How to invoke a REST service from BPEL in Oracle SOA, with Basic Authentication?

Question

I am working with the Oracle Fusion Middleware 12.1.3, and I am developing a BPEL process which has to invoke a remote REST service that needs a Basic Authentication.

I created an External reference to the Rest Service, and in my composite.xml, it looks like this :

....
<component name="MyCompositeBASProcess" version="2.0">
    <implementation.bpel src="BPEL/MyCompositeBASProcess.bpel"/>
    <componentType>
        <service name="mycompositebasprocess_client" ui:wsdlLocation="WSDLs/MyCompositeBASProcess.wsdl">
            <interface.wsdl interface="http://xmlns.oracle.com/myPartitionSOA/MyCompositeBAS/MyCompositeBASProcess#wsdl.interface(MyCompositeBASProcess)"
                    callbackInterface="http://xmlns.oracle.com/myPartitionSOA/MyCompositeBAS/MyCompositeBASProcess#wsdl.interface(MyCompositeBASProcessCallback)"/>
        </service>
        <reference name="CMProxyRS" ui:wsdlLocation="WSDLs/CMProxyRS.wsdl">
            <interface.wsdl interface="http://xmlns.oracle.com/myPartitionSOA/MyCompositeBAS/CMProxyRS#wsdl.interface(CMProxyRS_ptt)"/>
        </reference>
    </componentType>
    <property name="bpel.config.oneWayDeliveryPolicy" type="xs:string" many="false">async.persist</property>
</component>

<reference name="CMProxyRS" ui:wsdlLocation="WSDLs/CMProxyRS.wsdl">
    <interface.wsdl interface="http://xmlns.oracle.com/myPartitionSOA/MyCompositeBAS/CMProxyRS#wsdl.interface(CMProxyRS_ptt)"/>
    <binding.rest config="Adapters/CMProxyRS.wadl" location="http://server_WITHOUT_basic-auth/cmproxy/resources/v2/" />
</reference>
....

With this code I invoke a REST service which is not secured by a BASIC_Auth, and it works fine.

Now, when I switch to a remote environment which needs a basic authentication, I did not manage to succeed.

I found some examples to invoke SOAP services with basic auth, but nothing really interesting for REST services. But, in the Oracle Fusion stack 12.1.3, REST services are "adapted" to SOAP services before being used, so I thought that I could use the examples I found.

So, I updated my composite.xml to add the user/password and the policy :

....
<reference name="CMProxyRS" ui:wsdlLocation="WSDLs/CMProxyRS.wsdl">
    <interface.wsdl interface="http://xmlns.oracle.com/myPartitionSOA/MyCompositeBAS/CMProxyRS#wsdl.interface(CMProxyRS_ptt)"/>
    <binding.rest config="Adapters/CMProxyRS.wadl" location="http://server_WITH_basic-auth/cmproxy/resources/v2/">
        <wsp:PolicyReference URI="oracle/wss_username_token_client_policy" orawsp:category="security" orawsp:status="enabled"/>
        <!-- <property name="oracle.webservices.auth.username">weblogic</property>                       -->
        <!-- <property name="oracle.webservices.auth.password">password</property>  -->
        <property name="oracle.webservices.preemptiveBasicAuth">true</property> 
        <property  name="javax.xml.ws.security.auth.username"  many="false"  override="may">weblogic</property>
        <property  name="javax.xml.ws.security.auth.password"  many="false"  override="may">password</property>
    </binding.rest>    
</reference>
....

As you can see, I tried with the javax.xml.ws.security.auth. properties and with the oracle.webservices.auth. properties. But both failed : on the remote, I do not get any Basic Authentication in the requests.

I also updated my CMProxyRS.wadl to add the Authorization key in the HTTP Header. For example :

<resources>
  <resource path="/documents">
     <method name="GET" soa:wsdlOperation="searchDocument">
        <request>
           <param name="Authorization" style="header" soa:expression="$msg.request/tns:Authorization" default="" type="xsd:string"/>
           <param name="queryText" style="query" soa:expression="$msg.request/tns:queryText" default="" type="xsd:string"/>
           <param name="fields" style="query" soa:expression="$msg.request/tns:fields" default="id,name,originalName,originalFormat,originalExtension,alternateFormat,alternateExtension,revision" type="xsd:string"/>
           <param name="waitForIndexing" style="query" soa:expression="$msg.request/tns:waitForIndexing" default="false" type="xsd:boolean"/>
        </request>
        <response status="200">
....

And this Authorization was "replicated" in the WSDL.CMProxyRS.wsdl :

<element name="searchDocument_params">
    <complexType>
        <sequence>
            <element name="Authorization" type="string"/>
            <element name="queryText" type="string"/>
            <element name="fields" type="string"/>
            <element name="waitForIndexing" type="boolean"/>
        </sequence>
    </complexType>
</element>

This did not help. In fact, I am really not sure that what I added in my composite.xml (the properties username, password, preemptiveBasicAuth) is used by the SOA Engine to build the REST request.

(I would like to specify that it is not a user/password issue : when I test this REST query with the same user/password from Postman, it work fine.)

How can I manage to invoke a REST service with basic Authentication from a soa-composite ?

Answer 1

You can send custom HTTP headers in BPEL.

Take a look at this post. You need to add oracle.webservices.http.headers on the reference service and then you can populate variables and send them on your REST invoke acticity in BPEL.

Answer 2

You can try OWSM oracle/http_jwt_token_client_policy to pass the required headers in the request.

Answer 3

I had the same issue initially trying to invoke WADL from Oracle SOA 12c.

It started working after applying the following OWSM security policy:

oracle/http_jwt_token_client_policy