No Webservice in real-world business applications is just exposed as it is, Security is enabled inherently
Oracle Fusion Middleware uses a policy-based model to manage and secure Web services across an organization
Policies apply security to the delivery of messages
Policies can be managed by both developers in a design-time environment and system administrators in a runtime environment
Below are the steps to invoke a secured WebService from a BPEL Process
- Before we start, we have to know what is the security policy imposed by the WebService. In this example, we are considering a WebService that has oracle/wss_username_token_client_policy
- There are 2 ways of imposing security for services in Oracle SOA Suite 11g
- Design Time
- Simply, rt click on the web service reference --> Configure WS Policies --> Select the appropriate Policy
Please note that you can select multiple policies at once, depending on the security of the WebService
This step adds the following snippet
<wsp:PolicyReference URI="oracle/wss_username_token_client_policy" orawsp:category="security" orawsp:status="enabled"/>
- Run Time
- The same could be done at runtime using Enterprise Manager(EM)
Login to EM --> rt click on soa_infra --> configure Policies --> select the appropriate Policy
The above step creates a 'Lock' icon on top of the web service reference as shown above
- Open composite.xml, goto source view, find out the reference tag in the file and add the following snippet which basically tells that this particular reference is secured with so-and-so policy, and these are the credentials for invoking the same
<property name="oracle.webservices.auth.username" type="xs:string"
<property name="oracle.webservices.auth.password" type="xs:string"
This will make sure the webservice is invoked using the provided credentials. And, that’s it!
Hope this gave you a clear understanding on invoking secured WebServices
Thanks for reading, Please check the other blogs as well