It would be great if the BPELInvoke activity could support mapping WS-Security information from the ESB Context into the message / variable associated with the receive operation. The use case requirement is:
"A service implemented as a BPEL process requires authentication of a user. Composite services also require an authenticated user, and re-authentication should be avoided. The customer wants to use WS-Security and SAML to fulfill this requirement"
A possible solution is to expose the BPEL process service as an ESB service via EBWS and have the client consume that service using a WS-Security UsernameToken. The service would be configured like this:
<security moduleName="saml-issue-token" callbackHandler="org.jboss.soa.esb.services.security.auth.login.JBossSTSIssueCallbackHandler" />
<action name="startBPELProcessAction" class="org.jboss.soa.esb.actions.BPELInvoke">
  <property name="service" value="
  <property name="operation" value="hello" />
  <property name="requestPartName" value="TestPart" />
</action>
This security module authenticates the user, obtains a SAML token from the PicketLink STS, and places the token in the ESB Context. The BPELInvoke action could then read the SAML token from the ESB Context, build a WS-Security header element carrying that token, and add the header to the request used to invoke ODE.
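The header-building step described above, as an added illustration that is not RiftSaw or JBoss ESB code. It stands in for the ESB Context with a plain Map (an assumption; the real Context API and the key under which the security module stores the token are not given in this issue, so the key name here is made up), takes a constructed SAML 2.0 assertion from that map, wraps it in a wsse:Security header using the standard WSS 1.0 and SOAP 1.1 namespaces, and inserts the header into a constructed SOAP request. The action refuses to proceed when no token is present, so an unauthenticated caller cannot reach the process engine through this path.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Illustrative only: copies a SAML assertion from a context map into a wsse:Security header. */
public class SamlHeaderMapper {

    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Assumed key: the issue does not say under which name the security module stores the token.
    static final String SAML_TOKEN_KEY = "assumed.saml.token";

    /** Adds a wsse:Security header carrying the assertion; fails closed when the context has no token. */
    public static Document addSecurityHeader(Document envelope, Map<String, Object> esbContext) throws Exception {
        Object token = esbContext.get(SAML_TOKEN_KEY);
        if (!(token instanceof Element)) {
            throw new IllegalStateException("no SAML assertion in ESB Context; not invoking the process unauthenticated");
        }
        Element assertion = (Element) token;

        Element root = envelope.getDocumentElement();
        NodeList headers = root.getElementsByTagNameNS(SOAP_NS, "Header");
        Element header;
        if (headers.getLength() == 0) {
            // SOAP requires Header to precede Body, so insert it as the first child
            header = envelope.createElementNS(SOAP_NS, "soapenv:Header");
            root.insertBefore(header, root.getFirstChild());
        } else {
            header = (Element) headers.item(0);
        }

        Element security = envelope.createElementNS(WSSE_NS, "wsse:Security");
        security.setAttributeNS(SOAP_NS, "soapenv:mustUnderstand", "1");
        // importNode copies the assertion into the envelope's document so it can be attached there
        security.appendChild(envelope.importNode(assertion, true));
        header.appendChild(security);
        return envelope;
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Reject DOCTYPE declarations so a crafted token or request cannot trigger entity expansion
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new InputSource(new StringReader(xml)));
    }

    static String serialize(Document doc) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.INDENT, "yes");
        StringWriter w = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(w));
        return w.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample assertion standing in for what the STS would issue
        Document samlDoc = parse("<saml2:Assertion xmlns:saml2=\"" + SAML2_NS + "\" ID=\"_example\" Version=\"2.0\">"
            + "<saml2:Issuer>example-sts</saml2:Issuer>"
            + "<saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject>"
            + "</saml2:Assertion>");
        Map<String, Object> context = new HashMap<>();
        context.put(SAML_TOKEN_KEY, samlDoc.getDocumentElement());

        // Constructed request the action would send to the process engine
        Document request = parse("<soapenv:Envelope xmlns:soapenv=\"" + SOAP_NS + "\">"
            + "<soapenv:Body><hello xmlns=\"http://example.org/hello\">hi</hello></soapenv:Body>"
            + "</soapenv:Envelope>");

        System.out.println(serialize(addSecurityHeader(request, context)));
    }
}
```

Setting mustUnderstand="1" on the header is a deliberate choice: a process engine that does not process WS-Security will then fault rather than silently run the operation for an unverified caller.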
The BPEL process WSDL would declare the WS-Security header element, and the BPEL process designer would map the header element into variables, and therefore into outgoing message headers, via assign / copy operations (similar to the hello_world_header_wsdl quickstart).
This is a good use case for ESB / Riftsaw integration, as Riftsaw is able to use the ESB to access PicketLink and provide SAML support.