Authenticating the Calling User - Web Service API

Every API call that the client application makes to the BPM web service (SOAP) API must include an appropriate WS-Security token in the SOAP header.

The token must be either:

  • a UsernameToken, which specifies the username and password of the user on whose behalf the call is being made. (This is termed direct authentication.)
  • an X.509 certificate or signed SAML 2.0 token, if SSO authentication is being used. (This is termed Single Sign-on (SSO) authentication.)

TIBCO ActiveMatrix BPM LDAP authentication uses this token to authenticate the calling user. If the token does not identify a known TIBCO ActiveMatrix BPM user, the call is rejected.

Note: See Authenticating Access to a TIBCO ActiveMatrix BPM Service for more information about direct and SSO authentication methods and how to use them in different situations.

BPMTestApplication uses a UsernameToken to authenticate the calling user.

WCF provides standard mechanisms to add a UsernameToken to the SOAP header of an outgoing message. However, these mechanisms cannot be used for authentication against a BPM service because the UsernameToken produced does not comply with the WS-Security standard. (See http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/4df3354f-0627-42d9-b5fb-6e880b60f8ee.)

Instead, BPMTestApplication implements a custom behavior to insert a WS-Security-compliant UsernameToken into the SOAP header of an outgoing message:

  • UsernameHeader.cs defines a custom SOAP header that includes a WS-Security-compliant UsernameToken, using the username and password supplied in the login dialog. (See Obtaining the Calling User’s GUID.)
  • UsernameBehavior.cs and UsernameHeaderInspector.cs define a custom endpoint behavior which overwrites the default SOAP header with the custom header when a message to the endpoint is constructed.
  • A ServiceClientFactory constructor (in ServiceClientFactory.cs) adds the custom endpoint behavior to each WCF client object.
    // ServiceClientFactory.cs (excerpt). CreateHttpBinding and GetWorkListServiceUrl
    // are other members of the same class.
    public ServiceClientFactory(string user, string password, string host, string port, bool secure)
        : this(host, port, secure)
    {
        // Wrap the credentials entered in the login dialog in the custom endpoint behavior.
        SecurityBehavior = new UsernameBehavior(user, password);
    }

    // The behavior that inserts the WS-Security UsernameToken into each outgoing message.
    public IEndpointBehavior SecurityBehavior
    {
        get;
        set;
    }

    public WorkListServiceClient GetWorkListServiceClient()
    {
        WorkListServiceClient clnt = new WorkListServiceClient(
                                    CreateHttpBinding("WorkListService.soap"),
                                    new EndpointAddress(GetWorkListServiceUrl()));
        // Attach the behavior so every call made through this client carries the token.
        clnt.Endpoint.Behaviors.Add(SecurityBehavior);
        return clnt;
    }
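The three classes that the list above describes (the custom header, the message inspector and the endpoint behavior) are not shown on this page. The following is an added illustration, written here and not taken from BPMTestApplication, of how such a WS-Security-compliant UsernameToken header can be emitted with the standard WCF extension points (MessageHeader, IClientMessageInspector, IEndpointBehavior). The class names match the page; the member names, the use of the PasswordText profile and the wsu:Id value are assumptions. The namespace URIs are the standard WS-Security 1.0 ones.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Xml;

// Custom SOAP header: <wsse:Security> carrying a <wsse:UsernameToken>.
public class UsernameHeader : MessageHeader
{
    public const string WsseNs =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private const string WsuNs =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    private const string PasswordTextType =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";

    private readonly string _user;
    private readonly string _password;

    public UsernameHeader(string user, string password)
    {
        _user = user;
        _password = password;
    }

    public override string Name { get { return "Security"; } }
    public override string Namespace { get { return WsseNs; } }

    // mustUnderstand="1": a receiver that cannot process WS-Security must fault
    // rather than silently ignore the credentials.
    public override bool MustUnderstand { get { return true; } }

    protected override void OnWriteHeaderContents(XmlDictionaryWriter writer, MessageVersion messageVersion)
    {
        writer.WriteStartElement("wsse", "UsernameToken", WsseNs);
        // wsu:Id is optional in the profile; a random value is used here (assumption).
        writer.WriteAttributeString("wsu", "Id", WsuNs, "UsernameToken-" + Guid.NewGuid().ToString("N"));
        writer.WriteElementString("wsse", "Username", WsseNs, _user);
        writer.WriteStartElement("wsse", "Password", WsseNs);
        writer.WriteAttributeString("Type", PasswordTextType);
        writer.WriteString(_password);
        writer.WriteEndElement(); // wsse:Password
        writer.WriteEndElement(); // wsse:UsernameToken
    }
}

// Message inspector: replaces any existing Security header on each outgoing request.
public class UsernameHeaderInspector : IClientMessageInspector
{
    private readonly string _user;
    private readonly string _password;

    public UsernameHeaderInspector(string user, string password)
    {
        _user = user;
        _password = password;
    }

    public object BeforeSendRequest(ref Message request, IClientChannel channel)
    {
        // Remove a Security header WCF may already have generated, then insert ours.
        int existing = request.Headers.FindHeader("Security", UsernameHeader.WsseNs);
        if (existing >= 0)
        {
            request.Headers.RemoveAt(existing);
        }
        request.Headers.Add(new UsernameHeader(_user, _password));
        return null; // no correlation state needed
    }

    public void AfterReceiveReply(ref Message reply, object correlationState)
    {
        // Nothing to do on the reply path.
    }
}

// Endpoint behavior: installs the inspector into the client runtime of an endpoint.
public class UsernameBehavior : IEndpointBehavior
{
    private readonly string _user;
    private readonly string _password;

    public UsernameBehavior(string user, string password)
    {
        _user = user;
        _password = password;
    }

    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime)
    {
        clientRuntime.MessageInspectors.Add(new UsernameHeaderInspector(_user, _password));
    }

    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters) { }
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher) { }
    public void Validate(ServiceEndpoint endpoint) { }
}
```

A PasswordText token carries the password in clear text inside the SOAP envelope, so the binding created by CreateHttpBinding must use HTTPS (the factory's `secure` flag) for the token to be protected in transit. On the receiving side, the only thing that stops the credentials from being ignored is the mustUnderstand flag, which is why the header sets it.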