
Adding authorization to your webservice in SOA Suite 11G

26 Aug

In a first post on security I explained how to authenticate a user with WS-Security for a webservice in the SOA Suite 11G. There we created a user Hugo who is a member of the Test-group. We now want to secure the webservice so that only members of this group can access it. How do we do this?

To secure the webservice we are going to use another policy. This time we are going to use a slightly enhanced version of the ‘oracle/binding_authorization_denyall_policy’. Let’s see how it works.

First go to your Enterprise Manager and then to your domain. Then select Web Services -> Policies.

Now you get to see a whole list of available policies. Select the ‘oracle/binding_authorization_denyall_policy’ policy and click ‘Create like’.

Now we can create a policy which is like the denyall policy, but we can tune and tweak it a little. Give the policy a new name and make sure only the Test-group is authorized by this policy. You can do this by going to the Roles section at the bottom, selecting the radio button ‘Selected roles’ and selecting the group we created in part 1.

After this you can validate and save the policy using the buttons in the top right of the screen….don’t forget to save it! Now we are going to apply the just created policy to the service. Go to the service you want to secure and then to the policy tab. Click the ‘Attach To/Detach From’ button and select the service you want to secure. Then select the policy from the list and click ‘Attach’. You can then validate and save it in the top right corner.

Now let’s go back to SoapUI. If we try to invoke the service with another account….let’s say the weblogic user….you should get the following screen.

Try it with the other user and you should succeed!
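The two SoapUI calls above (one with a user who is in the Test-group, one with a user who is not) can also be scripted, which is handy when you want to re-check the policy after every deployment. The following is an added example and not code from the original post or from Oracle. It assumes that part 1 attached a WS-Security UsernameToken policy with a cleartext (PasswordText) password, that the service speaks SOAP 1.1, and that the endpoint URL and the operation body are the placeholder values shown; the denied response is a constructed sample and not the literal fault text OWSM returns.

```python
"""Check a WS-Security secured SOAP service with two different users.

Added example (not part of the original post). Assumes a UsernameToken
policy with PasswordText, SOAP 1.1 faults, and placeholder URL/body values.
"""
import base64
import datetime
import os
import urllib.request
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
BASE64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"


def build_envelope(username, password, body_xml):
    """Wrap body_xml in a SOAP 1.1 envelope carrying a WS-Security UsernameToken.

    The password travels in clear text (PasswordText), so the endpoint must be
    reached over TLS; Nonce and Created are included so the server can reject
    replays if it chooses to.
    """
    created = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    nonce = base64.b64encode(os.urandom(16)).decode("ascii")
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP}">'
        "<soapenv:Header>"
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" soapenv:mustUnderstand="1">'
        '<wsse:UsernameToken wsu:Id="UsernameToken-1">'
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{PASSWORD_TEXT}">{escape(password)}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{BASE64_BINARY}">{nonce}</wsse:Nonce>'
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken></wsse:Security></soapenv:Header>"
        f"<soapenv:Body>{body_xml}</soapenv:Body></soapenv:Envelope>"
    )


def classify_response(xml_text):
    """Return ("ok", None) for a normal response or ("fault", reason) for a SOAP fault.

    An authorization failure from the denyall-style policy arrives as a SOAP
    fault (usually with HTTP 500), so the caller keys on the fault, not the code.
    """
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAP}}}Body")
    if body is None:
        return ("invalid", "no SOAP Body in response")
    fault = body.find(f"{{{SOAP}}}Fault")
    if fault is None:
        return ("ok", None)
    code = fault.findtext("faultcode") or ""
    reason = fault.findtext("faultstring") or ""
    return ("fault", f"{code}: {reason}".strip(": "))


def call_service(url, envelope, soap_action=""):
    """POST the envelope; a SOAP fault comes back as HTTPError, so read its body too."""
    req = urllib.request.Request(
        url,
        data=envelope.encode("utf-8"),
        headers={"Content-Type": "text/xml; charset=utf-8", "SOAPAction": soap_action},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", errors="replace")


# Constructed sample responses (not the literal OWSM output) for offline checks.
SAMPLE_DENIED = (
    f'<soapenv:Envelope xmlns:soapenv="{SOAP}"><soapenv:Body><soapenv:Fault>'
    "<faultcode>soapenv:Server</faultcode>"
    "<faultstring>Authorization failed (constructed sample)</faultstring>"
    "</soapenv:Fault></soapenv:Body></soapenv:Envelope>"
)
SAMPLE_OK = (
    f'<soapenv:Envelope xmlns:soapenv="{SOAP}"><soapenv:Body>'
    '<ns:pingResponse xmlns:ns="urn:example">pong</ns:pingResponse>'
    "</soapenv:Body></soapenv:Envelope>"
)

if __name__ == "__main__":
    # Placeholder endpoint and operation; replace with the secured service's values.
    URL = "https://soa-host.example:8002/soa-infra/services/default/MyService/client"
    BODY = '<ns:ping xmlns:ns="urn:example"/>'
    for user, pwd, expect in (("Hugo", os.environ.get("HUGO_PW", ""), "ok"),
                              ("weblogic", os.environ.get("WEBLOGIC_PW", ""), "fault")):
        status, text = call_service(URL, build_envelope(user, pwd, BODY))
        outcome, detail = classify_response(text)
        print(f"{user}: HTTP {status}, {outcome} {detail or ''} (expected {expect})")
```

Running the script from a host that can reach the SOA server should report `ok` for Hugo and a `fault` for weblogic; if both succeed, the policy was created but never saved or attached, which is the step the walkthrough warns about.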

This post explained how to secure a webservice using a custom policy in the SOA Suite 11G.


Posted on August 26, 2011 in SOA Suite


One response to “Adding authorization to your webservice in SOA Suite 11G”

  1. Sai

    August 19, 2015 at 14:46

    Hi,

    Nice writeup. We can achieve same thing by assigning binding_authorization_policy and giving this particular role permissions to call the functions. Also what is the need of permit all policy? Is it to allow users who have at least one role?

    Thanks,
    Sai
