BPM, Workflow, and Case

BPM, Workflow, and Case

Come for answers. Stay for best practices. All we’re missing is you.

 View Only

  • 1.  Passing HTTP request header when calling outbound web service using ootb web service integration

    Posted Tue May 23, 2023 10:05 AM

    We have a big number of outbound web services in our application(s) and they all use out of the box web service integration. For security we are using basic authentication that is supported by outbound web service integration. We have now been told that all outbound web services will be switching security to oAuth and as a result we need to modify our BAW services to work with that type of security.

    So, in SOAP UI we can successfully call such web services without any major type of configuration. All we do is - add one header to the HTTP request (name / value) and it works fine. We pass the JWT token there and auth works.
    https://www.soapui.org/docs/functional-testing/teststep-reference/http-request/headers/

    Now we need to do the same in web service integration but am not finding any options for injecting HTTP request header.

    E.g. I only found SOAPHeaders business object where you could pass SOAP headers but it won't work because we need it to be HTTP request headers -
    https://www.ibm.com/docs/en/baw/19.x?topic=cish-adding-soap-headers-soap-request-message

    Here is an example of raw HTTP request data of successful request -


    POST https:/mywshost:8080/add HTTP/1.1
    Accept-Encoding: gzip,deflate
    Content-Type: text/xml;charset=UTF-8
    SOAPAction: "http://domain.com/Add"

    esb-jwt: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.eyJhdWQiOiJhcGk6Ly9BbnlQb2ludC1EZXYiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC84ODlhN2MwZC03YzJmLTRmYzEtYWU5Yy1lNjc5YWE4NWJkM2MvIiwiaWF0IjoxNjg0MTgxOTAzLCJuYmYiOjE2ODQxODE5MDMsImV4cCI6MTY4NDE4NTgwMywiYWlvIjoiRTJaZ1lCQXZhNTI1N2VQWk1MRm43R3VXWG5idEJBQT0iLCJhcHBpZCI6IjllOWNiYjA2LWUyZmUtNGFkMS05ZTdjLWJjMjRiN2M0MWI3NCIsImFwcGlkYWNyIjoiMSIsImlkcCI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0Lzg4OWE3YzBkLTdjMmYtNGZjMS1hZTljLWU2NzlhYTg1YmQzYy8iLCJvaWQiOiJjMWNjM2U0Mi05ZWNhLTQ3NjctOTEzMC1kOWU5MDJiYWFkNzIiLCJyaCI6IjAuQVRnQURYeWFpQzk4d1UtdW5PWjVxb1c5UE1kUXh3MGYzZnBMbEFtSllOMnZOM2M0QUFBLiIsInJvbGVzIjpbInRyYW5zYWN0aW9uczptZXJjaGFudHM6cmV0cmlldmUiLCJtZXNzYWdlczpwb3N0LWVtYWlsIiwicHJveHk6aHVic3BvdDpjb250YWN0cyIsImZpc2VydjplcG9jOmFsbCJdLCJzdWIiOiJjMWNjM2U0Mi05

    Content-Length: 2792
    Host: mulapidev:8095
    Connection: Keep-Alive
    User-Agent: Apache-HttpClient/4.5.5 (Java/12.0.1)

    <soapenv:Header />
    <soapenv:Body>
    <sp:AddCardRequest>
    <!--Optional:-->
    <sp:Application>OAO</sp:Application>
    <!--Optional:-->
    ...
    ...
    ...


    I can't believe that nobody has requested this or done something similar because passing oAuth token in HTTP request when calling outbound WS is a common practice nowadays. So, perhaps I'm missing something obvious here?



    ------------------------------
    Sergei Malynovskyi
    ------------------------------


  • 2.  RE: Passing HTTP request header when calling outbound web service using ootb web service integration

    Posted Tue May 23, 2023 11:02 AM

    Hi Sergei,

    How are the consumers calling the web services? I believe, any Java HTTP client can be used to send the HTTP POST request with the auth-token in the header.

    Thanks!



    ------------------------------
    Atanu Roy
    Solution Architect
    Salient Process
    ------------------------------

    Original Message


  • 3.  RE: Passing HTTP request header when calling outbound web service using ootb web service integration

    Posted Tue May 23, 2023 11:14 AM

    Hi Atanu - 

    Right, any Java HTTP client can do it but we're using standard/out of the box web service integration in IBM BAW and we need to make it work with it. All our outbound web service calls are using standard web service integration - 
    https://www.ibm.com/docs/en/baw/19.x?topic=integrations-integrating-web-services



    ------------------------------
    Sergei Malynovskyi
    ------------------------------

    Original Message


  • 4.  RE: Passing HTTP request header when calling outbound web service using ootb web service integration

    Posted Tue May 23, 2023 12:56 PM

    Hi Sergei,

    Okay, I thought the webservices are being consumed by other non-bpm applications.
    I don't think, auth-token can be added in the built in web service integration component. Just a wild guess, can you try passing the token like if not already tried - 

    var authHeader = new tw.object.SOAPHeader(); 
authHeader.name = "Authorization";
authHeader.value = "Bearer {token}"
tw.local.requestHeaders.headers[0] = authHeader;


    Thanks!



    ------------------------------
    Atanu Roy
    Solution Architect
    Salient Process
    ------------------------------

    Original Message


  • 5.  RE: Passing HTTP request header when calling outbound web service using ootb web service integration

    Posted Tue May 23, 2023 01:00 PM

    Yeah, that's what we tried first but quickly realized that this injects SOAP headers into SOAP body and we need HTTP request headers instead



    ------------------------------
    Sergei Malynovskyi
    ------------------------------

    Original Message


  • 6.  RE: Passing HTTP request header when calling outbound web service using ootb web service integration

    Posted Tue May 23, 2023 01:51 PM

    Hi Sergei, 

    Have you tried setting up a server of type 'Web Service Server'? This allows you to select a policy set and binding. The policy set and binding can be defined in WAS (via admin console). So, at least in theory if you have enabled OAuth for use in WAS, you should be able to create a new policy set and use it for authentication in BAW. Once that is in place, then you can bind the web service to use this server definition. 



    ------------------------------
    Ajay Katre
    Salient Process
    ------------------------------

    Original Message


  • 7.  RE: Passing HTTP request header when calling outbound web service using ootb web service integration

    Posted Tue May 23, 2023 02:09 PM

    Hi Ajay - 

    Yeah, I know you can use policy sets and bindings for WS security in BAW. But I have not found a web service policy set that would support OAuth token - 
    https://www.ibm.com/docs/en/was-nd/8.5.5?topic=SSAW57_8.5.5/com.ibm.websphere.base.doc/ae/cwbs_wsspsps.htm

    Not sure what you mean by " if you have enabled OAuth for use in WAS". Do you mean enabling the OAuth 2.0 Trust Association Interceptor (TAI)? But it won't help me with the web service policy set I'm afraid. 

    Oh well, I guess we will have to come up with a custom web service connector ...

    Thanks!



    ------------------------------
    Sergei Malynovskyi
    ------------------------------

    Original Message


Related Content