Securing REST using Oracle WebService Manager 12.1.2 July 2013

Step-by-Step Instruction Guide

Author: Prakash Yamuna, Oracle Corporation

Table of Contents

1 Getting Started
  1.1 Pre-Requisites
  1.2 Install Locations
  1.3 Topology
  1.4 Install & Topology Verification
    1.4.1 Verify all Product Consoles are reachable
2 Usecase
3 Create HelloWorld JAX-RS Application
  3.1 Create HelloWorldRestApp Application and HelloWorld Project
  3.2 Create POJO Class “HelloWorldJaxRs”
  3.3 Add method “helloHTML” to the Java Class “HelloWorldJaxRs”
  3.4 Create REST service from HelloWorldJaxRs POJO
  3.5 Annotated HelloWorldJaxRs
4 Attach OWSM Security Policy to the HelloWorld JAX-RS application
  4.1 Edit web.xml
  4.2 Select OWSM policy to secure the JAX-RS application via web.xml
  4.3 Create a WAR called helloworld.war
  4.4 Deploy helloworld.war to Weblogic Domain using Enterprise Manager
  4.5 Validate the JAX-RS REST Service
  4.6 Attach/Detach OWSM Policies for REST service (JAX-RS application) in EM
  4.7 Viewing WADL for REST services
  4.8 Testing the REST service

1 Getting Started

1.1 Pre-Requisites

This How-To guide assumes that you have already downloaded and installed the following products/components.

- Download and install FMW 12.1.2 – this includes Oracle WebService Manager 12.1.2.
- Download and install Database 11.2.0.3
- Download JDeveloper 12.1.2
- JDK7 is preinstalled

1.2 Install Locations

This How-To does not provide installation instructions for the pre-requisite components. You can consult the following how-to for installing FMW 12.1.2: http://www.oracle.com/technetwork/middleware/webservices-manager/owsm-installation-12c-1971739.pdf

You can also consult the appropriate Install guides. OWSM documentation can be found at: http://docs.oracle.com/middleware/1212/owsm/index.html

The components in this How-To are installed at the following locations:

| Component | Install location |
| --- | --- |
| Oracle Weblogic 12.1.2 | D:\oracle_12.1.2\wlserver_10.3 |
| Oracle Web Services Manager (OWSM) 12.1.2 | D:\oracle_12.1.2\oracle_common |
| Oracle Enterprise Manager (EM) 12.1.2 | D:\oracle_12.1.2\oracle_common |
| JDeveloper | D:\oracle_12.1.2\jdeveloper |
| JDK | D:\Java\jdk1.7.0_15 |

1.3 Topology

This How-To uses a single domain. The domain includes a single WebLogic server. The steps provided in this How-To can vary based on topology.

Domain Name: base_domain

Weblogic Server: AdminServer

1.4 Install & Topology Verification

Start the Admin Server. Navigate to: D:\oracle_12.1.2\user_projects\domains\base_domain\bin

1.4.1 Verify all Product Consoles are reachable

Go to the product console URL and provide username as weblogic and password as welcome1.

| Product | URL | Note |
| --- | --- | --- |
| Oracle WebLogic | http://localhost:7001/console | WebLogic Administration Console |
| Oracle Web Services Manager (OWSM) | http://localhost:7001/wsm-pm | Indicates status of OWSM Policy Manager. Presence of this page indicates that the Policy Manager has started. |
| Oracle Web Services Manager (OWSM) | http://localhost:7001/wsm-pm/validator | Shows all the out-of-the-box policies. If you see this page, the OWSM policy store is properly deployed and running. |
| Oracle Enterprise Manager (EM) | http://localhost:7001/em | Oracle Enterprise Manager |

2 Usecase

Description: This How-To describes how to secure a JAX-RS REST application using OWSM 12.1.2.

Objective: The main objectives of this How-To are:

- How to build a simple REST service using JAX-RS technology in JDeveloper
- How to secure a simple HelloWorld JAX-RS application in JDeveloper
- Deploy and run the HelloWorld JAX-RS application to a Weblogic domain
- Configure and test the HelloWorld JAX-RS application using a browser

Policies Used:

| Service | Policy | Type |
| --- | --- | --- |
| HelloWorldJaxRS | oracle/wss_http_token_service_policy | REST service |

3 Create HelloWorld JAX-RS Application

3.1 Create HelloWorldRestApp Application and HelloWorld Project

3.2 Create POJO Class “HelloWorldJaxRs”

3.3 Add method “helloHTML” to the Java Class “HelloWorldJaxRs”

    // Returns a small HTML page greeting the supplied input.
    public String helloHTML(String input) {
        return "<html><body><p>Hello " + input + "</p></body></html>";
    }

3.4 Create REST service from HelloWorldJaxRs POJO

In JAX-RS terms, creating a REST service involves creating resources and a JAX-RS application. In this How-To I will keep it simple and create a Root resource. You can create sub-resources, sub-resource locators, etc. using JAX-RS.

The helloHTML Java method will support the HTTP “GET” method, and we will configure the input to the helloHTML Java method as a path parameter, as shown in the screen shot below.

JAX-RS supports various MIME types; for the purposes of this How-To I have selected the MIME type text/html.

3.5 Annotated HelloWorldJaxRs

4 Attach OWSM Security Policy to the HelloWorld JAX-RS application

A few things to keep in mind:

- A single JAX-RS application can contain multiple JAX-RS resources.
- OWSM in 12.1.2 supports attaching policies only for JAX-RS applications. You cannot secure individual JAX-RS resources.
- A JAX-RS application is different from a JEE application. A JEE application can contain multiple JAX-RS applications.
- OWSM 12.1.2 does not support securing REST services via annotations.

The steps below describe how to attach a policy to a JAX-RS application.

4.1 Edit web.xml

Change the <servlet-name> entry in the web.xml.

Right click on web.xml and open the context sensitive menu. One of the menu items is “Secure RESTful Application” as shown in the screen shot below.

4.2 Select OWSM policy to secure the JAX-RS application via web.xml

Clicking on “Secure Restful Application” launches a policy dialog box in JDeveloper, as shown in the screen shot below.

You can also view the policy description and/or the XML for the policy, as shown below.

For this How-To we will select the “oracle/wss_http_token_service_policy”. This basically secures the JAX-RS application using the “Basic Auth” scheme.

Securing the JAX-RS application will create a wsm-assembly.xml as shown in the screen shot below.

CAUTION:

- Do not modify the wsm-assembly.xml directly. Use the JDeveloper tooling to modify the wsm-assembly.xml.
- If you change the <servlet-name> entry in the web.xml, you will need to redo the steps described in this section, because the wsm-assembly.xml references that name. If you change the <servlet-name> and do not redo the steps, your REST service will not be secured.

I have highlighted this reference in the screenshot below of the wsm-assembly.xml.

Refers to the <servlet-name> in web.xml

4.3 Create a WAR called helloworld.war

4.4 Deploy helloworld.war to Weblogic Domain using Enterprise Manager

4.5 Validate the JAX-RS REST Service

Expand the “Application Deployments” node on the LHS pane in EM. This will list the helloworld JEE application that was just deployed in the previous section.

Click on the “helloworld (Admin Server)” node on the LHS. The RHS pane will be updated as shown below.

Click on the “Application Deployment” menu on the RHS pane. Click on the “Web Services” menu item as shown in the screen shot below.

Click on the “RESTful Services” tab as shown in the screen shot below. The RESTful Services tab shows all the JAX-RS applications in a JEE application as well as the resources within a JAX-RS application.

Clicking on the “helloworld” JAX-RS application in the above screenshot opens the JAX-RS application home page in EM. One can attach/detach OWSM policies in EM via this page, as shown in the screen shot below.

In addition, the page provides a link to the WADL that describes the REST resources exposed by the JAX-RS application.

4.6 Attach/Detach OWSM Policies for REST service (JAX-RS application) in EM

Clicking on the WSM Policies tab shows the direct or global policy attachments for the JAX-RS application, as shown in the screen shot below.

4.7 Viewing WADL for REST services

4.8 Testing the REST service

Since the REST service was secured with “basic auth” – we can test it via the browser.
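
A scripted version of this test, as an added example that is not part of the original guide: it sends the same GET once without credentials and once with a Basic Authorization header, and reports whether the policy is enforced, which also catches the case from the CAUTION in 4.2 where a changed <servlet-name> leaves the service unsecured. The class name PolicyCheck is hypothetical, the resource URL and credentials are supplied as arguments, and java.util.Base64 assumes Java 8 or later.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Checks that the HTTP token (Basic Auth) policy is enforced on a deployed
// JAX-RS resource. Usage: java PolicyCheck <resource-url> <user> <password>
public class PolicyCheck {

    // Prepares one GET request; authHeader is null for the anonymous probe.
    static HttpURLConnection get(String url, String authHeader) throws Exception {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        c.setRequestMethod("GET");
        c.setInstanceFollowRedirects(false);
        c.setConnectTimeout(5000);
        c.setReadTimeout(5000);
        if (authHeader != null) {
            c.setRequestProperty("Authorization", authHeader);
        }
        return c;
    }

    // Builds the Basic scheme header value: base64("user:password").
    static String basic(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: PolicyCheck <resource-url> <user> <password>");
            System.exit(2);
        }
        HttpURLConnection anon = get(args[0], null);
        int anonStatus = anon.getResponseCode();
        String challenge = anon.getHeaderField("WWW-Authenticate");
        int authStatus = get(args[0], basic(args[1], args[2])).getResponseCode();

        System.out.println("anonymous:     " + anonStatus + " (WWW-Authenticate: " + challenge + ")");
        System.out.println("authenticated: " + authStatus);
        // Enforced policy: anonymous request rejected, valid credentials accepted.
        boolean enforced = anonStatus == 401 && authStatus == 200;
        System.out.println(enforced ? "PASS: policy enforced"
                                    : "FAIL: check the policy attachment and <servlet-name>");
        System.exit(enforced ? 0 : 1);
    }
}
```

The Basic scheme only Base64-encodes the credentials, so over plain http:// they are readable by anyone on the network path.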