Database Reference
In-Depth Information
Chapter 9. Securing a BPEL Process
In an enterprise environment, BPEL services usually serve either mission-critical or
business-critical business processes. These BPEL services exchange sensitive in-
formation with multiple composite applications, enterprise systems, and external ser-
vice providers as a service consumer or provider. That is why it is critical to ensure
that only authorized users have access to BPEL services and communication is kept
private. It is an industry-leading practice to implement a separate vertical layer for se-
curing BPEL process; commonly known as the security layer. The security control's
implementation needs to have defense in depth and should be capable enough to de-
liver the basic principles of information security to secure web services, they are as
follows:
•
Confidentiality
: Data is readable to authorized systems and users only.
•
Integrity
: Data exchange between service consumers and providers is not
tempered. In other words, data is not modified, unauthorized, or undetec-
ted.
•
Availability
: BPEL service(s) are available to authorized users (What can
you access?) when requested and protected from denial of service at-
tacks.
•
Authenticity
: Identity validation of consumers and providers (Who are
you?).
•
Non-repudiation
: BPEL service(s) consumers can't deny submission of a
request while producers can't deny receiving it.
In this chapter, we will explore the options and leading practices with network, host,
application,anddatalayersofasystemtocreatesecuritycontrolstoprotecttheBPEL
process services deployed in a SOA Suite platform.
Securing a BPEL process
We can create composite web services by orchestrating the flow between the web
services using the Oracle SOA Suite, as shown in the following diagram. Anyone can
invoke a BPEL process if they know the WSDL URL; the network route is then open
for them. It is required that we design and develop a solution that handles authen-
tication, authorization, transport layer security, and protects from denial of service at-
tacks.
