I am trying to publish API in wso2 API Manager. But I am using basic security with my authorization key. I am getting a type error: Failed to execute 'fetch' on 'Window': Invalid name. I tried to change the swagger file. But didn't get the required response.
If you are trying to send a header to your backend through APIM, you have define it as a header under resources in the Publisher portal.
However, if the name of your header is Authorization you will have to use some sort of a mediation to send this to your backend. For example,
<sequence xmlns="http://ws.apache.org/ns/synapse" name="KeyExchange">
<property name="Custom" expression="get-property('transport', 'Custom')"/>
<property name="Authorization" expression="get-property('Custom')" scope="transport"/>
<property name="Custom" scope="transport" action="remove"/>
</sequence>
If you add the above to your in-sequences, you will have to send a header called Custom with the key you need to send to the backend. Then APIM will replace this Custom header with Authorization header when sending the request out from APIM.
If you have enabled Basic auth for your API created in APIM, you need to follow [1] to invoke the API.
Related
I'm trying to write a SOAP Web Service that:
accepts one request type A
maps request A to another outbound request type B
sends request B to an external SOAP service
maps the response B back to a response A object (and returns it)
I have this working when the endpoint (B) is statically configured.
But I want to be able to hit a variety of services with varying request/response types. These would probably be configured via a properties file.
Is it possible to do this in some generic/dynamic way?
Here's my spring camel XML:
<!— SOAP inbound service —>
<cxf:cxfEndpoint
id="paymentService_A"
serviceClass="#paymentServiceBean"
address="/PaymentService"/>
<!— SOAP outbound service —>
<cxf:cxfEndpoint
id=“paymentService_B"
wsdlURL="http://localhost:9080/externalpayment/ExternalPaymentService?wsdl"
serviceClass="com.yngwietiger.ExternalPayment"
address="http://localhost:9080/externalpayment/ExternalPaymentService"/>
<!— MAP from inbound SOAP request object to external SOAP request object —>
<bean id="mapAToB_RequestProcessor" class="com.yngwietiger.MyProcessor"/>
<!— MAP external SOAP response to a response for the initial/inbound SOAP request —>
<bean id="mapBToA_ResponseProcessor" class="com.yngwietiger.MyPostProcessor"/>
<camel:camelContext id="camelContext">
<camel:route>
<camel:from uri="cxf:bean:paymentService_A"/>
<camel:process ref="mapAToB_RequestProcessor"/>
<camel:to uri="cxf:bean:paymentService_B"/>
<camel:process ref="mapBToA_ResponseProcessor"/>
</camel:route>
</camel:camelContext>
Obviously, I'm using Camel's cxfEndpoint bean. But I don't see any way to set the address, wsdlURL, etc for each request. Is that possible?
Or am I going to have to build a route for each type? If so, how do I build one of these cxfEndpoints dynamically?
Would using Spring's WS Template be more flexible?
Is there a better way that I should be doing this?
Thanks in advance.
Camel Recipient List would better fit into your requirement. This is the link, http://camel.apache.org/recipient-list.html. You have to generate the dynamic endpoint and set into the header somewhere in the route and call the recipient list.
I think you can use HTTP endpoint for your outbound message.
As it is done in the example here
I am working in spring integration soap web service module for my project requirement. In my project if soap request does not find endpoint then there is a need to send soap fault message like "Invalid endpoint", for example if end point to access my service is http://www.mycomp.com/mychannel in request but user sends in request http://www.mycomp.com/myproject, here I want to send response as "invalid endpoint" soap fault.How can I achieve this in spring integration.
please find below ws-conf.xml
<context:component-scan base-package="com.mycomp.mychannel" />
<context:spring-configured/>
<context:annotation-config/>
<import resource="classpath:/WEB-INF/soap/config/g-config.xml" />
<!-- this is used for the endpoint mapping for soap request -->
<bean class="org.springframework.ws.server.endpoint.mapping.PayloadRootAnnotationMethodEndpointMapping" />
Thanks in advance.
Your question isn't valid or isn't full. Or I just don't understand you.
Actually MessageDispatcherServlet (Spring WS) just delegates request to the SoapMessageDispatcher, which ends up with NoEndpointFoundException, if there is no Endpoint with the provided path in Request.
And that Exception will be treated as SOAPFault with the faultMessage like No endpoint can be found for request ....
So, be more specific, please. Looks like Spring WS already has all required features.
I am having problems with redirecting to access token entry point /oauth/token which will detail bellow. I am hoping someone could give me some light to it as I took a lot of time
implementing this.
Also, interesting is the fact that I cannot test with with SoapUI 5.0 community edition even following their instructions. It gest the authorization code but fails later as you need to set the redirect URI as "urn:ietf:wg:oauth:2.0:oob".
Since Spring-Security-Oauth2 lacks a lot of good documentation and I had spent lots of time debugging and documenting the work I decided to share
my comments and configuration code here which might also be helpfull to someone else.
I am using the following dependencies versions on my pom:
<org.springframework-version>4.0.5.RELEASE</org.springframework-version>
<org.springframework.security-version>3.2.5.RELEASE</org.springframework.security-version>
<org.springframework.security.oauth2-version>2.0.3.RELEASE</org.springframework.security.oauth2-version>
Now, the idea was to implement all the clientId objects, UserPrincipal, access, nonce and token stores using Cassandra as a persistency store. All those components
are working perfectly and are tested. In fact, it fetches all the authentication/authorization, creates authorization codes.
I've seen a bug recently on testing JDBC stores on Spring Oauth2 github but that was related to testing not the actuall implementation, specially because not
using JDBC.
I have wrote a client webapplication to access a REST resource which resides with the OAuth2 servers and Spring Security for logging in. All goes well until I go request
an access token to /oauth/token.
When I hit the secure Rest service first it properly starting doing redirections and goes tru DefaultOAuth2RequestFactory createAuthorizationRequest() method. Loads
the ClientDetails object perfectly with the secret etc from the store. So it has all the scopes, grants etc for the Oauth2 client. It also validates properly the redirectURIParameter
and resolves the redirect. Then it goes to the TokenStoreUserApprovalHandler and create the OAuth2Request object. Then, of course, tries to find an existing access token which
does not exist yet on the workflow. It creates the authenticationkey from authenticationKeyGenerator and queries the store which properly returns null at this point.
Then it redirects back to /oauth/authorize twice when on the second time it has an authorization code and marks as approved (AuthorizationEndPoint) inside approveOrDeny() method.
The authorizationCodeServices creates the code and stores it properly in my Cassandra store.
At this point it calls (AuthorizationEndPoint) getSuccessfulRedirect() where it adds the state parameter to the template.
Then it calls (OAuth2RestTemplate class) getAccessToken() method. Since the access token is fine and valid it then calls acquireAccessToken() which returns an accessTokenRequest with
{code=[Q19Y6u], state=[1PyzHf]} . Then it calls the accessTokenProvider to obtain an access token at obtainAccessToken(). Then the calls OAuth2AccessTokenSupport is called at
retrieveToken() method. And fails at getRestTemplate. The AuthorizationCodeResourceDetails is created perfectly with grant type authorization_code and it has both authorizationScheme
and clientAuthenticationScheme as header. The clientId is correct as the clientSecret. The id of the AuthorizationCodeResourceDetails is oAuth2ClientBean and the userAuthorizationURI is
http://myhost.com:8080/MyAPI/oauth/authorize. Headers show as
{Authorization=[Basic .....]}
The extractor is org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport.
The form is {grant_type=[authorization_code], code=[Xc7yni], redirect_uri=[http://myhost.com:8080/OAuthClient/support]}
And then the application freezes and it shows on the logs:
DEBUG: org.springframework.security.authentication.DefaultAuthenticationEventPublisher - No event was found for the exception org.springframework.security.authentication.InternalAuthenticationServiceException
DEBUG: org.springframework.security.web.authentication.www.BasicAuthenticationFilter - Authentication request for failed: org.springframework.security.authentication.InternalAuthenticationServiceException
Then I have the following Exception on my client web application:
org.springframework.web.util.NestedServletException: Request processing failed; nested exception is error="access_denied", error_description="Error requesting access token."
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:973)
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:852)
javax.servlet.http.HttpServlet.service(HttpServlet.java:618)
org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:837)
Now, I believe I have a few things wrong on my xml configuration for OAuth2 and Spring Security. So the configuration file follows.
I do have a few questions concerning it so here are the questions first:
1) <oauth2:authorization-server> I am not sure if I had this configured correctly. Please look at the comments I have on my xml file.
I have added the authorization-request-manager-ref parameter which points to my userAuthenticationManager bean, a authentication manager
which takes a authentication-provider user-service-ref="userService"
<oauth2:authorization-server client-details-service-ref="webServiceClientService"
token-services-ref="tokenServices" user-approval-page="/oauth/userapproval"
error-page="/oauth/error" authorization-endpoint-url="/oauth/authorize"
token-endpoint-url="/oauth/token" user-approval-handler-ref="userApprovalHandler"
redirect-resolver-ref="resolver">
<oauth2:authorization-code
authorization-code-services-ref="codes" />
<oauth2:implicit/>
<oauth2:refresh-token/>
<oauth2:client-credentials/>
<oauth2:password authentication-manager-ref="userAuthenticationManager"/>
<!-- <oauth2:custom-grant token-granter-ref=""/> -->
</oauth2:authorization-server>
2) authentication-manager oauthClientAuthenticationManager is used when "/oauth/token" is intercepted.
This is defined as follows:
<sec:authentication-manager id="oauthClientAuthenticationManager">
<sec:authentication-provider user-service-ref="clientDetailsUserService">
<sec:password-encoder ref="passwordEncoder" />
</sec:authentication-provider>
</sec:authentication-manager>
3) I have the following methodSecurityExpressionHandler bean defined which is used at sec:global-method-security.
Not sure if this is correct or not as well.
<beans:bean id="methodSecurityExpressionHandler"
class="org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler" />
4) I also have a bean "clientCredentialsTokenEndpointFilter" which I believe is not recommended.
I use this as a custom-filter for entry point "/oauth/token" but I believe this is wrong.
<beans:bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<beans:property name="authenticationManager" ref="oauthClientAuthenticationManager"/>
</beans:bean>
A filter and authentication endpoint for the OAuth2 Token Endpoint. Allows clients to authenticate using request
parameters if included as a security filter, as permitted by the specification (but not recommended). It is
recommended by the specification that you permit HTTP basic authentication for clients, and not use this filter at
all.
5) Now for the Oauth Token Endpoint:
This is the endpoint /oauth/token as I have many questions here:
This is never reached.
Shall I have a custom-filter like clientCredentialsTokenEndpointFilter to it or not?
Do I have to have a http-basic entry point?
Shall I have an access attribute as in IS_AUTHENTICATED_FULLY or can I use an authority I have defined on my UserPrincipal object such as OAUTH_CLIENT I have added there?
What about the session? Shall I say "stateless" or
"never"
Shall I add the corsFilter to it as well?
Is the entry point correct? Which is the OAuth2AuthenticationEntryPoint class?
Do I have to add the csrf token? I believe not as it will
restrict it more.
Is the expression-handler correct as a org.springframework.security.oauth2.provider.expression.OAuth2WebSecurityExpressionHandle?
The authentication-manager-ref I can change from oauthClientAuthenticationManager to userAuthenticationManager.
<sec:http use-expressions="true" create-session="stateless"
authentication-manager-ref="userAuthenticationManager"
entry-point-ref="oauthAuthenticationEntryPoint" pattern="/oauth/token">
<sec:intercept-url pattern="/oauth/token" access="hasAuthority('OAUTH_CLIENT')" />
<!-- <sec:intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" /> -->
<sec:http-basic entry-point-ref="oauthAuthenticationEntryPoint"/>
<!-- <sec:http-basic/> -->
<sec:anonymous enabled="false" />
<sec:custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER" />
<sec:access-denied-handler ref="oauthAccessDeniedHandler" />
<sec:expression-handler ref="webSecurityExpressionHandler" />
<!-- <sec:custom-filter ref="corsFilter" after="LAST"/> -->
</sec:http>
I would like to add the full config file here but there is a limit.
The /oauth/token endpoint should be secured with client credentials, and it looks like you wired it to a user authentication manager. You didn't show the configuration or implementation of that, but judging by the InternalAuthenticationServiceException it is failing with an exception that isn't classified as a security exception. Fix those two things and you might be in business.
(The #Configuration style is much more convenient by the way, and I would recommend getting started with that and more of the defaults it provides, until you get the hang of it.)
I’m exploring the use of topics and events in WSO2 ESB 4.8.1, I created a topic and subscribed to it the endpoint of one dataservice running in WSO2 WSAS(A), I supposed that if I published a message with the structure defined for the incoming message of one of A operations in the publish tool of the Topic Details console, the message would be sent to the supscriptor (A) and everything where going to work fine, but it don’t. Why?
I also create a proxy service with an event mediator and configured the event mediator with the name of the created topic. Then I Try the proxy service with an incoming message with the same structure explained before. I was expecting to at least get an incoming message in the WSAS Soap Tracer, but nothing happened.
Am I missing something?
The eventing infrastructure is based upon the WS-Eventing specification. Since you are using a WSDL based service as a subscriber of the topic and intend to invoke a specific operation of that service, I imagine it is failing because the SOAP message and/or SOAP action are incorrect because the message sent to the topic and the service are based around WS-Eventing and not your service.
I created the simple proxy below and subscribed it to a topic.
<proxy xmlns="http://ws.apache.org/ns/synapse" name="LogSubMessage" transports="http" statistics="disable" trace="disable" startOnLoad="true">
<target>
<inSequence>
<log level="full" category="ERROR">
<property name="SERVICE" value="LogSubMessage"/>
</log>
</inSequence>
<outSequence><send/></outSequence>
</target>
</proxy>
I then sent a <test/> message to the topic.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<ns:topic xmlns:ns="http://wso2.org/ns/2009/09/eventing/notify">topicname</ns:topic>
</soapenv:Header>
<soapenv:Body>
<test/>
</soapenv:Body>
</soapenv:Envelope>
As you can see in the message above, the message logged in the service contains WS-Eventing SOAP headers and the SOAP action was set to http://ws.apache.org/ws/2007/05/eventing-extended/Publish . If your data service requires that the SOAP header contain the name of the operation to invoke, then it would reject this request.
I would suggest creating a proxy service, similar to the the one above, that would subscribe to the topic. This service would set the correct SOAP action, perform any message transformations you need, and call your data service.
I'm developing SOAP web services using spring-ws framework and it is required to implement authentication for web service access.I'm trying to implement token based authentication as follows.
There is a separate web method to user authentication. If user credentials are valid, system generated token will be returned to the client. Token will have limited validity period.
When user accessing rest of the web methods, its required to provide username with the valid token which is returned by the authentication method.
Once the token expired, user need to get the valid token again and again through the authentication web service.
Please advice, what are the available methods in spring framework to implement such a scenario. Since I'm newer to spring web-service security, its better if I can have simple guideline on how to implement.
Thank you.
Here you can use Wss4jSecurityInterceptor - an EndpointInterceptor which can be used to perform security operations on request messages (of course before calling the Endpoint)
<bean class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
<property name="validationActions" value="UsernameToken Encrypt" />
</bean>