BPEL Security
Configuring SecuredService-service.xml
The SecuredService-service.xml file contains the security policy configuration which is used to secure the BPEL service. For example:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<serviceGroup>
  <service name="DeployArtifact">
    <module ref="rampart" />
    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                wsu:Id="UTOverTransport">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
              <sp:TransportToken>
                <wsp:Policy>
                  <sp:HttpsToken RequireClientCertificate="false" />
                </wsp:Policy>
              </sp:TransportToken>
              <sp:AlgorithmSuite>
                <wsp:Policy>
                  <sp:Basic256 />
                </wsp:Policy>
              </sp:AlgorithmSuite>
              <sp:Layout>
                <wsp:Policy>
                  <sp:Lax />
                </wsp:Policy>
              </sp:Layout>
              <sp:IncludeTimestamp />
            </wsp:Policy>
          </sp:TransportBinding>
          <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
              <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
            </wsp:Policy>
          </sp:SignedSupportingTokens>
          <rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
            <rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
            <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
            <rampart:timestampTTL>300</rampart:timestampTTL>
            <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
            <rampart:timestampStrict>false</rampart:timestampStrict>
            <rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
            <rampart:nonceLifeTime>300</rampart:nonceLifeTime>
          </rampart:RampartConfig>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>
  </service>
</serviceGroup>
Configuring deploy.xml
Add an additional element called endpoint to the inbound interface configuration section as shown below. The endpoint element is used to identify where the SecuredService-service.xml file is located. You need to provide the policy file name as the serviceDescriptionReference value and 'http://wso2.org/bps/bpel/endpoint/config' as the XML namespace.
<?xml version="1.0" encoding="UTF-8"?>
<deploy xmlns="http://www.apache.org/ode/schemas/dd/2007/03"
        xmlns:deploy.core.af.carbon.wso2.org="http://deploy.core.af.carbon.wso2.org"
        xmlns:sample="http://wso2.org">
  <process name="sample:DeployArtifact">
    <active>true</active>
    <retired>false</retired>
    <process-events generate="all"/>
    <provide partnerLink="client">
      <service name="sample:DeployArtifact" port="DeployArtifactPort">
        <endpoint xmlns="http://wso2.org/bps/bpel/endpoint/config" serviceDescriptionReference="SecuredService-service.xml"/>
      </service>
    </provide>
    <invoke partnerLink="deployPL">
      <service name="deploy.core.af.carbon.wso2.org:ApplicationDeployer" port="ApplicationDeployerHttpsSoap11Endpoint"/>
    </invoke>
  </process>
</deploy>
There are multiple ways you can package SecuredService-service.xml.
- Package within the BPEL process. Tree structure of a secured BPEL package is shown below.
- Store in the registry (config or WSO2 Governance Registry). You can specify the file path as follows:
  serviceDescriptionReference="conf:/SecuredService-service.xml" OR serviceDescriptionReference="gov:/SecuredService-service.xml" in the deploy.xml file.
- Store in the file system. You can specify the file path as follows:
  serviceDescriptionReference="./../../../../repository/conf/SecuredService-service.xml" in the deploy.xml file.
The BPEL process is now secured.
HumanTasks can be secured in the same manner.
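A pre-deployment check for the two files described above, as an added example that is not part of the original page or of WSO2's tooling: it lists inbound (`provide`) services in deploy.xml that carry no endpoint element in the required namespace, and reports which of the sample policy's assertions are missing from a policy file. The function names and the trimmed sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "dd": "http://www.apache.org/ode/schemas/dd/2007/03",
    "ep": "http://wso2.org/bps/bpel/endpoint/config",
    "sp": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
}

def services_without_policy(deploy_xml):
    """Names of <provide> services with no endpoint/serviceDescriptionReference."""
    missing = []
    for svc in ET.fromstring(deploy_xml).findall(".//dd:provide/dd:service", NS):
        ep = svc.find("ep:endpoint", NS)  # must be in the endpoint-config namespace
        if ep is None or not ep.get("serviceDescriptionReference", "").strip():
            missing.append(svc.get("name"))
    return missing

def policy_findings(policy_xml):
    """Assertions from the page's sample policy that are absent from policy_xml."""
    root = ET.fromstring(policy_xml)
    required = {
        "HttpsToken in TransportBinding": ".//sp:TransportBinding//sp:HttpsToken",
        "IncludeTimestamp in TransportBinding": ".//sp:TransportBinding//sp:IncludeTimestamp",
        "UsernameToken in SignedSupportingTokens": ".//sp:SignedSupportingTokens//sp:UsernameToken",
    }
    return [name for name, path in required.items() if root.find(path, NS) is None]

# Constructed samples (trimmed; the second service and the weak policy are invented).
SP = 'xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"'
SAMPLE_DEPLOY = """<deploy xmlns="http://www.apache.org/ode/schemas/dd/2007/03">
  <process name="sample:DeployArtifact"><provide partnerLink="client">
    <service name="sample:DeployArtifact" port="DeployArtifactPort">
      <endpoint xmlns="http://wso2.org/bps/bpel/endpoint/config"
                serviceDescriptionReference="SecuredService-service.xml"/>
    </service></provide></process>
  <process name="sample:Other"><provide partnerLink="client">
    <service name="sample:Other" port="OtherPort">
      <endpoint serviceDescriptionReference="SecuredService-service.xml"/>
    </service></provide></process>
</deploy>"""
GOOD_POLICY = f"""<service name="DeployArtifact" {SP}>
  <sp:TransportBinding><sp:TransportToken><sp:HttpsToken/></sp:TransportToken>
    <sp:IncludeTimestamp/></sp:TransportBinding>
  <sp:SignedSupportingTokens><sp:UsernameToken/></sp:SignedSupportingTokens>
</service>"""
WEAK_POLICY = f"""<service name="DeployArtifact" {SP}>
  <sp:SignedSupportingTokens><sp:UsernameToken/></sp:SignedSupportingTokens>
</service>"""
```

The second sample service is flagged because its endpoint element omits the `http://wso2.org/bps/bpel/endpoint/config` namespace and so falls into the deployment descriptor's default namespace.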