There can be situations where you need to add some security, like HTTP basic authentication, to your Composite Services or References, especially when you use HTTP Binding Services or References. The HTTP Binding Service in SOA Suite 11g also exposes a SOAP endpoint next to the HTTP endpoint. On the SOAP endpoint you could always use WS-Security instead of basic authentication, but if that were the case you would not have chosen the HTTP Binding in the first place.
For this blog post I will use the HTTP binding example from this blog post.
In this example I have a Mediator with an HTTP Binding Reference. The endpoint of this reference is the execute URL of the Execute HTTP Binding Service, which is wired to the BPEL component.
Select the execute Service and choose Configure SOA WS Policies. Here you need to select oracle/wss_http_token_service_policy. This OWSM policy enables HTTP Basic authentication for the HTTP and SOAP endpoints, or a WSS Username Token in SOAP.
For the Composite Reference you need to use oracle/wss_http_token_client_policy.
Of course you need to provide the username/password for the basic authentication. To do this, go to the Enterprise Manager application and select your WebLogic Domain. In the menu, select the Security menu item and then go to Credentials.
If you don't have the oracle.wsm.security map yet, you need to create it. In this map you add the basic.credentials key, where you provide the username/password used by the HTTP Binding Service and Reference.
After restarting the SOA Server you can test the HTTP Binding Service. I use WFetch from Microsoft; the built-in test clients of WebLogic and Enterprise Manager are not so great with HTTP POSTs and security.
The first test is a POST on the HTTP endpoint with a bad username. This gives an HTTP 403 Forbidden.
Now with a good username/password. For the POST I only have to provide the request in the body, without a SOAP envelope.
The HTTP Binding Service also has a SOAP endpoint. First we test this with a bad username.
Now with a good username/password. For the SOAP POST you need to provide the Content-Type and SOAPAction HTTP headers and the SOAP envelope with the request.
That's all.
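The four WFetch tests above (bad and good credentials against the HTTP endpoint, then against the SOAP endpoint), as an added Python example that is not code from the original post or from Oracle: a small local stand-in server enforces HTTP Basic authentication the way oracle/wss_http_token_service_policy does, and a client replays the requests. The credentials, endpoint paths and request payload are constructed for the demo; in SOA Suite the credentials live in the oracle.wsm.security credential map under basic.credentials and never in code. The service side is written as a pure function so the 403/200/400 decisions can be checked without opening a socket, and the credential comparison is constant-time.

```python
import base64
import hmac
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed demo credentials: in SOA Suite these sit in the oracle.wsm.security
# credential map under the basic.credentials key, not in code.
VALID_USER = "weblogic"
VALID_PASSWORD = "welcome1"

# Constructed paths standing in for the HTTP binding's execute URL and its SOAP endpoint.
HTTP_PATH = "/soa-infra/services/default/HelloHttp/execute"
SOAP_PATH = "/soa-infra/services/default/HelloHttp/execute_soap"


def basic_auth_header(user, password):
    """What oracle/wss_http_token_client_policy (or WFetch) puts on the wire:
    'Basic ' + base64(username:password)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def check_basic_auth(header_value):
    """Service side: parse the Authorization header and compare it with the stored
    credential in constant time; anything malformed is rejected."""
    if not header_value or not header_value.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header_value[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    ok_user = hmac.compare_digest(user.encode("utf-8"), VALID_USER.encode("utf-8"))
    ok_pass = hmac.compare_digest(password.encode("utf-8"), VALID_PASSWORD.encode("utf-8"))
    return ok_user and ok_pass


def handle_request(path, headers, body):
    """Service side as a pure function: returns (status, response body) for a POST."""
    if not check_basic_auth(headers.get("Authorization")):
        # WebLogic answered 403 Forbidden for a bad username in the post; a challenge
        # style server would send 401 plus a WWW-Authenticate header instead.
        return 403, "<fault>403 Forbidden</fault>"
    if path == HTTP_PATH:
        # HTTP endpoint: the request document alone, no envelope required.
        return 200, "<result>request accepted</result>"
    if path == SOAP_PATH:
        # SOAP endpoint: needs the SOAPAction header and an envelope around the request.
        if not headers.get("SOAPAction") or "Envelope" not in body:
            return 400, "<fault>SOAPAction header and SOAP envelope required</fault>"
        return 200, "<soap:Envelope><soap:Body><result>ok</result></soap:Body></soap:Envelope>"
    return 404, "<fault>unknown endpoint</fault>"


class Handler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output quiet
        pass

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("utf-8")
        status, text = handle_request(self.path, self.headers, body)
        data = text.encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "text/xml; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def post(url, body, user, password, extra_headers=None):
    """Client side (the WFetch role): POST the body with Basic auth, return the status code."""
    headers = {"Authorization": basic_auth_header(user, password), "Content-Type": "text/xml"}
    headers.update(extra_headers or {})
    req = urllib.request.Request(url, data=body.encode("utf-8"), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_scenarios():
    """Replay the post's four tests (plus one SOAP call without SOAPAction) locally."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    request_doc = "<request><name>Edwin</name></request>"  # constructed payload
    envelope = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
                f"<soap:Body>{request_doc}</soap:Body></soap:Envelope>")
    soap_headers = {"SOAPAction": "execute"}
    try:
        return {
            "http_bad_user": post(base + HTTP_PATH, request_doc, "wrong", VALID_PASSWORD),
            "http_good": post(base + HTTP_PATH, request_doc, VALID_USER, VALID_PASSWORD),
            "soap_bad_user": post(base + SOAP_PATH, envelope, "wrong", VALID_PASSWORD, soap_headers),
            "soap_good": post(base + SOAP_PATH, envelope, VALID_USER, VALID_PASSWORD, soap_headers),
            "soap_no_action": post(base + SOAP_PATH, envelope, VALID_USER, VALID_PASSWORD),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name}: HTTP {status}")
```

Running the script prints 403 for both bad-username calls, 200 for both good ones and 400 for the SOAP call that forgets the SOAPAction header, which is the same sequence the WFetch screenshots show. Note that Basic auth only base64-encodes the credentials, so on a real deployment the HTTP endpoint should sit behind HTTPS.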
Update by Maarten van Luijtelaar
You can have more than one account on the reference level by overriding the oracle/wss_http_token_client_policy properties. By default the value of csf-key is set to basic.credentials, but you can create a new key in EM and use that as an override.
Also, when not using the policy, adding the properties oracle.webservices.auth.username and oracle.webservices.auth.password with corresponding values will do the trick on external references.
Great post. We were able to perform HTTP authentication by following your steps.
We're still unable, however, to figure out how to dynamically set the username/password for the HTTP credentials, so we're still working on figuring that out.
~Ahmed
Hi,
for the http binding on the service side you can use every user defined in the myrealm security realm, like I describe in this blog.
http://biemond.blogspot.com/2010/08/things-you-need-to-do-for-owsm-11g.html
on the reference side I don't know if you can have more than 1 account.
take a look if you can set some attribute on the owsm policy reference like a username which you can also put in the owsm keystores.
another way is to use the spring component and in this use the apache http client
thanks
Hi Edwin,
In my requirement, I have to do a secured http call (https). In the binding adapter I have to use an https url.
How can I send headers (user name and password) in the https call of the http binding adapter?
Hi,
There is no difference, only for HTTPS you need to have the right keystores installed on the weblogic soa server. I think you don't have to do anything with a keystore when the remote service uses a certificate which is signed by one of the known CAs.
the rest is the same as a normal http binding: configure owsm and add basic.credentials, or add the username/password on the composite reference
thanks
Hi Edwin,
Thanks for the reply
my external service needs the headers below
application/HTTPstream upload ADT00368
ADT00368
RBOSNL2A
XML
how to send that data to the service?
I tried adding http_username_client_policy at the composite reference, but no luck. Can you please tell what the issue can be?
Hi,
Did you also try adding the following properties to the reference
oracle.webservices.auth.username oracle.webservices.auth.password
thanks
Edwin
I have a webService to be called using SOAP over https from a BPEL using a partner link. I am using the webService adapter. I can see the SOAP header is getting created with the user id and password, but I am getting the error below
FabricInvocationException
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Can you pls help me on where this certification path is sitting and how to set it up
Hi,
Are you calling an https URL? Probably you need to import the CA or public key of the service in your WebLogic key stores.
thanks
Edwin,
Repeated the same steps except that I am testing my bpel through the SOA console. Even though I am giving correct credentials, it throws a 'Bad response: 403 Forbidden' error.
Any idea on this?
Edwin,
We repeated the same steps, however we are getting a 'Bad response: 403 Forbidden' error even for the correct credentials.
Any idea on this?
Hi,
I don't trust the soa console, that's why I used another tool to test it.
thanks
Hi Biemond,
I just have a simple composite. I will be giving my composite WSDL to someone. And also I want to keep basic authentication on my composite. I know how to invoke a webservice which has basic http user authentication. But I really don't know how to keep some security on my composite. How do I keep http username authentication for my composite?
Thanks,
Nani
Hi,
you can add the right owsm policy on the exposed service or add this to the soa deployment plan.
this should work and users are validated against myrealm security realm.
thanks
Hi Edwin,
I have this problem. I have read on the OTN but couldn't find a decent solution. We have a peoplesoft wsdl that has security on it. In 10g JDeveloper, we should go to the partnerlink, click properties and define it like so:
testUser
welcome123
credentials
Now I have tried the following:
* Right click on the external reference service and select “Configure WS policies”
* Under the security tab, click add button and select “oracle/wss_username_token_client_policy”
* Now Open the property Inspector window and click the add button under “Binding properties” tab.
* Include the “oracle.webservices.auth.username” and “oracle.webservices.auth.password” properties.
But when I try to compile I get the error - Error(18,59): : XML-20129: (Error) Namespace prefix 'wsp' used but not declared. Error(18,59): : XML-20129: (Error) Namespace prefix 'orawsp' used but not declared.
I need to set the properties in JDev and be able to deploy. If anyone has resolved this please help here. I have even tried not configuring the ws policies and adding the properties directly in the binding but it didn't work.
Here is my source code:
true
UP_INT
UP_INTG
But it fails to compile with the errors I got above. I am using JDev 11.1.1.3.0
Hi,
There is something wrong with your composite or in jdev, the required namespaces should be defined at the composite like this
<composite name="SAMLHello"
revision="1.0"
label="2011-08-21_14-45-19_435"
mode="active"
state="on"
xmlns="http://xmlns.oracle.com/sca/1.0"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy"
xmlns:ui="http://xmlns.oracle.com/soa/designer/">
please check your composite.xml
thanks
Hi Edwin,
Thanks, I have sorted out the issue but with the changes I have done I still cannot get the username and password to work.
source code:
true
UPINTEG
INTEG
when I add the properties to the binding variables, I notice that these values oracle.webservices.auth.username and oracle.webservices.auth.password are not in the options available. I have added them anyway, but is that correct? I still cannot invoke the peoplesoft wsdl with wsse security.
Krishil,
Your source is not showing. I had to replace my "<" with "&lt;" for the <property> to show in this post.
There could be many reasons that yours is not working. I encountered a particular situation that may not apply to you. In my case, the problem is caused by this extra line in the composite.xml
<property name="csf-key" type="xs:string" many="false">. I didn't add it in, it just went in inadvertently. I took this extra line out, and it worked for me.
The irony is with this extra line, I accidentally found out it works with oracle/wss10_message_protection_client_policy. I don't recommend this, because I don't fully understand it. If anyone can explain it, I'd love to hear.
The other thing you may consider is to trap the TCP payload from your SOA server to PeopleSoft server, and see what actually is in the header.
Good luck.
Hi Ed,
Do you have an example where your reference binding adapter is using Kerberos authentication?
I need to invoke a Sharepoint web service from a composite app. It uses Kerberos authentication. I don't know how to pass Kerberos authentication credentials to the web service in the External Reference.
It will be really helpful if you can give me some pointers on where to start.
Thanks
Rakesh
Hi,
for SOA and Kerberos you need to use owsm, you can follow my blogpost on this http://biemond.blogspot.com/2011/09/using-owsm-kerberos-policies.html
thanks
Hi Ed,
How did you find the keywords in the oracle docs? Can I ask you to provide the link that mentions "oracle.wsm.security" and "basic credentials"?
with my bests
Hi,
here is the link http://docs.oracle.com/cd/E21764_01/web.1111/e13713/owsm_appendix.htm#CHDDJAEC
thanks.
Hi Edwin,
It's a great blog you are maintaining.
I am stuck with an issue.
Kindly help me on this.
I have an external webService (remote) to be called using a BPEL using a partner link. I am using 11g soa suite. In the 10g server the same external webservice invocation is working fine. But in 11g I am getting the below error
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at oracle.j2ee.ws.client.jaxws.DispatchImpl.invoke(DispatchImpl.java:851)
Our admin team already installed CA and created keystore for the external server in our weblogic server.
But one strange thing I can see is the keystore file name is "keystore.importKEY", and the same name is mentioned in the admin console at the keystore configuration.
Usually keystore file will be .jks
but we have "keystore.importKEY".
Is it fine to have the keystore file like this in weblogic server?
Can you please let me know whether renaming to .jks can resolve our issue? Or is there some other solution for my issue?
Thanks in Advance,
Vijay
Hi,
you wanna do https, you can try owsm instead of using the weblogic keystores, or import the keys in the CA trust store of the jvm you use.
the name doesn't matter.
thanks
Hi Edwin,
In this sample..how do we test the flow like ...
Calling HelloMediator -> mediator --> Reference -> execute (service) --> HelloProcess..
The reason why i am asking this question is ..we are trying to prototype something like below..
We will receive a SOAP request and send those details to a RESTful service. It will expect Http Headers for authentication [username/password].
Can u let us know how we can do this in SOA 11g PS2.
Thanks,
Sid.
Hi,
You can't pass on credentials, this requires saml. But you can use the http adapter for your restful service and provide the username on the reference in the composite.xml or use an owsm policy.
thanks
I used HttpAdapter for calling restful service.
Added the following to Binding properties manually in composite.xml [these are not available in the dropdown of the create property window.]
=> “oracle.webservices.auth.username” and “oracle.webservices.auth.password” properties.
But wondering how to test this to make sure the payload contains these parameters.
Just to reiterate: the service is getting called perfectly, but I want to see the headers going in the input.
Please suggest.
Hi,
you can use a network monitor / capture tool or use jdeveloper http analyzer and add this as proxy on the soa suite server.
thanks
Hi Edwin,
I am new to JDeveloper SOA; However, thx to your blog, I hope I can figure this out.
I need to post some XML over HTTP to an external non Oracle non SOA HTTP web page URL http://host:port/xyz so I created an HTTP Binding with that URL as end point and the appropriate request and response schema from the external system's XSD. The URL needs basic HTTP auth.
While creating the HTTP BINDING REFERENCE, I did not see any option to configure the http basic auth. Based on your blog, do I need to 1) add some properties to the HTTP BINDING manually in composite.xml? and then in Enterprise Manager, provide the username/password for basic HTTP auth? Am I on right track? Thx in advance, Shrikant
Hi,
2 options
add these to the reference service entry in the source mode of the composite.xml
oracle.webservices.auth.username and oracle.webservices.auth.password with corresponding values
or add the OWSM client policy to this reference service and add the user values in the EM
thanks
Hi, How exactly can this be done? Can you show this please in code? Thanks.
Hi,
here a good example of a ws reference in the composite.xml
<reference name="aaaaService" ui:wsdlLocation="aaa.wsdl">
<interface.wsdl interface="http://aa"/>
<binding.ws port="bbb" location="aaa.wsdl" soapVersion="1.2">
<wsp:PolicyReference URI="oracle/wss_username_token_client_policy" orawsp:category="security" orawsp:status="enabled"/>
<property name="oracle.webservices.auth.username" type="xs:string" many="false" override="may">weblogic</property>
<property name="oracle.webservices.auth.password" type="xs:string" many="false" override="may">weblogic1</property>
</binding.ws>
</reference>
Hi Edwin,
I am using security policy at composite level for External reference Service i.e "Siebel Service".
Security Policy : "oracle/wss_username_token_client_policy"
In the composite I have mentioned credentials for the service, i.e.
XXXXXX
XXXXXX
When i deploy the service and test it. It returns following error,
Unable to process SOAP Header child element 'wsse:Security' with 'mustUnderstand="1"'(SBL-EAI-08000)
Can u plz help me on this issue. Let me know how it can be fixed?
Hi,
Looks like SOA can't understand some elements of the remote siebel WSDL. Can you download it to your project and remove this wsse Security.
thanks
hey Edwin,
first of all thanks for the awesome post. I have one doubt.
I need to pass username and password in a WSS Username Token from the weblogic em. I need to retrieve
these values in my bpel process. I tried all possible ways but am getting errors. Can you please provide sample code for this.
thanks in advance :)
Hi,
Don't think you can do this, but when you use http authentication then you can use this http://biemond.blogspot.nl/2012/04/retrieve-or-set-http-header-from-oracle.html to retrieve the http headers.
or make your own OWSM policy which validates this and passes on the username in an element of the body.
thanks
Hi Edwin,
Have you ever explored the option of reading a key from the CSF inside a BPEL? I've posted my query in OTN but have not got any replies so far.
https://forums.oracle.com/forums/thread.jspa?threadID=2489768&tstart=0
Thanks,
Rahul
Hi Edwin,
Got it working.
Cheers,
Rahul
Hi,
Great work
Indeed I used almost the same code to retrieve a password.
http://biemond.blogspot.nl/2011/10/using-fmw-identitystore-for-your-user.html
thanks
Just to add to my question above about wss_http_token_service_policy in OSB. I also tried Basic authentication on HTTP POST with user name and password in the service account.
Hi,
did you read this about owsm and osb http://biemond.blogspot.nl/2010/05/wsm-in-fmw-11g-patch-set-2-and-osb-11g.html
thanks
Hello Edwin. My OSB setup is configured to use WSM as mentioned in your blog. when I select WSM policies in my business service it shows exactly same list of policies as shown in one of the screenshot.
however the problem is I don't see the right policy for the HTTPS web service. I just have to pass username and password in the header. Looks pretty simple, but somehow I am not able to make it work.
When I test from SOAP UI I just add the following part in my SOAP envelope, and it goes well.
MYUSERID
MYPASSWORD
Hi,
HTTPS is more a transport option and you can configure this on the weblogic server, but you can read the cn of the cert in OSB/weblogic and validate this. There must be a policy which forces https but you need to configure HTTPS in weblogic.
thanks
Q: I have a BPEL process which has a HumanWorkflow. At runtime, beyond approval of the HumanWorkflow, I would like to invoke a partner link as the approver of the HumanWorkflow - basically set csf-key to the approver username. I have the approver username available to me in the BPEL process, but how to I reference a binding property csf-key from the BPEL process to set the variable for that partner link invoke?
Hi,
I don't know, on the reference service you can set this in the policy part. Can you set this in a mediator assign?
thanks
Hi Edwin,
Hope you are doing good. We are exposing an HTTP binding to an external system in BPEL and we would like to enforce authentication since that service calls BPEL over internet. Could you please throw some light on how to achieve this?
Thanks,
Suresh.
Hi,
Look at this blogpost and take the policy you need http://biemond.blogspot.nl/2010/08/things-you-need-to-do-for-owsm-11g.html
Thanks
Hi Edwin,
In my scenario, I can't use the oracle/wss_http_token_client_policy as I have to pass authentication information in the Authorization header, which will have the following value:
for e.g.
'Basic Yw79u1jshbihchjasj=='
where Yw79u1jshbihchjasj== represents the Base64-encoded username:password
I have the following configuration based on your blog regarding Adding BPEL Headers
1) I have added the following in composite.xml under reference
<property name="oracle.webservices.http.headers">Authorization</property>
2) I have added the following in MyBPEL.bpel under invoke
<bpelx:toProperties>
<bpelx:toProperty name="Authorization" variable="tempString1"/>
</bpelx:toProperties>
I am assigning the value to Authorization (string variable) using an Assign activity.
But, it is not working for me. I am using SOA 11.1.1.5
In addition, do I need to add bpelx:inputHeaderVariable="Autorization" along with the Custom Header properties?
Please help as I am not able to figure out other ways to send this Header while making a HTTP POST call using HTTP Bindings adapter
Hi,
can you create your own owsm policy? With a policy you can intercept the outgoing request and do your thing, even when it has nothing to do with security, like formatting etc.
Or you can change an existing OWSM policy which comes close to your requirements
Good Luck
thanks
I solved this problem using the old javax properties; more on the solution here: http://ta.cnci.org/more-about-java/35-java-blogs/248-how-to-set-uri-and-authentication-credentials-to-partner-link-dynamically
Hi Edwin,
Thanks for maintaining such a nice blog. When I am calling the Webservice from BPEL I am getting an error like "Nonce is required but nonce is missing from message". I tried to pass the NONCE value from the Header in the Invoke Activity but it did not work out.
Can you guide me to a workaround to pass the NONCE in the SOAP Header from bpel?
Thanks in Advance!!!
Pavan
Hi,
Can you use OWSM policies (username_token_client_policy)? This will also set this NONCE token.
Thanks
Hi Edwin,
I have to invoke a client SOAP WSDL based web service, here I am using a partner link to achieve this. I want to invoke it from bpel. It is a sync based web service.
Please have a look at the sample input data of that web service. In the header section there is an element called Token. What I need to do here is pass the user name and password separated by ;
username;password
pass the input value
Please advise me how to pass these values when I am invoking it from BPEL. Generally we can map body variables/elements using an assign/transformation activity, but I am stuck with the auth.username and password values. Please help me out Edwin.
Ok,
adding to the soap header is hard.
what you can do is use OSB in between, write a custom OWSM policy, or maybe a mediator with a custom java callout.
thanks
Hi Edwin,
Please advise me on integrating SOA 11g with Microsoft sharepoint, what adapters are required?
Hi,
Only the WS adapter will work, or sharepoint needs to use the .net weblogic jms client
Thanks
Hi Edwin,
Nice blog, need some help and guidance. I have an external webservice secured using wsse
I am able to invoke it by providing the credentials in composite.xml using the "oracle.webservices.auth.username" properties. But the problem is I want the username and password to be configurable for each environment. I tried using the credential store and overriding the key but it is not working.
Tried few other things too but all of no use. Can you please direct me to right direction. Not sure if this is doable or not.
The policy I attached to external reference is - oracle/wss_username_token_client_policy
Hi,
Thanks for this tutorial, I am facing one problem at the time of calling a web service.
Suppose my web service is running over a cluster port & IP x.x.x.x:8888/XYZ/abx?wsdl
If I use this web service in oracle soa with that IP & port I am able to get a response from the web service. The same service is exposed over a domain name like abc.com which is SSL based, so with that domain name my web service URL is something like
https://abc.com/XYZ/abx?wsdl
When I try to call this web service I am not able to get any response from the web service.
I already imported the certificate in the trust store and have cross-verified that the certificate exists in the trust store.
I have tried every way but the web service is not giving a response.
I am stuck in my development please help me.
Thanks!
Hi Edwin,
HELP PLEASE...SOS
I followed all these steps to add oracle/wss_http_token_client_policy, but I got an error and this is it: error 401 unAuthorized.
from the jdeveloper http analyzer I tried to add an authorization header like this: name = Authorization, value = Basic username:password and it has worked fine, so now how can I add the authorization header in the composite so it works fine after deploying the composite?
Best regards
Hello Edwin,
I followed these steps to add oracle/wss_http_token_client_policy, but I got this error: error 401 unauthorized.
when I tried to test the web service from the http analyzer I got the same error, but after I added an Authorization header to the request like this: name: Authorization, value: Basic username:password, everything worked fine and the operation executed successfully from the analyzer.
so now how can I add an Authorization header to the composite so it works fine with basic authentication?
Best regards.
Edwin, Excellent post. One question I am using oracle/wss_http_token_client_policy together with oracle.webservices.auth.username and oracle.webservices.auth.password as properties for reference to UCM getFile webservice in my composite service. However, the password is supposed to be confidential and secured, and is not ideal to be shown in SOAP header, how would you address this and which policy would you use instead ? Thanks very much.
Can we get the username inside the bpel? I am using soa 11.1.1.7
is there a way to extract the user name?
Nice post. I noticed that the default oracle/wss_username_token_service/client_policy supports only clear-text passwords.
This might be okay when you accompany this with TLS/SSL. But if you don't want to expose your password when your SOAP request flows over the network, it is easy enough to create a password digest policy as well, where the caller only needs to send a hash of the password in the SOAP ws-security headers.
I wrote a post on it here:
http://weblog.singhpora.com/2016/10/ws-security-enabling-passworddigest.html
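The PasswordDigest variant described in the comment above, as an added Python example that is not code from the post, from the linked article or from OWSM: the client builds the wsse:UsernameToken fields (Username, Nonce, Created and Base64(SHA-1(nonce + created + password))) so the clear password never goes on the wire, and a service-side verifier recomputes the digest, enforces a freshness window on Created and refuses nonces it has already seen, which is what stops a captured token from being replayed. The user store, credentials and clock are constructed for the demo; a real policy validates against the security realm, which has to hold a secret it can recompute the digest from.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed user store standing in for the WebLogic security realm. PasswordDigest
# needs the service side to know the clear password (or an equivalent secret), so a
# realm that only keeps salted hashes cannot verify it.
USERS = {"weblogic": "welcome1"}
CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce_b64, created, password):
    """UsernameToken profile: Password_Digest = Base64(SHA-1(nonce + created + password)),
    with the nonce as raw decoded bytes and created/password as UTF-8 text."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_username_token(username, password, now=None, nonce=None):
    """Client side: the wsse:UsernameToken fields a digest-type policy sends."""
    now = now or datetime.now(timezone.utc)
    nonce_b64 = base64.b64encode(nonce or os.urandom(16)).decode("ascii")
    created = now.strftime(CREATED_FMT)
    return {"Username": username, "Nonce": nonce_b64, "Created": created,
            "PasswordDigest": password_digest(nonce_b64, created, password)}


class DigestVerifier:
    """Service side: recompute the digest, enforce a freshness window on Created and
    refuse nonces seen before within that window."""

    def __init__(self, users, max_skew=timedelta(minutes=5)):
        self.users = users
        self.max_skew = max_skew
        self.seen_nonces = {}  # nonce -> Created time, kept for one freshness window

    def verify(self, token, now=None):
        now = now or datetime.now(timezone.utc)
        password = self.users.get(token.get("Username"))
        if password is None:
            return False, "unknown user"
        try:
            created = datetime.strptime(token["Created"], CREATED_FMT).replace(tzinfo=timezone.utc)
            base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError):
            return False, "malformed token"
        if abs(now - created) > self.max_skew:
            return False, "created timestamp outside freshness window"
        # Forget nonces older than the window; such tokens fail the check above anyway.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if now - t <= self.max_skew}
        if token["Nonce"] in self.seen_nonces:
            return False, "nonce replayed"
        expected = password_digest(token["Nonce"], token["Created"], password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False, "digest mismatch"
        self.seen_nonces[token["Nonce"]] = created
        return True, "ok"


def demo():
    """Walk a fresh token, a replay of it, a wrong password and a stale token through
    the verifier; returns the four verdicts in that order."""
    now = datetime(2016, 10, 30, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock
    verifier = DigestVerifier(USERS)
    fresh = build_username_token("weblogic", "welcome1", now=now)
    wrong = build_username_token("weblogic", "wrong", now=now)
    stale = build_username_token("weblogic", "welcome1", now=now - timedelta(hours=1))
    return [verifier.verify(fresh, now=now), verifier.verify(fresh, now=now),
            verifier.verify(wrong, now=now), verifier.verify(stale, now=now)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The freshness window and the nonce cache belong together: the cache only has to remember nonces for as long as a token with that Created value would still be accepted, so it stays bounded, and a token captured on the network is worthless after the window even to someone who never learns the password.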