Applying Security in Web Service with TIBCO BW

In this post we are going to learn how to apply security policies to our TIBCO BW WebService using the Policy palette that we have in our TIBCO Designer software. First of all, we are going to share some resources to get the basic knowledge for this post:

So we have our Web Service development as always. In our case we are using a Global Weather WSDL you can get from here: WSDL and we are using a Service palette and the menu-option WSDL to Process to create with dummy process:


OK, so we have our dummy Web Service implementation with two operations, GetCitiesByContry and GetWeather and we are going to proceed to secure one of them. So first of all we need this you artifacts from our Policy Palette:


These two artifacts works this way:

  • The first one (pink coloured, Security Policy named) allows us to create our service policy. The one we are defined is a very ‘simple’ one, as you can see here:


We are going to do only a Authentcation control in our inbound message, so the request must have a valid authentication control and we are using the following Authentication schema:


The election of ‘UserNameToken’ is because is very easy to do a test so you can assert that everything is working fine. So when we have defined the security policy, you need to configure the other artifact we discussed about. The blue-coloured Security Policy Association named, applying the following configuration:


Ok, with this configuration we proceed to do the deployment in our TIBCO Administrator server. And for do the testing we are using the soapUI software. First, we have a simple test without specifying any security option:


We are getting a WS Security Error as we could expect because we are not providing any credentials. So we do a new test specifying the credentails:


And now its working perfectly:


As always we left the process example so you can take a deeper look of it: Download

I hope you can use these information in your new developments! See you in the next post!


28 thoughts on “Applying Security in Web Service with TIBCO BW

  1. Thanks for your tutorial. It was really nice.
    However I have a question regarding the username and password.
    Do we need to set the username/password in the studio ?
    Do we need to provide from the SOAPUI Auth tab ? If it’s only from SOAPUI Auth tab then what is the username/password ? Is it tibco admin user id and password?
    Basically I am stuck in username/password part.

    Thank You

  2. Hi,

    Could you prepare a tutorial of applying security in businessworks 6.2? It has a very different configuration and there is isufficient documentation.

    Thanks in advance!

  3. Hi, thank you for your tutorial. It is straightforward and easy to follow 🙂

    I managed to get the service blocked by clients without authentication following your example. However, I could not make the service work from soapUI even after providing the username and password. In fact, I keep getting “WS Security Error : 181201”.
    The HTTP log shown “HTTP/1.1 500 Internal server error”.

    • Are your question related about how you specify your users database and link it with the policy? Or about how could you invoke specifiying the username and the password inside the SOAP header?

      • Dear
        thank you for your lesson
        i have question where or how can i put User Name example you put tibco in soupui but where you are put in project

        i think the third time i asked and there are another asked please answer 🙂
        thank you

  4. Very Nice example…!!!

    It will be good if you can share whole example step by step with screenshot …so Please will not raise concern….:)

  5. Is it configured in

    There is no file with that name in my tibco folder or on my computer.
    Do you know where I can download this file for local use or have an example of tha file that I can use and configured for my service?
    I’m using Tibco BW Hotfix03

    • As you can see in the post, you have to set the UsernameToken in your WebService Client. In the example this client is the Soap UI software, which has the capability to specify the username and the password using a Windows Form. Thanks for your comment!

      • Hi
        Thank you for a quick response, I know that part 🙂
        But I’m only having trouble applying this username and password to my WSSecurity Service. 😦
        I thought it would be configured in the Security Policy part where the UserNameToken is chosen, but I can’t browse to a identiy file from there and can’t see in the example you provided where the Username “tibco” and Password is configured.

  6. Hi
    It was very nice short and clear way to implement security services.
    Can you please post similar for REST Service how to implement Rest Service and Security to Rest Service. When Rest service is good and when Webservice is good?

    • Hi Rup Abba,

      First of all, I wan’t to apologize myself for the delay in the response. The way you can apply security to REST Service is very different. In this post we are using a Web Service Standard only aplicable to the SOAP requests. In BW5.x if you have a REST service developed using the TIBCO ActiveMatrix BusinessWorks™ Plug-in for REST and JSON you can apply security options at the transport level, using the HTTP capabilities (Basic Authentication and so on).

      If you want to use other security methods like OAuth or similar ones, you have to use a Security Gateway. There are some products in the TIBCO porfolio to do that, and I think the most recent is the API Exchange and you can get the documentation from the official web site: (similar to the older ones like: TIBCO Policy Manager or TIBCO Policy Director)

      The REST service are often used in lightweight environments and mainly focus in web application because the use of the JSON notation, you can read more in this link:

  7. i’m having this kind of error “unexpected end of file after null” when i called the wsdl from SOAPUI. I just copied your code, did no change and then deployed it. Should there be something configured first?

  8. While configuring security policy where are credentials you have provided? I see you have passed credentails in soap ui while invoking web services? what is the user name and password….

  9. Where exctaly in soap ui we have to provide this credentials. i guess this are tibco admin credentials we need to provide

  10. Very nice post and very clear, thanks for that…..
    Could you please tell me, how to make the security to entire webservice. for ex: i have 4 operations in wsdl , i want to provide security to all operations, With the above scenario i have to apply policy for all operations, instead of that, is there any posibility to apply security to entire wsdl.

    • As far as I know the only way you can achieve that is the way that you suggested, you must have 4 Security Policy Application which one applies over only single service operation. As you can see the Security Policy Application only connect the Policy with the operations, so you’ll only have one single policy (the same for all the operations) but you must have four elements to apply this policy.

  11. Too good !! One of the good sharing in recent days…
    Could you please share the SOAP UI tool if its possible
    Thanks a lot!!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s