Monday, September 1, 2008

How to set security credentials dynamically in Oracle BPEL

Few months ago I have written a post on invoking WS-Security compliant services, In Oracle BPEL you can either propagate the security credentials coming from the caller process or you can hard-code the tokens in partner link properties.

If you want to invoke a WS-Security compliant web service and want to pass user supplied security tokens, Oracle BPEL does not let you set the security credential dynamically. You need to manually create a UserNameToken and then you need to pass the token as a SOAP header.

Follow the steps given below to change and pass security credentials dynamically:

  • Create 3 variable as given below:

<variable name="securityContext" element="ns2:Security"/>

<variable name="userNameToken" element="ns2:UsernameToken"/>

<variable name="pswd" element="ns2:Password"/>

  • Assign incoming security credentials to these variables:

<assign name="AssignSecurityCredentials">


<from variable="inputVariable" part="payload"


<to variable="pswd" query="/wsse:Password"/>



<from variable="inputVariable" part="payload"


<to variable="userNameToken"




<bpelx:from variable="pswd" query="/wsse:Password"/>

<bpelx:to variable="userNameToken"




<bpelx:from variable="userNameToken" query="/wsse:UsernameToken"/>

<bpelx:to variable="securityContext" query="/wsse:Security"/>



  • Pass the security credentials to the calling service like the expression given below:

<invoke name="InvokeAxisService" partnerLink="PartnerLinkAxisService"

portType="ns1:sample03PortType" operation="echo"




  • Complete you BPEL process by adding required functionalities then deploy and test it.


jr said...

This information is hard to come by, so thanks in advance for the post. I've tried the code and unfortunately it doesn't work. the process compiles just fine, but when I go to deploy it to my BPEL server, it fails saying it can't parse the process' wsdl properly. Wondering if you've come across this before.


Sam said...

Please mail your source code to me at , I will look into the issue.

sri said...

i have a requirement to call one secure webservice from bpel.
The WSDL (
when i am placing the url before opening that url it is asking username and pwd after that the wsdl is opoening in my browser)
same as in bpel also when i am creating partner link it is taking the username and pwd and also i am mentioning the username and pwd in bpel.xml even though when i am try to deploy the application build is failed and the Error is failed to read wsdl

Francois said...


Thanks for your work, it help me already. One question though:

- I'm trying to propagate the WSSE-Security header from the BPEL call to an internal partnerlink, but the "propagate" property in the partnerlink does not seem to work.

I'm now trying to retrieve the wsse:Security header from the SOAP-Message directly, put it into a variable and passing it to the partnerlink? ... but when i try

receive name="receiveInput" partnerLink="client"
portType="client:BPEL_Security_Test_4" operation="process"
variable="inputVariable" createInstance="yes"
bpelx:headerVariable="securityContext"to retrieve wsse:security from the soap header, the variable seems to stay empty... Am I missing something here?

Thanks for your help

Bh@kt@ said...

I have followed the steps as it is .. but still not able to connect to the secured web service.

Credentials are correct .

Any suggestions pls..


raju said...


is it work for 11g(7). can some one share the xsd location for 11g,