Monday, September 1, 2008

How to pass Security Credentials from BPEL to ESB to a Web Service

I have seen people facing problems to pass security credentials from an ESB routing service to a WS-Security compliant Web Service. Passing security credentials from ESB routing service is possible but it's tricky. You need to play with the XSLT transformation to add WS-Security tokens in SOAP header of a Web Service request.

Oracle ESB is having four extension function for SOAP header manipulation:

1. String getRequestHeader(String xpathExpression,String namespaceDecl)
2. void setOutboundHeader(String xpathExpression,String value, String namespaceDecl)
3. String getInboundResponseHeader(String xpathExpression,String namespaceDecl)
4. void setResponseHeader(String xpathExpression,String value, String namespaceDecl)

here,
xpathExpression - XPath expression to get/set
value - value to be set for the xpathExpression
namespaceDecl - namespace declarations in the form ‘prefix=namespace;’

You need to add the four expressions given below in the XSLT map before invoking a WS-Security compliant Web Service. First two expressions extract user name and password from the incoming SOAP header and the last two expressions add security credentials in the outbound SOAP header.

<xsl:variable name="userName"
select="ehdr:getRequestHeader('/soap:Header/wsse:Security/wsse:UsernameToken/wsse:Username','wsse=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd; soap=http://schemas.xmlsoap.org/soap/envelope/;')"/>

<xsl:variable name="password"
select="ehdr:getRequestHeader('/soap:Header/wsse:Security/wsse:UsernameToken/wsse:Password','wsse=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd; soap=http://schemas.xmlsoap.org/soap/envelope/;')"/>

<xsl:variable name="setUsername"
select="ehdr:setOutboundHeader('/soap:Header/wsse:Security/wsse:UsernameToken/wsse:Username',$userName,'wsse=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd;')"/>

<xsl:variable name="setPassword"
select="ehdr:setOutboundHeader('/soap:Header/wsse:Security/wsse:UsernameToken/wsse:Password',$password,'wsse=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd;')"/>

See my previous posts How to set security credentials dynamically in Oracle BPEL and Invoking WS-Security compliant Web Services from Oracle BPEL to learn how to send security credentials from a BPEL process. You can download sample BPEL and ESB projects from here. You can use these projects for your reference.

2 comments:

AVNReddy said...

Hi,
When I use this code to pass the Security Credentials from ESB, I am getting soap prefix used but not declared exception. Even I decalre the soap namespace prefix still getting the same error. Could you please post some sample example or how and where to declare the soap: name space.

Thanks a lot.

Unknown said...

Hi brothers,

could any one helo on doing same thing in Glassfish ESB bpel?

REgards,
aabi