Wednesday, 20 August 2014

Dynamically setting the CSF-key

In one of my projects I faced the challenge of invoking, from within my SOA Suite 11g composite, a webservice that was secured with HTTP basic authentication. I decided to use the OWSM policy oracle/wss_http_token_client_policy. Because I didn't want the username and password of the referenced webservice to be visible in the audit trail, I also decided to use the Credential Store Framework. There are some excellent blog posts describing exactly how to do this, for instance here and here. I happily implemented this solution and, after some basic testing, deployed my composite on our test environment.

Unfortunately, all was not well and good. It turned out that in some situations the referenced webservice required a different set of credentials, depending on the value of an element in the payload of the message. Now I faced a real challenge! Perhaps because of my poor googling skills, the world wide web didn't provide me with a solution. But this blog post wouldn't have seen the light of day if I hadn't been able to crack it. Here is how it goes.

In the composite.xml, after defining a referenced webservice, applying the OWSM policy and overriding the csf-key, this is how it looks in the binding section of the referenced service:

<wsp:PolicyReference URI="oracle/wss_http_token_client_policy"
                     orawsp:category="security" orawsp:status="enabled"/>
<property name="csf-key">my-csf-key</property>


The trick is to override this csf-key property in the Invoke activity in the BPEL process. I couldn't do this from within the graphic design mode in JDeveloper, so I changed the source code manually:

<invoke ...>
    <bpelx:toProperty name="csf-key" variable="myOtherCsfKeyVariable"/>
</invoke>
 
As you can see, in the BPEL Invoke activity it is possible to set this property using a variable. The value of this variable can be derived from the message payload, in combination with, for instance, a Domain Value Map lookup.
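
One way to derive that variable, as an added example that is not the author's code: a BPEL 2.0 fragment that looks up the csf-key name in a Domain Value Map keyed on a payload element and faults when no mapping exists, so an unmapped payload value never selects a credential. The DVM path, column names, payload element, partner link, namespace prefixes and fault name are assumptions; the `bpelx:toProperties` wrapper follows the author's suggestion in the comments.

```xml
<!-- Added example. Assumed names: CsfKeys.dvm, TenantCode/CsfKey columns,
     ns1:tenantCode, SecuredService, client:unmappedCredentialFault. -->
<variables>
  <!-- Holds only the csf-key NAME; the username/password stay in the credential store -->
  <variable name="myOtherCsfKeyVariable" type="xsd:string"/>
</variables>

<sequence name="SelectCredentialAndInvoke">

  <assign name="Assign_CsfKey">
    <copy>
      <!-- dvm:lookupValue(dvmLocation, sourceColumn, sourceValue,
                           targetColumn, defaultValue)
           The DVM acts as an allow-list: only payload values that have a row
           can resolve to a key. The default is the empty string, not a
           fallback key, so unknown values fail closed. -->
      <from>dvm:lookupValue('oramds:/apps/dvm/CsfKeys.dvm',
                            'TenantCode',
                            $inputVariable.payload/ns1:tenantCode,
                            'CsfKey',
                            '')</from>
      <to>$myOtherCsfKeyVariable</to>
    </copy>
  </assign>

  <!-- Stop before the invoke when the payload value is not mapped -->
  <if name="If_NoCsfKeyMapped">
    <condition>string-length($myOtherCsfKeyVariable) = 0</condition>
    <throw name="Throw_UnmappedCredential"
           faultName="client:unmappedCredentialFault"/>
  </if>

  <invoke name="Invoke_SecuredService" partnerLink="SecuredService"
          portType="ns2:SecuredServicePortType" operation="process"
          inputVariable="Invoke_SecuredService_InputVariable"
          outputVariable="Invoke_SecuredService_OutputVariable">
    <!-- Overrides the csf-key property set on the reference binding -->
    <bpelx:toProperties>
      <bpelx:toProperty name="csf-key" variable="myOtherCsfKeyVariable"/>
    </bpelx:toProperties>
  </invoke>

</sequence>
```

Because the payload element decides which stored credential is presented to the remote service, the value copied into the variable should only ever come from the map and never be taken from the message directly.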

10 comments:

  1. Hi Jeroen,

    Thanks for posting this article

    I was wondering if this approach still works in version 11.1.1.7.0, because I have followed your steps but my csf-key is not being overridden. Maybe I am doing something wrong and would appreciate your feedback.

    Thanks

    regards,

    Johnny

  2. Hi Johnny,

    Try enclosing the bpelx:toProperty in a bpelx:toProperties parent element. This might do the trick.

    Regards, Jeroen

  3. This comment has been removed by the author.

  4. This comment has been removed by the author.

  5. This comment has been removed by the author.

  6. Sorry for spamming: but in my first comment, my code was not visible because the tags were removed, and after my message was too big, I tried to split it in 2 parts, and when I posted the second part of my message as an answer to the first message, I could not see the first part anymore... :(
    So, I hope you got the 2 parts of my message :)
    Kind regards,
    Valery

  7. Then, I still tried to override the csf-key property in the Invoke activity in the BPEL process. In my MyBASProcess.bpel, it looks like:

    [...]
    <invoke name="Invoke_GetDocument" partnerLink="MyRestReferenceRS"
            portType="ns4:CMProxyRS_ptt" operation="getSingleSearchResultByDocName"
            inputVariable="Invoke_GetDocumentProperties_InputVariable"
            outputVariable="Invoke_GetDocumentProperties_OutputVariable"
            bpelx:invokeAsDetail="no">
      <bpelx:toProperties>
        <bpelx:toProperty name="csf-key" variable="anotherCsfKey"/>
      </bpelx:toProperties>
    </invoke>
    [...]

    Again, it does not work as expected. The credentials are those defined in the wsm-assembly.xml file.
    But, on the server, in the "Audit Trail", I can see

    Invoke_GetDocument
    Started invocation of operation "getSingleSearchResultByDocName" on partner "MyRestReferenceRS".
    Sending property "csf-key", value is "FromBpel.basic.credentials".
    Invoked 2-way operation "getSingleSearchResultByDocName" on partner "MyRestReferenceRS".

    This seems to have no effect, because the Basic Authentication works fine, meaning that the csf-key defined in the wsm-assembly.xml was used.


    In parallel, I also tried not to use the Credential Store but adding the oracle.webservices.auth.password and oracle.webservices.auth.username properties in the composite.xml and deleting everything in the wsm-assembly.xml file, but it does not work either.

    Now I am blocked, and I do not know how I can progress, what I can try...
    Do you have any idea?

    Regards,
    Valery

    Replies
    1. I'm sorry, I have not tried this on SOA Suite 12c with a REST Service reference so I really wouldn't know an answer to your question. Once again, sorry.

    2. I've got the same problem unfortunately. I was thinking of accessing the credentials over java embedding and then setting the credentials manually by overriding the Authorization header but that is for sure ugly :-(
