Secure SOA Service Using OWSM

By | January 7, 2014 | 0 Comment

When we expose our SOA services to external world to send data, we should take care that only selected users can access the services means SOA services needs to be secured.

To secure our SOA services we use OWSM. OWSM contains some security policies that we can attach to our composite and make it secure.

There are two ways mentioned below to apply OWSM policy to SOA service.

  • Apply OWSM policy during design time using Jdeveloper
  • Apply OWSM policy from  em console

We will discuss above option one by one.

Apply OWSM policy during design time using Jdeveloper

We use Jdeveloper to attach required policy to SOA service. But first you need to make sure that all your OWSM policy are there in required location so that Jdeveloper can access it and show it when we attach it to service.

To attach the policy, right click on client and choose “Configure WS Policies”.


Once you choose above option, it will open another pop-up window which shows different types of policies type available.

Since we are securing our service so choose Security option and click on plus green sign.


This will show different security policies available in the policy store means there are different ways to secure your service; you can also add more than one policy to secure your service. Here we will add only one policy “Oracle/wss_username_token_service_policy”, so choose that policy and add it.


Once you add “Oracle/wss_username_token_service_policy” , you can see it in pop-up window.


Now you can deploy your service and expose it to external world.

Now to access this service the user needs to enter required credentials (Username & Password) otherwise user will not be able to access the service.

Important Note: If you are not able see policies in policy list. The go to Tools –> preferences –>WS Policy Store

Check Default Location. All the policies should be there at this location. If not then copy all the policies from server to this location.



Apply OWSM policy from em console

We can also secure SOA service once it is deployed to server, to do that you need to go to EM console, go to your composite. Once you click your composite, you will see many tabs present there.

Choose “Policies” tab which is the last tab.

Note: You need to have administrator rights to do the below necessary changes.


Select “Attach To/detach From” option and choose bpel client as we need to add security policy to BPEL client only.

Choose “Oracle/wss_username_token_service_policy” from list and attach to the BPEL client.


Below is the sample code for this post




Leave a Reply

Your email address will not be published. Required fields are marked *