Oracle SOA Suite Online Training

Interested in learning Oracle SOA Suite 12c?
Learn from the author of this blog!
A complete and comprehensive course on the #1 platform on SOA - Oracle SOA Suite

Click here to find the complete course details
Click here to check the first session on Oracle SOA Suite 12c


Invoking a Secured WebService in BPEL - Oracle SOA Suite 11g

No Webservice in real-world business applications is just exposed as it is, Security is enabled inherently
Oracle Fusion Middleware uses a policy-based model to manage and secure Web services across an organization
Policies apply security to the delivery of messages
Policies can be managed by both developers in a design-time environment and system administrators in a runtime environment

Below are the steps to invoke a secured WebService from a BPEL Process

  1. Before we start, we have to know what is the security policy imposed by the WebService. In this example, we are considering a WebService that has oracle/wss_username_token_client_policy

  1. There are 2 ways of imposing security for services in Oracle SOA Suite 11g
    1. Design Time
      1. Simply, rt click on the web service reference --> Configure WS Policies --> Select the appropriate Policy
Please note that you can select multiple policies at once, depending on the security of the WebService

This step adds the following snippet
      <wsp:PolicyReference URI="oracle/wss_username_token_client_policy" orawsp:category="security" orawsp:status="enabled"/>
  1. Run Time
    1. The same could be done at runtime using Enterprise Manager(EM)
Login to EM --> rt click on soa_infra --> configure Policies --> select the appropriate Policy
The above step creates a 'Lock' icon on top of the web service reference as shown above

  1. Open composite.xml, goto source view, find out the reference tag in the file and add the following snippet which basically tells that this particular reference is secured with so-and-so policy, and these are the credentials for invoking the same
      <property name="oracle.webservices.auth.username" type="xs:string"
                many="false" override="may">admin</property>
      <property name="oracle.webservices.auth.password" type="xs:string"
                many="false" override="may">Welcome123</property>

This will make sure the webservice is invoked using the provided credentials. And, that’s it!
Hope this gave you a clear understanding on invoking secured WebServices
Thanks for reading, Please check the other blogs as well


  1. This comment has been removed by a blog administrator.

  2. I am using Jdeveloper. It is not allowing me to create the service reference with out connectinf the WSDL. To connect to the WDDL URL username / password is required. Once it appears in the composite as external reference then only I can apply the above.Not sure what I am doing wrong here

    1. Hi
      You can save the WSDL to local, create a reference out of it and use the above mentioned approach.

  3. Hi
    add "?wsdl" to the end of the wsdl url and it will open without username and password.