Chapter 11. Handling Message-level Security Requirements

In this chapter, we will cover:

  • Preparing OSB server to work with OWSM
  • Configuring OSB server for OWSM
  • Securing a proxy service by Username Token authentication
  • Securing a proxy service by protecting the message
  • Securing a proxy service by using Username Token authentication and protecting the message
  • Securing a proxy service by using certificate authentication and protecting the message
  • Securing a proxy service with authorization through Message Access Control
  • Using JDeveloper to test a secured service
  • Calling a secured service from OSB

Introduction

Security has always played, and still plays, an important role in today's information-driven business processes. Consumers of information must know who sent it and that it has not been changed or read by others. Only then can they trust the message and carry out the transaction.

When thinking about security, it's important to distinguish between Transport-level and Message-level security.

Transport-level security is a technique in which the underlying operating system or application server handles the security features. Recipes for transport-level security are covered in the next chapter.

Message-level security is a technique in which all information related to security is encapsulated in the message itself. This is what WS-Security specifies for web services. Securing messages with message-level security instead of transport-level security has several advantages, which include:

  • Flexibility – parts of the message can be signed or encrypted. This means that intermediary nodes can see the parts of the message that are intended for them. This might be necessary in a routing scenario, so that the intermediary can determine where to send the message.
  • Supports multiple protocols – secured messages can be sent over different protocols such as FTP, HTTP, or e-mail without having to use protocol-level security.

Oracle Service Bus (OSB) supports both Transport and Message-level security. The level of security available on the OSB is dependent on the transport protocol used.

In this chapter, we will only cover Message-level security related recipes. The recipes for Transport-level security are covered in the next chapter.

Security in the OSB is handled by the Oracle Web Services Manager (OWSM). OWSM was introduced in the 11gR1 version of the OSB. Before 11gR1, we could only use the WLS 9.2 policies. Oracle recommends using the OWSM policies because in the next major releases of OSB, the old WLS 9.2 policies will no longer be supported.
