Configuring a proxy service to use HTTPS security

In this recipe, we will configure a proxy service to use transport-level security based on HTTPS. This ensures that the communication between the consumer and the OSB service is encrypted, while the proxy service itself still receives the message in plain text.

If message-level security is necessary, where the message itself is encrypted, a recipe such as Securing a proxy service by protecting the message covered in Chapter 11, Handling Message-level Security Requirements, should be considered.

Getting ready

Make sure the OSB server is configured to work with SSL by applying the previous recipe Preparing the OSB server to work with SSL.

Make sure the solution from the recipe Using service accounts with OSB for basic authentication is available in Eclipse OEPE. If not, import it from here: chapter-12solutionusing-service-accounts-with-osb. Make sure you import both the using-service-accounts-with-osb and the using-service-accounts-with-osb-mockservice projects. Deploy the two projects to the OSB server.

Import the soapUI project from chapter-12solutionusing-service-accounts-with-osbsoapui into soapUI and execute Request 1 of the FindCustomer operation.


The endpoint shown at the top confirms that we are using HTTP, and that we pass the crmuser for basic authentication.

Let's now configure the proxy service so that the request is sent securely over SSL using HTTPS.

How to do it...

In Eclipse OEPE, perform the following steps:

  1. Open the proxy service CustomerManagement.proxy in the proxy folder.
  2. Navigate to the HTTP Transport tab.
  3. Enable the HTTPS required checkbox and confirm that the option Basic is still set for Authentication.
  4. Deploy the project to the OSB server.

    Now, let's test the behavior of our proxy service. In soapUI, perform the following steps:

  5. Re-execute the Request 1 test case like in the Getting Ready section.
  6. An HTTP/1.1 401 Unauthorized error will occur. This is because the server now only accepts SSL.
  7. Click on the endpoint drop-down listbox at the top and select [add new endpoint..]. A pop-up window will appear.
  8. Enter https://192.168.219.128:7002/using-service-accounts-with-osb/proxy/CustomerManagement into the Add new endpoint for interface field. Compared with the previous endpoint, the protocol changes to https and the port to 7002.
  9. Click OK.
  10. Rerun the Request 1 test case by using the new endpoint. It should run successfully using HTTPS.

We have now successfully added transport-level security by changing the protocol from HTTP to HTTPS on the proxy service.

How it works...

By simply enabling the HTTPS required option on the proxy service, we can enforce that a consumer uses HTTPS to communicate with the OSB service. This only works if SSL is enabled on the WebLogic server beforehand.

By doing this, basic authentication is more secure, because the username/password is no longer sent as plain text over the communication channel. But on the OSB server, inside the proxy service, the message is still readable. We can check that by adding a log action to the message flow of the proxy service and logging the value of the $body variable. If the message should also be protected inside the OSB, then we have to use message-level security covered in Chapter 11, Handling Message-level Security Requirements, and apply a recipe such as Securing a proxy service by protecting the message.
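The point about basic authentication can be checked directly: the Authorization header is only Base64-encoded, so on the HTTP endpoint anyone on the network path can read it. The following is an added example, not code from the book; the sample request, the password placeholder, and port 7001 (assumed here as the plain HTTP port) are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample of the request soapUI would send for Request 1.
# "example-password" is a placeholder; port 7001 is an assumed HTTP port.
SAMPLE_REQUEST = (
    b"POST /using-service-accounts-with-osb/proxy/CustomerManagement HTTP/1.1\r\n"
    b"Host: 192.168.219.128:7001\r\n"
    b"Content-Type: text/xml;charset=UTF-8\r\n"
    b"Authorization: Basic " + base64.b64encode(b"crmuser:example-password") + b"\r\n"
    b"\r\n"
    b"<soapenv:Envelope/>"
)


def basic_credentials(raw_request: bytes):
    """Return (user, password) from a Basic Authorization header, or None."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            return None
        try:
            # Base64 is an encoding, not encryption: no key is needed here.
            decoded = base64.b64decode(token.strip(), validate=True)
        except ValueError:                        # malformed token
            return None
        user, sep, password = decoded.decode("utf-8", "replace").partition(":")
        return (user, password) if sep else None
    return None


def audit_endpoint(endpoint_url: str, raw_request: bytes) -> str:
    """Classify whether the Basic credentials are protected on this endpoint."""
    creds = basic_credentials(raw_request)
    if creds is None:
        return "no-basic-auth"
    if urlsplit(endpoint_url).scheme.lower() == "https":
        return "protected-in-transit"             # TLS wraps headers and body
    return f"exposed:{creds[0]}"                  # readable on the wire
```

Even with the "protected-in-transit" result, the proxy service still sees the decoded credentials and the plain-text body, which is the gap that message-level security addresses.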
