Oracle SOA blog: Soa 11g Human Task client Authentication

Java / Oracle SOA blog About Java, JDeveloper, OEPE and Oracle OSB & SOA suite Home

Thursday, February 18, 2010


Soa 11g Human Task client Authentication In Soa Suite 10g & 11g you can make your own HumanTask Client ( instead of the Worklist Application ) and integrate this in your own Application. Together with Ronald van Luttikhuizen we made an Human Task Client with works with the Soa Suite 10g & 11g version. The 10g version was a bit tricky because we called the 10g Human Task EJB on an OC4J container from an Weblogic Web application. With Soa Suite 11g I don't have these problems because everything is working on the Weblogic Container. In Soa 11g you have three ways to connect to Human Task Service. Use the local or remote EJB and you can call the soap service. The local EJB option is not acceptable because we need to deploy the customer application on the Soa Suite server else it won't work. With the Soap client I need to configure OWSM on the Weblogic Service and soap is not so fast as the Remote EJB option. This gives a other problem I don't want to use the soa suite weblogic account in the customer application. The user have to authenticate in the Customer application and this user is also known in the Human Task ( I add the same authenticator in the ADF & Soa Suite server) So why don't we use the same user for the EJB call to the Soa Suite. To make this works you need to make a domain trust between the two Weblogic domains. To do this you need to go to the weblogic console and change some domain properties. First change, enable the "Cross Domain Security Enabled" option.

Edwin Biemond Follow


ex Oracle ACE , Java Developer of the year 2009. Co-writer of the OSB Development Cookbook. I am working as a Software Architect and specialized in CI,CD, integration, middleware, security and web development. View my complete profile

Pageviews last month

2 2 7 5 8

Save this change and go the advanced options where you need to change the domain credential, this password must match with the Soa suite domain password.

Google+ Followers Edwin Biemond

Do this on both domains.

Add to circles

The next step is to create Workflow Client in your application. It will use your Application authentication for this remote EJB, so you don't to have a Soa Suite account in your application code. view plain

01. 02. 03. 04. 05. 06. 07. 08. 09. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19. 20. 21. 22. 23. 24. 25. 26. 27. 28. 29. 30. 31. 32. 33. 34. 35. 36. 37. 38. 39. 40. 41. 42. 43.



String wlsserver = "HumanWorkFlow"; String soaserver = System.getProperty("humantask.url"); String wsurl = "http://"+soaserver; String t3url = "t3://"+soaserver; String contextFactory = "weblogic.jndi.WLInitialContextFactory"; String identityDomain = ""; IWorkflowContext context = null; IWorkflowServiceClient workflowServiceClient; BPMIdentityService bpmClient; WorkflowServicesClientConfigurationType wscct = new WorkflowServicesClientConfigurationType(); List servers = wscct.getServer(); ServerType server = new ServerType(); server.setDefault(true); server.setName(wlsserver); servers.add(server); RemoteClientType rct = new RemoteClientType(); rct.setServerURL(t3url); rct.setInitialContextFactory(contextFactory); rct.setParticipateInClientTransaction(false); server.setRemoteClient(rct); workflowServiceClient = WorkflowServiceClientFactory.getWorkflowServiceClient( WorkflowServiceClientFactory.REMOTE_CLIENT, wscct, logger2); Map properties = new HashMap(); properties.put(IWorkflowServiceClientConstants.CONNECTION_PROPERTY.SOAP_END_POINT_ROOT , wsurl); bpmClient = WorkflowServiceClientFactory.getSOAPIdentityServiceClient(identityDomain , properties , logger2);

1,227 have me in circles

Blog Archive 2014 (6) 2013 (13) 2012 (24) 2011 (34) t 2010 (36) November (4) September (2) August (4)

The last step is to acquire and release the Human Tasks on behalf of the application user. Because you don't know the application user password you need to have an account which can do that for the application user. This code can do that for the application user. Make sure that this account don't have too much authorization rights in Weblogic and your application. view plain

01. 02. 03. 04. 05. 06. 07. 08. 09. 10. 11. 12. 13. 14.


July (2) June (3) May (7) April (5)


March (1)

String identityUsername = System.getProperty("humantask.user" ); String identityPassword = System.getProperty("humantask.password"); IWorkflowContext contextBehalf = null; ITaskQueryService taskQueryService = getTaskQueryService(); if ( context == null ) { System.out.println("HumanWorkflow "+identityUsername+ " context created"); context = taskQueryService.authenticate( identityUsername , identityPassword.toCharArray() , identityDomain); } contextBehalf = taskQueryService.authenticateOnBehalfOf(context, onBehalfOfUser);

t February (5) Soa 11g Human Task client Authentication Soa 11g Identity Service and Human Task Web service references and Soa configuration plan Invoking FMW Application MBeans in Weblogic

Posted by Edwin Biemond at 7:00 PM

Weblogic / ADF web application security

Labels: jdeveloper 11g soa suite, WebLogic

January (3) Reactions:

2009 (68) 2008 (103)


2007 (30)

Nitin April 6, 2010 at 11:35 AM Hi Edwin I am working on cross domain security. I had some issues, and i posted them on OTN forum. Can you please take a look at them and suggest some solution.


here's the link

activiti (1)

Thanks and Regards Nitin

adf bc (bc4j) (11)


adf excel gui (1)

adf (69)

adf mobile (1) Nitin April 14, 2010 at 10:41 AM

adf security (5)

Thanks for your advise, but i have already cross checked all that,a number of times. I inquired about the service i was trying to consume, its an ADF-BC service,so its now SOA-ADF integration. I am first deploying both composite and this service on same domain,make sure that they work fine and then move to cross domain.

adf taskflow (30) Adobe Flex (29) Adobe Flex Blazeds (10) Adobe Flex LifeCycle (4)

Thanks Nitin

AIA (2)


AQ (7) AS (1)

Nitin April 22, 2010 at 7:29 AM Hi I deployed a secured ADF-BC service(not the one i was previously working on) on domain A and a SOA composite on domain B and called the service from composite WITHOUT ENABLING CROSS DOMAIN SECURITY ON DOMAIN A and using weblogic B's admin credentials for calling the service. Then I enabled cross domain on both the sides and was now able to call the service with both admin credentials and the user with crossdomainconnector role.

Axis (2) B2B (2) bpm (1) Coherence (4) EclipseLink (20)

My Question: -

EDN (3)

1. Cross domain is introduced so that we dont have to pass admin credentials to the other domain or there is something else too?

Exadel Fiji (2)

2. Also the same approach is not working with the first secured service i was trying to consume(my 1st post is still an issue for me)

HortnetQ (2)

GoldenGate (1)

hudson (1) java (14)

Please Advice

JBossAS (2)

Thanks Nitin

JCache (2)


jdeveloper 10.1.3 (17) jdeveloper 11g (85)

Edwin Biemond

April 22, 2010 at 7:12 PM

jdeveloper 11g soa suite (82)


jdeveloper 11g webcenter (12)

Yes cross domain is a easy way to pass on credentials between domains.

jdeveloper 11gR2 (5)

off course you can also use saml , where you can use sender- voucher see this for more info.

Jdeveloper 12.1.2 (5) Jdeveloper 12.1.3 (3)


jdeveloper 12c (1)


jheadstart (3) jms (9)

Gerben Vermoen September 10, 2010 at 5:46 PM

jsf (20)


JSON (3)

I've been struggling alot to get the 11g worklist application customized to the requirements of my customer.

ldap (4)

I'm now considering building a custom worklist app. Could you tell me how much effort this is or could you maybe be so kind to share your code?

Maven (7) MDS (6) Metro (WSIT) (1)

groeten, Gerben gvermoen at gmail

MySQL (5) NoSQL (1)


OEPE (8) Edwin Biemond

Oracle Service Bus (32)

September 10, 2010 at 5:58 PM

OWSM (11)


packer (1)

Here you got a working example of me

provisioning (2)

puppet (2)

you need to add the bpm-infra and bpm-services jar to the web-inf/lib folder.

REST (7) Robot (1)


Ruby on Rails (3)


RubyAMF (3) Adnan October 26, 2010 at 7:06 AM

SAML (6)

Hello I am getting the following exception can you please help java.lang.RuntimeException: weblogic/security/subject/AbstractSubject Exception in thread "main" java.lang.RuntimeException: weblogic/security/subject/AbstractSubject

SCA (4)


Siebel (1) Skinning (1) SOA (7)

Edwin Biemond

soa suite (2)

October 26, 2010 at 12:49 PM

Tuscany (1)

Hi, I dont know this error, what did you do and do you see the tasks in the humantasklist application.

vagrant (1) web services (30)


WebLogic (73)


WLST (10) XQuery (2)

Adnan October 26, 2010 at 2:33 PM i am sorry I meant to say .. I tried the example but I am getting .. Caused by: java.lang.ClassNotFoundException: Reply

Popular Posts

Adnan October 26, 2010 at 4:45 PM Edwin I downloaded your example from Thank you so much for sharing your example. I added the following jar files to the classpath bpm-infra.jar, bpm-services.jar, j2ee-1.3.1.jar, weblogic.jar, wlclient.jar, wsclient.jar, wsclient_extended.jar, xml.jar, xmlparserv2.jar I am getting the following error when I try to run the main method in class Exception breakpoint occurred at line 93 of java.lang.RuntimeException: weblogic/security/acl/UserInfo Exception in thread "main" java.lang.RuntimeException: weblogic/security/acl/UserInfo

October 26, 2010 at 4:54 PM

Hi, I think you only need bpm-infra.jar, bpm-services.jar in your web-inf/lib. and please generate a wlfullclient jar for java 1.6. for the Query test and off course check the project for usernames / password and check if they are the same for your env. thanks Reply

Adnan October 26, 2010 at 6:29 PM Thank you so much! it did work after I generated wlfullclient jar as you suggested. Thank you so much! Reply

Srini November 1, 2010 at 9:30 PM Hi Edwin We have some users created in company LDAP for human task. I want to have an admin user, used to get the details of tasks(assigned to users in company LDAP) using SOAP client. I tried with the admin user "weblogic" but it is not working.



Srini November 1, 2010 at 9:37 PM below is the request Reply

Srini November 1, 2010 at 9:52 PM weblogic welcome1 weblogic jwilliams All State EQ ASSIGNED TextAttribute1 EQ READY_TO_SHIP_STATUS_417442 Reply

November 2, 2010 at 5:07 PM

Hi, Is weblogic, the owner of the Task or is weblogic in the assigned group and do you see them in the worklistapp. thanks Reply

Amr Ismail Gawish January 30, 2011 at 3:34 PM Hi Edwin, I got your example working, but I can't seem to find the Task Details url, it's always coming empty (null) I checked your code and you are using task.getSystemMessageAttributes().getUrlAttribute1() , so what do you think is the proper replacement for this to use it in my inline frame! I use SOA Reply

January 31, 2011 at 10:36 PM

Hi, Did you add this attribute in your query // specific "text string" columns queryColumns.add(TableConstants.WFTASK_TEXTATTRIBUTE1_COLUMN.getName()); thanks Reply

Let's do something September 20, 2011 at 10:18 PM Hi Edwin, in case of cluster environment with multiple soa servers, should we give t3ursl as private String t3url = "t3://" +host1:port,host2:port; Please confirm. Thanks, Biltu Reply

September 20, 2011 at 11:39 PM

Hi Yes indeed in case of t3 you can use t3:/host,host2:8001 for http you need a load balancer Reply Replies Anonymous August 4, 2014 at 4:47 PM Hi, I have same configuration, but only I can create WorkflowContext to first node managed (, when I connect on I'm getting WorkflowContext on null, (No get "jazn.xml" form thanks

Edwin Biemond

August 4, 2014 at 8:26 PM

Did you store the jazn config in the database, probably you need to store OPSS in a database or a ldap. Else the second server can't read it.

Anonymous August 4, 2014 at 9:37 PM Tanks Edwin, I have OPSS file based (File/XML based system-jazn-data.xml). I am going explain the complete steps for you, the exception was in this line: IWorkflowContext iWorkflowC = itTask.authenticate(null, null, null); // Here not created the context IBPMContext ctx = (IBPMContext)iWorkflowC; the varible "iWorkflowC" is incomplete for the node 2 ( in my cluster (I have 2 managed server with soa), them "ctx" is incomplete. The exception on trace is after above line, in line: ProcessMetadataSummary metadataSummary = processUtils_.getMetadataForProcess(ctx, processName, version); The error was but the context "ctx" is incomplet for node 2, so the true exception is not show in log, (show one exception in after step). BPM-71051 Exception exception.71051.type: error exception.71051.severity: 2 Error during authentication. exception.71051.description: Error while authenticating user {0}, identity context {1}. Provide valid userName, password and identityContext. exception.71051.fix: Contact Oracle support if exception can not be fixed at weblogic.rjvm.ResponseImpl.unmarshalReturn( at weblogic.rmi.cluster.ClusterableRemoteRef.invoke( at weblogic.rmi.cluster.ClusterableRemoteRef.invoke( at dataServiceRemoteImpl_1036_WLStub.listProcessMetadataSummary(Unknown Source) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke( at sun.reflect.DelegatingMethodAccessorImpl.invoke( at java.lang.reflect.Method.invoke( at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke( :85) at $Proxy15.listProcessMetadataSummary(Unknown Source) at at at Caused by: java.lang.NullPointerException at a:583) Question: 1) Because do not have an exception if did not create the context ok? 2) I have other problem, in production enviroment not runing in any nodes, but the config is same that test? in all nodes I get the same exception descripted above for the node 2 in the test enviroment?

Thanks in advance

Anonymous August 5, 2014 at 4:51 PM Additional information It is not a security issue because to login with the user and a password wrong I get authentication error: javax.naming.AuthenticationException [Root exception is java.lang.SecurityException: User: eprocessos, failed to be authenticated.] at at at at eryServiceRe

Do I think it is some library missing or different version on node 2? Any help? Thanks in advance Reply

Let's do something September 25, 2011 at 12:00 AM Hi Edwin, thank you very much for your prompt response. Please let use what we have to do as per below scenario. We have soa_server1 (where we have deployed our client code after exposing it as custom ws)in a wldomain_1....and all user information are there in different wl-domain2 of OIM (ovd,oid1,oid2). Now how can I assign user to Human task from BPEl or BPMN component to Humantask which are deployed in soa_server1 of wl-domain_1. Looking for youe response. Thanks, Biltu Reply

Anonymous May 24, 2012 at 11:21 PM Hi Edwin, Please tell us how to use WorkflowServiceClientFactory.LOCAL_CLIENT while creating context by invoking WorkflowServiceClientFactory.getWorkflowServiceClient() myHumanTaskClient.war file is deployed in soa_server1 only, so I wanted to use local ejb call rather than remote ejb. will there be any issue with cluster enviornment in case we use LOCAL_CLIENT? Thanks, Biltu Reply Replies Edwin Biemond

May 29, 2012 at 10:12 PM

Hi, I think it should work, probably you don't have to provide any properties. Did you got some errors. cluster is no problem , it will get the local ejb on the soa server which gets the request. thanks Reply

SRI May 20, 2013 at 7:52 AM Hi, I am trying to send the actionable email through humanworkflow task. I am getting the below error. 1ORABPEL-30504 Internal error in Verification Service. Internal error in Verification Service for user weblogic. hasPermission. Check the underlying exception and correct the error. If the error persists, contact Oracle Support Services. The email driver is working fine. Workflow xontext authentication may be the issue. can you please help me how to set the credentials for the task service... Reply Replies Edwin Biemond

May 23, 2013 at 3:17 PM

Hi, did you change the authentication providers order, cause the Verification Service only looks at the first provider or you need to set the virtualize attribute. Thanks Reply

Anonymous February 10, 2014 at 3:33 PM hi, i got the following error when doing authenticateOnBehalf: ora-30509:Insufficient privileges to authenticate on behalf of another user. any idea how to configure such a user? i have a custom OID based authenticater and it is the first one. I also use a custom identity service plugin. this is with soa 11g, thanks Reply

shiva krishna September 7, 2015 at 8:33 AM Hi, i got the following error when i try to get the task list. SEVERE: ORABPEL-30504 Internal error in Verification Service. Internal error in Verification Service for user null. lookupUser. Check the underlying exception and correct the error. If the error persists, contact Oracle Support Services. can you please help me. Thanks. Reply

Links to this post Create a Link

Newer Post

Building an asynchronous web service with OSB A few weeks ago I made a blogpost over how you can build an asynchronous web service with JAXWS. In this blogpost I will do the same in th... The things you need to do for OWSM 11g policies In Fusion Middleware 11g it is not so difficult to protect your JAX-WS Web services or your Composite Services. You just need to add an Orac...

OSB Rest service with xml, json output Inspired by an article RESTify your world.. of Emiliano Pecis, I decided to make my own OSB Rest service which can return XML and JSON. To m...

TextAttribute1 EQ READY_TO_SHIP_STATUS_417442

Edwin Biemond

Retrieve or set a HTTP header from Oracle BPEL With Oracle SOA Suite 11g patch 12928372 you can finally retrieve or set a HTTP header from BPEL. This patch comes with Patch Set 5 ( 11.1...

Using database tables as authentication provider in WebLogic In WebLogic you can use database tables as authentication provider for your web applications. In these tables you can store your application...


Edwin Biemond

Some handy code for backing beans ( ADF & JSF ) Here some code which you can use in your backing beans, I use this code all the time. With this you can retrieve the data or actions from th...

Changing WSDL url ( endpoint) in JAX-WS client In JDeveloper 11G you can easily generate a JAX-WS client, just create a new Web Service proxy client and use the WSDL Url. This client work...

weblogic welcome1 weblogic jwilliams

Edwin Biemond

JAX-WS web service proxy client and HTTP authentication In a project I need to set the HTTP authentication on a JAX-WS proxy client. So let's do it. We only have to set the username and passwo... Soa Suite 11g MDS deploy and removal ANT scripts With the release of Soa Suite 11g R1 Patch Set 1 Oracle improved the standard ant scripts for MDS deployment and removal. Before PS1 we had ...


Edwin Biemond

Easy way to start your WebLogic Servers with the NodeManager in the background When you work with Fusion Middleware you probably know you need to start the WebLogic Servers with the scripts located in the bin folder of ...


Older Post

Subscribe to: Post Comments (Atom)

Awesome Inc. theme. Powered by Blogger.

View all


Oracle SOA blog: Soa 11g Human Task client Authentication

Java / Oracle SOA blog About Java, JDeveloper, OEPE and Oracle OSB & SOA suite Home Thursday, February 18, 2010 Search Soa 11g Human Task client Au...

435KB Sizes 19 Downloads 33 Views

Recommend Documents

No documents