Some 'more, in-depth' information on Oracle BPEL PM, ESB and other SOA, day2day things

Tuesday, February 28, 2006

BPEL Security changes between 10.1.2 Patch 2 and 10.1.2.0.2

As I have read on the OTN forums today (see here), there seems to be some confusion about the currently supported security features, and especially about how to implement them in the current release.

So I thought I would write a short blog note to clarify this.

The security features were implemented as a preview in 10.1.2 Patch 2, and the webinar showing these features was recorded at that time. Moving forward to the current production release (10.1.2.0.2), some parts of the configuration were heavily changed to fit into the domain concept, and a message handler framework was introduced to intercept incoming calls.

As a result, no configuration is done in the console any more, and no custom file needs to be configured to enable security.
The one and only place for configuring security is now message-handlers.xml, located in the $BPEL_HOME/domains/your domain/config directory. Here the interceptor and the actual implementation are configured.


<message-handler id="security">
  <classname>com.collaxa.cube.security.Authenticator</classname>
  <comment>
    <![CDATA[This is the handler for security interception]]>
  </comment>

  <property id="ACLManager">
    <value>BPMIdentityValidator</value>
    <comment><![CDATA[BPMIdentityValidator uses the server
    configured security such as JAAS to validate the
    user against]]>
    </comment>
  </property>

  <property id="SecuredProcesses">
    <value>SecuredCreditRatingService</value>
    <comment><![CDATA[Processes can be secured
    explicitly without having effect on the whole
    domain, put their names in here and comma separate
    them]]>
    </comment>
  </property>

</message-handler>


If you decide to implement your own validator, based either on the ACLManager interface or on BPELProcessValidator, you only need to change the value of the ACLManager property to point to your class, and put the class into the system/classes directory.

Finally, ensure that the interceptor is used by uncommenting the security part within the inbound flow, as shown here:


<inbound-flow>
<message-handler id="security" />
</inbound-flow>
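
A handler that is defined but still commented out of the inbound flow intercepts nothing, so it is worth checking a domain's message-handlers.xml for exactly that. The script below is an added example, not part of the original post or of Oracle's code; the root element name `message-handlers`, the process name `OtherProcess` and the function name `audit` are assumptions made for the constructed sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the root element name and the second process name are
# assumptions; the handler and flow elements are the ones shown in the post.
SAMPLE_DISABLED = """<message-handlers>
  <message-handler id="security">
    <classname>com.collaxa.cube.security.Authenticator</classname>
    <property id="ACLManager"><value>BPMIdentityValidator</value></property>
    <property id="SecuredProcesses">
      <value>SecuredCreditRatingService, OtherProcess</value>
    </property>
  </message-handler>
  <inbound-flow>
    <!-- <message-handler id="security" /> -->
  </inbound-flow>
</message-handlers>"""

SAMPLE_ENABLED = SAMPLE_DISABLED.replace(
    '<!-- <message-handler id="security" /> -->',
    '<message-handler id="security" />')


def audit(xml_text, handler_id="security"):
    """Report whether the handler is defined and referenced in inbound-flow."""
    root = ET.fromstring(xml_text)  # XML comments are dropped by the parser
    result = {"defined": False, "in_inbound_flow": False,
              "acl_manager": None, "secured_processes": []}
    for h in root.iter("message-handler"):
        # A definition carries <classname>; a flow reference is an empty element.
        if h.get("id") == handler_id and h.find("classname") is not None:
            result["defined"] = True
            for prop in h.findall("property"):
                value = (prop.findtext("value") or "").strip()
                if prop.get("id") == "ACLManager":
                    result["acl_manager"] = value
                elif prop.get("id") == "SecuredProcesses":
                    result["secured_processes"] = [
                        p.strip() for p in value.split(",") if p.strip()]
    for flow in root.iter("inbound-flow"):
        if any(r.get("id") == handler_id for r in flow.iter("message-handler")):
            result["in_inbound_flow"] = True
    result["active"] = result["defined"] and result["in_inbound_flow"]
    return result


if __name__ == "__main__":
    for name, text in (("disabled", SAMPLE_DISABLED), ("enabled", SAMPLE_ENABLED)):
        print(name, audit(text))
```

To audit a real domain, pass the contents of its message-handlers.xml to `audit()` and alert when `active` is false or when an expected process is missing from `secured_processes`.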


For more information and a detailed sample, check out the 133.InvokingSecuredProcesses tutorial in the samples/tutorials folder.
