Oracle Corporation | Prakash Yamuna 1
Securing REST services using OWSM 12.1.2 2013
Securing REST using Oracle WebService
Manager 12.1.2
July 2013
Step-by-Step Instruction Guide
Author: Prakash Yamuna
Oracle Corporation
Table of Contents
1 Getting Started
1.1 Pre-Requisites
1.2 Install Locations
1.3 Topology
1.4 Install & Topology Verification
1.4.1 Verify all Product Consoles are reachable
2 Usecase
3 Create HelloWorld JAX-RS Application
3.1 Create HelloWorldRestApp Application and HelloWorld Project
3.2 Create POJO Class “HelloWorldJaxRs”
3.3 Add method “helloHTML” to the Java Class “HelloWorldJaxRs”
3.4 Create REST service from HelloWorldJaxRs POJO
3.5 Annotated HelloWorldJaxRs
4 Attach OWSM Security Policy to the HelloWorld JAX-RS application
4.1 Edit web.xml
4.2 Select OWSM policy to secure the JAX-RS application via web.xml
4.3 Create a WAR called helloworld.war
4.4 Deploy helloworld.war to Weblogic Domain using Enterprise Manager
4.5 Validate the JAX-RS REST Service
4.6 Attach/Detach OWSM Policies for REST service (JAX-RS application) in EM
4.7 Viewing WADL for REST services
4.8 Testing the REST service
1 Getting Started
1.1 Pre-Requisites
This How-To guide assumes that you have already downloaded and installed the following
products/components.
Download and install FMW 12.1.2 – this includes Oracle WebService Manager 12.1.2.
Download and install Database 11.2.0.3
Download JDeveloper 12.1.2
JDK7 is preinstalled
1.2 Install Locations
This How-To does not provide installation instructions for the pre-requisite components. You can consult the following how-to for installing FMW 12.1.2: http://www.oracle.com/technetwork/middleware/webservices-manager/owsm-installation-12c-1971739.pdf
You can also consult the appropriate Install guides. OWSM documentation can be found at: http://docs.oracle.com/middleware/1212/owsm/index.html
The components in this How-To are installed at the following locations:
Component | Install location
Oracle Weblogic 12.1.2 | D:\oracle_12.1.2\wlserver_10.3
Oracle Web Services Manager (OWSM) 12.1.2 | D:\oracle_12.1.2\oracle_common
Oracle Enterprise Manager (EM) 12.1.2 | D:\oracle_12.1.2\oracle_common
JDeveloper | D:\oracle_12.1.2\jdeveloper
JDK | D:\Java\jdk1.7.0_15
1.3 Topology
This How-To uses a single domain. The domain includes a single weblogic server. The steps provided in
this How-To can vary based on Topology.
Domain Name: base_domain
Weblogic Server: AdminServer
1.4 Install & Topology Verification
Start the Admin Server. Navigate to: D:\oracle_12.1.2\user_projects\domains\base_domain\bin
1.4.1 Verify all Product Consoles are reachable
Go to the product console URL and provide username as weblogic and password as welcome1.
Product | URL | Note
Oracle WebLogic | http://localhost:7001/console | WebLogic Administration Console
Oracle Web Services Manager (OWSM) | http://localhost:7001/wsm-pm | Indicates status of OWSM Policy Manager. Presence of this page indicates that the Policy Manager has started.
Oracle Web Services Manager (OWSM) | http://localhost:7001/wsm-pm/validator | Shows you all the out-of-the-box policies. If you see that page, the OWSM policy store is properly deployed and running.
Oracle Enterprise Manager (EM) | http://localhost:7001/em | Oracle Enterprise Manager
2 Usecase
Description: This How-To describes how to secure a JAX-RS REST application using OWSM 12.1.2.
Objective: The main objectives of this How-To are:
How to build a simple REST service using JAX-RS technology in JDeveloper
How to secure a simple HelloWorld JAX-RS application in JDeveloper
Deploy and run the HelloWorld JAX-RS application on a Weblogic domain
Configure and test the HelloWorld JAX-RS application using a browser.
Policies Used:
Service | Policy | Type
HelloWorldJaxRS | oracle/wss_http_token_service_policy | REST service
3 Create HelloWorld JAX-RS Application
3.1 Create HelloWorldRestApp Application and HelloWorld Project
3.2 Create POJO Class “HelloWorldJaxRs”
3.3 Add method “helloHTML” to the Java Class “HelloWorldJaxRs”
// Returns an HTML greeting; input is concatenated into the markup as-is (not HTML-encoded).
public String helloHTML(String input) {
    return "<html><body><p>Hello " + input + "</p></body></html>";
}
3.4 Create REST service from HelloWorldJaxRs POJO
In JAX-RS terms, creating a REST service involves creating resources and a JAX-RS application. In this How-To I will keep it simple and create a Root resource. You can create sub-resources, sub-resource locators, etc. using JAX-RS.
The helloHTML Java method will support the HTTP “GET” method, and we will configure the input to the helloHTML Java method as a path parameter as shown in the screen shot below.
JAX-RS supports various MIME types. For the purposes of this How-To, I have selected the MIME type text/html.
3.5 Annotated HelloWorldJaxRs
4 Attach OWSM Security Policy to the HelloWorld JAX-RS application
Few things to keep in mind:
A single JAX-RS application can contain multiple JAX-RS resources.
OWSM in 12.1.2 supports attaching policies only for JAX-RS applications. You cannot secure individual JAX-RS resources.
A JAX-RS application is different from a JEE application. A JEE application can contain multiple JAX-RS applications.
OWSM 12.1.2 does not support securing REST services via annotations.
The steps below describe how to attach a policy to a JAX-RS application.
4.1 Edit web.xml
Change the <servlet-name> entry in the web.xml.
Right click on web.xml and open the context sensitive menu. One of the menu items is “Secure RESTful
Application” as shown in the screen shot below.
4.2 Select OWSM policy to secure the JAX-RS application via web.xml
Clicking on “Secure RESTful Application” will launch a policy dialog box in JDeveloper as shown in the screen shot below.
You can also view the policy description and/or the XML for the policy, as shown below.
For this How-To we will select the “oracle/wss_http_token_service_policy”. This secures the JAX-RS application using the “Basic Auth” scheme.
Securing the JAX-RS application will create a wsm-assembly.xml as shown in the screen shot below.
CAUTION:
Do not modify the wsm-assembly.xml directly. Use the JDeveloper tooling to modify the wsm-assembly.xml.
If you change the <servlet-name> entry in the web.xml, then you will need to re-do the steps described in this section. This is because the wsm-assembly.xml references that name. If you change the <servlet-name> and do not re-do the steps, then your REST service will not be secured.
I have highlighted this reference in the screenshot below of the wsm-assembly.xml.
Refers to the <servlet-name> in web.xml
4.3 Create a WAR called helloworld.war
4.4 Deploy helloworld.war to Weblogic Domain using Enterprise Manager
4.5 Validate the JAX-RS REST Service
Expand the “Application Deployments” node on the LHS pane in EM. This will list the helloworld jee
application that was just deployed in the previous section.
Click on the “helloworld (Admin Server)” node on LHS. The RHS pane will be updated as shown below.
Click on the “Application Deployment” menu on the RHS pane. Click on the “Web Services” menu item
as shown in the screen shot below.
Click on the “RESTful Services” tab as shown in the screen shot below. The RESTful Services tab shows all
the JAX-RS applications in a JEE application as well as the resources within a JAX-RS application.
Clicking on the “helloworld” JAX-RS application in the above screenshot opens the JAX-RS application home page in EM. One can attach/detach OWSM policies in EM via this page as shown in the screen shot below.
In addition, the page provides a link to the WADL that describes the REST resources exposed by the JAX-RS application.
4.6 Attach/Detach OWSM Policies for REST service (JAX-RS application) in EM
Clicking on the WSM Policies tab shows the direct or global policy attachments for the JAX-RS application as shown in the screen shot below.
4.7 Viewing WADL for REST services
4.8 Testing the REST service
Since the REST service was secured with “basic auth” – we can test it via the browser.
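The same test can be scripted so that a missing policy attachment is caught after each deployment. This is an added example, not part of the original guide: a small JDK 7 client that expects 401 without credentials or with a wrong password, and 200 with the weblogic/welcome1 account used in this How-To. The default URL (context root, servlet mapping and resource path) is an assumption; pass your own as the first argument.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import javax.xml.bind.DatatypeConverter; // JDK 7 as used here; use java.util.Base64 on 8+

public class BasicAuthCheck {

    // Sends one GET, adding a Basic Authorization header only when user is
    // not null, and returns the HTTP status code.
    static int status(String url, String user, String password) throws Exception {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        c.setRequestMethod("GET");
        c.setConnectTimeout(5000);
        c.setReadTimeout(5000);
        if (user != null) {
            // Basic auth is base64 encoding of user:password, not encryption.
            byte[] raw = (user + ":" + password).getBytes("UTF-8");
            c.setRequestProperty("Authorization",
                    "Basic " + DatatypeConverter.printBase64Binary(raw));
        }
        try {
            return c.getResponseCode();
        } finally {
            c.disconnect();
        }
    }

    // Prints one PASS/FAIL line and reports whether the status matched.
    static boolean expect(String label, int want, int got) {
        System.out.println((want == got ? "PASS " : "FAIL ") + label
                + ": expected " + want + ", got " + got);
        return want == got;
    }

    public static void main(String[] args) throws Exception {
        // Assumed default URL; it depends on your context root and resource path.
        String url = args.length > 0 ? args[0]
                : "http://localhost:7001/helloworld/resources/helloworld/World";
        boolean ok = expect("no credentials", 401, status(url, null, null));
        ok &= expect("wrong password", 401, status(url, "weblogic", "not-the-password"));
        ok &= expect("valid credentials", 200, status(url, "weblogic", "welcome1"));
        // A 200 on the first check means the policy is not being enforced, for
        // example after <servlet-name> changed without redoing section 4.2.
        System.exit(ok ? 0 : 1);
    }
}
```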