append(inputLine);
                    }
                    in.close();
                } catch (UnsupportedEncodingException e) {
                    e.printStackTrace();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            } else {
                System.out.println("Error");
            }
            System.out.println(sb.toString());
        }
    }

    // Supplies the username/password whenever java.net asks for credentials
    class SimpleAuthenticator extends Authenticator {
        private String username, password;

        public SimpleAuthenticator(String username, String password) {
            this.username = username;
            this.password = password;
        }

        protected PasswordAuthentication getPasswordAuthentication() {
            return new PasswordAuthentication(username, password.toCharArray());
        }
    }
    Does somebody know a solution? I need the authentication against proxy and content provider in "one application".
    Thank you very much,
    André

    I typically have used Apache Commons HttpClient for anything but trivial URL connections, and especially when combining both basic auth and proxy auth. When you use it, be aware of the "preemptive authentication" flag. One server I worked with didn't send the correct parameters back on particular requests, so I had to turn on this flag to get it to work.

  • IMAP proxy auth - logs in as admin if user is absent

    While syncing accounts from an older server to OCUCS with the imapsync script, I found today that when using IMAP proxy auth (with OUCS 7u2 "vanilla" installation) and specifying a wrong user name (unknown to OCUCS), the IMAP server logs absence of the user, however imapsync goes on to put sync'ed messages into the proxy-admin user's account.
    I believe this means that failure to proxy-login as invalid user still succeeds as a proxy-user login. (Or imapsync retries this login, and the problem is there - I'll try to research that possibility too).
    If the problem is known to be the Messaging server's one, is there any toggle to disable such logins as the proxy user, and return a failure (i.e. user account absence, password mismatch, whatever)?

    Ok, upon revising the imapsync script (and parameters I've needed to set for OCUCS), I see this comment in the docs:
    You may authenticate as one user (typically an admin user), but be authorized as someone else, which means you don't need to know every user's personal password.
    Specify authuser1 "adminuser" to enable this on host1.  In this case, authmech1 PLAIN will be used by default since it is the only way to go for now.
    So don't use authmech1 SOMETHING with authuser1 "adminuser", it will not work. Same behavior with the --authuser2 option.
    When working on Sun/iPlanet/Netscape IMAP servers you must use --proxyauth1 to enable administrative user to masquerade as another user.
    Can also be used on destination server with --proxyauth2
    Indeed, I had to use "--proxyauth2" to receive mails into a user's mailbox, and according to your description, the server part seemingly works as designed - so no problem on OCUCS side. I wonder if imapsync script can be amended to detect the "proxyauth" failure and abort, but this is also not an OCUCS problem indeed.
    Thanks for the quick and helpful description.

  • Proxy Auth authentication required and kerberos

    Hi All
    Oracle supports the proxy auth trusted subsystem which allows greater scalability through the use of a system wide connection pool. There is a configuration option to "authentication required" to the proxy auth system.
    Oracle also support kerberos authentication for external users.
    What I would like to know is whether the proxy_auth authentication required is compatible with kerberos authentication. That is, can I configure proxy auth to authenticate the tunneled user using kerberos?
    Thanks
    Edited by: user8002300 on 28/10/2009 16:47

    Hi,
    What you can do is to set up a reverse and the forward proxy. When the client hits the first proxy it should be configured as a reverse proxy which will redirect the request to the second proxy (this will be a reverse proxy) which will connect to the internet.
    Hope this helps.
    Regards,
    Dakshin.
    Developer Technical Support
    Sun Microsystems
    http://www.sun.com/developers/support.

  • Comms Express and proxy auth (ie for a portal or Identity system)

    All, we'll be moving to Comms Express in about a month and we currently have an Identity/access management solution working with Mess Express (6.1) and using the proxy auth url (http://webmail.domain.com/?user=user1&proxy-auth=.....) We can pass the proxy auth from the access manager (SiteMinder) to ME and people can login into their Webmail (ME) without incident.
    However UWC is a different animal. Does anyone know how to get a proxy auth url string for UWC to accomplish the same thing? I know UWC essentially does a proxy auth for messaging and calendar already, so we have to find something that does it to pass it to messaging and calendar to get the Comms Express interface.
    We will be using the following version:
    Sun Java(tm) System Messaging Server 6.2-4.03 (built Sep 22 2005)
    libimta.so 6.2-4.03 (built 04:37:42, Sep 22 2005)
    And UWC is at 118540-23
    Any help would be appreciated.

    pruebitas wrote:
    Before, when we had Messenger Express, we have a web (like a portal) where users used to fill in a form with the user and the passwd to connect to the messenger express.
    Now, with the UWC, is not possible to access the same way. I'm a bit lose with this.
    UWC provides Access Manager Single-Sign-On (SSO). So if your web-application was to set an access-manager SSO cookie when the user logged in and redirected the user to the UWC login page, they would be automatically logged in (assuming you had configured UWC to allow access manager authentication).
    For information on how to set access manager SSO cookies in web-interfaces, please refer to the access manager manuals on docs.sun.com.
    Regards,
    Shane.

  • Safari with web proxy auth

    hello friends, I have problems to browse with safari, my connection is via a Web server proxy auth, which I form it and sails, but it asks for user to me and pass whenever I open a page or thorn a Link of the same, in Windows single entrance once user and pass, and does not ask for it until I close browser and I return it to open, the idea is that it works of that form as I can do it?
    Sorry English by google translator.....

    There's no need to activate and no way to deactivate.
    Open a connection to the Proxy, write out multiple requests to the socket, and
    ensure that the responses arrive in the same order as the requests were sent.
    Regards,
    Suresh

  • Does PI need a direct connection to third party or can work with a proxy server based connection to third party?

    does PI need a direct connection to third party or can work with a proxy server based connection to third party?

    Hi,
    It basically includes 3 systems, one is our ECC sender system, middle one is PI box and third one is the receiver system. Data is successfully reaching to PI system from our sender system. Now we want to forward this to our third party system from PI box.
    I want to know that such sending of data requires direct connection to third party or it can be done by proxy server based connection to third party. If it is possible then what are the steps to do this?
    Regards-
    Anuj Nogja

  • Swupdate spamming proxy -- auth req'd

    We set up proxy authentication the other day to better track our users. The proxy/firewall is an Astaro Security Gateway V7.
    I'm getting the following message in our access logs
    2009:12:22-09:33:59 navmail httpproxy[4564]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.10.210.2" user="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction=" ()" size="2283" time="0 ms" request="0xb29038d0" url="http://swscan.apple.com/content/catalogs/others/index-leopard.merged-1.sucatalog" exceptions="" error=""
    it repeats this several times per second, which my proxy doesn't like much at all.
    "10.10.210.2" is the OS X server IP. I'm guessing the "swscan.apple.com" url is for software updates. I have input the proxy information, with authentication credentials, in System Preferences. Nonetheless, the "user" field is blank and the status code is 407 (proxy auth req'd.) Is there somewhere else where I have to set this information?
    Why is it retrying the request so aggressively? My firewall's CPU is pegged. Drops to 10% utilization when I shut the server down.
    That's another thing. If I turn off the software update service, the messages in the access log keep coming. I have to actually shut the whole thing down to get them to stop.
    Any ideas? Is this what I think it is? (software update?)
    thanks!
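
One way to measure the behaviour described in the post above from the proxy side, as an added example that is not part of the original post: it parses httpproxy lines in the key="value" layout quoted there and reports clients that hit 407 repeatedly within one second without ever sending a user name. The sample lines, the placeholder URL path and the threshold are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Timestamp, host name and process tag in the layout of the log line quoted above.
HEAD = re.compile(r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (\S+) httpproxy\[\d+\]: ')
KV = re.compile(r'(\w+)="([^"]*)"')

TEMPLATE = ('{ts} navmail httpproxy[4564]: severity="info" sys="SecureWeb" sub="http" '
            'action="{action}" method="GET" srcip="{src}" user="{user}" '
            'statuscode="{code}" url="{url}"')


def make_line(ts, src, user, code, url):
    """Build one constructed sample line with a subset of the real fields."""
    action = "block" if code == "407" else "pass"
    return TEMPLATE.format(ts=ts, action=action, src=src, user=user, code=code, url=url)


UPDATE_URL = "http://swscan.apple.com/placeholder"  # placeholder path, constructed
WEB_URL = "http://www.example.com/"                 # constructed

# Constructed sample log: one client looping on 407, one client doing a normal
# challenge (single 407) followed by an authenticated request.
SAMPLE_LOG = (
    [make_line("2009:12:22-09:33:59", "10.10.210.2", "", "407", UPDATE_URL)] * 4
    + [make_line("2009:12:22-09:34:00", "10.10.210.2", "", "407", UPDATE_URL)] * 3
    + [make_line("2009:12:22-09:34:00", "10.10.210.7", "", "407", WEB_URL),
       make_line("2009:12:22-09:34:00", "10.10.210.7", "alice", "200", WEB_URL)]
)


def parse_line(line):
    """Return the key/value fields of one httpproxy line, or None if it is not one."""
    m = HEAD.match(line)
    if not m:
        return None
    rec = dict(KV.findall(line[m.end():]))
    rec["ts"], rec["loghost"] = m.group(1), m.group(2)
    return rec


def unauthenticated_retry_storms(lines, per_second_threshold=3):
    """Find (client, destination host) pairs that repeat 407s with an empty user field."""
    per_second = Counter()
    authenticated = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src = rec.get("srcip", "")
        if rec.get("user"):
            authenticated.add(src)  # this client did send proxy credentials at least once
        if rec.get("statuscode") == "407" and not rec.get("user"):
            host = urlsplit(rec.get("url", "")).hostname or ""
            per_second[(src, host, rec["ts"])] += 1

    peak, total = {}, Counter()
    for (src, host, _ts), count in per_second.items():
        peak[(src, host)] = max(peak.get((src, host), 0), count)
        total[(src, host)] += count

    return [
        {"srcip": src, "host": host, "peak_per_second": peak[(src, host)],
         "total_407": total[(src, host)], "ever_authenticated": src in authenticated}
        for (src, host) in sorted(peak)
        if peak[(src, host)] >= per_second_threshold
    ]


if __name__ == "__main__":
    for finding in unauthenticated_retry_storms(SAMPLE_LOG):
        print(finding)
```

A client that shows up here with `ever_authenticated` false is a process that never picked up the proxy credentials, which is the usual reason for the empty `user` field next to a 407.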


  • Osb proxy service with owsm policy auth slow when soap request very large

    I have a proxy service which is secured with the OWSM policy oracle/wss_username_token_service_policy. The proxy service simply routes to a Business Service which directly invokes a BPEL-exposed web service. When I call the proxy service with a SOAP envelope larger than 15MB (not attachment), after waiting about 4~5 minutes the BPEL instance is created; but when I remove the security policy oracle/wss_username_token_service_policy, it costs only 20 seconds. Why does authentication cost so long? How can I deal with the problem?
    My English is poor, please don't mind!
    besides, with my OSB version is 11.1.1.6.0

    I finally figured it out. The nullpointer exception is related to the SAML assertion. The SAML assertion in my requests is signed with an embedded signature and this seems to be not supported with the used OWSM policy. Without the signature the exception is gone.
    Marian

  • Configuring ISE to proxy Authentications based on email address

    Hi
    I'm looking for a little help configuring ISE to proxy requests to external radius servers based on email address and password. I want to configure eduroam on our WLAN. Eduroam allows students connect to the WIFI of other Campuses using their local credentials
    Workflow:
    User associates to SSID (eduroamTest)
    Prompted for username & password (802.1x)
    User puts in username and password in the form [email protected] (UPN)
    If the user is part of our local institution they are authenticated using our local radius server (ISE)
    If the user is a  member of a partner institution the request is proxied to an external radius server (National Gateways).
    The National Gateways  passes the request to the relevant institution based on the UPN (eg @ucd.ie will be passed to ucd radius servers)
    The institution authenticates the user and passes the  request back to the National Gateways
    The National Gateways passes this request back to our ISE server and the external user is authenticated
    The user can browse the web
    What I have done:
    Setup the National Gateways as external proxy servers
    Created firewall rules to allow the traffic
    Configured the proxy sequence with these servers
    Created a policy to proxy requests to the proxy sequence
    What I need to figure out:
    How to get ISE to authenticate/proxy requests, for the SSID eduroamTest, based on UPN eg (if username = *@rcsi.ie then use local ISE otherwise use proxy service)
    Any help with this configuration would be greatly appreciated as I am new to ISE.
    If you need any more info please let know.
    Kind regards
    John

    Sounds like you did most of the work already. To get ISE to direct certain requests based on attributes in the request to another radius server, all you need to do is create a new authentication rule, where you check for the following attributes:
    radius/called-station-id contains "eduroam"
    and
    radius/username ends with "rcsi.ie"
    Then you can select the radius server sequence you created instead of the normal "Allowed protocols" list.
    If you want to be in control of the authorization, there is a flag you must set in the radius server sequence in ISE, this will let you control what rights the client is given locally, while still authenticating the user remotely.
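
The routing decision from the thread above, modelled in Python as an added example; it is not part of the original posts and is not ISE configuration. It goes one step beyond the reply by comparing the whole realm after the last "@" and the exact SSID, since a plain "ends with rcsi.ie" test also matches a different domain whose name merely ends in those characters. Assumptions: Called-Station-Id arrives as `AP-MAC:SSID`, and the realm `notrcsi.ie` and the MAC address are constructed samples.

```python
LOCAL_REALM = "rcsi.ie"      # home realm named in the question
EDUROAM_SSID = "eduroamTest"  # SSID named in the question


def ssid_of(called_station_id):
    """Extract the SSID, assuming the common 'AP-MAC:SSID' layout (an assumption)."""
    _mac, sep, ssid = called_station_id.rpartition(":")
    return ssid if sep else None


def split_realm(username):
    """Split 'user@realm' at the last '@'; return (user, realm) or None if malformed."""
    user, sep, realm = username.rpartition("@")
    realm = realm.strip().rstrip(".").lower()  # realms compare case-insensitively
    if not sep or not user or not realm:
        return None
    return user, realm


def suffix_rule(username):
    """Literal reading of 'username ends with rcsi.ie', kept here for comparison."""
    return username.lower().endswith(LOCAL_REALM)


def route(called_station_id, username):
    """Decide where an 802.1X request goes: 'local', 'proxy', 'reject' or 'other-ssid'."""
    if ssid_of(called_station_id) != EDUROAM_SSID:
        return "other-ssid"   # rule does not apply, fall through to other rules
    parsed = split_realm(username)
    if parsed is None:
        return "reject"       # no realm: cannot be routed to any institution
    _user, realm = parsed
    return "local" if realm == LOCAL_REALM else "proxy"


def compare(samples):
    """Return (username, suffix_rule result, route result) for each sample identity."""
    csid = "00-11-22-33-44-55:" + EDUROAM_SSID  # constructed AP MAC
    return [(name, suffix_rule(name), route(csid, name)) for name in samples]


if __name__ == "__main__":
    # Constructed identities: home user, partner user, look-alike realm,
    # upper-case realm, and an identity with no realm at all.
    for row in compare(["student@rcsi.ie", "student@ucd.ie", "student@notrcsi.ie",
                        "student@RCSI.IE", "student"]):
        print(row)
```

The third sample is the case worth checking on a live policy: the suffix test treats it as local while the realm comparison sends it to the proxy sequence.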

  • Windows 8 and IE10 not accepting Proxy Settings via Group Policy

    We have recently introduced a couple of Windows 8 computers in our network, and we are having issues applying the Internet Explorer Proxy Server settings.
    We use a Microsoft TMG 2010 server as our proxy server for accessing the internet.
     We have been using a GPO with the following settings to automatically configure our Windows 7 computers running IE9 with the appropriate Proxy settings:
    User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\Connection/Proxy Settings
    “Enable Proxy Settings” : Checked
    “Address of proxy” : server.domain.local
    “Port” : 8080
    “Use the same proxy server for all addresses” : Checked
    “Exceptions” : Here we have a list of several internal or partner sites that should not be proxied.
    This GPO has worked beautifully for our Windows XP and Windows 7 users with IE 7, 8 and 9.
     Now with Windows 8 and IE10, this no longer works. 
    I’ve therefore added a Windows Server 2012 Domain Controller to the network, and using GPMC on that new DC, I created a new GPO with the following settings:
    User Configuration\Preferences\Control Panel Settings\Internet Settings\Internet Explorer 10
    Now, seeing as these are preferences, it’s a little different.  But, I’ve “checked off” the option “Use a proxy server for your LAN” as well as “Bypass proxy server for local addresses”. 
    Then I click on “Advanced” and setup all my proxy settings the way I would like them, including the proxy server name, port and exceptions list.
    When this new group policy gets applied to my Windows 8 PC, the only setting that gets applied is the “Use a proxy server for your LAN”. 
    It does not configure the name or port of the proxy server nor does it configure the exceptions list. 
    If I go back to the GPMC, and edit the new GPO, the settings are all there. 
    However, if I just view the settings from the main GPMC screen (without opening the GPO itself), 
    I don’t see all of those settings (again, only the one “Use a proxy server…”)
    What am I missing???

    Hi All, - (Revised Answer by myself)
    I banged my head against the keyboard on this one for some time trying to get this group policy to apply. I did everything that was suggested, learning about the F6 and F7 keys to Green underline and Red underline the options required and not required. I even gave in and used the registry settings and it still did not work. It turned out that I had 2 issues. The first one is obvious and the second not so obvious, this is how it is setup:
    I have a 2012 R2 Standard DC with Windows 8.1 clients/workstations and IE 11. As you are aware you must make sure that the following are underlined in green:
    Automatically detect settings - (but not ticked)
    Use proxy server for your LAN
    Bypass Proxy for local address
    Next I made sure that the following had red dotted lines:
    Address
    This still didn't work, so I went through my 'Do Not use proxy servers for addresses beginning with', removed all of these and then re-added one by one until the problem materialized. The first issue was when using wildcards I had added an entry with the following:
    http://domain.subdomain.com/*
    This caused my proxy fields not to be applied, so I re-added this just with:
    http://domain.subdomain.com/
    This next one is IMPORTANT.
    I had these entries in a Word document, which I had copied and pasted from the entry box for 'Do Not use proxy servers for addresses beginning with'. As shown in the screen shot above provided by SVEN_BURGER I had very similar entries:
    http://domain.subdomain.com/;10.*.*.*;172.27.*.*;http://172.27.*.*
    Each time I copied and pasted the line (+ more) above, the proxy field on the Windows 8.1 client would be blank after using 'gpupdate /force'. I then noticed that in my Word document the whole string was being seen as 1 URL due to the http part at the beginning, so I changed my entry to look like this:
    10.*.*.*;172.27.*.*;http://172.27.*.*;http://domain.subdomain.com/
    I again noticed that this section:
    http://172.27.*.*;http://domain.subdomain.com/
    Was being seen as one URL in my Word document. To resolve this I had to add the URLs individually and apply and OK these before going back in and making the next entry. So I ended up adding them all individually after separating the URLs in my Word document.
    I hope this helps.

  • Windows 8 and IE10 and 11 not accepting Proxy Settings via Group Policy from windows server 2003

    Hi
    We are still running Windows Server 2003 with a Win7 and Win8 desktop environment. I can control Win7 IE9 settings,
    But Win8 systems are running IE10. We have an internal proxy server.
    Is there any way to force the proxy settings to the Win8/IE10 or 11 systems?
    I have tried with the IE 10 .adm template and applied the GPO, but it does not have any proxy settings for IE10 and no changes were applied.
    Please can anyone help me regarding this?
    I want to apply GPO from Windows Server 2003 to Windows 8 IE10/11.
    Thanks
    KNC

    Hi,   
    I agree with Zanderol24, we can install RSAT on a windows8 client, and then we can use Group Policy Management to manage group policy from the client.
    For more information about RSAT, we can refer to the following link:
    Remote Server Administration Tools (RSAT) for Windows Client and Windows Server (dsforum2wiki)
    http://social.technet.microsoft.com/wiki/contents/articles/2202.remote-server-administration-tools-rsat-for-windows-client-and-windows-server-dsforum2wiki.aspx
    For more detailed information about how to use GPP to configure the proxy setting for ie10 and ie11, we can refer to the following link:
    How to configure Group Policy Preference settings for Internet Explorer 11 in Windows 8.1 or Windows Server 2012 R2
    http://support.microsoft.com/kb/2898604
    When we use GPPs you need to be aware of the F5-F8 keys:
    Red / Green: GP Preferences doesn’t work even though the policy applied and after gpupdate \force
    http://blogs.technet.com/b/grouppolicy/archive/2008/10/13/red-green-gp-preferences-doesn-t-work-even-though-the-policy-applied-and-after-gpupdate-force.aspx
    Besides, aside from using group policy to manage IE, IEAK can also be used to do this.
    For IEAK, the following article can be referred to for more information.
    Internet Explorer Administration Kit (IEAK) Information and Downloads
    http://technet.microsoft.com/en-in/ie/bb219517.aspx
    Best Regards,
    Erin

  • Osb 10gR3 - Active Intermediary proxy with custom WS-Policy files

    I'm setting up an Active Intermediary proxy, and the Security option on the proxy to "Process WS-Security header" is only usable when Custom Policy Bindings are assigned to the proxy. But I don't want to use the default Oracle policies.
    The "Select WS-Policy" popup within OSB only shows entries under the Predefined Policy tab. Yet I have custom WS-Policy files which have been imported into OSB.
    So what's the trick?

    Hi,
    Below are the steps followed
    - OSB Proxy service has 'oracle/wss_username_token_service_policy' attached to it.
    - I am invoking this from BPEL. BPEL process has 'oracle/wss_username_token_client_policy' attached.
    - I can invoke the osb proxy from bpel by passing credentials - No Issues.
    Now I need to put some authorization restriction to the proxy service, so only specific users can access that.
    -I used Role=Admin as a policy condition restriction under security in Proxy service.
    -Then I went to proxy test console and I added the 'oracle/wss_username_token_client_policy' credentials and weblogic/xxxxx at Transport section and I was able to invoke the process. Here weblogic has an Admin Role.
    -I cannot invoke the same proxy service from BPEL in Jdeveloper now.
    All I am trying to do is to protect my proxy by authorization policy.
    Thanks
    Jagan.
