Friday, March 2, 2018

How to pass a SOAP header in BPEL

A while back I had to do some research to find out how I could pass a username and password dynamically to an external service in BPEL through the SOAP header using the wss_username_token_policy. Turns out it’s quite easy so let me share a simple implementation with you.
 

This is what we are aiming for: a simple BPEL process that calls an external service to return some data to the client. Both require authentication through the UsernameToken. The security header, which contains the UsernameToken consisting of a username and password, will be received as input and passed on to the target service.


The composite looks as follows. The client and target are both secured with the wss_username_token_policy.


To achieve this we will:
1. Create a schema that contains the definition of the security header
2. Update our WSDL so it will contain the header element
3. Create a variable in BPEL for the header and use it to pass it on

1. Create the XSD schema
Create an XSD schema that specifies the UsernameToken profile in accordance with the OASIS standard. It’s not necessary to create a separate XSD schema. You could also add it to the existing XSD schema that was already generated with your project.



2. Update the WSDL
In the WSDL we will have to add the namespace, import the XSD schema and add the message type of our security header. Lastly, we add the header to the binding. See the four snippets of code I put together below:


3. BPEL
Add the namespace (here it is declared as xmlns:ns1) and import the XSD schema. Next, create a variable that will hold the security header. I named the variable SecurityHeader. Now you can use the 'Assign' or 'Transform' activity to assign values to the elements of the header.


Now, when you edit the receive, invoke and reply constructs, you can add your header variable via the ‘Headers’ tab.


When the security header has been added for all three constructs, your code should look similar to the following. The highlighted parts are the references to our security header.


Now this is how you retrieve the header passed by the client service and use it to invoke a target service. If your target service returns a header, it will be returned to the client service.

That’s all! Hope this helped :)