Oracle Web Services Manager: Authentication and Authorization

6 min read

Here, we will see:

  • Steps involved in the authentication and authorization process
  • Learning file authentication and authorization
  • Implementing active directory authentication and authorization
  • Details of policy template

Steps Involved in the Authentication and Authorization Process

Oracle Web Services Manager can authenticate the web services request by validating the credentials against a data store. The credentials (e.g. username and password, SAML token, certificate, etc.) that are attached to the web services will be validated against the data store, such as the file system, databases, active directory and any LDAP compliant directory. Once authentication is successful, the next step is to perform authorization by validating the username against a set of pre-defined groups which have access to the web service.

The following figure shows the process where the user accesses an application which acts as a client for the web service. The client application then attaches the username and password to make the web service request. The username and password are then validated against file system or LDAP directory by Oracle WSM, either using the gateway or the agent.

Oracle Web Services Manager: Authentication and Authorization

The authentication and authorization against different directory stores can be configured using Oracle WSM policy steps. Oracle Web Services Manager has predefined policy steps for:

  • File Authenticate and Authorize
  • Active Directory Authenticate and Authorize
  • LDAP Authenticate and Authorize

In the previous figure, the Oracle WSM Gateway is used to protect the web services and externalize the security. In order to authenticate and authorize requests to web services, the web services can be registered within the gateway and the request pipeline of gateway will validate the credentials and authorize the access before it forwards the request to the actual web service provider. The gateway steps for authentication and authorization can be summarized as:

  • Log incoming request (optional)
  • Extract credentials get the credentials from the SOAP message or HTTP header)
  • Authenticate (file authenticate, active directory authenticate, etc.)
  • Authorize (file authorize, active directory authorize, etc.)
  • Request is forwarded to the web service provider

The response from the web service also follows through a similar response pipeline where you can implement the log, encryption of response, or signing, or response, etc. While it is not required to implement any steps in the response pipeline, there should be a response pipeline even if it’s doing nothing.

Oracle WSM: File Authenticate and Authorize

Oracle Web Services MManager can authenticate the web services requests against a file that has the list of usernames and passwords. In this example, the username and password information are part of the SOAP message, however one can also send a username and password as HTTP header, or it can be any XMML data that is a part of the web services message. While file-based authentication can easily be compromised, it is often used as a jump start or testing process to validate the authentication and authorization process.

Authentication and authorization of web service requests against a file requires three main steps, and these are described below. There is a default log step which will log all the request and response messages, and you can also include that log step at any point to log messages:

  • Extract Credentials
  • File Authenticate
  • File Authorize

The first step to authenticate a web service request against a password file (file authenticate) is to extract the username and password credentials from the SOAP message. The client application attaches the username and password to the SOAP message, as per the UserName token profile.

In the policy to authenticate the web service against the file, add the step in the request process to extract credentials. Since this is a web service request, as opposed to HTTP post, configure the Credentials location to WS-BASIC (refer to the following screenshot).

Note: WS-BASIC means that it is WS-security compliant. WS-security is the oasis specification that specifies how security tokens are inserted as a part of the SOAP message. In other words, WS-BASIC means that the username and password can be found in the SOAP message, as per the username token profile of the WS-security specification.

Oracle Web Services Manager: Authentication and Authorization

Once the credentials are extracted, the next step is to validate them against the file. The default implementation of the Oracle WSM File Authenticate requires the username and password to be in a comma separated format and the password should be the hash value using a MMD5 or SHA1 algorithm.

In order to authenticate the credentials against the data store, the next step is to configure the File Authenticate step in Oracle WSMM. In this step, the options are straightforward. We have to configure the location of the password file and the hash algorithm format as either md5 or SHA1 (see the next screenshot).

Oracle Web Services Manager: Authentication and Authorization

The sample file with username and password is: bob:{MD5}jK2x5HPF1b3NIjcmjdlDNA==

You can use the wsmadmin tool provided as part of Oracle WSMM standalone or SOA suite). Type: wsmadmin md5encode bob password c;.htpasswd



Now that the authentication steps are configured, the next step is to configure the authorization policy step to ensure that only valid users can access the web service. For the file authorization method, it is no different than the file authenticate method i.e. even the user-to-role mappings are kept in the file.

The following figure shows the File Authorize policy step. In this step, we have to define the location of the XML file that contains the users to roles mapping, and also the list of roles that should be allowed to access the service.

Oracle Web Services Manager: Authentication and Authorization

The roles XML file should look like:

<?xml version=‘1.0' encoding=‘utf-8'?>
<user username="joe" roles="guest"/>
<user username="Bob" roles="Admin,guest"/>

In the previous XML file, the list of roles the user belongs to are defined as a value of roles element and is comma separated.

Now that we have completed the steps to extract credentials, authenticate the request and also authorize the request, the next step is to save the policy steps and commit the policy changes. Once the policy is committed, any request to that web service would require a username and password, and that user should have necessary privileges to access the service.

Oracle WSM: Active Directory Authenticate and Authorize

In the previous section, we discussed authenticating and authorizing web service requests against a file. Though it’s an easy start, security based on a file system can be easily compromised and will be tough to maintain. Authentication and authorization of web services are better handled when integrated with a native LDAP directory, such as active directory, so that the AD administrator can manage users and group membership. In this section, we will discuss how to authenticate and authorize web service requests against an active directory.

Active-directory-based authentication and authorization of web service requests involves the same steps as file-based-authentication and authorization, and they are:

  • Extract Credentials
  • Active Directory Authenticate
  • Active Directory Authorize


Please enter your comment!
Please enter your name here