There can be situations where you need to add security, such as HTTP basic authentication, to your Composite Services or References, especially when you have HTTP Binding Services or References. The HTTP Binding Service in SOA Suite 11g also has a SOAP endpoint beside the HTTP endpoint. With the SOAP endpoint you can always use WS-Security instead of basic authentication, but if that were an option you would not have chosen the HTTP Binding.
For this blog post I will use my HTTP Binding example from this blogpost.
In this example I have a Mediator with an HTTP Binding Reference. This reference has as its endpoint the execute URL of the execute HTTP Binding Service, which is connected to the BPEL Component.
Select the execute Service and configure SOA WS Policies. Here you need to select oracle/wss_http_token_service_policy. This OWSM policy enables HTTP Basic authentication for HTTP & SOAP or WSS Username Token in SOAP.
For the Composite Reference you need to use the oracle/wss_http_token_client_policy.
Of course you need to provide the username / password for the basic authentication. To do this, go to the Enterprise Manager application and select your WebLogic Domain. In the menu, select the Security menu item and then go to Credentials.
If you don't have the oracle.wsm.security map, you need to create it. In the map, add the basic.credentials key, where you provide the username / password for the HTTP Binding Service and Reference.
After rebooting the SOA Server you can test this HTTP Binding Service. I use WFetch from Microsoft. The internal tester clients of WebLogic and Enterprise Manager are not so great with HTTP POSTs and security.
The first test is a POST on the HTTP endpoint with a bad username. This gives an HTTP 403 Forbidden.
Now with a good username / password. For the POST I only have to provide the request in the body, without the SOAP envelope.
The HTTP Binding service also has a SOAP Endpoint. First we test this with a bad username.
Now with a good username / password. For the SOAP post you need to provide the Content-Type and SOAPAction HTTP Headers and the SOAP envelope with the request.
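The four tests above can also be scripted. The following is an added example, not part of the original post: it sends the same POSTs to the HTTP and SOAP style endpoints and additionally probes without any credentials, which goes beyond the tests described here. The URL, payload, accounts and SOAPAction value are placeholders, and sending a text/xml Content-Type to the HTTP endpoint is an assumption.

```python
import base64
import urllib.error
import urllib.request

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace

def build_request(url, payload, creds=None, soap_action=None):
    """Build the POST. creds=(user, password) adds HTTP Basic auth; soap_action
    selects the SOAP endpoint style (envelope + SOAPAction header)."""
    headers = {"Content-Type": "text/xml; charset=utf-8"}  # assumed for both styles
    body = payload                      # HTTP endpoint: bare request XML, no envelope
    if soap_action is not None:
        headers["SOAPAction"] = f'"{soap_action}"'
        body = (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">'
                f"<soapenv:Body>{payload}</soapenv:Body></soapenv:Envelope>")
    if creds is not None:
        token = base64.b64encode(":".join(creds).encode("utf-8")).decode("ascii")
        headers["Authorization"] = "Basic " + token
    return urllib.request.Request(url, data=body.encode("utf-8"),
                                  headers=headers, method="POST")

def status_of(req, timeout=10):
    """Send the request and return the HTTP status, including error statuses."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def check_policy(url, payload, good, bad, soap_action=None, send=status_of):
    """Probe with no, wrong and valid credentials; the policy counts as enforced
    only if the first two are rejected (401/403) and the valid pair gets a 2xx."""
    result = {name: send(build_request(url, payload, creds, soap_action))
              for name, creds in (("anonymous", None), ("bad", bad), ("good", good))}
    result["enforced"] = (result["anonymous"] in (401, 403)
                          and result["bad"] in (401, 403)
                          and 200 <= result["good"] < 300)
    return result

if __name__ == "__main__":
    # Placeholder endpoint, payload and accounts: replace with your own values.
    URL = "http://soa-host.example:8001/soa-infra/services/default/MyComposite/execute"
    print(check_policy(URL, "<request/>", good=("weblogic", "changeit"),
                       bad=("nobody", "wrong")))
    print(check_policy(URL, "<request/>", good=("weblogic", "changeit"),
                       bad=("nobody", "wrong"), soap_action="execute"))
```

Basic credentials are only base64-encoded in the Authorization header, so run this against the HTTPS URL of the service on anything other than a lab server.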
That's all.
Update by Maarten van Luijtelaar
You can have more than one account on the reference level by overriding the oracle/wss_http_token_client_policy properties. By default the value of csf-key is set to basic.credentials, but you can create a new key in EM and use that as an override.
Also, when not using the policy, adding the properties oracle.webservices.auth.username and oracle.webservices.auth.password with corresponding values will do the trick on external references.

Great post. We were able to perform HTTP authentication by following your steps.
We're still unable, however, to figure out how to dynamically set the username/password for the HTTP credentials, so we're still working on figuring that out.
~Ahmed
Hi,
for the http binding on the service side, there you can use every user defined in the myrealm security realm, like I describe in this blog.
http://biemond.blogspot.com/2010/08/things-you-need-to-do-for-owsm-11g.html
on the reference side I don't know if you can have more than 1 account.
take a look if you can set some attribute on the owsm policy reference like a username which you can also put in the owsm keystores.
another way is to use the spring component and in this use the apache http client
thanks
You can have more than one account on the reference level by overriding the oracle/wss_http_token_client_policy properties. By default the value of csf-key is set to basic.credentials, but you can create a new key in EM and use that as an override.
Also, when not using the policy, adding the properties oracle.webservices.auth.username and oracle.webservices.auth.password with corresponding values will do the trick on external references.
Hi Edwin,
In my requirement, I have to do a secured http call (https). In the binding adapter I have to use https url.
How can I send headers (user name and password) in https call of http binding adapter?
Hi,
There is no difference, only for HTTPS you need to have the right keystores installed on the weblogic soa server. I think you don't have to do something with a keystore where the remote service uses a certificate which is signed by one of the known CAs
the rest is the same as a normal http binding, configure owsm and add basic.credentials or add the username password on the composite reference
thanks
Hi Edwin,
Thanks for the reply
my external service needs below headers
application/HTTPstream upload ADT00368
ADT00368
RBOSNL2A
XML
how to send that data to the service?
I tried adding http_username_client_policy at composite reference, but no luck. Can you please tell what can be the issue?
Hi,
Did you also try by adding the following properties to the reference
oracle.webservices.auth.username oracle.webservices.auth.password
thanks
Edwin
I have a webService to be called using SOAP over https from a BPEL using a partner link. I am using the webService adapter. I could see the SOAP header is getting created with the user id and password, but getting the below error
FabricInvocationException
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Can you pls help me on where this certification path is sitting and how to set it up
Hi,
Are you calling a https URL? Probably you need to import the ca or public key of the service in your WebLogic key stores.
thanks
Edwin,
Repeated the same steps except that I am testing my bpel through SOA console. Even though, giving correct credentials it throws 'Bad response: 403 Forbidden' error.
Any idea on this?
Edwin,
We repeated the same step, however getting 'Bad response: 403 Forbidden' error even for the correct credentials.
Any idea on this?
Hi,
I don't trust the soa console, that's why I used another tool to test it.
thanks
Hi Biemond,
I just have a simple composite. I will be giving my composite WSDL to someone. And also I want to keep basic authentication on my composite. I know how to invoke a webservice which has basic http user authentication. But I really don't know how to keep some security on my composite. How do I keep http username authentication for my composite?
Thanks,
Nani
Hi,
you can add the right owsm policy on the exposed service or add this to the soa deployment plan.
this should work and users are validated against myrealm security realm.
thanks
Hi Edwin,
I have this problem. I have read on the otn but couldn't find a decent solution. We have a peoplesoft wsdl that has security on it. In 10g Jdeveloper, we should go to the partnerlink, click properties and define it like so:
testUser
welcome123
credentials
Now I have tried the following:
* Right click on the external reference service and select “Configure WS policies”
* Under the security tab, click add button and select “oracle/wss_username_token_client_policy”
* Now Open the property Inspector window and click the add button under “Binding properties” tab.
* Include the “oracle.webservices.auth.username” and “oracle.webservices.auth.password” properties.
But when I try to compile I get the error - Error(18,59): : XML-20129: (Error) Namespace prefix 'wsp' used but not declared. Error(18,59): : XML-20129: (Error) Namespace prefix 'orawsp' used but not declared.
I need to set the properties in Jdev and be able to deploy. If anyone has resolved this please help here. I have even tried not configuring the ws policies and adding the properties directly in the binding but it didn't work.
Here is my source code:
true
UP_INT
UP_INTG
But it fails to compile with the errors I got above, I am using Jdev 11.1.1.3.0
Hi,
There is something wrong with your composite or in jdev, the required namespaces should be defined at the composite like this
<composite name="SAMLHello"
revision="1.0"
label="2011-08-21_14-45-19_435"
mode="active"
state="on"
xmlns="http://xmlns.oracle.com/sca/1.0"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy"
xmlns:ui="http://xmlns.oracle.com/soa/designer/">
please check your composite.xml
thanks
Hi Edwin,
Thanks, I have sorted out the issue but with the changes I have done I still cannot get the username and password to work.
source code:
true
UPINTEG
INTEG
when I add the properties to the binding variables, I notice that these values oracle.webservices.auth.username and oracle.webservices.auth.password are not in the options available. I have added them anyway, but is that correct, I still cannot invoke the peoplesoft wsdl with wsse security.
Krishil,
Your source is not showing. I had to replace my "<" with "&lt;" for the <property> to show in this post.
There could be many reasons that yours is not working. I encountered a particular situation that may not apply to you. In my case, the problem is caused by this extra line in the composite.xml
<property name="csf-key" type="xs:string" many="false">. I didn't add it in, it just went in inadvertently. I took this extra line out, and it worked for me.
The irony is with this extra line, I accidentally found out it works with oracle/wss10_message_protection_client_policy. I don't recommend this, because I don't fully understand it. If anyone can explain it, I'd love to hear.
The other thing you may consider is to trap the TCP payload from your SOA server to PeopleSoft server, and see what actually is in the header.
Good luck.
Hi Ed,
Do you have an example where your reference binding adapter is using Kerberos authentication?
I need to invoke a Sharepoint web service from composite app. It uses Kerberos authentication. I don't know how to pass Kerberos authentication credentials to the web service in External Reference.
It will be really helpful if you have give me some pointers where to start from.
Thanks
Rakesh
Hi,
for SOA and Kerberos you need to use owsm, you can follow my blogpost on this http://biemond.blogspot.com/2011/09/using-owsm-kerberos-policies.html
thanks
Hi Ed,
How did you find the keywords in the Oracle docs? Can I ask you to provide the link that mentions "oracle.wsm.security" and "basic credentials"?
with my bests
Hi,
here is the link http://docs.oracle.com/cd/E21764_01/web.1111/e13713/owsm_appendix.htm#CHDDJAEC
thanks.
Hi Edwin,
It's a great blog you are maintaining.
I am stuck with an issue.
Kindly help me on this.
I have an external webService (remote) to be called using a BPEL using a partner link. I am using 11g soa suite. In 10g server same external webservice invoking is working fine. But in 11g I am getting the below error
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at oracle.j2ee.ws.client.jaxws.DispatchImpl.invoke(DispatchImpl.java:851)
Our admin team already installed CA and created keystore for the external server in our weblogic server.
But one strange thing I can see is the keystore file name is "keystore.importKEY", and same name is mentioned in the admin console at keystore configuration.
Usually keystore file will be .jks
but we have "keystore.importKEY".
Is it fine to have the keystore file like this in weblogic server?
Can you please let me know whether renaming to .jks can resolve our issue? Or is there some other solution for my issue?
Thanks in Advance,
Vijay
Hi,
you wanna do https. You can try owsm instead of using the weblogic keystores, or import the keys in the ca trust store of your used jvm.
the name doesn't matter.
thanks