Just externalizing security
won't address all the issues around implementing comprehensive security
in your service-oriented applications. What's needed is a zero‑code — a
declarative — way of enforcing security using centrally managed
policies.
Some of the key challenges that need to be addressed when creating secure service-oriented applications are:
Interoperability:
Although one would like to have a single technology stack for security,
the reality is that there will be a variety of security products that
provide different types of functions. For instance, one product may
provide authentication services and another fine-grained authorization
services.
End-to-end identity propagation: A typical SOA composite uses
multiple components using different technologies to provide a set of
business functions. These composites also use external services as part
of their processing. If these different components and services require
authentication, you don't want to go through the whole process of
authentication for every invocation of every component or service.
Identity propagation implies establishing the identity at the start of
the conversation and then propagating that identity throughout the
conversation.
Security as a system administration function:
As mentioned earlier, managing and enforcing security should be a
system administration function, not something that has to be developed
and coded.
Before looking at how to address these challenges, first we define the basic requirements for securing an SOA composite:
1. Authenticating the client invoking the composite.
2. Authorizing the client to gain access to the service.
3. Signing the SOAP message to avoid tampering.
4. Encrypting the SOAP message to protect it from prying eyes.
5. If the composite in turn invokes another service or composite, the original identity of the client may need to be propagated securely to the target service.
Securing your composites using Oracle Web Services Manager
Oracle Web Services Manager (OWSM)
is an integral component of the SOA Infrastructure in SOA Suite 11g. It
provides a policy-based, completely declarative way of implementing
secure SOA applications. OWSM supports centrally managed policies by
providing policy management functions that are available through the Oracle Enterprise Manager (EM).
The OWSM runtime is built into the service infrastructure and
implements an interceptor-based framework for enforcing security
policies for web services invocations.
In addition to
providing security services, OWSM supports generalized, standards-based
policy management, attachment, and enforcement. Policies can be created
and attached to composite services, references, and components. Some
examples of policies are:
Authorization policies, to gain access to a composite
WS-Security policy for security
WS-Addressing policy for addressing of SOAP messages
Message Transmission Optimization Mechanism (MTOM), for optimally handling large binary data
WS-ReliableMessaging for reliability
Management policies for actions like logging, and so on
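The following is an added illustration, not Oracle Web Services Manager code or any Oracle API, of the three ideas this chapter has introduced so far: the five requirements for securing a composite (authenticate, authorize, sign, encrypt, propagate identity), identity propagation established once at the start of the conversation, and an interceptor-based runtime that enforces policies attached declaratively to services and references. Policies are plain data keyed by endpoint name; the service code itself contains no security logic, so changing the policy attachment changes the enforcement. The users, keys, endpoint names and policy names are all constructed for the example; an HMAC stands in for the X.509 signatures and the signed subject stands in for a SAML assertion, and message encryption is left out because it would need a cryptography library rather than the standard library.

```python
"""Constructed model of declarative, interceptor-based policy enforcement.
Not OWSM code: policies are data attached to named endpoints and a chain of
interceptors enforces them on every invocation, including identity
propagation from a composite to the service it calls."""
import hashlib
import hmac
import json

# Constructed identity store (stands in for an LDAP or database store).
USERS = {
    "alice": {"password": "alice-pw", "groups": ["Approvers"]},
    "bob": {"password": "bob-pw", "groups": ["Viewers"]},
}
# Constructed shared secret; HMAC stands in for X.509 signatures.
SIGNING_KEY = b"constructed-shared-secret"

# Declarative policy attachments: endpoint -> ordered list of policy names.
# Security changes happen here, not in the service code further down.
POLICIES = {
    "OrderService": ["authenticate_username", "authorize:Approvers", "verify_signature"],
    "ShippingReference": ["propagate_identity"],  # client-side policy on a reference
    "ShippingService": ["authenticate_identity_token", "verify_signature"],
}


class PolicyViolation(Exception):
    """Raised by an interceptor to reject the invocation."""


def canonical(body: dict) -> bytes:
    """Stable serialization so the same body always signs the same way."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(data: bytes) -> str:
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()


# Interceptors: each gets the message and a per-invocation context dict.
def authenticate_username(msg, ctx):
    """Username-token style authentication against the identity store."""
    user = USERS.get(msg["headers"].get("username"))
    supplied = msg["headers"].get("password", "").encode()
    if user is None or not hmac.compare_digest(user["password"].encode(), supplied):
        raise PolicyViolation("authentication failed")
    ctx["subject"] = msg["headers"]["username"]


def authenticate_identity_token(msg, ctx):
    """Accept a propagated identity (signed subject, standing in for a SAML
    assertion) instead of re-running the caller's authentication."""
    subject, _, mac = msg["headers"].get("identity_token", "").rpartition(".")
    if not subject or not hmac.compare_digest(sign(subject.encode()), mac):
        raise PolicyViolation("invalid identity token")
    ctx["subject"] = subject


def authorize(group):
    """Policy factory: the authenticated subject must belong to `group`."""
    def check(msg, ctx):
        if group not in USERS.get(ctx.get("subject"), {}).get("groups", []):
            raise PolicyViolation(f"{ctx.get('subject')} is not in {group}")
    return check


def verify_signature(msg, ctx):
    """Tamper detection: the body must match the signature in the header."""
    expected = sign(canonical(msg["body"]))
    if not hmac.compare_digest(expected, msg["headers"].get("signature", "")):
        raise PolicyViolation("signature mismatch")


def propagate_identity(msg, ctx):
    """Outbound interceptor: carry the established identity downstream."""
    subject = ctx["subject"]
    msg["headers"]["identity_token"] = f"{subject}.{sign(subject.encode())}"


REGISTRY = {
    "authenticate_username": authenticate_username,
    "authenticate_identity_token": authenticate_identity_token,
    "authorize": authorize,
    "verify_signature": verify_signature,
    "propagate_identity": propagate_identity,
}


def enforce(endpoint, msg, ctx):
    """Run the interceptor chain attached to `endpoint`, in order."""
    for name in POLICIES.get(endpoint, []):
        base, _, arg = name.partition(":")
        interceptor = REGISTRY[base](arg) if arg else REGISTRY[base]
        interceptor(msg, ctx)


# The composite and the downstream service contain no security code.
def shipping_service(msg):
    ctx = {}
    enforce("ShippingService", msg, ctx)
    return {"status": "scheduled", "order_id": msg["body"]["order_id"],
            "on_behalf_of": ctx["subject"]}


def order_service(inbound):
    ctx = {}
    enforce("OrderService", inbound, ctx)
    body = {"order_id": inbound["body"]["order_id"], "ship_to": inbound["body"]["customer"]}
    outbound = {"headers": {"signature": sign(canonical(body))}, "body": body}
    enforce("ShippingReference", outbound, ctx)  # adds the identity token
    return shipping_service(outbound)


def client_request(username, password, body):
    """What a client sends: a username token plus a signature over the body."""
    return {"headers": {"username": username, "password": password,
                        "signature": sign(canonical(body))}, "body": body}


def invoke(request):
    """Return the response, or the policy violation message if rejected."""
    try:
        return order_service(request)
    except PolicyViolation as exc:
        return str(exc)


if __name__ == "__main__":
    print(invoke(client_request("alice", "alice-pw", {"order_id": 7, "customer": "ACME"})))
```

Running the block with `alice` (in the Approvers group) returns a shipping response whose `on_behalf_of` is `alice`, even though ShippingService never saw her password: the reference-side `propagate_identity` policy and the service-side `authenticate_identity_token` policy together give the end-to-end propagation the text describes. Swapping the password, calling as `bob`, or changing the order body after it was signed is rejected by the corresponding interceptor, and which checks run on which endpoint is decided entirely by the `POLICIES` table.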
Policy management and attachment
are integrated seamlessly in the EM console. Policy attachment is also
integrated seamlessly in JDeveloper. You can also enable/disable
policies or attach new policies during deployment by using a deployment
plan. There are a large number of predefined policies that are available
for use out of the box. Typically you would use JDeveloper to attach
policies in development, and change the policy during deployment into
production or change it in the production EM console.
Identity management
For authentication to succeed,
users and groups need to be defined in some identity store. There are
many options for identity management with SOA Suite. Oracle has identity
management solutions that can be used. Alternatively, you can plug in
external identity management solutions.
Use SSL
An alternative, at least
for some aspects of security, to using web services security with OWSM
is to use one-way or two-way SSL. The main advantage of SSL is that it
is widely used and you do not need a sophisticated web services stack to
send and receive messages. However, OWSM provides more security
capabilities than SSL provides. Examples are Security Assertion Markup Language (SAML) for identity propagation and a variety of security authentication tokens like Kerberos token, username token, and X509 token.
A quick look at the policy management UI
You can take a quick look at the policy management console:
1. In the EM console, select WebLogic Domain in the left-hand area and right-click on domain1.
2. Select Web Services and then Policies. Look at the policies being managed and the commands to export and import custom policies.