Thursday, November 1, 2012

OSB, http basic authentication and OWSM policy

OWSM and OSB were bundled together after the fact, so OSB doesn't support some of the security policies that come with OWSM.

Misleadingly, OSB allows you to attach any OWSM policy to your proxy, but that doesn't mean it will actually work. It took me a while to find out that the simplest of all, OWSM "wss_http_token_service_policy", does not work in OSB!

However, not all is lost. OSB actually supports HTTP basic authentication out of the box, without OWSM. Just go to the "HTTP Transport Configuration" tab in your proxy configuration page and check the "basic authentication" checkbox.

Then the caller needs to add an HTTP header like:
     Authorization: Basic d2VibG9naWM6d2VsY29tZTE=
where d2VibG9naWM6d2VsY29tZTE= is the base64-encoded user:password; in this example, it's "weblogic:welcome1". You are not required to encode it, but it's the common practice.
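An added example (not part of the original post) that builds and parses this header locally in Python, so the credentials never leave your machine; the function names are assumptions and the credentials are the post's sample values. Decoding the token recovers the password directly, because base64 is an encoding and not encryption.

```python
import base64
import binascii


def build_basic_header(user: str, password: str) -> str:
    """Return the Authorization header value for HTTP basic authentication."""
    # The first ':' separates user from password, so the user name cannot contain one.
    if ":" in user:
        raise ValueError("user name must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_header(value: str):
    """Return (user, password) from a header value, or None if it is malformed."""
    scheme, _, token = value.strip().partition(" ")
    # The scheme name is case-insensitive; anything other than Basic is rejected.
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet
        # instead of silently skipping them.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first ':' only, so passwords may contain colons.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


if __name__ == "__main__":
    # Sample credentials from the post above.
    header = build_basic_header("weblogic", "welcome1")
    print("Authorization:", header)
    # Anyone who can read the header can recover the credentials.
    print("Decoded:", parse_basic_header(header))
    # Constructed malformed inputs: wrong scheme, bad base64, no colon.
    for bad in ("Bearer abc", "Basic !!!", "Basic bm9jb2xvbg=="):
        print(repr(bad), "->", parse_basic_header(bad))
```
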

You can base64 encode your stuff online from here:

That's all.


  1. Hey Yuan! Why would you ever need to attach a client policy to a proxy? A proxy is an incoming entity. That would be like attaching a client policy to a service endpoint in BPEL (which jDev won't let you do). Client policies are for outgoing references - e.g. business services. If you attach the client policy to a biz service, then call THAT from your proxy, everything is cool.

  2. Ah, Craig, that's an excellent catch. I meant by "wss_http_token_service_policy". Just made the correction. Thanks!

  3. Yuan

    You genius!

    The 'Authorization: Basic' was the piece in the puzzle I was missing to dynamically set a custom token in the HTTP Header of OSB

    Thank you

  4. So many thanks!!! for this simple working stuff.

  5. Hi, thank you for sharing. But it does not work for me.

  6. Hello Yuan... the blog is excellent. However, I am new to this OSB thing. Can you elaborate a little on how this works in the transport layer? Does a user/pwd need to be configured within the security realm? How can I map a particular UAN to a particular px? Thanks in advance, SUBHODiP

  7. How to add the HTTP header (Authorization: Basic) from the "HTTP Transport Configuration" tab?