Recently a customer wanted to use OSB to connect to an external service that had a special policy that required a security token passed in the header. The security information for this token was a static username and password combination supplied to the organisation. They wanted to be able to connect to this service without requiring each calling service to know the security information.
To do this we needed to create a Business Service in OSB that applied this custom policy.
In your project, create the custom policy you want to use.
- Select ‘WS-Policy’ from the ‘Create Resources’ menu in the folder in your project where you want to create the web service (the location doesn’t really matter)
- Enter a name and then either upload the XML file containing your policy or paste into the box provided.
As an example here is one that enforces a username token and password digest on all messages:
    <wsp:Policy wsu:Id="PasswordDigest"
                xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
                xmlns:wssp="http://www.bea.com/wls90/security/policy"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wssp:Identity>
        <wssp:SupportedTokens>
          <wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken">
            <wssp:UsePassword Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"/>
          </wssp:SecurityToken>
        </wssp:SupportedTokens>
      </wssp:Identity>
    </wsp:Policy>

(The wsu namespace is the OASIS one, docs.oasis-open.org; a mistyped namespace URI makes the policy fail to resolve the wsu:Id attribute.)
Next you need to decide where the username and password placed in the token come from. In the scenario I was working on the organisation had a single username and password allocated to them, and all requests would use this corporate logon. To facilitate this I added a Service Account with a ‘Static’ Resource Type.
- Select ‘Service Account’ from the ‘Create Resources’ menu in the folder in your project where you want to create the service account (again, the location doesn’t really matter)
- Give it a name and then select ‘Static’ for the Resource Type.
- Press ‘Next’ and then add the username and password details.
Note: The alternative resource types are:
- Pass Through: the user details supplied by the calling service are forwarded unchanged.
- Mapping: users in WebLogic are mapped to the details you want to pass through.
Now we just need to apply the policy to the services we want to secure.
- Open the Business Service you want to secure
- Click the ‘Policies’ tab
- Either apply the policy to the entire service, or apply it to each operation by clicking the ‘Add’ button.
- And finally click the ‘Security’ tab and add the service account you just created.
Now, when the Business Service is called, the username and password details are applied automatically (as it’s a static service account): every caller is authenticated to the external service as the same corporate logon, and none of the calling services need to hold the credentials themselves.