How to call a WS-Security secured web service from Oracle BPEL


Introduction

I have been investigating Oracle’s Web Service Manager (WSM) recently. WSM is shipped with the new SOA Suite. WSM is a service gateway: existing services can be placed behind the gateway, and security and authentication for those services are then handled by the gateway. WSM also provides a lot of logging facilities. Calls to services behind the gateway can be logged, authentication errors can be logged, etc. Multiple services can be placed behind one gateway definition. All policies for that gateway definition (logging, authentication, etc.) apply to all the services that are linked to the gateway.

Oracle provides a nice and complete tutorial that you can use when you are looking at WSM for the first time. The tutorial can be found here. It was very straightforward to implement an authentication policy based on WS-Security. WS-Security is an OASIS standard that describes a uniform implementation regarding the security of web services. The OASIS page regarding WS-Security can be found here. The following screen shot shows how easy it is to define a WS-Security policy. In this example a username/password file is defined that will be used for the authentication step. Note that the password in the file will be hashed with MD5.

 

How to call a WS-Secured service from BPEL

 

Following Oracle’s WSM introduction was easy. The hard part (for me) was how to call the now WS-Secured service from a BPEL process. The following steps describe how to call a WS-Security secured service from a BPEL project:

1. Create a partner link to the gateway that is wrapping the actual service

2. Create a new BPEL variable

The username and password that should be provided to the service gateway should be in the SOAP header of the partner link call. For this we need a BPEL variable that is based on an XSD that is provided by OASIS. I have imported a copy of this file into my BPEL project. The content of the file can be found at http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd. I can now create a BPEL variable based on the Security variable defined in this schema. This variable is of type ANY_TYPE, but I will address that later.

 

3. Provide the authentication details to the new security variable

The variable of type Security is of ANY_TYPE type, but we are now going to assign a piece of XML as the variable’s value. This piece of XML will contain the username and password; in this case marcc/java1. Create an assign activity and copy the following XML to the Variable_1 variable:

<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:Username>marcc</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">java1</wsse:Password>
   </wsse:UsernameToken>
</wsse:Security>

 

4. The value of the Variable_1 variable should be inserted in the SOAP header of the partner link call.

Login details have to be provided in the SOAP header; that’s how WS-Security provides authentication details. That can be done by providing the Variable_1 variable as a header variable during the Invoke activity. Of course you need to provide the proper input and output variables on the invoke activity.

 

That’s it. We have created a variable, provided our username and password to the variable. We have then put that variable in the SOAP header. The BPEL process we have now created looks like:

 

Testing it

After deployment and test of the BPEL project the result of the invoke activity shows:

<messages>
<ServiceIn>
<part xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="format">
<format xmlns="" xmlns:def="http://www.w3.org/2001/XMLSchema"
xsi:type="def:string"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
</part>
</ServiceIn>
<ServiceOut>
<part xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Result">
<Result xsi:type="xsd:string"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">05:14 PM
</Result>
</part>
</ServiceOut>
</messages>

The following is the same output when I provide the wrong password:

<messages>
   <input>
      <ServiceIn>
         <part xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               name="format">
            <format xmlns="" xmlns:def="http://www.w3.org/2001/XMLSchema"
                    xsi:type="def:string"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
         </part>
      </ServiceIn>
   </input>
   <fault>
      <remoteFault xmlns="http://schemas.oracle.com/bpel/extension">
         <part name="code">
            <code>Client.AuthenticationFault
</code>
         </part>
         <part name="summary">
            <summary>Invalid username or password
</summary>
         </part>
         <part name="detail">
            <detail>
               <detail/>
            </detail>
         </part>
      </remoteFault>
   </fault>
</messages>

So, it’s working!!! One question remains. It is possible to provide wsseUsername and wssePassword on the property table page of a partner link definition. My first hope was that this should be all I need. For me, providing these two variables did not do anything. But the above is working fine.

 

Resources:

http://weblogs.asp.net/gsusx/archive/2006/03/22/WS_2D00_Security-interoperability-with-Oracle-BPEL-and-WSE-3.0.aspx

 

 

 


14 Comments

  1. Is there a way in which some kind of authenticated session token can be passed by client-code to the web-service instead of user-name, password?
    I am trying to implement a requirement where a user logs in to an application using a UI and the application business components (java beans) need to invoke a webservice. We want the logged in users authenticated session to be sent to the web-service.
    My blog on SOA, XML, integration and related topics: http://buddhiraju.wordpress.com

  2. hi,
    I have followed the same steps as you mentioned above, the only difference being that I have done this with the basic creditRatingService. I get a ClassCastException, can you please help me with this.

  3. Hi Andre,

    The description given here is just fine but we are facing an error while calling a WS-Security secured web service from BPEL.
    The error goes like :-

    “Header http://schemas.xmlsoap.org/ws/2004/08/addressing:Action for ultimate recipient is required but not present in the message”

    We have followed the same steps as provided by you in your article.
    If you can please help me in this issue.

    Thanks and Regards,
    Saurabh

  4. Marius, this example does explain the security propagation. It shows how to create a security header in BPEL!

  5. Hi Andre,

    Thanks for posting this and it is very useful.
    I want to know if it is possible to use the expression build to replace the XML fragment then assign to Variable_1?
    I tried many different ways to concat the string, but always fail.

    Thanks and regards,
    Kerr

  6. Peter Lorenzen on

    Thanks Eric,

    I think this is exactly what I need. We have a situation where we need to call a third party Web Service from BPEL and they need a userid and password in the HTTP header, probably for basic authentication.

  7. Very useful introduction André. I think now I can get started too.. I am curious about the other pieces of WSM functionality: monitoring the incoming calls to a WebService. Does it report on those as well? Is there a way to record SLA conditions and have WSM monitor against those? (response times, load peaks,..)

  8. Hi Sandor,

    As mentioned in the post. I could not find the cake yet :-). I used the wssePassword and wsseUsername variables; but that did not work. I will have to look further into that. But first I want to see how this works in the ESB.
    And I am not done looking at the WSM. I think it’s a very useful tool and I was interested in it since you mentioned it during a meeting at Oracle. I will post my other findings on the WSM soon.

  9. Peter Lorenzen on

    Hi,

    Great example. Do you by chance know how to put extra information, like user name and password, in the HTTP header when calling a Web Service from BPEL?

    Regards Pete

  10. Very good description.
    Two notes:
    1. WSM can act in two modes: Gateway (as you described) or agent mode (client and/or server agents). Both have their own use and in real life are mostly combined.
    2. Have you looked at SOA Suite/BPEL 10.1.3? Calling a WS-Sec secured WS is now really a piece of cake.