This example demonstrates how to invoke a Web Service that
requires a logon.
In the image below, in ProcessB the Receive step requires a user
name and password (authentication) in order to continue. CheckRec
is a user step to allow you to examine any data, and to confirm that
the Receive step executed.
In ProcessA, the user provides the user name and password in a
step before the Invoke step. In a post-step assignment, the user name
and password are encoded to make this data unreadable in the running
workflow.
The Invoke step is a system step with both an Assign and an Invoke
system function. The Assign inserts the user name and password into
the Security section of the Web Services message header. The Invoke
follows the usual procedure for choosing the Partner Link and specifying
the data fields for the outgoing parameters.
CheckInv is a user step that allows you to examine the data. Note
the encoding of the user name and password.

Create ProcessB workflow
- In Process Designer, on
the tab, provide a name and subject for the workflow definition
(ProcessB).
- Define the Web Service.
- On the Partner Links tab, enter a name
(RecProcessB) for the Web Service, then select Receive/Reply and clear
Invoke.
- In Process Port Type , enter a name (RecProcessBPort).
Click
Receive/Reply in the Type field to update the data. A new blank line
will display in the Partner Links table.
- On the tab, Finalize existing web services should not be selected—we
want to be able to modify the web service input and output parameters
as many times as we want.
- From the Web Services Palette, drag a Receive step to the workflow
map and name it ReceiveAuth. The Receive step must be the first step
after the Launch step in order to launch this workflow automatically.
- In the Properties pane, select the Partner Link for this Web Service
(RecProcessB)
- For Operation, enter a name (RecProcessBOp).
- Select Parameters message type
- Under Operation Parameters, specify the required input fields:
Table 1. Operation ParametersName |
Type |
Field Name |
MyName |
String |
(Create) MyName |
MyCompany |
String |
(Create) MyCompany |
- On the Advanced tab, select Authentication
Yes. Under Only Accept Messages From, select the name of a user or
group who is authorized to send messages to this web service. At
runtime, the invoking message must provide the specified user name
and the password.
- From the BPM step palette, drag an Activity step to the workflow
map and name it CheckRec. This step allows you to look at the data
fields and confirm that the Receive step executed.
- Choose a specific user (you can assign it to yourself) as the
participant for the step. NOTE Do not assign F_Originator for any
step in this workflow because this workflow will be launched by the
system.
- Specify MyName and MyCompany as parameters for this step.
- Validate, save, and transfer this workflow.
Create ProcessA workflow
- Create a new workflow definition.
- On the Workflow Properties >> General tab, provide a name and
subject for the workflow definition (ProcessA).
- In Workflow Properties >> Data Fields, define the following fields:
MyUserName (String), MyPassword (String)
TIP Data fields MyUserName
and MyPassword will be passed to the web service in ProcessB as required
by the Authentication option in the Receive step. Even though we will
encode these fields so that they cannot be read in the running workflow,
in an actual production application you might consider naming these
fields something less obvious to avoid calling attention to them.
- Define the Web Services Partner Link.
- On the Web Services >> Partner Links tab, enter a name (InvProcessA)
for the Partner Link.
- With Invoke selected, click Web Services explorer in WSDL URL.
- In the Web Services Explorer dialog box, select Web Services workflows,
then click Execute to display workflows with a Receive system function
that have been transferred to workflow system.
- Select ProcessB, then click OK.
- On the Partner Links tab, select the Port Type (RecProcessBPort).
TIP Click Invoke in the Type field to update the data. A new blank
line will display in the Partner Links table.
- From the BPM step palette, drag an Activity step to the workflow
map and name it EnterLogon.
- From the BPM step palette, drag a System step to the workflow
map and name it InvAuth.
- From the list of system function, move Assign and Invoke to the
right column. We are using Assign to insert the user name and password
into the header of the invoke message, so Assign must be before the
Invoke system function.
- Under Selected Functions, double-click Invoke. In the Properties
pane, select the Partner Link InvProcessA and Operation RecProcessBOp.
- Select Parameters and create the data field MyName and MyCompany.
- Double-click Assign system function in the InvAuth step.
- In Assignment Parameters, enter a name (temp)—we will replace
it in a later step, then click Expression Builder.
- In Expression Builder, from the list, select Partner Links and
choose InvProcessA. The message header displays in Header Information.
Click Insert to insert it into the Expression area.

Note
that the Security section is in this header because the Receive Web
Service requires authentication.
- Edit this header as follows:
- Cut (to the clipboard) F_EndPointRefInvProcessA= from the beginning
of the message. We will paste it as the name of the assignment.
- Delete the line OPTIONAL_FINAL_SOAP_ADDRESS shown above in the
box.
- Add double quotation marks (") to each existing double quotation
mark, and at the beginning and end of the message to make it a valid
string expression.
- Replace USERNAME and PASSWORD with the appropriate field names
MyUserName and MyPassword, and add the closing and opening quotes
and pluses to insert the field names into the string expression. The
completed message is shown below.
"<wsa:EndPointReference xmlns:wsa=""http://schemas.xmlsoap.org/ws/2003/03/addressing
"">
<wsa:ReferenceProperties>
<wsse:Security xmlns:wsse=""http://schemas.xmlsoap.org/ws/2002/12/secext" <wsse:UsernameToken>
<wsse:Username>" + MyUserName + "</wsse:Username>
<wsse:Password>" + MyPassword + "</wsse:Password>"
</wsse:UsernameToken>
</wsse:Security>
</wsa:ReferenceProperties>
</wsa:EndPointReference>"
- Click OK to close the Expression Builder.
- Paste F_EndPointRefInvProcessA into the Name field (replacing
temp) in Assignment Parameters. (Delete the trailing =.)
- Select the EnterLogon step.
- Specify MyName, MyCompany, MyUserName, and MyPassword as step
parameters.
- On the Assignments tab, select After Completion and use the following
field assignments to encode MyUserName and MyPassword that will be
passed to the receiving workflow. This encodes the user name and
password as soon as the EnterLogon step is completed so that the unencoded
data cannot be viewed in the running workflow.
- CAUTION IBM® recommends that
data to be encoded should be entered at an Activity step and encoded
in an assignment made after completion on the same step. The data
should not be entered at the Launch step because the unencoded data
could be intercepted by the Process Tracker application during the
launch process and before the data are encoded.
Table 2. Step
ParametersField name |
Expression |
MyUserName |
encode(MyUserName) |
MyPassword |
encode(MyPassword) |
- From the BPM step palette, drag an Activity step to the workflow
map as the last step in this workflow definition so that you can view
the data. Step name: CheckInv, Participant: F_Originator (the user
who submits the request), Parameters: MyName, MyCompany, MyUserName,
MyPassword
- Validate and save this workflow.
Run the authentication example
- Launch the ProcessA workflow.
- In Workplace Tasks, open the EnterLogon step
and enter values for the four data fields. You must enter the expected
user name and password for MyUserName and MyPassword.
- Open the CheckInv and CheckRec steps. Note the encoding of the
user name and password fields in CheckInv step; these do not display
in the CheckRec step.
If you provide an invalid user name or password, the two user
steps do not appear in your inbox. Use the administration console
to locate ProcessA in the Conductor queue; ProcessB does not launch.
A FileNet® workflow cannot
invoke a web service that is deployed on a web server that requires
authentication for access. This authentication feature relates to
the Receive step, not to the web server where the web service is deployed.