BPEL Security
Apply security at the BPEL deployment time
Configuring SecuredService-service.xml
The SecuredService-service.xml file contains the security policy configuration which is used to secure the BPEL service. For example:
<?xml version="1.0" encoding="UTF-8" standalone="no"?> <serviceGroup> <service name="DeployArtifact"> <module ref="rampart" /> <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UTOverTransport"> <wsp:ExactlyOne> <wsp:All> <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> <wsp:Policy> <sp:TransportToken> <wsp:Policy> <sp:HttpsToken RequireClientCertificate="false" /> </wsp:Policy> </sp:TransportToken> <sp:AlgorithmSuite> <wsp:Policy> <sp:Basic256 /> </wsp:Policy> </sp:AlgorithmSuite> <sp:Layout> <wsp:Policy> <sp:Lax /> </wsp:Policy> </sp:Layout> <sp:IncludeTimestamp /> </wsp:Policy> </sp:TransportBinding> <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> <wsp:Policy> <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" /> </wsp:Policy> </sp:SignedSupportingTokens> <rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy"> <rampart:encryptionUser>useReqSigCert</rampart:encryptionUser> <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds> <rampart:timestampTTL>300</rampart:timestampTTL> <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew> <rampart:timestampStrict>false</rampart:timestampStrict> <rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass> <rampart:nonceLifeTime>300</rampart:nonceLifeTime> </rampart:RampartConfig> </wsp:All> </wsp:ExactlyOne> </wsp:Policy> </service> </serviceGroup>
Configuring deploy.xml
Add an additional element called endpoint
 to the inbound interface configuration section as shown below. The endpoint element is used to identify where the SecuredService-service.xml file is located. You need to provide the policy file name as the serviceDescriptionReference
value and ‘http://wso2.org/bps/bpel/endpoint/config
’ as the XML namespace.
<?xml version="1.0" encoding="UTF-8"?> <deploy xmlns="http://www.apache.org/ode/schemas/dd/2007/03" xmlns:deploy.core.af.carbon.wso2.org="http://deploy.core.af.carbon.wso2.org" xmlns:sample="http://wso2.org"> <process name="sample:DeployArtifact"> <active>true</active> <retired>false</retired> <process-events generate="all"/> <provide partnerLink="client"> <service name="sample:DeployArtifact" port="DeployArtifactPort"> <endpoint xmlns="http://wso2.org/bps/bpel/endpoint/config" serviceDescriptionReference="SecuredService-service.xml"/> </service> </provide> <invoke partnerLink="deployPL"> <service name="deploy.core.af.carbon.wso2.org:ApplicationDeployer" port="ApplicationDeployerHttpsSoap11Endpoint"/> </invoke> </process> </deploy>Â
There are multiple ways you can package SecuredService-service.xml.
- Package within the BPEL process. Tree structure of a secured BPEL package is shown below.
Store in the registry (config or WSO2 Governance Registry). You can specify the file path as follows:
serviceDescriptionReference="conf:/SecuredService-service.xml" OR serviceDescriptionReference="gov:/SecuredService-service.xml" in the deploy.xml file.Â
Store in the file system. You can specify the file path as follows:
serviceDescriptionReference="./../../../../repository/conf/SecuredService-service.xml" in the deploy.xml file.
The BPEL process is now secured.
Secure by using a predefined security scenarios at the BPEL at the runtime
Deploy the BPEL process and goto service listing page. Navigate to Process Information page.
Click on Security on the QOS Dashboard.
You'll find predefined security scenarios as described in http://docs.wso2.org/display/BPS320/Security+Scenarios You can find more information on each security scenario by clicking on the icon next to each security scenario and apply one of those to secure the BPEL process.