In our recent Label Security presentation we used a feature called Proxy Authentication. This allowed us to connect to the database as one user, but proxy the credentials of another so that we can access resources that proxied user can see. Without this we wouldn’t be able to use Label Security with our OSB services. It’s been brought to my attention that this is a useful feature that others would be interested in, but it’s hidden within my other post. So I’ve extracted the material out here to its own post so it can be found easier. Enjoy!
So by now you’ve seen how to install Label Security (here), configure a policy (here) and create a UI to access the data (here). Particularly in the UI post, you would have seen how Label Security helps to simplify our application development, as we no longer have to worry about configuring data security, the database takes care of it for us. Whilst a UI is a great way to access our data and demonstrates a common use case, it’s not the only way to access our data. So in this post we are going to demonstrate how to create a web service that will talk to our database and return the correct documents for each user.
If we weren’t using Label Security, we’d have to add some significant logic to poll the database for the security permissions of the user (ie: JCooper has Top Secret access, but CDoyle can only see Secret Narcotics documents). We’d then need to apply that to our query to return the documents. Whilst this will work, what happens if the developer writes the query incorrectly and some users start seeing documents they shouldn’t? Or what happens if the service is compromised and a hacker gets access to the underlying database using the application database credentials. This poses a significant risk to our organisation and it’s data security. With Label Security we can avoid all this as the service just has to query the database and pass down the user credentials. The database will take care of the rest, there is no opportunity for the developer to mess up the query or if the user account is compromised only the documents that user had access to will be affected.
I’ve uploaded the OSB project that we will create below to GitHub. You can access it here: https://github.com/Joelith/SecureOSB. To get it working, import the project into JDeveloper and configure the database source in WebLogic (detailed below). Otherwise read on to see how it’s all put together
In a previous post we created a WLST script that created a WebLogic domain from scratch, turned the servers on and deploy a jar file. It almost provided everything we needed from a continuous integration perspective, except that we needed WebLogic installed before we could run the WLST script. This meant that we couldn’t spin up a blank VM and start this script. The immediate solution to that would probably be to script the installation of WebLogic (you can create a silent install file so that WebLogic installs without any user intervention required). A better solution would be to use Maven. Maven is a project build tool that we can use to compile our java projects and run various plugins to install WebLogic, start servers and deploy code. For more information on Maven check out the Maven presentation from the July Oracle Middleware Forum.
(The example Maven file from this post is available at Github: https://github.com/Joelith/Maven-Install-WLS)
A new feature in WebLogic 12c is the support for WebSockets. WebSockets are a server-side tech to allow push data to multiple client browsers with minimal overhead. They are useful when you want to provide real-time updates to users or want updates or content from one client to be pushed to multiple clients simultaneously. In the past (and on older browsers) you would have to use some form of long-polling (where the browser maintains an open connection with the server and sends messages back and forth on this single connection) to be able to provide these features. However, long-polling has a significant performance impact on your webserver as each connection must be kept open at all times (which does not scale well). With WebSockets you can avoid this performance impact and still deliver reliable instant communication with clients.
I’m not going to go into the detail of how WebSockets work (there are plenty of resources on the net for that), but in this post I will go through a simple example of WebSockets in WebLogic.