Wednesday, October 21, 2015

How to Pass Dynamic Credentials to Web Services in BPEL Process


A few days ago I encountered a small requirement: how to pass credentials to external web service calls inside a BPEL process dynamically. I quickly mentioned to my colleagues that we could do it using a CSF-KEY on the SOA Composite, but the challenge was that our BPEL process was really service oriented :). Therefore, we had to pass separate credentials to the external web service calls.

I did a little research and, by trial and error, I found a little solution that works well.

In summary, here is what you have to do:
  • Create Map in Weblogic Domain as 
  • Create a key inside the map and call it my-custom-csf-key (you can call it anything) 
  • In BPEL, attach the required policy to your service in the external reference 
  • Create a custom variable in the BPEL process to hold the value of your custom CSF key i.e. my-custom-csf-key (You can read the CSF key name from Database if required) 
  • Assign a csf key value to your variable in the ASSIGN activity 
  • Add a csf-key property to your INVOKE Activity, set the value as your custom BPEL variable 
  • Deploy your code and test

Creating Key Map and Credentials Key

Log in to the Enterprise Manager where the BPEL process is deployed, i.e. http://localhost:7001/em

Right click the Domain Name and Choose Domain_Name > Security > Credentials 

Click the Create Map button and enter (if it does not already exist), then click OK

Select in the table and click the Create Key button

Enter your credentials and make sure the Type is set to Password

Click OK and make sure you see something similar on your screen (ignore basic.credentials)

BPEL Process Details

In this example my application has 2 BPEL processes, as follows:

a. HellowithCredentials - This is the main service, secured by an OWSM policy; you must pass credentials to call it successfully 
b. CallSecureService - This is the client application, which passes the CSF key before invoking the HellowithCredentials service

HellowithCredentials Details

The service is a simple BPEL process protected by SOA WS policies, i.e. oracle/wss_username_token_service_policy

Inside the BPEL process there is one ASSIGN activity, which just concatenates the input parameters you pass with the string "Hello"

CallSecureService Details

The BPEL process is calling the HellowithCredentials service as External Service 

The oracle/wss_username_token_client_policy is attached to external service

A custom variable myCSFKeyVariable is created inside BPEL process to hold value of our dynamic csf-key 

Before invoking the external service, we assign a value to myCSFKeyVariable using an ASSIGN activity

The most important step is to create a property called csf-key inside INVOKE activity and set the value to your custom variable

Build and Deploy your code 
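
As an added example (not code from the original post), this is one way the ASSIGN and INVOKE steps above can look in BPEL 2.0 source, using Oracle's bpelx:toProperty extension. The partner link, port type, operation, message types and the ns1 namespace are hypothetical; only myCSFKeyVariable, my-custom-csf-key and the csf-key property name come from the post.

```xml
<!-- Added example: BPEL 2.0 fragment for the CallSecureService process.
     Names marked "hypothetical" are assumptions, not taken from the post. -->
<scope name="CallHelloWithDynamicCsfKey"
       xmlns="http://docs.oasis-open.org/wsbpel/2.0/process/executable"
       xmlns:bpelx="http://schemas.oracle.com/bpel/extension"
       xmlns:xsd="http://www.w3.org/2001/XMLSchema"
       xmlns:ns1="http://example.com/HellowithCredentials"> <!-- hypothetical namespace -->
  <variables>
    <!-- Holds only the NAME of the credential store key, never the password itself -->
    <variable name="myCSFKeyVariable" type="xsd:string"/>
    <!-- hypothetical message variables for the external service -->
    <variable name="helloInput" messageType="ns1:HelloRequestMessage"/>
    <variable name="helloOutput" messageType="ns1:HelloResponseMessage"/>
  </variables>
  <sequence>
    <!-- ASSIGN: choose which key the client policy should look up.
         If the name comes from a database or a request instead of a literal,
         check it against the set of key names this process is expected to use. -->
    <assign name="AssignCsfKey">
      <copy>
        <from>'my-custom-csf-key'</from>
        <to>$myCSFKeyVariable</to>
      </copy>
    </assign>
    <!-- INVOKE: the csf-key property overrides the key used by the attached
         oracle/wss_username_token_client_policy for this call only -->
    <invoke name="InvokeHellowithCredentials"
            partnerLink="HellowithCredentialsService"
            portType="ns1:HellowithCredentials"
            operation="process"
            inputVariable="helloInput"
            outputVariable="helloOutput">
      <bpelx:toProperties>
        <bpelx:toProperty name="csf-key" variable="myCSFKeyVariable"/>
      </bpelx:toProperties>
    </invoke>
  </sequence>
</scope>
```

The username and password never appear in the composite; they are resolved from the credential map at runtime using the key name carried in the variable.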

Testing application

Test CallSecureService from Enterprise Manager, you will see the following Green Flag

Now alter the password in your my-custom-csf-key to some random value and run again; you will see the following error message

There you go: we have successfully passed the credentials to our BPEL process dynamically and securely.

There is no need to hard code the credentials inside BPEL; the WebLogic Key Map stores the passwords and encrypts them securely. 

Zeeshan Baig
