Wednesday, March 16, 2016

Oracle API Gateway: Role based authorization using oracle XE database

Role based authorization enables you to restrict service access to authorized users based on their assigned roles or groups. In this blog post I am going to show you how authorization could be achieved in oracle api gateway without using any ldap server but using oracle xe database for storing the roles or groups and requested URI.


Suppose we have four services as follows
now we want to authorize these service based on roles or groups.

Steps to enable authorization in OAG:
  • Create users in OAG
  • Create Groups in OAG
  • Create table in database
  • Create database connection in OAG
  • Create a Group Authorization policy
  • Create Role Based Policies in OAG
  • Create Http Listener in OAG
  • Test the service in browser

Create Users in OAG

Lets create 5 user to demonstrate the role based authorization. Five user needed because 4 user for each services and 1 user is authorize to access all the service
  • Open Policystudio -> left navigation expand users and groups -> select users -> Add new user name that user user12c and password as welcome1

  • Similarly create 4 other user with name usersoa, userosb, userweblogic and useradmin with password as welcome1

Create Groups in OAG

 we create four groups for example

Critical - can access 12c service url
High - can access SOA service url
Medium - can access OSB service url
Low - can access weblogic service url

  • Go to groups tab -> add new group name as Low and assign user userweblogic and useradmin to this group

  • Simlarly create 3 more groups with name as Critical, High and Medium
    • Assign user usersoa and useradmin to group High
    • Assign user userosb and useradmin to group Medium
    • Assign user user12c and useradmin to group Critical

Create table in database

  • Open Sqlplus -> create a table name URI with two columns Groups and URL

  • Insert the following data into the table URI
    • insert into URI value ('Critical','/12c');
    • insert into URI value ('High','/soa');
    • insert into URI value ('Medium','/osb');
    • insert into URI value ('Low','/weblogic');
    • Commit ;

Create database connection in OAG

  • Go to External Connection --> Database connection --> Add a database connection

  • Click Ok and finish the wizard
Create a Group Authorization policy

This policy is common policy which authorize user to access the service based on roles and groups

  • Go to Policies --> Add policy --> give name Group Authorization policy
  • Drag and drop HTTP Basic filter, configure as below 
  • set http basic as set as start
  • Drag and drop Retrieve from or write to database, configure as below

SELECT * FROM uri where url = ${http.request.path}
  • Go to Advance tab. and configure as below
  • Click OK.
  • Drag and Drop Scripting Language, configure as below 

Here what is happening is the db query executed in the previous step retuns the a groups and url, this data stored in the user attribute list as groups and url and it can be access as user.groups or user.url. After extracting the value of groups then it passed to userGroup attribute which is use in the next step to check the group membership. The code snippet is below:

function invoke(msg)         {           

java.lang.System.out.println("Message is " + msg.get("attribute.lookup.list"));
var userGroup = msg.get("user.groups");

java.lang.System.out.println("user group is " + userGroup );

msg.put("", userGroup );

return true;       

  • Drag and drop Check Group Memebership, configure as below 
  • Finally connect all the filters and it looks like below

Create Role Based Policies in OAG

This policy is created for each service URI and it reuse the Group Authorization Policy created above and finally connect to the url.

  • Add container in Policies and name Role Based Policies
  • Create 4 Policies
    • 12c Policy
    • SOA Policy
    • OSB Policy
    • Weblogic Policy

  • one by one configure each policies. Open Google policy --> drag and drop policy shortcut and select the Group Authorization Policy
  • Drag and drop Connect to URL filter and configure as below
  • Finally connect all the filter and it looks like below

  • Similarly configure for other policies.

Create Http Listener in OAG

  • Go to Listeners --> Oracle API Gateway --> Default Services --> Paths --> Click Add and select Relative Path, configure as below

  • Click OK
  • Similarly create for other 3 service url's
Test the service in browser

Now if your api gateway is configure with http port as 8080, so to access the above services from the api gateway is
  • http://localhost:8080/12c
  • http://localhost:8080/soa
  • http://localhost:8080/osb
  • http://localhost:8080/weblogic

Run the above url and it will prompt for the username and password. Pass the username and password you have created above and check the authorization is working or not.

No comments:

Post a Comment