(OSB) Oracle Service Bus 12.2 – LDAP Authorization

Oracle Service Bus 12.2 is now available to download on Oracle support.

It brings news for middleware admins and new features for developers.

Now all user privileges and group roles are managed through the ‘EM Console’, which can be a little confusing in this release.

I had a little inconvenience the first time I tried to use OSB with LDAP authorization.

After configuring WebLogic with LDAP, the user could log in to the WebLogic Console (/console).

But the user can’t log in to the Service Bus Console (/sbconsole); the browser returns HTTP 401 (Unauthorized).

In the WL Admin log:

[AdminServer] [ERROR] [ADFC-50017] [oracle.adfinternal.controller.application.AdfcExceptionHandler] [tid: [ACTIVE].ExecuteThread: '20' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: maiquel_oliveira] [ecid: fdf185a3-35fd-4171-9b75-4b80a0f40b03-000000cf,0] [APP: service-bus] [partition-name: DOMAIN] [tenant-name: GLOBAL] [DSID: 0000Lu77u7K7q2r6wJAhMG1Pj34E000001] ADFc: While attempting to handle this exception the application's exception handler failed.[[
oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed: User 'user_name' does not have 'VIEW' permission on 'jsf.resourcesPageDef'.

Error 401–Unauthorized

From RFC 2068 Hypertext Transfer Protocol — HTTP/1.1:

10.4.2 401 Unauthorized

The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.

Here is the trick:

For the OSB 12c Console, you now also need to use Enterprise Manager (/em) to add your LDAP user (or a group that they are a member of) to an “Application Role” for Service_Bus_Console.

The Monitor “Application Role” is the basic role which allows OSB Console access.

E.g., to use Enterprise Manager to add a user or group to the Monitor “Application Role” for Service_Bus_Console:

1. Enterprise Manager -> SOA -> service-bus -> (right click) -> Security -> Application Roles

2. Search for:

Application Stripe: Service_Bus_Console
Role Name (Starts With): Monitor

2. Select the Monitor role, and choose Edit -> Add

The Add Principal screen should appear.

3. Select the Type as either User or Group, depending on who you want to give the Monitor Role.

4. You can now try searching for your user or group here (enter a user or group name for the Principal name and click Search).

But it seems that if the user/group only exists in LDAP, then the search in this screen may not find them.

To work around this, after you choose User or Group as the Type (in step 3), you should see an “Advanced Option” appear at the bottom of the screen. If you select this Advanced Option checkbox, it allows you to manually type in your LDAP user or group name.

Once your user or group is a member of the Monitor “Application Role” for Service_Bus_Console, they should be able to access the OSB Console.
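To see which accounts are still being refused, the AdminServer log can be scanned for the ADFC-0619 error quoted above. The script below is an added example, not part of the original post; the sample log lines are constructed (shortened headers, made-up users) and the function names are hypothetical.

```python
import re
from collections import Counter

# [APP: ...] field of a log record header, as in the line quoted in the post.
APP_FIELD = re.compile(r"\[APP: ([^\]]+)\]")
# The ADF authorization failure quoted in the post.
ADFC_0619 = re.compile(
    r"ADFC-0619: Authorization check failed: User '([^']*)' does not have "
    r"'([^']*)' permission on '([^']*)'"
)

# Constructed sample input (shortened headers, made-up users), not real log data.
SAMPLE_LOG = """\
[AdminServer] [ERROR] [ADFC-50017] [tid: [ACTIVE].ExecuteThread: '20'] [userId: alice] [APP: service-bus] ADFc: exception handler failed.[[
oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed: User 'alice' does not have 'VIEW' permission on 'jsf.resourcesPageDef'.
]]
[AdminServer] [NOTIFICATION] [] [tid: [ACTIVE].ExecuteThread: '3'] [userId: bob] [APP: em] Session created.
[AdminServer] [ERROR] [ADFC-50017] [tid: [ACTIVE].ExecuteThread: '7'] [userId: alice] [APP: service-bus] ADFc: exception handler failed.[[
oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed: User 'alice' does not have 'VIEW' permission on 'jsf.resourcesPageDef'.
]]
[AdminServer] [ERROR] [ADFC-50017] [tid: [ACTIVE].ExecuteThread: '9'] [userId: carol] [APP: service-bus] ADFc: exception handler failed.[[
oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed: User 'carol' does not have 'VIEW' permission on 'jsf.resourcesPageDef'.
]]
"""

def find_role_gaps(lines):
    """Count ADFC-0619 failures per (user, app, permission, resource)."""
    gaps = Counter()
    app = "?"
    for line in lines:
        # A record header starts with "[" and the exception text follows on
        # later lines, so remember the application of the most recent header.
        if line.startswith("["):
            m = APP_FIELD.search(line)
            app = m.group(1) if m else "?"
        hit = ADFC_0619.search(line)
        if hit:
            user, permission, resource = hit.groups()
            gaps[(user, app, permission, resource)] += 1
    return gaps

def users_missing_role(lines, app="service-bus"):
    """Users whose authorization check was refused by the named application."""
    return sorted({u for (u, a, _, _) in find_role_gaps(lines) if a == app})

if __name__ == "__main__":
    for key, count in find_role_gaps(SAMPLE_LOG.splitlines()).items():
        print(count, *key)
```

Each user it reports for service-bus is a candidate for the Monitor role grant described in the steps above, either directly or through an LDAP group.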

Cheers! 🙂
