How to call a WS-Security secured web service from Oracle BPEL
I have been investigating Oracle’s Web Service Manager recently. WSM is shipped with the new SOA Suite. The WSM is a service gateway. Existing services can be placed behind the gateway. Security and authentication of the services will be done by the service gateway. WSM also provides a lot of logging facilities. Call to services behind the gateway can be logged. Authentication errors can be logged etc. Multiple services can be placed behing one gateway definition. All policies for that gateway definition, logging, authentication etc., will be applicable for all the services that are linked to the gateway.
Oracle provides a nice and complete tutorial that you can use when you are looking to the WSM for the first time. The tutorial can be found here. It was very straight forward to implement a authentication policy based on WS-Security. WS-Security is an OASIS standard that describes a uniform implementation regarding the security of webservices. The OASIS page regarding WS-Security can be found here. The following screen shot shows how easy it is to define a WS-Security policy. In this example a username/password file is defined that will be used for the authentication step. Note that the password in the file will be hashed with MD5.
How to call a WS-Secured service from BPEL
Following Oracle’s WSM introduction was easy. The hard part (for me) was how to call the now WS-Secured service from a BPEL process. The following steps decribe how to call a WS-Security secured service from a BPEL project:
1. Create a partner link to the gateway that is wrapping the actual service
2. Create a new BPEL variable
The username and password that should be provided to the service gateway should be in the SOAP header of the partner link call. For this we need a BPEL variable that is based on an XSD that is provided by OASIS. I have imported copy of this file into my BPEL project. The content of the file can be found at http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd. I can now create a BPEL variable based on the Security variable defined in this schema. This variable is of type: ANY_TYPE, but I will address that later.
3. Provide the authentication details to the new security variable
The variable of type security is of ANY_TYPE type. But are now going to assign a piece of XML as the variables value. This piece of XML will contain the username and password; in this case marcc/java1. Create an assign activity and copy the following XML to the Variable_1 variable:
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><br /> <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><br /> <wsse:Username>marcc</wsse:Username><br /> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">java1</wsse:Password><br /> </wsse:UsernameToken><br /></wsse:Security>
4. The value of the Variable_1 variable should be inserted in the SOAP header of the partner link call.
Loging details have to be provided in the SOAP header, that’s how WS-Security provides authentication details. That can be done by providing the the Variable_1 variable as a header variable during the Invoke activity. Of course you need to provide the proper input and output variables on the invoke activity.
That’s it. We have created a variable, provided our username and password to the variable. We have then put that variable in the SOAP header. The BPEL process we have now created looks like:
After deployment and test of the BPEL project the result of the invoke activity shows:
<part xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="format">
<format xmlns="" xmlns:def="http://www.w3.org/2001/XMLSchema"
<part xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Result">
The following is the same output when I provide the wrong password:
<messages><br /> <input><br /> <ServiceIn><br /> <part xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"<br /> name="format"><br /> <format xmlns="" xmlns:def="http://www.w3.org/2001/XMLSchema"<br /> xsi:type="def:string"<br /> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/><br /> </part><br /> </ServiceIn><br /> </input><br /> <fault><br /> <remoteFault xmlns="http://schemas.oracle.com/bpel/extension"><br /> <part name="code"><br /> <code>Client.AuthenticationFault<br /></code><br /> </part><br /> <part name="summary"><br /> &nbs p; & lt;summary>Invalid username or password<br /></summary><br /> </part><br /> <part name="detail"><br /> <detail><br /> <detail/><br /> </detail><br /> </part><br /> </remoteFault><br /> </fault><br /></messages><br />
So, It’s working!!! One question remains. It is possible to provide wsseUsername and wssePassword on the property table page of a partner link definition. My first hope was that should be all I need. For me providing these two variables did not do anyting. But the above is working fine.
- AMIS Query on WebService Security and Administration using the Oracle WebServices Manager – and sneak preview of the Enterprise Service Bus
- Oracle BPEL PM – Invoking a (remote) BPEL Service from Java using RMI
- AMIS Query on Oracle Enterprise Service Bus, Oracle WebServices Manager, SOA & BPEL. …and not about JBoss
- Pivot using BPEL
- Introduction to SOA, BPEL and Oracle BPEL PM through a real life business case (Dutch white paper)