We had to call a secured web service that required a username token to be sent in the SOAP header, but being a WS Security newbie, I bumped into a lot of issues trying to get it to work. After adding the certificate into the SOA Server trust store, I was getting the following error after applying the oracle/wss_username_token_policy:
oracle.j2ee.ws.client.jaxws.JRFSOAPFaultException: Client received SOAP Fault from server : Exception thrown while trying to deserialize the SOAP message
at oracle.j2ee.ws.client.jaxws.DispatchImpl.throwJAXWSSoapFaultException(DispatchImpl.java:1053)
at oracle.j2ee.ws.client.jaxws.DispatchImpl.invoke(DispatchImpl.java:839)
at oracle.j2ee.ws.client.jaxws.OracleDispatchImpl.synchronousInvocationWithRetry(OracleDispatchImpl.java:235)
at oracle.j2ee.ws.client.jaxws.OracleDispatchImpl.invoke(OracleDispatchImpl.java:106)
After reading this very useful post from the AMIS Technology blog, I was able to attach the WS Security header right into the SOAP message which included the Nonce section, like so:
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>username</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
<wsse:Nonce>Gt0q/QzAnQn/KMzhXYgR8Q==</wsse:Nonce>
</wsse:UsernameToken>
</wsse:Security>
Solution:
1) Go to the Oracle Enterprise Manager.
2) Under the farm name, expand the Weblogic Domain folder and right-click on the name of your domain, then select WebServices -> Policies.
3) Filter the policies by Service Clients and scroll down until you find one called oracle/wss_username_token_policy. This is the policy I attached on the webservice I had to call, but by default, this policy does NOT include the Nonce. Select it and click at the top "Create Like". I created a copy of this policy so I wouldn't mess with the original.
4) Give your policy a name (I named mine oracle/wss_username_token_nonce_policy) and then scroll down to the area that says "Assertions", Under the Settings tab, click "Show Advanced Fields":
6) Now go to your composite, and below the composite name click SOA Composite -> Service/Reference Properties -> Web Service that you are calling
7) Here, click the Policies tab, then under Directly Attached Policies, click Attach/Detach.
8) Look for your new policy, click Attach, then OK.
9) Your policy should now appear under Directly Attached Policies. If you click on it, its information will be displayed under Security Configuration Details, including the csf-key. These are the credentials that the web service sends for the Username and Password. They can be configured in the Credential Store. In my case, since I had configured the basic.credentials with the username and password that the web service required, there was no need to override this value so the Current Value is left as blank.
When I tried the Web Service again, the policy did the same job as manually adding the SOAP header and the composite completed successfully! :)
No comments:
Post a Comment