Wednesday, October 23, 2013

Fetching the value of a variable not defined in the Proxy WSDL


At times we get an XML response in a format not defined in the proxy WSDL; a common scenario is an application returning an error response in a format different from its normal response.

A simple way to fetch that value is:
1. Add/define the namespace in the Assign action:
Prefix = saperrorns
URI = http://mysapaaplication/purchaseorder/error/v1

2. Use that prefix to fetch the value from the response; I used the wildcard path below:
$body//saperrorns:ErrorMessage/text()

The prefix is only a local alias; what has to match the response is the URI, so it does not matter which prefix the backend itself used. The // step searches the whole body, which is convenient when the error element can sit at different depths, but it returns only the first match, so make the path more specific if the response can carry several elements of that name.

This is pretty simple but effective.
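The same idea outside OSB, as an added example that is not the post's own code: register the error namespace under a prefix of your choosing and search the body with a descendant path. The two SOAP responses are constructed samples, and the namespace of the normal response (http://mysapaaplication/purchaseorder/v1) is an assumption; the error namespace is the one from the post.

```python
"""Pull a value out of a backend response whose element is not in the proxy WSDL.

Added example (not the post's OSB code): the post's Assign namespace plus
$body//saperrorns:ErrorMessage/text(), done with Python's ElementTree so it
can be run offline against constructed responses.
"""
import xml.etree.ElementTree as ET

SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
SAP_ERROR_NS = "http://mysapaaplication/purchaseorder/error/v1"  # URI from the post
# Prefix -> URI map; the prefix is a local alias, only the URI has to match.
NS = {"soapenv": SOAPENV, "saperrorns": SAP_ERROR_NS}

# Constructed sample: the backend answered with an error document instead of the
# WSDL-defined response. It binds the error namespace to prefix "e", not "saperrorns".
ERROR_RESPONSE = f"""<soapenv:Envelope xmlns:soapenv="{SOAPENV}">
  <soapenv:Body>
    <e:PurchaseOrderError xmlns:e="{SAP_ERROR_NS}">
      <e:ErrorCode>PO-4711</e:ErrorCode>
      <e:ErrorMessage>Vendor 100042 is blocked for posting</e:ErrorMessage>
    </e:PurchaseOrderError>
  </soapenv:Body>
</soapenv:Envelope>"""

# Constructed sample of the normal (WSDL-defined) response; this namespace is assumed.
OK_RESPONSE = f"""<soapenv:Envelope xmlns:soapenv="{SOAPENV}">
  <soapenv:Body>
    <po:CreatePurchaseOrderResponse xmlns:po="http://mysapaaplication/purchaseorder/v1">
      <po:OrderNumber>4500012345</po:OrderNumber>
    </po:CreatePurchaseOrderResponse>
  </soapenv:Body>
</soapenv:Envelope>"""


def fetch_error_message(envelope_xml: str):
    """Equivalent of $body//saperrorns:ErrorMessage/text().

    The descendant search (.// is ElementTree's spelling of XPath //) finds the
    element wherever the backend nests it, at the cost of returning only the
    first match. Returns None when the response carries no such element.
    """
    root = ET.fromstring(envelope_xml)
    body = root.find("soapenv:Body", NS)
    if body is None:
        raise ValueError("not a SOAP envelope")
    el = body.find(".//saperrorns:ErrorMessage", NS)
    return el.text if el is not None else None


def classify_response(envelope_xml: str):
    """Route on the shape of the response: ('error', message) or ('ok', None)."""
    msg = fetch_error_message(envelope_xml)
    return ("error", msg) if msg is not None else ("ok", None)


def unqualified_lookup(envelope_xml: str):
    """What happens without the namespace: a plain 'ErrorMessage' matches nothing,
    because the element's real name is {URI}ErrorMessage."""
    body = ET.fromstring(envelope_xml).find("soapenv:Body", NS)
    return body.find(".//ErrorMessage")


if __name__ == "__main__":
    print(classify_response(ERROR_RESPONSE))   # ('error', 'Vendor 100042 is blocked for posting')
    print(classify_response(OK_RESPONSE))      # ('ok', None)
    print(unqualified_lookup(ERROR_RESPONSE))  # None
```

The unqualified lookup returning None is the failure you see in OSB when the namespace is left out of the Assign: the path is syntactically fine, it just never matches.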

Cheers !!

Tuesday, October 15, 2013

LDAP authentication with OWSM


OWSM policies work seamlessly with the embedded LDAP provided by WebLogic. However, sometimes the requirement is to make OWSM policies such as the username token policy work with an external LDAP server.

Here are the steps that I recently followed to secure my proxy services using OWSM, with the username token authenticated against an LDAP server.


Part I: Create an external LDAP provider in WebLogic

1. Add an LDAP provider: log in to the WebLogic console
Home > Summary of Servers > Summary of Security Realms > myrealm > Providers
Create a new provider: MyLdapProvider
Type: Active Directory Authentication provider



2. Set Control Flag: SUFFICIENT
This step is important: it makes sure that if the user cannot be validated by this provider, validation moves on to the next provider. As the documentation says:
"A SUFFICIENT value specifies this LoginModule need not succeed. If it does succeed, control is returned to the application. If it fails and other Authentication providers are configured, authentication proceeds down the LoginModule list."
Check the flag on the existing DefaultAuthenticator as well. It defaults to REQUIRED, and a REQUIRED provider that cannot find the user (an account that exists only in AD is not in the embedded LDAP) fails the whole login regardless of what MyLdapProvider returned, so set it to SUFFICIENT too.




3. Set the Provider Specific configuration; this is what actually connects to the LDAP server.

Host: mycompanycatalog.com
Port: 389
Principal: CN=LdapAdmin,OU=WLUsers,DC=Myorg,DC=com (the service account WebLogic binds with to search the directory)
Credential: password

User Base DN: OU=WLUsers,DC=Myorg,DC=com. Narrow the base DN if you want to restrict access to a particular user, e.g. CN=Sam001,OU=WLUsers,DC=Myorg,DC=com.

Group Base DN: OU=MyorgUsers,DC=Myorg,DC=com

Port 389 is plain LDAP: the principal's credential, and every password the provider checks on behalf of a username token, cross the network unencrypted. For anything beyond a lab, enable SSLEnabled on the provider and point it at the directory's LDAPS port (636 by default).

4. Reorder the providers so that MyLdapProvider is first.
5. Restart the servers.
6. Verify that the LDAP settings are good:
Security Realms > myrealm > Users and Groups
You should see the users fetched from MyLdapProvider.

Part II: Securing the OSB proxy with OWSM

1. Attach the policy to the proxy service:
oracle/wss_username_token_service_policy

2. Pass the WS-Security header with the LDAP user's credentials:

  <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wsse:UsernameToken wsu:Id="UsernameToken-4" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:Username>Sam001</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PassWord3241</wsse:Password>
         </wsse:UsernameToken>
  </wsse:Security> 


Note the Password Type: PasswordText means the password sits in the SOAP header in the clear. That is what this setup needs, because the WebLogic LDAP authenticator checks the password by binding to the directory as that user, so expose the proxy over HTTPS only and never over plain HTTP.

This works!!
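To make the header above concrete, here is an added example (not code from the post, from Oracle or from OWSM) that builds the UsernameToken the post sends, reads it back with namespace-qualified paths, and verifies it against a stand-in credential store. It also builds the Username Token Profile's PasswordDigest form for comparison, to show why an authenticator that verifies by binding to the directory needs PasswordText: both forms can only be checked by a server that has the cleartext password. FAKE_DIRECTORY is a constructed stand-in for the LDAP lookup, and the wsu:Id value is arbitrary.

```python
"""Build, parse and verify a WS-Security UsernameToken (Username Token Profile 1.0).

Added example, not code from the post or from Oracle/OWSM. PasswordText is the
form the post sends to the proxy; PasswordDigest is the profile's alternative,
included to show why it does not fit an LDAP-bind authenticator.
"""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = UTP + "#PasswordText"
PASSWORD_DIGEST = UTP + "#PasswordDigest"
NONCE_B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
NS = {"wsse": WSSE, "wsu": WSU}

# Constructed stand-in for the directory lookup (the post's sample user).
FAKE_DIRECTORY = {"Sam001": "PassWord3241"}


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), nonce as raw bytes."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(h).decode("ascii")


def build_security_header(username: str, password: str, use_digest: bool = False,
                          nonce: bytes = None, created: str = None) -> str:
    """Return the <wsse:Security> header as an XML string.

    use_digest=False reproduces the post's token: the password travels in the
    clear, so the proxy endpoint must be TLS-only. use_digest=True adds Nonce and
    Created and sends only the digest.
    """
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    nonce = os.urandom(16) if nonce is None else nonce
    if use_digest:
        password_part = (
            f'<wsse:Password Type="{PASSWORD_DIGEST}">'
            f'{password_digest(nonce, created, password)}</wsse:Password>'
            f'<wsse:Nonce EncodingType="{NONCE_B64}">'
            f'{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>'
            f'<wsu:Created>{created}</wsu:Created>'
        )
    else:
        password_part = f'<wsse:Password Type="{PASSWORD_TEXT}">{escape(password)}</wsse:Password>'
    return (
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" '
        f'xmlns:soapenv="{SOAPENV}" soapenv:mustUnderstand="1">'
        f'<wsse:UsernameToken wsu:Id="UsernameToken-1">'
        f'<wsse:Username>{escape(username)}</wsse:Username>'
        f'{password_part}</wsse:UsernameToken></wsse:Security>'
    )


def parse_username_token(header_xml: str) -> dict:
    """Read the token back with namespace-qualified paths (prefix -> URI map)."""
    root = ET.fromstring(header_xml)
    token = root.find(".//wsse:UsernameToken", NS)
    if token is None:
        raise ValueError("no wsse:UsernameToken in header")
    pw = token.find("wsse:Password", NS)
    nonce = token.find("wsse:Nonce", NS)
    return {
        "username": token.findtext("wsse:Username", namespaces=NS),
        "password": pw.text if pw is not None else None,
        # The profile treats a missing Type as PasswordText.
        "type": pw.get("Type", PASSWORD_TEXT) if pw is not None else None,
        "nonce": base64.b64decode(nonce.text) if nonce is not None else None,
        "created": token.findtext("wsu:Created", namespaces=NS),
    }


def verify_username_token(header_xml: str, lookup_password) -> bool:
    """lookup_password(username) -> stored cleartext password, or None if unknown.

    Both forms need the cleartext on the verifying side: PasswordText to compare
    (WebLogic instead binds to AD as that user), PasswordDigest to recompute the
    digest. A bind-only authenticator therefore cannot check a digest at all.
    """
    t = parse_username_token(header_xml)
    stored = lookup_password(t["username"]) if t["username"] else None
    if stored is None or t["password"] is None:
        return False
    if t["type"] == PASSWORD_TEXT:
        expected = stored
    elif t["type"] == PASSWORD_DIGEST and t["nonce"] is not None and t["created"]:
        expected = password_digest(t["nonce"], t["created"], stored)
    else:
        return False
    return hmac.compare_digest(t["password"].encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    hdr = build_security_header("Sam001", "PassWord3241")
    print(hdr)
    print(verify_username_token(hdr, FAKE_DIRECTORY.get))  # True
```

The digest form hides the password from anyone reading the message, but it does nothing against replay within the window the verifier accepts for Created, and it still presupposes that the verifier holds the cleartext. Against an AD-backed provider that only binds, PasswordText over TLS is the workable combination.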