There can be situations where you need to add security, such as HTTP basic authentication, to your Composite Services or References, especially when you have HTTP Binding Services or References. The HTTP Binding Service in SOA Suite 11g also has a SOAP endpoint beside the HTTP endpoint. On the SOAP endpoint you can always use WS-Security instead of basic authentication, but if that were what you wanted you would not have chosen the HTTP Binding.
For this blog post I will use the HTTP Binding example from this blogpost.
In this example I have a Mediator with an HTTP Binding Reference. The endpoint of this reference is the execute URL of the Execute HTTP Binding Service, which is connected to the BPEL Component.
The first test is a POST on the HTTP endpoint with a bad username. This gives an HTTP 403 Forbidden.
The HTTP Binding Service also has a SOAP endpoint. First we test this with a bad username.
Now with a good username and password. For the SOAP POST you need to provide the Content-Type and SOAPAction HTTP headers and send the SOAP envelope with the request.
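The bad and good credential tests described above can be scripted, as in this added example (not code from the original post), which sends the SOAP POST with the Content-Type, SOAPAction and Authorization headers and returns the HTTP status. The stub server, credentials, envelope and SOAPAction value are constructed stand-ins for the real composite endpoint, and the stub only models the 403 seen in the HTTP endpoint test.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample values (assumptions, not taken from the post).
GOOD = ("demo-user", "demo-pass")
ENVELOPE = (b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
            b"<soapenv:Body><request>hello</request></soapenv:Body></soapenv:Envelope>")

def basic_header(user, password):
    """RFC 7617 value: base64 is encoding, not encryption, so send it over HTTPS."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode("ascii")

class StubEndpoint(BaseHTTPRequestHandler):
    """Local stand-in for the protected endpoint: 403 unless the credentials match."""
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        ok = self.headers.get("Authorization") == basic_header(*GOOD)
        self.send_response(200 if ok else 403)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):  # silence per-request logging
        pass

def soap_post_status(url, user, password, soap_action='"execute"'):
    """POST the envelope with the headers the text lists; return the HTTP status."""
    req = urllib.request.Request(url, data=ENVELOPE, method="POST", headers={
        "Content-Type": "text/xml; charset=UTF-8",
        "SOAPAction": soap_action,  # assumed action name
        "Authorization": basic_header(user, password)})
    # Ignore proxy environment variables so the local call goes direct.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # a rejected login (403) arrives here

def run_demo():
    """Bad then good credentials against the stub; returns both status codes."""
    server = HTTPServer(("127.0.0.1", 0), StubEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/execute"
    try:
        return soap_post_status(url, "baduser", "x"), soap_post_status(url, *GOOD)
    finally:
        server.shutdown()
        server.server_close()
```

To run the same check against a real composite, call `soap_post_status` with its SOAP endpoint URL, the operation's SOAPAction and a matching envelope.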
Update by Maarten van Luijtelaar
You can have more than one account on the reference level by overriding the oracle/wss_http_token_client_policy properties. By default the value of csf-key is set to basic.credentials, but you can create a new key in EM and use that as an override.
Also, when not using the policy, adding the properties oracle.webservices.auth.username and oracle.webservices.auth.password with corresponding values will do the trick on external references.