In this blog I will explain how Oracle SOA Suite addresses the security requirements of an SOA application. The following shows the typical workflow of an order processing application built using Oracle SOA Suite.
The diagram shows the interaction between the customer and the order processing application. Once the customer places an order, it needs to be validated and processed.
In addition, the order processing application may integrate with shipping providers to ship the order.
Security challenges
When a customer places an order at a retailer's Website, it is readily apparent that the order transaction must be secure. However, there is more to it than meets the eye. The retailer's order fulfillment applications involve interactions with inventory management systems. Once the order is ready to be shipped, the retailer interacts with a shipping trading partner, and the customer should be provided with services to monitor the order's status. Each of these interactions would need security implementation at the application layers and, generally, the transport protocol layer as well. Moreover, organizations must set up and manage various policies: Who owns the data? Who is responsible for its veracity? How do departments and trading partners share their data?
These interactions bring up requirements similar to a customer placing an order on a Website. Security must be enforced in several layers during the message exchanges between these two trading partners, and policies must be established to govern the services.
Exposed applications and services become vulnerable to attacks, and the greater the number of integration and endpoints, the greater the number of potential points of attack. Moreover, with communication between services and consumers, ensuring secure operations over trust boundaries is crucial. Without an SOA security model in place, the entire business ecosystem is at risk.
The security requirements common to these scenarios include:
- Authentication: How do I know your identity is true?
- Authorization: Are you allowed to perform this transaction?
- Integrity: Is the data you sent the same as the data I received?
- Signature: Create and verify an electronic signature analogous to a handwritten signature.
- Confidentiality: Are we sure that nobody read the data you sent me?
- Auditing: Record all transactions for verification after the fact.
- Nonrepudiation: Both sender and receiver can legally prove to a third party (e.g., a judge) that the same data was sent and received in a transaction.
Securing your SOA using Policies
Oracle SOA Suite ships with a number of out-of-the-box security policies. Alongside the security policies there are policies for reliability, addressing, MTOM, and logging (the management category).
The supported policy categories are:
- Security: Implements the WS-Security 1.0 and 1.1 standards. These policies enforce authentication and authorization of users, identity propagation, and message protection (message integrity and message confidentiality).
- Addressing: Verifies that SOAP (Simple Object Access Protocol) messages include WS-Addressing headers in conformance with the WS-Addressing specification. Transport-level data is carried inside the XML message rather than relying on the network-level transport to convey it.
- Reliability: Supports the WS-ReliableMessaging protocol, which guarantees end-to-end delivery of messages.
- MTOM: Ensures that attachments are in MTOM (Message Transmission Optimization Mechanism) format, which lets binary data be sent to and from web services with a smaller size on the wire.
- Management: Logs request, response, and fault messages to a message log. Management policies can also include custom policies.
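To make the "authentication" part of the Security category concrete, here is an added example (my own code, not from the original post and not Oracle's implementation) of what a service has to check when a WS-Security UsernameToken arrives in the SOAP header. It follows the OASIS UsernameToken Profile 1.0 PasswordDigest form, Base64(SHA-1(nonce + created + password)), using only the Python standard library. The user store, the five-minute freshness window, the one-minute clock skew allowance and all names are assumptions for the demonstration; the point a practitioner should take from it is that verifying the digest alone is not enough, the token's Created timestamp and nonce must be checked too, otherwise a captured header can simply be replayed.

```python
"""Added example, not from the original post: WS-Security UsernameToken
(PasswordDigest form) built on the client side and verified on the service
side, per the OASIS UsernameToken Profile 1.0, standard library only."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample identity store (assumption); a real service would query its identity provider.
CONSTRUCTED_USERS = {"orderclient": "s3cret-pass"}


def parse_timestamp(text):
    """Parse a wsu:Created value (UTC, whole seconds) into an aware datetime."""
    return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc)


def password_digest(nonce, created, password):
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), as the profile defines it."""
    raw = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def build_security_header(username, password, nonce=None, created=None):
    """Client side: build the <wsse:Security> header that carries the token."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime(TS_FORMAT)
    return (
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        "<wsse:UsernameToken>"
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{PASSWORD_DIGEST}">'
        f"{password_digest(nonce, created, password)}</wsse:Password>"
        f"<wsse:Nonce>{base64.b64encode(nonce).decode('ascii')}</wsse:Nonce>"
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken></wsse:Security>"
    )


def verify_security_header(header_xml, lookup_password, seen_nonces, now=None,
                           max_age=timedelta(minutes=5), max_skew=timedelta(minutes=1)):
    """Service side. Returns (username, "ok") or (None, reason).

    Freshness and nonce reuse are checked as well as the digest itself;
    checking only the digest would leave a captured token replayable.
    """
    now = now or datetime.now(timezone.utc)
    try:
        root = ET.fromstring(header_xml)
    except ET.ParseError:
        return None, "malformed header"
    token = root.find(f"{{{WSSE}}}UsernameToken")
    if token is None:
        return None, "no UsernameToken"
    username = token.findtext(f"{{{WSSE}}}Username") or ""
    pw_el = token.find(f"{{{WSSE}}}Password")
    nonce_b64 = token.findtext(f"{{{WSSE}}}Nonce") or ""
    created = token.findtext(f"{{{WSU}}}Created") or ""
    if pw_el is None or pw_el.get("Type") != PASSWORD_DIGEST or not nonce_b64 or not created:
        return None, "token must carry PasswordDigest, Nonce and Created"
    try:
        created_at = parse_timestamp(created)
        nonce = base64.b64decode(nonce_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None, "malformed Created or Nonce"
    # Freshness: reject stale or future-dated tokens, allowing a little clock skew.
    if not (now - max_age <= created_at <= now + max_skew):
        return None, "token outside freshness window"
    # Replay: each nonce is accepted once; entries older than max_age can be expired from the set.
    if nonce_b64 in seen_nonces:
        return None, "replayed nonce"
    stored = lookup_password(username)
    # Compute a digest even for unknown users so response time does not reveal which names exist.
    expected = password_digest(nonce, created, stored if stored is not None else "")
    if stored is None or not hmac.compare_digest(expected.encode("ascii"),
                                                 (pw_el.text or "").encode("utf-8")):
        return None, "authentication failed"
    seen_nonces.add(nonce_b64)
    return username, "ok"


if __name__ == "__main__":
    seen = set()
    header = build_security_header("orderclient", "s3cret-pass")
    print(verify_security_header(header, CONSTRUCTED_USERS.get, seen))  # ('orderclient', 'ok')
    print(verify_security_header(header, CONSTRUCTED_USERS.get, seen))  # (None, 'replayed nonce')
```

Two design choices worth noting: the nonce cache only has to remember nonces for as long as the freshness window, because anything older is rejected on the timestamp check first; and the digest is computed and compared in constant time even when the username is unknown, so the service does not leak which accounts exist. On the wire the same header would normally also travel over TLS, since SHA-1 of nonce, timestamp and password offers no confidentiality for the password against an offline guessing attack.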
You can secure your SOA application at design time or after deployment by attaching these policies:
1) Design-time policy attachment using Oracle JDeveloper.
While building the composite in Oracle JDeveloper, you can attach policies to its services and references; the attachment is stored as a policy reference in composite.xml and deployed together with the composite.
2) Post-deployment policy attachment using the Oracle Fusion Middleware Enterprise Manager (EM) console, which lets you attach or detach policies on a deployed composite without redeploying it.
That’s all for now..