Pages

Wednesday, August 18, 2010

HTTP Basic authentication with SOA Suite 11g

There can be situations where you need to add some security like HTTP basic authentication to your Composite Services or References. Especially when you have some HTTP Binding Services or References. The HTTP Binding Service in SOA Suite 11g also has a SOAP endpoint beside the HTTP endpoint. With the SOAP endpoint you can always use WS-Security instead of the basic authentication, but if that was the case you won't choose for the HTTP Binding.    
For this blogpost I will use my http binding example of this blogpost 
In this example I have a Mediator with a HTTP Binding Reference. This reference has as endpoint the execute url of the Execute HTTP Binding Service, which is connected to the BPEL Component.
Select the execute Service and configure SOA WS Policies, Here you need to select the oracle/wss_http_token_service_policy . This OWSM policy enables HTTP Basic authentication for HTTP  & SOAP or WSS Username Token in SOAP.

For the Composite Reference you need to use the oracle/wss_http_token_client_policy.

Off course you need to provide the username / password for the basic authentication.  To do this you need to go to the Enterprise Manager Application and select your WebLogic Domain. In the Menu, select the Security menu Item and then go to Credentials.

When you don't have the oracle.wsm.security Map then you need to create this. In the Map you need to add the basic credentials Key where you can provide the username / password for the HTTP Binding Service and Reference.
After rebooting the SOA Server you can test this HTTP Binding Service. I use Wfetch of Microsoft. The internal tester client of WebLogic and Enterprise is not so great with HTTP posts and security.

First test is a POST on the HTTP endpoint with a bad username.  This gives a HTTP 403 Forbidden.
Now with a good username / password and for the POST I only have to provide the request in the body and without the SOAP envelop.

The HTTP Binding service also has a SOAP Endpoint. First we test this with a bad username.


Now with a good username / password. For the SOAP post you need to provide the Content-Type and SOAPAction HTTP Headers and the SOAP envelope with the request.

That's all.

Update by Maarten van Luijtelaar
You can have more than one account on the reference level by overriding the oracle/wss_http_token_client_policy properties. By default the value of csf-key is set to basic.credentials, but you can create a new key in EM and use that as an override.
Also, when not using the policy, adding the properties oracle.webservices.auth.username and oracle.webservices.auth.password with corresponding values will do the trick on external references.

66 comments:

  1. Great post. We were able to perform HTTP authentication by following your steps.

    We're still unable, however, to figure out how to dynamically set the username/password for the HTTP credentials, so we're still working on figuring that out.

    ~Ahmed

    ReplyDelete
  2. Hi,

    for the http binding on the service side, there you can use every user defined in the myrealm security realm. like I describe in this blog.

    http://biemond.blogspot.com/2010/08/things-you-need-to-do-for-owsm-11g.html

    on the reference side I dont know if you can have more then 1 account.
    take a look if you can set some attribute on the oswm policy reference like a username which you can also put in the owsm keystores.

    an other way is to use the spring component and in this use the apache http client

    thanks

    ReplyDelete
  3. You can have more than one account on the reference level by overriding the oracle/wss_http_token_client_policy properties. By default the value of csf-key is set to basic.credentials, but you can create a new key in EM and use that as an override.

    Also, when not using the policy, adding the properties oracle.webservices.auth.username and oracle.webservices.auth.password with corresponding values will do the trick on external references.

    ReplyDelete
  4. Hi Edwin,
    In my requirement,I have to do a secured http call (https).In the binding adapter I have to use https url.
    How Can I send headers(user name and password) in https call of http binding adapter?

    ReplyDelete
  5. Hi,

    There is no difference, only for HTTPs you need to have the right keystores installed on the weblogic soa server. I think you don't have to do something with a keystore where the remote service uses a certificate which is signed by one of the known CA's

    the rest is the same as a normal http binding, configure owsm and add basic.credentials or add the username password on the composite reference

    thanks

    ReplyDelete
  6. Hi Edwin,
    Thanks for the reply
    my external service needs below headers
    application/HTTPstream upload ADT00368
    ADT00368
    RBOSNL2A
    XML

    how to send that data to the service?

    I tried adding http_username_client_policy at composite refernce,but no luck.Can you please tell what can be the issue?

    ReplyDelete
  7. Hi,

    Did you also try by adding the following properties to the reference

    oracle.webservices.auth.username oracle.webservices.auth.password

    thanks

    ReplyDelete
  8. Edwin
    I have a webService to be called using SOAP over https from a BPEL using a partner link. I am using the webService adapter. I could see the SOAP header is getting created with the user id and password, but getting the below error
    FabricInvocationException
    sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    Can you pls help me on where this certification path is sitting and how to set it up

    ReplyDelete
  9. Hi,

    Are you calling a https URL , probably you need to import the ca or public key of the service in your WebLogic key stores .

    thanks

    ReplyDelete
  10. Edwin,

    Repeated the same steps except that I am testing my bpel through SOA console. Even though, giving correct credentials it throws 'Bad response: 403 Forbidden' error.

    Any idea on this?

    ReplyDelete
  11. Edwin,

    We repeated the same step, however getting 'Bad response: 403 Forbidden' error even for the correct credentials.

    Any idea on this?

    ReplyDelete
  12. Hi,

    I don't trust the soa console , that why I used an other tool to test it.

    thanks

    ReplyDelete
  13. Hi Biemond,

    I just have a simple composite. I will be giving my composite WSDL to someone. And also I want to keep basic authentication on my composite. i know how to invoke a webservice which has basic http user authentication. But i really dont know how to keep some security on my composite. How do i keep http username authentication for my composite.

    Thanks,
    Nani

    ReplyDelete
  14. Hi,

    you can add the right owsm policy on the exposed service or add this to the soa deployment plan.

    this should work and users are validated against myrealm security realm.

    thanks

    ReplyDelete
  15. Hi Edwin,

    I have this problem. I have read on the otn but couldnt find a decent solution. We have a peoplesoft wsdl that has security on it. In 10g Jdeveloper, we should go to the partnerlink, click properties and define it like so:

    testUser
    welcome123
    credentials

    Now I have tried the following:

    * Right click on the external reference service and select “Configure WS policies”
    * Under the security tab, click add button and select “oracle/wss_username_token_client_policy”
    * Now Open the property Inspector window and click the add button under “Binding properties” tab.
    * Include the “oracle.webservices.auth.username” and “oracle.webservices.auth.password properties.

    But when i try to compile i get the error - Error(18,59): : XML-20129: (Error) Namespace prefix 'wsp' used but not declared. Error(18,59): : XML-20129: (Error) Namespace prefix 'orawsp' used but not declared.

    I need to set the properties in Jdev and be able to deploy. If anyone has resolved this please help here. I have even tried not configuring the ws policies and adding the properties directly in the binding but it didnt work.

    Here is my source code:






    true
    UP_INT
    UP_INTG





    But it fails to compile with the errors i got above, I am using Jdev 11.1.1.3.0

    ReplyDelete
  16. Hi,

    There is something wrong with your composite or in jdev , the required namespaces should be defined at the composite like this

    <composite name="SAMLHello"
    revision="1.0"
    label="2011-08-21_14-45-19_435"
    mode="active"
    state="on"
    xmlns="http://xmlns.oracle.com/sca/1.0"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy"
    xmlns:ui="http://xmlns.oracle.com/soa/designer/">

    please check your composite.xml

    thanks

    ReplyDelete
  17. Hi Edwin,

    Thanks I have sorted out the issue but with the changes i have done i still cannot get the username and password to work.

    source code:




    true
    UPINTEG
    INTEG




    when i add the properties to the binding variables, i notice that these values oracle.webservices.auth.username and oracle.webservices.auth.password are not in the options avaliable. I have added them anyway, but is that correct, i still cannot invoke the peoplesoft wsdl with wsse security.

    ReplyDelete
  18. Krishil,

    Your source is not showing. I had to replace my "<" with "&lt" for the <property> to show in this post.

    There could be many reasons that yours is not working. I encountered a particular situation that may not apply to you. In my case, the problem is caused by this extra line in the composite.xml
    <property name="csf-key" type="xs:string" many="false">. I didn't add it in, it just went in inadvertently. I took this extra line out, and it worked for me.

    The irony is with this extra line, I accidentally found out it works with oracle/wss10_message_protection_client_policy. I don't recommend this, because I don't fully understand it. If anyone can explain it, I'd love to hear.

    The other thing you may consider is to trap the TCP payload from your SOA server to PeopleSoft server, and see what actually is in the header.

    Good luck.

    ReplyDelete
  19. Hi Ed,

    Do you have a example where your reference binding adapter is using Kerberos authentication.

    I need to invoke a Sharepoint web service from composite app. It uses Kerberos authentication. I dont know how to pass Kerberos authentication credentials to the web service in External Reference.

    It will be really helpful if you have give me some pointers where to start from.

    Thanks

    Rakesh

    ReplyDelete
  20. Hi,

    for SOA and Kerberos you need to use owsm, you can follow my blogpost on this http://biemond.blogspot.com/2011/09/using-owsm-kerberos-policies.html

    thanks

    ReplyDelete
  21. Hi Ed,
    How did you find the keywords in oracle docs. Can I ask you to provide the link that mentioned about "oracle.wsm.security" and " basic credentials"
    with my bests

    ReplyDelete
  22. Hi,

    here is the link http://docs.oracle.com/cd/E21764_01/web.1111/e13713/owsm_appendix.htm#CHDDJAEC

    thanks.

    ReplyDelete
  23. Hi Edwin,

    Its a great blog you are maintaining.
    I am struckup with a issue.
    Kindly help me on this.
    I have an external webService (remote) to be called using a BPEL using a partner link.I am using 11g soa suite. In 10g server same external webservice invoking is workin fine.But in 11g I am getting the below error

    sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at oracle.j2ee.ws.client.jaxws.DispatchImpl.invoke(DispatchImpl.java:851)

    Our admin team already installed CA and created keystore for the external server in our weblogic server.
    But one strange this I can see is the keystore file name is "keystore.importKEY", and same name is mentioned in the admin console at keystore configuaration.

    Usually keystore file will be .jks
    but we have "keystore.importKEY".
    Is it fine to have the keystore file like this in weblogic server?
    Can you please let me know whether renaming to.jks can resolve our issue. Or there is some other solution for my issue?

    Thanks in Advance,
    Vijay

    ReplyDelete
  24. Hi Edwin,

    Its a great blog you are maintaining.
    I am struckup with a issue.
    Kindly help me on this.
    I have an external webService (remote) to be called using a BPEL using a partner link.I am using 11g soa suite. In 10g server same external webservice invoking is workin fine.But in 11g I am getting the below error

    sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at oracle.j2ee.ws.client.jaxws.DispatchImpl.invoke(DispatchImpl.java:851)

    Our admin team already installed CA and created keystore for the external server in our weblogic server.
    But one strange this I can see is the keystore file name is "keystore.importKEY", and same name is mentioned in the admin console at keystore configuaration.

    Usually keystore file will be .jks
    but we have "keystore.importKEY".
    Is it fine to have the keystore file like this in weblogic server?
    Can you please let me know whether renaming to.jks can resolve our issue. Or there is some other solution for my issue?

    Thanks in Advance,
    Vijay

    ReplyDelete
  25. Hi,

    you wanna do https , You can try owsm instead of using the weblogic keystores, or import the keys in the ca trust store of your used jvm.

    the name doesn't matter.

    thanks

    ReplyDelete
  26. Hi Edwin,

    In this sample..how do we test the flow like ...
    Calling HelloMediator -> mediator --> Reference -> execute (service) --> HelloProcess..

    The reason why i am asking this question is ..we are trying to prototype something like below..

    We will receive a SOAP request and send those details to RESTFul service.It will expect Http Headers for authentication.[username/password.]

    Can u let us know how we can do this in SOA 11g PS2.

    Thanks,
    Sid.

    ReplyDelete
    Replies
    1. Hi,

      You can't pass on credentials this requires saml. but you can use the http adapter for your restfull service and provide the username on the reference in the composite.xml or use a owsm policy.

      thanks

      Delete
  27. I used HttpAdapter for calling restful service.
    Added following to Binding properties manually in composite.xml [These are not available in the drop of create property window.]

    =>“oracle.webservices.auth.username” and “oracle.webservices.auth.password properties.

    But wondering how to test this to make sure the payload contains these parameters.

    Just to iterate..The service is getting called perfectly,But i want to see the headers going in the input.

    Please suggest.

    ReplyDelete
    Replies
    1. Hi,

      you can use a network monitor / capture tool or use jdeveloper http analyzer and add this as proxy on the soa suite server.

      thanks

      Delete
  28. Hi Edwin,
    I am new to JDeveloper SOA; However, thx to your blog, I hope I can figure this out.
    I need to post some XML over HTTP to an external non Oracle non SOA HTTP web page URL http://host:port/xyz so I created an HTTP Binding with that URL as end point and the appropriate request and response schema from the external system's XSD. The URL needs basic HTTP auth.
    While creating the HTTP BINDING REFERENCE, I did not see any option to configure the http basic auth. Based on your blog, do I need to 1) add some properties to the HTTP BINDING manually in composite.xml? and then in Enterprise Manager, provide the username/password for basic HTTP auth? Am I on right track? Thx in advance, Shrikant

    ReplyDelete
    Replies
    1. Hi,

      2 options
      add these to the reference service entry in the source mode of the composite.xml
      oracle.webservices.auth.username and oracle.webservices.auth.password with corresponding values
      or add the OWSM client policy to this reference service and add the user values in the EM

      thanks

      Delete
    2. Hi, How exactly can this be done? Can you show this please in code? Thanks.

      Delete
    3. This comment has been removed by the author.

      Delete
    4. Hi,

      here a good example of a ws reference in the composite.xml

      <reference name="aaaaService" ui:wsdlLocation="aaa.wsdl">
      <interface.wsdl interface="http://aa"/>
      <binding.ws port="bbb" location="aaa.wsdl" soapVersion="1.2">
      <wsp:PolicyReference URI="oracle/wss_username_token_client_policy" orawsp:category="security" orawsp:status="enabled"/>
      <property name="oracle.webservices.auth.username" type="xs:string" many="false" override="may">weblogic</property>
      <property name="oracle.webservices.auth.password" type="xs:string" many="false" override="may">weblogic1</property>
      </binding.ws>
      </reference>

      Delete
  29. Hi Edwin,
    I am using security policy at composite level for External reference Service i.e "Siebel Service".
    Security Policy : "oracle/wss_username_token_client_policy"
    In composite i have mentioned credentials for the service, i.e.
    XXXXXX
    XXXXXX
    When i deploy the service and test it. It returns following error,
    Unable to process SOAP Header child element 'wsse:Security' with 'mustUnderstand="1"'(SBL-EAI-08000)

    Can u plz help me on this issue. Let me know how it can be fixed?

    ReplyDelete
    Replies
    1. Hi,

      Looks like SOA can't understand some elements of the remote siebel WSDL. Can you download it to your project and remove this wsse Security.

      thanks

      Delete
  30. hey Edwin,
    first of all thanks for the awesome post. i have one doubt.
    i need to pass username and password in WSS Username Token from weblogic em. i need to retrieve
    these values in my bpel process. i tried all possible ways but getting errors. can u please provide sample code for this .

    thanks in advance :)

    ReplyDelete
    Replies
    1. Hi,

      Don't think you can do this, but when you use http authentication then you can use this http://biemond.blogspot.nl/2012/04/retrieve-or-set-http-header-from-oracle.html to retrieve the http headers.

      or make you own OWSM policy which validates this and pass on the username in an element of the body.

      thanks

      Delete
  31. Hi Edwin,
    Have you ever explored the option of reading a key from the CSF inside a BPEL? I've posted my query in OTN but have not got any replies so far.

    https://forums.oracle.com/forums/thread.jspa?threadID=2489768&tstart=0

    Thanks,
    Rahul

    ReplyDelete
    Replies
    1. Hi Edwin,
      Got it working.
      Cheers,
      Rahul

      Delete
  32. Just to add to my question above about wss_http_token_service_policy in OSB. I also trid Basic authentication on HTTP POST with user name and password in service account.

    ReplyDelete
    Replies
    1. Hello Edwin. My OSB setup is configured to use WSM as mentioned in your blog. when I select WSM policies in my business service it shows exactly same list of policies as shown in one of the screenshot.
      however problem is I don't see right policy for HTTPS web service. I just have to pass username and password in header. looks like pretty simply. but somehow not able to make it.

      When I test from SOAP UI I just add following part in my SOAP envelop.and it goes well.



      MYUSERID
      MYPASSWORD


      Delete
    2. Hi,

      HTTPS is more a transport option and you can configure this on the weblogic server but you can read the cn of the cert in OSB/weblogic and validates this. There must be a policy who forces https but you need to configure HTTPS in weblogic.

      thanks

      Delete
  33. Q: I have a BPEL process which has a HumanWorkflow. At runtime, beyond approval of the HumanWorkflow, I would like to invoke a partner link as the approver of the HumanWorkflow - basically set csf-key to the approver username. I have the approver username available to me in the BPEL process, but how to I reference a binding property csf-key from the BPEL process to set the variable for that partner link invoke?

    ReplyDelete
    Replies
    1. Hi,

      I don't know , on the reference service you can set this in the policy part. Can you set this in a mediator assign.

      thanks

      Delete
  34. Hi Edwin,

    Hope you are doing good. We are exposing an HTTP binding to an external system in BPEL and we would like to enforce authentication since that service calls BPEL over internet. Could you please throw some light on how to achieve this?

    Thanks,
    Suresh.

    ReplyDelete
  35. Hi Edwin,

    In my scenario, i can't use the oracle/wss_http_token_client_policy as i have to pass Authentication information against the
    Authorization header which will have following value :
    for e.g.
    'Basic Yw79u1jshbihchjasj=='
    where, Yw79u1jshbihchjasj== represents Base64Encoded username:password
    I have following configuration based on your blog regarding Adding BPEL Headers

    1) I have added following in composite.xml under reference

    property name="oracle.webservices.http.headers">Authorization/property>

    2) I have added following in MyBPEL.bpel under invoke

    bpelx:toProperties>
    bpelx:toProperty name="Authorization" variable="tempString1"/>
    /bpelx:toProperties>


    I am assigning the value to Autorization(string variable) using Assign activity.
    But, it is not working for me. I am using SOA 11.1.1.5
    In addition, do I need to add bpelx:inputHeaderVariable="Autorization" along with the Custom Header properties?

    Please help as I am not able to figure out other ways to send this Header while making a HTTP POST call using HTTP Bindings adapter

    ReplyDelete
    Replies
    1. Hi,

      can you create your owsm policy?, with a policy you can intercept the outgoing request and do your thing. Even when it has nothing to do with security like formatting etc.

      Or you can change a existing OWSM policy which comes close to your requirements

      Good Luck

      thanks

      Delete
    2. I solve this problem using the old javax properties: more solution here: http://ta.cnci.org/more-about-java/35-java-blogs/248-how-to-set-uri-and-authentication-credentials-to-partner-link-dynamically

      Delete
  36. Hi Edwin,

    Thanks for maintaining such a nice blog. when i am calling the Webservice from BPEL i am getting error like "Nonce is required but nonce is missing from message". I tried to pass NONCE value from Header in Invoke Activity but it did not worked out.

    Can you guide me/ workaround to pass NONCE in SOAPHeader from bpel?
    Thanks in Advance!!!

    Pavan

    ReplyDelete
    Replies
    1. Hi,

      Can you use OWSM policies ( username_token_client_policy ) this will set also set this NONCE token.

      Thanks

      Delete
  37. Hi Edwin,

    I have to invoke client SOAP WSDL based web service, here I am using partner link to archive this. I want to invoke it from bpel. It is sync based web service.

    Please have look at sample input data of that web service. in the header section there is element called Token. what i need to do here I need to pass the user name and password those separated by ;




    username;password




    pass the input value




    Please advise me how to pass these values when i am invoking it from BPEL. Generally body variables/elements we can map them using assign/transformation activity but Am struck with auth.username and password values. Please help me out Edwin.

    ReplyDelete
    Replies
    1. Ok,

      adding to the soap header is hard.
      what you can do is using OSB in between, write a Custom OWSM policy or maybe a mediator with a custom java callout.

      thanks

      Delete
  38. Hi Edwin,

    Please advise me to integrate S)A 11g with Microsoft sharepoint,what are adapters are required

    ReplyDelete
    Replies
    1. Hi,

      Only the WS adapter will work or sharepoint need to use the .net weblogic jms client

      Thanks

      Delete
  39. Hi Edwin,

    Nice blog, need some help and guidance. I have a external webservice secured using wsse

    I am able to invoke but providing the credentials in composite.xml using "oracle.webservices.auth.username" properties. But the problem is I want username and password to be configurable for each environment. I tried using credential store and over riding the key but not working.
    Tried few other things too but all of no use. Can you please direct me to right direction. Not sure if this is doable or not.
    The policy I attached to external reference is - oracle/wss_username_token_client_policy

    ReplyDelete
  40. Hi,
    Thanks for this tutorial, I am facing one problem at the time of calling a web service,

    Suppose my web service is running over a cluster port & IP x.x.x.x:8888/XYZ/abx?wsdl

    If i am using this web service in oracle soa with that IP & port i am able to got response from web service, Same service is exposed over a domain name like abc.com which is SSL based so with that domain name my web service URL is something like.
    https://abc.com/XYZ/abx?wsdl
    When i am trying to calling this web service i am not able to got any response from web service.

    I already imported the certificate in the trust store and had been cross verified that certificate is exist in the trust store.


    I had tried with all the way but the web service is not giving response.


    I am stuck in my development please help me.

    Thanks!

    ReplyDelete
  41. Hi Edwin,
    HELP PLEASE...SOS
    i followed all these steps to add oracle/wss_http_token_client_policy, but i got an error and this is it :error 401 unAuthorized.
    from jdeveloper http analyzer i try to add an authorization header like this : name = Authorization. value = Basic username:password and it has worked fine, so now how i can add authorization header in composite to work fine after deploying the composite.
    Best regards

    ReplyDelete
  42. Hello Edwin,
    i followed this steps to add oracle/wss_http_token_client_policy, but i got this error : error 401 unauthorized .
    when i tried to test web service from http analyzer i got the same error, but after i add an Authorization to the request header like this: name : Authorization. value : Basic username:password, every things work fine and operation execute successfully from (analyzer).
    so now how i can add an Authorization header to the composite till it work fine with basic authentication
    Best regards.

    ReplyDelete
  43. Edwin, Excellent post. One question I am using oracle/wss_http_token_client_policy together with oracle.webservices.auth.username and oracle.webservices.auth.password as properties for reference to UCM getFile webservice in my composite service. However, the password is supposed to be confidential and secured, and is not ideal to be shown in SOAP header, how would you address this and which policy would you use instead ? Thanks very much.

    ReplyDelete
  44. Can we get the username in side the bpel , I am using soa 11.1.1.7

    ReplyDelete
  45. is there a way to extract the user name?

    ReplyDelete
  46. Nice post. I noticed that the default oracle/wss_username_token_service/client_policy supports only clear-text passwords.
    This might be okay when you accompany this with TLS/SSL. But if you don't want to expose your password when your SOAP request flows over the network, it is easy enough to create a password digest policy as well, where the caller only needs to send a hash of the password in the SOAP ws-security headers.
    I wrote a post on it here:
    http://weblog.singhpora.com/2016/10/ws-security-enabling-passworddigest.html

    ReplyDelete