Sunday, January 23, 2011

Identity Switching in BPEL

Imagine a simple BPEL process A that has an invoke activity which calls an external web service. Now, we wrap this BPEL process with OWSM security policies. With OWSM in place, if the BPEL process is invoked as, say, UserA, the external web service also gets called under that same user's security context.

Quite often we get a use case where we need to invoke the external web service as a different user. With authorization policies defined at the external web service's end, this might seem really complex. There are multiple ways to do this. In this blog, I discuss one of them, where the invoke activity alone is switched to carry the second user's identity.

Step 1:

One assumption is that the service end of the web service is secured using oracle/wss11_saml_token_with_message_protection_service_policy. If this is not the case, create a composite containing a Mediator that invokes the external service, and secure the endpoint of that composite using oracle/wss11_saml_token_with_message_protection_service_policy.

Step 2:

Starting from FMW PS2, a new OWSM policy has been introduced to handle exactly such use cases: oracle/wss11_saml_token_identity_switch_with_message_protection_client_policy. You need to make sure that the endpoint the invoke calls out to is secured using this client policy.


Step 3:
All we need to do is set the value of the property javax.xml.ws.security.auth.username in the normalized message to the required user id before the call to the web service is made.


The above property can be found in the 'Properties' tab of the invoke activity.




Once you select the required value, the invoke XML fragment will look something like the following.


<invoke name="xxxx"
        inputVariable="xxx"
        portType="xxx"
        partnerLink="xxxx"
        operation="execute">
    <bpelx:inputProperty name="javax.xml.ws.security.auth.username"
                         variable="variable name"
                         part="variable part"
                         query="xpath to the variable containing the user id"/>
</invoke>


This is the only change that needs to be done at the code level.


Step 4:

We need to add a grant in system-jazn-data.xml to wsm-agent-core.jar, specifying the composite application for which OWSM will accept the externally supplied identity. The grant looks something like the following (you can add it via EM as well if you are not comfortable editing the file manually).


<grant>
    <grantee>
        <codesource>
            <url>file:${common.components.home}/modules/oracle.wsm.agent.common_11.1.1/wsm-agent-core.jar</url>
        </codesource>
    </grantee>
    <permissions>
        <permission>
            <class>oracle.wsm.security.WSIdentityPermission</class>
            <!-- replace YourCompositeName with the name of your composite -->
            <name>resource=YourCompositeName</name>
            <actions>assert</actions>
        </permission>
    </permissions>
</grant>



That's it. Restart the servers after changing system-jazn-data.xml so that the changes take effect, and you are all set!
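As an added example (not part of the original post, and not an Oracle tool), here is a small pre-deployment check that ties Step 3 and Step 4 together: it parses a system-jazn-data.xml grant and a BPEL file, lists which composites hold an `assert` WSIdentityPermission for the OWSM agent jar (a useful least-privilege review on its own), and confirms that every invoke setting javax.xml.ws.security.auth.username belongs to a composite that actually has that grant. The composite name, partner links, variable names and XPath in the samples are constructed.

```python
import xml.etree.ElementTree as ET

WSM_JAR = "wsm-agent-core.jar"
IDENTITY_PERM = "oracle.wsm.security.WSIdentityPermission"
USERNAME_PROP = "javax.xml.ws.security.auth.username"

# Constructed samples (not real deployment files): a minimal system-jazn-data.xml
# grant shaped like Step 4 and a BPEL fragment with one invoke shaped like Step 3.
SAMPLE_JAZN = """<jazn-data><jazn-policy><grant><grantee><codesource>
<url>file:${common.components.home}/modules/oracle.wsm.agent.common_11.1.1/wsm-agent-core.jar</url>
</codesource></grantee><permissions><permission>
<class>oracle.wsm.security.WSIdentityPermission</class><name>resource=OrderProcessing</name>
<actions>assert</actions></permission></permissions></grant></jazn-policy></jazn-data>"""
SAMPLE_BPEL = """<process xmlns="http://docs.oasis-open.org/wsbpel/2.0/process/executable"
  xmlns:bpelx="http://schemas.oracle.com/bpel/extension">
  <invoke name="InvokeShipping" partnerLink="ShippingPL" operation="execute" inputVariable="req">
    <bpelx:inputProperty name="javax.xml.ws.security.auth.username" variable="req" part="payload" query="/ns:order/ns:actingUser"/>
  </invoke>
  <invoke name="InvokeAudit" partnerLink="AuditPL" operation="execute" inputVariable="req"/>
</process>"""

def descendants(el, name):
    """Yield el and its descendants whose local tag name is `name` (namespaces ignored)."""
    return (d for d in el.iter() if d.tag.rsplit("}", 1)[-1] == name)

def text_of(el, name):
    return next((d.text or "" for d in descendants(el, name)), "")

def identity_switch_grants(jazn_xml):
    """Map composite name -> actions for each WSIdentityPermission granted to the OWSM agent jar."""
    allowed = {}
    for grant in descendants(ET.fromstring(jazn_xml), "grant"):
        if WSM_JAR not in text_of(grant, "url"):
            continue  # grant belongs to some other codesource
        for perm in descendants(grant, "permission"):
            name = text_of(perm, "name")
            if text_of(perm, "class") == IDENTITY_PERM and name.startswith("resource="):
                allowed[name[len("resource="):]] = text_of(perm, "actions")
    return allowed

def invokes_switching_identity(bpel_xml):
    """Names of <invoke> activities that set the username property (the Step 3 change)."""
    return [inv.get("name") for inv in descendants(ET.fromstring(bpel_xml), "invoke")
            if any(c.tag.endswith("inputProperty") and c.get("name") == USERNAME_PROP for c in inv)]

def composite_is_consistent(composite, jazn_xml, bpel_xml):
    """True when every identity-switching invoke is backed by an 'assert' grant for this composite."""
    return (not invokes_switching_identity(bpel_xml)
            or identity_switch_grants(jazn_xml).get(composite) == "assert")
```

Run it against the real system-jazn-data.xml and each composite's .bpel files before deployment; a composite that sets the property without a matching grant will fail at runtime, and a grant for a composite that never sets it is permission that can be removed.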


--Gupt

2 comments:

  1. Thanks, but I need more explanations... about the properties...

  2. Thank you for the step-by-step list. Can you provide details on some other options for supporting Identity Switching in the Oracle middleware?

    Thank you.
