BPEL Security
Applying security at BPEL deployment time
Configuring SecuredService-service.xml
The SecuredService-service.xml file contains the security policy configuration which is used to secure the BPEL service. For example:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<serviceGroup>
  <service name="DeployArtifact">
    <!-- engage the Rampart module so that the policy below is actually enforced -->
    <module ref="rampart" />
    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UTOverTransport">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
              <sp:TransportToken>
                <wsp:Policy>
                  <!-- the UsernameToken is only accepted over HTTPS; a client certificate is not required -->
                  <sp:HttpsToken RequireClientCertificate="false" />
                </wsp:Policy>
              </sp:TransportToken>
              <sp:AlgorithmSuite>
                <wsp:Policy>
                  <sp:Basic256 />
                </wsp:Policy>
              </sp:AlgorithmSuite>
              <sp:Layout>
                <wsp:Policy>
                  <sp:Lax />
                </wsp:Policy>
              </sp:Layout>
              <!-- every request must carry a timestamp; the TTL and skew settings below bound its validity -->
              <sp:IncludeTimestamp />
            </wsp:Policy>
          </sp:TransportBinding>
          <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
              <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
            </wsp:Policy>
          </sp:SignedSupportingTokens>
          <rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
            <rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
            <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
            <rampart:timestampTTL>300</rampart:timestampTTL>
            <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
            <rampart:timestampStrict>false</rampart:timestampStrict>
            <rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
            <rampart:nonceLifeTime>300</rampart:nonceLifeTime>
          </rampart:RampartConfig>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>
  </service>
</serviceGroup>
Configuring deploy.xml
Add an additional element called endpoint to the inbound interface configuration section (the provide element) as shown below. The endpoint element identifies where the SecuredService-service.xml file is located. Provide the policy file name as the serviceDescriptionReference value and http://wso2.org/bps/bpel/endpoint/config as the XML namespace of the endpoint element.
<?xml version="1.0" encoding="UTF-8"?>
<deploy xmlns="http://www.apache.org/ode/schemas/dd/2007/03" xmlns:deploy.core.af.carbon.wso2.org="http://deploy.core.af.carbon.wso2.org" xmlns:sample="http://wso2.org">
  <process name="sample:DeployArtifact">
    <active>true</active>
    <retired>false</retired>
    <process-events generate="all"/>
    <provide partnerLink="client">
      <service name="sample:DeployArtifact" port="DeployArtifactPort">
        <!-- the endpoint element must be in the WSO2 endpoint-config namespace and name the policy file -->
        <endpoint xmlns="http://wso2.org/bps/bpel/endpoint/config" serviceDescriptionReference="SecuredService-service.xml"/>
      </service>
    </provide>
    <invoke partnerLink="deployPL">
      <service name="deploy.core.af.carbon.wso2.org:ApplicationDeployer" port="ApplicationDeployerHttpsSoap11Endpoint"/>
    </invoke>
  </process>
</deploy>
There are multiple ways you can package SecuredService-service.xml:
- Package it within the BPEL process. The tree structure of a secured BPEL package is shown below.
- Store it in the registry (config registry or WSO2 Governance Registry) and reference it from deploy.xml as serviceDescriptionReference="conf:/SecuredService-service.xml" or serviceDescriptionReference="gov:/SecuredService-service.xml".
- Store it in the file system and reference it from deploy.xml by path, for example serviceDescriptionReference="./../../../../repository/conf/SecuredService-service.xml".
The BPEL process is now secured.
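As an added example (not part of the WSO2 documentation or product), the following Python check parses a deploy.xml and a SecuredService-service.xml and reports when the endpoint wiring or the policy departs from what this page sets up: a wrong endpoint namespace is silently not matched, and a policy without the Rampart module, HttpsToken, UsernameToken or timestamp leaves a gap. The embedded XML samples are constructed, and the 300-second TTL bound is an assumption taken from the page's own value.

```python
import xml.etree.ElementTree as ET

NS = {"dd": "http://www.apache.org/ode/schemas/dd/2007/03",
      "ep": "http://wso2.org/bps/bpel/endpoint/config",
      "sp": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
      "rampart": "http://ws.apache.org/rampart/policy"}

def policy_references(deploy_xml):
    """serviceDescriptionReference of each <provide> endpoint declared in the
    WSO2 endpoint-config namespace; an endpoint in any other namespace is not matched."""
    root = ET.fromstring(deploy_xml)
    return [e.get("serviceDescriptionReference")
            for e in root.iterfind(".//dd:provide/dd:service/ep:endpoint", NS)]

def policy_findings(policy_xml, max_ttl=300):
    """Gaps in a UsernameToken-over-HTTPS policy (the max_ttl bound is an assumption)."""
    root = ET.fromstring(policy_xml)
    out = []
    if root.find(".//module[@ref='rampart']") is None:
        out.append("rampart module not engaged, policy is never enforced")
    if root.find(".//sp:TransportBinding//sp:HttpsToken", NS) is None:
        out.append("no HttpsToken, UsernameToken would travel in clear text")
    if root.find(".//sp:SignedSupportingTokens//sp:UsernameToken", NS) is None:
        out.append("no UsernameToken, caller is not authenticated")
    if root.find(".//sp:IncludeTimestamp", NS) is None:
        out.append("no IncludeTimestamp, replay window is unbounded")
    ttl = root.findtext(".//rampart:timestampTTL", default="", namespaces=NS)
    if not ttl.isdigit() or int(ttl) > max_ttl:
        out.append(f"timestampTTL missing or above {max_ttl} seconds")
    return out

# Constructed samples: a correctly wired deploy.xml and a weakened policy.
DEPLOY = """<deploy xmlns="http://www.apache.org/ode/schemas/dd/2007/03">
 <process name="p"><provide partnerLink="client"><service name="s" port="P">
  <endpoint xmlns="http://wso2.org/bps/bpel/endpoint/config"
            serviceDescriptionReference="SecuredService-service.xml"/>
 </service></provide></process></deploy>"""
WEAK_POLICY = """<serviceGroup><service name="DeployArtifact"><module ref="rampart"/>
 <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
  xmlns:rampart="http://ws.apache.org/rampart/policy"><wsp:ExactlyOne><wsp:All>
  <sp:TransportBinding><wsp:Policy/></sp:TransportBinding>
  <sp:SignedSupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy>
  </sp:SignedSupportingTokens>
  <rampart:RampartConfig><rampart:timestampTTL>3000</rampart:timestampTTL>
  </rampart:RampartConfig></wsp:All></wsp:ExactlyOne></wsp:Policy>
</service></serviceGroup>"""
print(policy_references(DEPLOY))                # ['SecuredService-service.xml']
print(*policy_findings(WEAK_POLICY), sep="\n")  # 3 findings: HttpsToken, timestamp, TTL
```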
Applying security with Developer Studio
You can configure security policies using WSO2 Developer Studio. For more information on how to do this, see Applying Security for a Service.