We want to set the proxy service security authorization policy rules using WSLT. This is a biggy. Since it is undocumented feature and not supported by Oracle. I relied on a single post here http://ohnoes-nz.blogspot.com/2012/03/oracle-service-bus-using-wlst-to-secure.html, and I had to do some reverse engineering of Java classes in the OSB jars to sort out the API.
As an occasional user of WLST, I banged my head for a couple of days to make it work with OSB 11.1.1.6. Below is the working version of the script. I left in the comment more calls that can query and set the rules at different levels, feel freel to experiment:
import wlstModule
from com.bea.wli.sb.management.configuration import SessionManagementMBean
from com.bea.wli.sb.management.configuration import ALSBConfigurationMBean
from com.bea.wli.sb.security.management.configuration import ServiceSecurityConfigurationMBean
from com.bea.wli.config import Ref
from com.bea.wli.sb.util import Refs
from java.lang.reflect import Proxy
try:
#############
# execute sentDomainEnv.cmd, then add sb-kernel-impl.jar;com.bea.alsb.security.api.jar to classpath
# to run the script: %wl_home%\common\bin\wlst.cmd (this script file).py
############
# by default, after connect, pwd() shows 'serverConfig:/'
connect("weblogic", "welcome1", "t3://localhost:7001")
########
### locate session bean, then create a new session
#########
domainRuntime() # land in 'domainRuntime:/'
# need domainRuntime(), obtain session management mbean to create a session.
sessionMBean = findService(SessionManagementMBean.NAME, SessionManagementMBean.TYPE)
print "***SessionMBean is: ", sessionMBean
# create a session
sessionName = String("SecurePaymentService"+Long(System.currentTimeMillis()).toString())
sessionMBean.createSession(sessionName)
print "###session created: ", sessionMBean
########
### create proxy ref
#########
projectName = Refs.makeParentRef("OWSM Demo" + '/')
proxyRef = Refs.makeProxyRef(projectName, "helloBye")
print "***proxyRef: ", proxyRef
proxyReference = proxyRef
########
### find OSB security config bean
#########
serverConfig() # cd('serverConfig:/')
security_mbean_ih = MBeanServerInvocationHandler(mbs, ObjectName("com.bea:Name=%s.%s,Type=%s" % (ServiceSecurityConfigurationMBean.NAME,sessionName, ServiceSecurityConfigurationMBean.TYPE)))
serviceSecurityConfigurationMBean = Proxy.newProxyInstance(ServiceSecurityConfigurationMBean.getClassLoader(),jarray.array([ServiceSecurityConfigurationMBean],java.lang.Class),security_mbean_ih)
print "\r\n###serviceSecurityConfigurationMBean: ", serviceSecurityConfigurationMBean
########
### set up policy holder, and policy scope
#########
policyHolder = serviceSecurityConfigurationMBean.newAccessControlPolicyHolderInstance('XACMLAuthorizer')
print "\r\n=========policyHolder: ", policyHolder
policyStr="Rol(helloRole)"
operation="sayHello"
policyHolder.setPolicyExpression(policyStr)
print "\r\n###policyHolder: ", policyHolder
policyScope = serviceSecurityConfigurationMBean.newOperationMessagePolicyScope(proxyReference, operation)
#policyScope = serviceSecurityConfigurationMBean.newDefaultMessagePolicyScope(proxyReference)
#policyScope = serviceSecurityConfigurationMBean.newProxyPolicyScope(proxyReference)
print "\r\n************************policyScope: ", policyScope
########
### excute security config commands
#########
serviceSecurityConfigurationMBean.setAccessControlPolicy(policyScope, policyHolder)
#serviceSecurityConfigurationMBean.removeAccessControlPolicy(policyScope, policyHolder.getAuthorizationProviderID())
#px = serviceSecurityConfigurationMBean.getAccessControlPolicy(policyScope, policyHolder.getAuthorizationProviderID())
#print "###px: ", px
sessionMBean.activateSession(sessionName, "description for session activation")
print "script returns SUCCESS"
except:
print "Unexpected error: ", sys.exc_info()[0]
dumpStack()
raise
The screen shot shows the result the of the execution:
In OSB 12c, I see the WLS policies are deprecated, we are now upgrading from 11g to 12c for OSB. In 11g, both WebLogic security policies and OWSM policies were supported on Oracle Service Bus. As of 11g (11.1.1.7), WebLogic Security policies were deprecated, and are not supported in 12c (12.1.3). Because WebLogic security policies were available in 11g, deployment of the OWSM Policy Manager and use of the OWSM policies was optional. Since only OWSM policies are supported in 12c, OWSM Policy Manager deployment is mandatory. In my current domain which is on 11g, proxy services are using the WebLogic security policies on wsdl based proxy services, now have to deselect the WebLogic security policies from the proxy service and have to use OWSM policy, Please suggest how it can be done using WLST scripting/customization changes or any other approach in 12c, have to apply the changes on many web service based proxy services.
ReplyDelete