Best Practice - 10.1.3 OWSM: Configuration management for agents

When you deploy agents, you configure OH/owsm/bin/agent.properties. Now, if you have multiple agents you can quickly overwrite the configuration used for a previous agent deployment.
As a best practice, after you deploy an agent, copy the agent.properties file to __agent.properties (such as SID0003002_HelloWorld_agent.properties), and put it under source code control.
At a later point, if you need to redeploy the application you can quickly pull out the corresponding agent.properties file from source code control system and deploy the agent for the redeployed application.
Additionally, also put OH/owsm/config/serveragent or OH/owsm/config/clientagent directory under source code control. These directories contain configuration items for the agent runtime that can be customized, and you may want to version control it.

How To - 10.1.3 OWSM: Access the processed SAML token in a custom step

In some situations you may want to access the SAML token processed by the "Verify SAML token" policy step in a subsequent custom step.
The API to access it is

ArrayList samlAssertions = msgctx.getProperty("SAML_ASSERTIONS");
if(samlAssertions != null) 
  String samlAssertion = samlAssertions.get(0);

News: Apply OWSM 10.1.3.3 patchset

OWSM 10.1.3.3 patchset was released couple of months back. If you haven't patched your 10.1.3.1 installation yet, then I would strongly recommended you to do it.
Apart from many bug fixes, some enhacements also went into the patchset.

• Gateway can register services whose wsdl imported another wsdl or schema (xsd). This is very common in Oracle BPEL, and a workaround was required to be applied in 10.1.3.1 to put the imported wsdl or xsd in OH/j2ee/home/applications/gateway/gateway/services folder. This workaround is no longer required if the patchset is applied.
• Purge old policy versions using WSM console.
• Purge old message logs using WSM console
• Oracle WSM Server Agents for AXIS 1.4 on OC4J are supported.
• SOAP with attachments (SwA) messages can be processed by Oracle WSM Gateways and Agents, where the messages are neither signed nor encrypted.
• Custom steps in the Oracle WSM Gateway can add or modify outgoing HTTP headers.

The documentation guides also underwent updates

• SSL information is more complete
• Extensibility guide has more details with examples

How To - 10.1.3 OWSM: Propagate identity by inserting SAML token using OWSM client agent or gateway

When an application or web service calls another web service, you may want to propagate the identity of the user that first logged into the application or service.
OWSM client agent or gateway can be used to accomplish it.
The basic design is to read the user identity from the java Subject and then convert it into a SAML token.

Step 1: Read java Subject in your application, and create a custom SOAP header.
Subject subject = Subject.getSubject(AccessController.getContext());
Now, using the subject value to lookup username and roles, create the following custom SOAP header. Propagating roles is optional.

<env:Envelope ...>
  <env:Header>
    <custom:userInfo xmlns:custom="http://custom/ns">
      <username>JSmith</username>
      <roles>role1,role2</roles>
    </custom:userInfo>
  </env:Header>
  <env:Body>
  ...
  </env:Body>
</env:Envelope>

Step 2: Convert custom header to SAML token in OWSM client agent or client gateway
Add the following steps in the request pipeline of a client agent or client side gateway.

a. Custom step - Create a custom step that will read the custom SOAP header from the request and set the values in the message context that would be picked up the "Insert SAML step". Refer to OWSM extensibility guide for details on how to develop custom steps.

// read the username from custom header, and set it using API below
// this value will be used to represent SAML Subject
ctx.setUnverifiedUserid(username);

// if roles needs to passed
SOAPElement customHeader = ...
HashMap userMap = new HashMap();
ArrayList roles = new ArrayList();
//add the roles read from custom header. roles.add(...);
userMap.put("roles", roles);
msgCtxt.setProperty(MessageContext.USER_ATTRIBUTES, userMap);

// delete the custom SOAP header from the request message
customHeader.detachNode();

b. Insert SAML step - this will generate the SAML sender-vouches token, and add it to the SOAP Security header.

How To - 10.1.3 OWSM: Increase the 50 web services limit for the Gateway

OWSM Gateway by default comes with a limit of 50 web services that can be registered with it. This is a soft limit, and can be changed as follows.

Modify /owsm/config/ccore/ui-config-common.properties
changing this property to whatever limit you want
ui.pm.maxNumberOfPolicies=50

Redeploy the ccore application by going to OC4J_HOME/owsm/bin directory and running the following command
wsmadmin deploy OC4J_ADMIN_PASSWORD ccore

News: Cisco buys Securent for $100 M in cash

Cisco® (NASDAQ: CSCO) today announced an agreement to acquire Securent, Inc., a leading provider of entitlement management software for enterprises. Securent is privately held and based in Mountain View, Calif.
Complete story http://money.cnn.com/news/newsfeeds/articles/marketwire/0322664.htm

This clearly validates the demand in the marketplace for content and context based authorization using standards such as XACML.

Origins of OWSM which was originally developed by Confluent Software can be linked to Sekhar Sarukkai who is CTO and co-founder of Securent.
Incidentally he was also the co-founder of Confluent Software which Oblix had purchased to add web services security to its portfolio of IdM products. Oracle acquired Oblix in 2005, and released this product as Oracle Web Services Manager (OWSM).