Tuesday, October 6, 2009

Testing ADF BC Services Protected by HTTP Basic Authentication

Using Oracle JDeveloper 11g and Oracle Application Development Framework (ADF) in tandem, you can implement business services and publish them as SOAP web services using a declarative and component-based approach.

ADF supports open industry standards for ensuring the integrity and privacy of communications and for ensuring that only authorized users can access resources in an ADF BC service. It uses the underlying Oracle Platform Security Services (OPSS) as building blocks for its security services.

Securing your ADF BC services with the HTTP basic authentication scheme is straightforward. You simply attach the following security policy to your ADF BC services:
  • oracle/wss_http_token_service_policy
The wss_http_token_service_policy uses the credentials in the HTTP header to authenticate users against the OPSS identity store.

Testing ADF BC Services Using HTTP Analyzer

To test ADF BC services protected by the HTTP basic authentication scheme, you can use the built-in HTTP Analyzer provided in JDeveloper as follows:
  • In the Application Navigator, right-click AppModuleServiceImpl.java in the serviceInterface folder and select Run.
  • Select the Target URL (i.e., http://localhost:7101/EmployeeWS-Model-context-root/AppModuleService) in the Running:DefaultServer Log window and click it.
  • HTTP Analyzer will be started as shown in the figure.


In our example, we'll use the getEmp1() operation, which requires a single input (i.e., Employee ID). To provide basic credentials:
  • Expand Request HTTP Headers, select one of the existing headers (e.g., "Content-Type"), and click the "+" button.
  • In the Name field, enter "Authorization".
  • In the Value field, enter "Basic weblogic:weblogic1".


Note that the basic credentials are Base64-encoded. However, HTTP Analyzer does the Base64 encoding of "username:password" automatically for you. If you shift the focus away from the Authorization header by clicking on another header, you can see the value field change to:
  • Basic d2VibG9naWM6d2VibG9naWMx
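
The header value shown above is an encoding of the credentials, not a protection of them. The following added example (not part of the original post) builds and decodes a Basic header and includes a hypothetical pre-flight check, isSafeForBasicAuth, that accepts Basic credentials only over HTTPS or to a loopback host. All function names are illustrative, and it assumes Node.js 16+ or a modern browser for the global btoa/atob/TextEncoder.

```javascript
// Build "Basic <base64(username:password)>" with UTF-8 credentials (RFC 7617).
function encodeBasic(username, password) {
  // The first ':' separates user-id from password, so the user-id may not contain one.
  if (username.includes(":")) {
    throw new Error("username must not contain ':'");
  }
  const bytes = new TextEncoder().encode(`${username}:${password}`);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return "Basic " + btoa(binary);
}

// Recover the credentials from a header value. No key is needed:
// anyone who can read the header can do this.
function decodeBasic(headerValue) {
  const match = /^Basic +([A-Za-z0-9+\/]+={0,2})$/i.exec(headerValue.trim());
  if (!match) throw new Error("not a Basic Authorization header");
  const binary = atob(match[1]);
  const bytes = Uint8Array.from(binary, (c) => c.charCodeAt(0));
  const text = new TextDecoder().decode(bytes);
  const colon = text.indexOf(":");
  if (colon < 0) throw new Error("missing ':' separator");
  // Split on the FIRST colon only: passwords may themselves contain ':'.
  return { username: text.slice(0, colon), password: text.slice(colon + 1) };
}

// Hypothetical pre-flight check for a test client: because the header is
// only encoded, allow Basic auth over https, or over http to loopback only.
function isSafeForBasicAuth(url) {
  const u = new URL(url);
  if (u.protocol === "https:") return true;
  const loopback = ["localhost", "127.0.0.1", "[::1]"];
  return u.protocol === "http:" && loopback.includes(u.hostname);
}

// The header value HTTP Analyzer displays in this post.
console.log(decodeBasic("Basic d2VibG9naWM6d2VibG9naWMx"));
// The two service URLs used in this post.
console.log(isSafeForBasicAuth(
  "http://localhost:7101/EmployeeWS-Model-context-root/AppModuleService"));
console.log(isSafeForBasicAuth(
  "http://ap6029fses:7102/RestNoSecWS-Model-context-root/AppModuleService"));
```
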

Testing ADF BC Services Using Test Page

You can also use the Web Service Test Page to test your secured ADF BC service:
  • Enter your service's URL (i.e., http://ap6029fses:7102/RestNoSecWS-Model-context-root/AppModuleService) in any browser's address field.
  • Expand Show Transport Info.
  • Enable Http Authentication and provide the user name and password as shown in the diagram.


Testing ADF BC Services Using XMLHttpRequest

Finally, you can write a test client in JavaScript using XMLHttpRequest. The XMLHttpRequest object is based on the W3C's specification and defines an API that provides scripted client functionality for transferring data between a client and a server.

A sample JavaScript snippet that provides basic credentials is shown below:
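// Read the credentials from the HTML form fields.
var userName = form.form_user.value;
var password = form.form_password.value;
var xmlHttpReq = false;
// Create the request object; ActiveXObject is the fallback for old Internet Explorer.
if (window.XMLHttpRequest) {
    xmlHttpReq = new XMLHttpRequest();
} else if (window.ActiveXObject) {
    xmlHttpReq = new ActiveXObject("Microsoft.XMLHTTP");
}
// Synchronous POST (third argument is false). The user name and password passed
// to open() are the credentials the browser uses for HTTP authentication.
xmlHttpReq.open("POST",
    "http://ap6029fses:7102/RestNoSecWS-Model-context-root/AppModuleService",
    false, userName, password);
xmlHttpReq.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xmlHttpReq.send("");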

1 comment:

Gerard Davison said...

Hi,

I would like to reference this post; but the "Tiger Woods Cheated on his wife for that?" video means that it is NSFW. Any chance you could clean this up?

Thanks,

Gerard