Best Practice for Securing Web Services in the BPEL Workflow

What is the best practice for securing web services which are part of a larger service (a business process) and are defined through BPEL?
They are all deployed on the same Oracle application server.
Defining an agent for each?
A gateway for all?
A BPEL security extension?
The top-level service, defined as the business process, is itself secured through OWSM with usernames and passwords, but what is the best practice for establishing security for each low-level service?
Regards
Farbod

It doesn't matter whether the service is invoked as part of your larger process or not; if it is performing any business-critical operation then it should be secured.
The idea of SOA / designing services is to have the services available so that they can be orchestrated as part of any other business process.
Today you may have secured your parent services, and tomorrow you could come up with a new service which may use one of the existing lower-level services.
If all the services are in one application server you can make the configuration/development environment a lot easier by securing them using the Gateway.
The typical problem with any gateway architecture is that the service is available without any security enforcement when accessed directly.
You can enforce rules at your network layer to allow access to the app server only from the Gateway.
When you have the liberty to use OWSM or any other WS-Security products, I would stay away from any extensions. Two things to consider:
The next BPEL developer in your project may not be aware of security extensions.
Centralizing security enforcement will keep your development and security operations loosely coupled and addresses scalability.
Thanks
Ram

Similar Messages

  • Best practice for consuming web services

    Hi
    We are consuming a web service in an orchestration by "Add Generated Item". By using this option it creates 1 orch, 1 xsd file and some bindings.
    We have different projects for schemas, maps and orchestration under our solution in Visual Studio.
    Now I need to know what the best practice is for consuming a web service in an orchestration, i.e. in which project I should use "Add Generated Item" (in the orchestration project or in the schemas project), because it generates both 1 orch and 1 schema.
    Thanks

    From a service orientation perspective you should abstract the service artifacts from the other artifacts. Otherwise it will be very difficult to update the service interface without affecting the other artifacts. For example, you don't want to have to redeploy your entire application if only one field changes in the service you consume.
    So I typically generate the items, remove the unnecessary stuff, and put them in a separate project.
    Depending on the control you have over the services you want to consume, it would be even better to create another layer of abstraction. By that I mean create your own interface (schema) and map that one to the one the service exposes. This is basically only necessary if you consume external services that are beyond your control. By abstracting the interface it exposes, you limit the impact of changes to that interface on the rest of your system. All changes are abstracted behind your own interface.
    If you consume internal services, you can probably control the way the interface is defined. In a service oriented world all internal services expose a well known interface, based on the domain objects you have within your organisation.
    Jean-Paul Smit | Didago IT Consultancy
    MCTS BizTalk 2006/2010 + Certified SOA Architect

  • What is the best practice for developing web service?

    Hi All,
    I'm a newbie to web services...
    I was wondering what would be the best approach in developing a web service:
    using tools or a programmatic approach?
    If I use WebLogic Workshop, am I tied to a vendor?
    Is it possible for me to develop web services using Workshop and deploy in another app server?
    I would appreciate it if somebody could give me a pointer to start.
    I have already referred to BEA's docs.
    I'm still confused on a good starting point on the best approach to develop portable web services.
    Thanks in advance for any inputs.
    K K

    K K-
    You have a very valid point on whether tools simplify or complicate matters. If you are
    going for clean and not-so-time-centric code, then there are several different
    programs and packages out there you can choose from.
    Since you are specialized in J2EE, the Sun package may be what you are looking
    for. BEA's classes simplify much of the work you will be doing, but you could
    emulate their classes or extend yours above the functions provided in theirs.
    It all boils down to how much work you are willing to do.
    If you are asking for more detailed coding 'Design Patterns' to utilize, I would
    wait for a few more posts from other folks, as my work often requires me to utilize
    the tools provided.
    Sincerely,
    Eric Ballou
    "K K" <[email protected]> wrote:
    Eric,
    Thanks for the response.
    I was also looking at Sun's WSDP 1.1, which is a more programmatic approach.
    Somehow, I feel that being a J2EE developer, I should go in the direction of the
    programmatic approach.
    Using the tools could simplify or complicate things. Also, the Workshop
    samples import all WebLogic-specific packages.
    My code looks so dirty with many vendor-specific packages being imported.
    Could you give me your suggestions for a clean and neat approach?
    I would personally prefer to avoid the quick and dirty approach.
    Thanks again.
    "Eric Ballou" <[email protected]> wrote in message
    news:[email protected]...
    K K-
    The best approach in developing portable web services is knowing what you are
    planning on using them for as well as how much is willing to be spent, etc.
    BEA's Workshop is portable to other frameworks, but the ease of integrating a
    developed client or a developed server can vary greatly. Even more of an issue
    is migration from one framework to another. If you choose to develop in Workshop
    and your company later deploys .Net solutions, some of your work may have to be
    redone unless the company is willing to keep portions of the 'old' system around
    until new versions of the service are available. However, Workshop has several
    ant tools available that would assist you in deploying to other app servers or
    even a stand-alone application should you need cross-framework abilities.
    If you are just starting out in web services, http://www.webservices.org is a
    good place to start checking out vendors in the space.
    Sincerely,
    Eric Ballou

  • Best Practice for Security Point-Multipoint 802.11a Bridge Connection

    I am trying to get the best practice for securing a point-to-multipoint wireless bridge link. Link point A to B, C, & D; and B, C, & D back to A. What authentication and configuration is best, using what is included in the Aironet 1410 IOS? Thanks for your assistance.
    Greg

    The following document on the types of authentication available on the 1400 should help you:
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/aero1400/br1410/brscg/p11auth.htm

  • Is there a list of best practices for Azure Cloud Services?

    Hi all;
    I was talking with a Sql Server expert today and learned that Azure Sql Server can take up to a minute to respond to a query that normally takes a fraction of a second. This is one of those things where it's really valuable to learn it when architecting as opposed to when we go live.
    Cloud Services are not Sql Server (obviously) but that led to the question - Is there a list of best practices for Azure Cloud Services? If so, what are they?
    We will be placing the cloud services in multiple datacenters and using Traffic Manager to point people to the right one. The cloud service will sit between an IMAP client & server, pretending to be the mail client to the server, and the server to the client.
    Mostly it will pass all requests & responses across from one to the other.
    thanks - dave
    What we did for the last 6 months -
    Made the world's coolest reporting & docgen system even more amazing

    Hi Dave,
    >>Cloud Services are not Sql Server (obviously) but that led to the question - Is there a list of best practices for Azure Cloud Services? If so, what are they?
    For this issue, I have collected some blogs and documents about best practices for Azure cloud services; you can view them, but I am not sure they are what you need.
    http://msdn.microsoft.com/en-us/library/azure/xx130451.aspx
    http://gauravmantri.com/2013/01/11/some-best-practices-for-building-windows-azure-cloud-applications/
    http://www.hanselman.com/blog/CloudPowerHowToScaleAzureWebsitesGloballyWithTrafficManager.aspx
    http://msdn.microsoft.com/en-us/library/azure/jj717232.aspx
    http://azure.microsoft.com/en-us/documentation/articles/best-practices-performance/
    >>The cloud service will set between an IMAP client & server, pretending to be the mail client to the server, and the server to the client. Mostly it will pass all requests & responses across from one to the other.
    For your scenario, if you'd like to communicate between instances, I recommend you refer to this document (http://msdn.microsoft.com/en-us/library/azure/hh180158.aspx). And generally, if we want to connect the client to the server on Azure, Service Bus is a good choice (http://azure.microsoft.com/en-us/documentation/articles/cloud-services-dotnet-multi-tier-app-using-service-bus-queues/).
    If I misunderstood, please let me know.
    Regards,
    Will

  • Best practice for putting binary data on the NMR

    Hi,
    We're creating a component that will consume messages off the NMR, encode them, and subsequently put them back on the NMR. What's the best practice for sending binary data over the NMR?
    1. setContent()?
    2. addAttachment()?
    3. setProperty()?
    If NormalizedMessage.setContent() is the desired approach, then how can you accomplish that?
    Thanks,
    Bruce

    setContent() is used only for XML messages. The recommended way to accommodate binary data is to use addAttachment().

  • Error while invoking a WS-Security secured web service from Oracle BPEL..

    Hi,
    We are facing an error while invoking a WS-Security secured web service from our BPEL process on the Windows platform (SOA 10.1.3.3.0).
    For the BPEL process we are following the same steps as given in an AMIS blog: [http://technology.amis.nl/blog/1607/how-to-call-a-ws-security-secured-web-service-from-oracle-bpel]
    but still, after deploying it and passing values to it, we are getting the following error on the console:
    "Header [http://schemas.xmlsoap.org/ws/2004/08/addressing:Action] for ultimate recipient is required but not present in the message"
    Any pointers in this regard will be highly appreciated.
    Thanks,
    Saurabh

    Hi James,
    Thanks for the quick reply.
    We've tried to call that web service from an HTML page designed in Visual Studio with the same username and password and it's working fine.
    But on the BPEL console, we are getting the error as mentioned.
    Also, if you can tell me how to set the user name and password in the header of the partner link. I could not find how to do it.
    Thanks,
    Saurabh
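    As an added illustration (not code from the thread or from Oracle): the error quoted above is the receiving side rejecting a request that lacks a WS-Addressing Action header. The Python below builds a SOAP 1.1 envelope that carries that header together with a WS-Security UsernameToken (PasswordDigest form), and reproduces the receiver's check so a missing header can be spotted before the call leaves BPEL. The namespace URIs are the standard ones; the action URI, user and password are constructed placeholders.

```python
import base64
import hashlib
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

# Namespaces: WSA is the URI quoted in the error message on the page; the SOAP 1.1
# and WSS 1.0 URIs are the standard W3C/OASIS ones.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSA = "http://schemas.xmlsoap.org/ws/2004/08/addressing"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
NS = {"soap": SOAP, "wsa": WSA, "wsse": WSSE}


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken PasswordDigest per the WSS Username Token Profile:
    Base64(SHA-1(nonce + created + password)). It keeps the clear-text password
    off the wire; transport encryption is still needed against offline guessing."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_envelope(action: str, user: str, password: str, body_xml: str,
                   nonce: Optional[bytes] = None, created: Optional[str] = None) -> str:
    """Build a SOAP 1.1 envelope carrying wsa:Action plus a wsse:UsernameToken."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    # The header the quoted error complains about: the ultimate recipient requires it.
    ET.SubElement(header, f"{{{WSA}}}Action").text = action
    sec = ET.SubElement(header, f"{{{WSSE}}}Security")
    sec.set(f"{{{SOAP}}}mustUnderstand", "1")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST_TYPE)
    pw.text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


def missing_headers(envelope_xml: str) -> list:
    """Receiver-side check mirroring the rejection quoted in the thread: list which
    of the required headers (wsa:Action, a UsernameToken) are absent."""
    root = ET.fromstring(envelope_xml)
    header = root.find("soap:Header", NS)
    missing = []
    if header is None or header.find("wsa:Action", NS) is None:
        missing.append("wsa:Action")
    if header is None or header.find("wsse:Security/wsse:UsernameToken", NS) is None:
        missing.append("wsse:UsernameToken")
    return missing


if __name__ == "__main__":
    # Constructed sample values; the real action URI comes from the target service's WSDL.
    env = build_envelope("urn:example:getOrder", "bpel_user", "example-password",
                         "<getOrder xmlns='urn:example'><id>42</id></getOrder>")
    print(missing_headers(env))   # [] : both headers present
    bare = ("<s:Envelope xmlns:s='http://schemas.xmlsoap.org/soap/envelope/'>"
            "<s:Header/><s:Body/></s:Envelope>")
    print(missing_headers(bare))  # ['wsa:Action', 'wsse:UsernameToken']
```

    Running the check against the exact envelope the partner link emits (captured from the BPEL audit trail or a proxy) tells you whether the Action header or the token is what the recipient is missing.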

  • What is best practice for calling XI Services with Web Dynpro-Java?

    We are trying to expose XI services to Web Dynpro via "Web Services". Our XI developers have successfully generated the WSDL file(s) for their XI services and handed them off to the Web Dynpro developers.
    The Java developers put the WSDL file on their local PCs and import it as an "Adaptive Web Services" data model. When the application is constructed and deployed to our development box, the application abends because the J2EE server on that box cannot locate the WSDL file at runtime (it was on the developer's box at, say, "C:\temp\" and that directory does not exist on the dev server).
    Since XI does not have a way of directly associating the generated WSDL file to the XI service, where is the best place to put the WSDL so it is readable at design time and at run time? Also, how do we reconcile that we'll have 3 WSDL files for each service (one for Dev, one for QA and one for Prod), and how is the model in Web Dynpro configured so it gets the right one?
    Does anyone have any good guide on how to do this? I have found plenty of "how to consume a Web Service in Web Dynpro" docs on SDN, but these XI services are not really traditional Web Services so the instructions break down when it comes time to deploy.

    Hi Bob,
    Sometimes when you create a model using a local WSDL file, instead of referring to the URL mentioned in the WSDL file it refers to, say, the "C:\temp" folder from where you picked up that file. You can check the target address of the logical port. Due to this, when you deploy the application on the server it tries to search the "c:\temp" path instead of the path specified at the soap:address location in the WSDL file.
    The best way is to re-import your Adaptive Web Services model using the URL specified in the WSDL file as the soap:address location,
    like http://<IP>:<PORT>/XISOAPAdapter/MessageServlet?channel<xirequest>
    or you can ask your XI developer to give you the URL for the web service and the username/password of the server.

  • Using Identity Management for Securing Web Services

    My goal is to associate my services with an Oracle Internet Directory. I made some attempts to set up SAML authentication for the web services, but it didn't have the right outcome.
    (My identity management server and OID are up and running and I have successfully made authentication modules for other web applications.)
    Here is what I did:
    1. I wrote a simple Java file and used JDeveloper tools to create and deploy it as a web service to OC4J. I associated an identity management server with this service through the OC4J web tools as security provider.
    2. I made a data control for the web service and put it in an ADF application (client).
    3. I deployed the client project (2) to OC4J.
    I could use the web service through the page.
    Then I secured the web service to expect SAML for authentication.
    Surprisingly, the client could still communicate with the web service. Why? Shouldn't it have rejected the request because of the problem in the SAML token? (The proxy and the data control were not secured, and didn't provide any SAML tokens.)
    4. I added a login page to my client project (through the ADF security wizard). It used identity management for authentication successfully. The login process completes and the web service data control is displayed.
    5. I want the authentication information to be propagated through the page so that the web service receives the data and uses Identity Management.
    I know I should add <property name="oracle.security.wss.propagate.identity" value="true"/>
    to one of the configuration files, but don't know where exactly.
    Best Regards,
    Farbod


  • Best Practice for embedding webi reports in hyperlinks..

    SAP Community
    What is the best practice for embedding hyperlinks (email) from Webi and sending them to a user, so the users can quickly consume the report with minimal effort (click link and launch InfoView/report)?
    John

    As mentioned already, BI has its own inbox, and/or SMTP integration for broadcasting.
    Else, if you go to Folders, right click on your report instance, then select "Copy URL" (or 'document link', I cannot remember the exact term) - that would give you an OpenDocument link to invoke the viewer.
    Regards,
    H

  • Users for secure web services

    Hello,
    If I define a secure web service, I also have to define one or more users which are allowed to access this web service. I only found instructions for defining such users on the application level. If I undeploy or redeploy the web service I lose these users.
    Is there any possibility to store users for an application permanently, or to define allowed users during the deployment?

    Hello,
    I suppose that you are on OracleAS 10.1.3.x and you are using the WS-Security built into the product. If this is the case...
    The WS-Security handlers are based on the JAAS security model; this means that the security processing is based on the container security. The user credentials are not tied to the WS application but to how the J2EE application security provider has been configured.
    So by default you are using the file-based security provider that stores the data in system-jazn-data.xml, but you can easily configure your application to use any other system to store user information, such as an LDAP server for example.
    I am inviting you to take a look at the Security Provider documentation:
    - Introducing the OracleAS JAAS Provider and Security Providers
    Regards
    Tugdual Grall

  • Can config wallet on cloud DB for security web service invoke ?

    Currently, I can invoke the secured web service from APEX in my local DB environment,
    based on the apex_web_service API:
    http://docs.oracle.com/cd/E37546_01/doc/doc.41/e28475/apex_web_service.htm#AEAPI537
    We need a wallet to store the cert files.
    I want to confirm:
    --> Can we configure a wallet to import cert files on the cloud DB?
    Thanks
    Edited by: 985754 on Feb 6, 2013 2:17 AM

    Hello 985754,
    Unfortunately, you cannot import your own certificates into the wallet used by Application Express in the Database Cloud Service. However, this wallet already contains many common CA certificates. Unless the web service you are consuming uses a self-signed certificate, chances are you will be able to use this functionality in the Cloud.
    -- Vlad

  • Best practice for version control B2B, ESB and BPEL

    Hello,
    we are setting up a new system using B2B, ESB and BPEL. The development team is more experienced working with PL/SQL and Oracle Workflow, and we are worried that JDeveloper generates changes to the source files during development and that we might have problems with the version control.
    Is there any best practice for setting up version control for these systems? Do we need to take anything in particular into consideration when setting up the projects?
    We are using Serena Dimensions 9.1 for version control with the add-on in Jdeveloper.
    Thanks in advance!

    I believe JDeveloper has a plugin for Dimensions.
    I haven't used it, but to get it, go to Tools (it may be Help; I don't have JDeveloper on this machine to confirm) > Check for Updates.
    If you select the third-party check box and click Next, you will see an entry for Dimensions.
    Configure the connection and develop as you would any other project.
    cheers
    James

  • Best practice for securing confidential legal documents in DMS?

    We have a requirement to store confidential legal documents in DMS and are looking at options to secure access to those documents. We are curious to know: what is the best practice? And how are other companies doing it?
    TIA,
    Margie
    Perrigo Co.

    Hi,
    The standard practice for such scenarios is to use the 'authorization' concept. You can give each user the authorization to create, change or display these confidential documents. In this way, you can control access through authorization. The SAP DMS system monitors how you work, and prevents you from displaying or changing originals if you do not have the required authorization.
    The link below will provide you with an improved understanding of the authorization concept and its application in DMS:
    http://help.sap.com/erp2005_ehp_04/helpdata/en/c1/1c24ac43c711d1893e0000e8323c4f/frameset.htm
    Regards,
    Pradeepkumar Haragoldavar

  • Best Practice For Secure File Sharing?

    I'm a newbie to both OS X Server and file sharing protocols, so please excuse my ignorance...
    My client would like to share folders in the most secure way possible; I was considering that the best way might be for them to VPN into the server and then view the files through the VPN tunnel. My only issue with this is that I have no idea how to open up File Sharing to ONLY allow users who are connecting from the VPN (i.e. from inside the internal network)... I don't see any options in Server Admin to restrict users in that way....
    I'm not afraid of the command line, FYI, I just don't know if this is:
    1. Possible!
    And 2. The best way to ensure secure AND encrypted file sharing via the server...
    Thanks for any suggestions!

    >>my only issue with this is that I have no idea how to open up File Sharing to ONLY allow users who are connecting from the VPN
    Simple - don't expose your server to the outside world.
    As long as you're running on a NAT network behind some firewall or router that's filtering traffic, no external traffic can get to your server unless you set up port forwarding - this is the method used to run, say, a public web server, where you tell the router/firewall to allow incoming traffic on port 80 to get to your server.
    If you don't set up any port forwarding, no external traffic can get in.
    There are additional steps you can take - such as running the software firewall built into Mac OS X and telling it to only accept network connections from the local network - but that's not necessary in most cases.
    >>And 2. The best way to ensure secure AND encrypted file sharing via the server...
    VPN should take care of most of your concerns - at least as far as the file server is concerned. I'd be more worried about what happens to the files once they leave the network - for example, have you ensured that the remote user's local system is sufficiently secured so that no one can get the documents off his machine once they're downloaded?
