I try to implement SSO on Gitlab using SAML 2.0 and i have some problems.
The managers of the IdP in my company sent me their metadatas and following the Gitlab documentation about SAML I configured Gitlab like this.
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = true
gitlab_rails['omniauth_auto_link_ldap_user'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = false
gitlab_rails['omniauth_providers'] =
[
{
name: "saml",
args:
{
assertion_consumer_service_url: "https://my.domain.com/gitlab/auth/saml/callback",
idp_cert: "
-----BEGIN CERTIFICATE-----
IDP_Certificate
-----END CERTIFICATE-----
",
idp_sso_target_url: "https://my_idp_target_URL",
issuer: "sp-gitlab",
name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
},
label: "SSO"
}
]
I sent my metadatas to the the IdP and they were accepted.
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2017-11-22T09:24:33Z" ID="_1910909d-5325-4cba-a56f-4f9082e05e24" entityID="sp-gitlab">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
My cert
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
Mycert
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://my.domain.com/gitlab/auth/saml/callback" index="0" isDefault="true"/>
<md:AttributeConsumingService index="1" isDefault="true">
<md:ServiceName xml:lang="en">Required attributes</md:ServiceName>
<md:RequestedAttribute FriendlyName="Email address" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute FriendlyName="Full name" Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute FriendlyName="Given name" Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute FriendlyName="Family name" Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
</md:AttributeConsumingService>
</md:SPSSODescriptor>
</md:EntityDescriptor>
When I try to connect to Gitlab using SSO I have an error. The signature of my AuthnRequest is absent. IdP’s managers told me the problem comes from the certificate of my application.
So here is my conf about Gitlab HTTPS
nginx['redirect_http_to_https'] = true
nginx['redirect_http_to_https_port'] = 443
...
nginx['ssl_certificate'] = "/etc/gitlab/ssl/prod.cer"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/prod.key"
My instance of Gitlab is running behind an Apache Proxy and the certificate used for Gitlab is also used for the website on this Apache.
So why I don't have a Signature in my AuthnRequest ? Where am I wrong or what did I miss ?
P.S. : I am very new to SAML and Gitlab Configuration so I probably missed something obvious
You need to add your certificate and private key into the gitlab parameters. Also, you need to specify the security parameters to enable the generation of the signature.
This is an sample :
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
{
name: 'saml',
args: {
assertion_consumer_service_url: 'https://mywebsite/users/auth/saml/callback',
assertion_consumer_service_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
idp_cert_fingerprint: '77:EE:EE:AA:67:FA:78:4C:E2:ED:E8:57:AC:EE:AC:AB:AA:FF:FD:FD',
idp_sso_target_url: 'https://idp.url/auth/SSOPOST/metaAlias/ent/providerIDP',
idp_sso_target_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
idp_slo_target_url: 'https://idp.url/auth/IDPSloPOST/metaAlias/ent/providerIDP',
idp_slo_target_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
sso_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
protocol_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
issuer: 'sp_gitlab',
name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
certificate: "-----BEGIN CERTIFICATE-----
MIIDzjCCArYCCQCxUOzAVm5w3DANBgkqhkiG9w0BAQUFADCBqDELMAkGA1UEBhMC
....
v84ULsyAgv8sVJ4XerZ9wr7B
-----END CERTIFICATE-----",
private_key: "-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAxcTsJ0sBMAH9NwEvDT5qcGBA6JiChtM90I9di7YC98lO5qFM
....
lfIj9QAaFdL9lPskg6zX6HEooOEoLib8fm9IZCIChjhsdjoj/6QXP6k=
-----END RSA PRIVATE KEY-----",
security: {
authn_requests_signed: true,
embed_sign: true,
digest_method: "XMLSecurity::Document::SHA1",
signature_method: "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
}
},
label: 'SAML Auth'
}
]
There are no signatures in AuthnRequest according to my knowledge and experience. Signing or encryption starts in next HTTP requests.
See: https://en.wikipedia.org/wiki/SAML_2.0#Authentication_Request_Protocol
What and where are you getting errors if any?
(Example) Authnrequest doesn't have signatures:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_a976498d2ebe858cc56d486b5af2085ed957f45c5a"
Version="2.0"
IssueInstant="2017-08-10T13:29:09Z"
Destination="https://<idp_url>/idp/profile/SAML2/Redirect/SSO"
AssertionConsumerServiceURL="https://<mahara_adress>/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>
<saml:Issuer>https://<mahara_adress>/mahara</saml:Issuer>
</samlp:AuthnRequest>
I'm trying to pass some custom HTTP headers using <int-http:outbound-gateway> and <int:header-enricher> components of Spring Integration, but it doesn't work on my configuration.
I have tried two configurations. The first one with the "mapped-request-headers" attribute:
<int:chain input-channel="requestChannel" output-channel="replyChannel">
<int:header-enricher>
<int:header name="test" value="test"></int:header>
</int:header-enricher>
<int-http:outbound-gateway id="gateway"
encode-uri="true" url="http://localhost:8080/webapp/service/{request}"
http-method="GET" mapped-request-headers="test, HTTP_REQUEST_HEADERS">
<int-http:uri-variable name="request" expression="payload"/>
</int-http:outbound-gateway>
</int:chain>
The second one with the "header-mapper" attribute, with the relative DefaultHttpHeaderMapper configuration:
<int:chain input-channel="requestChannel" output-channel="replyChannel">
<int:header-enricher>
<int:header name="test" value="test"></int:header>
</int:header-enricher>
<int-http:outbound-gateway id="gateway"
encode-uri="true" url="http://localhost:8080/webapp/service/{request}"
http-method="GET" header-mapper="headerMapper">
<int-http:uri-variable name="request" expression="payload"/>
</int-http:outbound-gateway>
</int:chain>
<bean id="headerMapper" class="org.springframework.integration.http.support.DefaultHttpHeaderMapper">
<property name="outboundHeaderNames" value="HTTP_REQUEST_HEADERS, test" />
<property name="userDefinedHeaderPrefix" value="" />
</bean>
But in both cases, the message's headers loaded by the remote application are the following:
GenericMessage[
payload={},
headers={
http_requestMethod=GET,
replyChannel=org.springframework.messaging.core.GenericMessagingTemplate$TemporaryReplyChannel#4c8b7a27,
errorChannel=org.springframework.messaging.core.GenericMessagingTemplate$TemporaryReplyChannel#4c8b7a27,
host=localhost: 8080,
http_requestUrl=http://localhost:8080/webapp/service/hello,
connection=keep-alive,
id=3c2a21ba-b7f5-e5e9-c821-45251d406318,
cache-control=no-cache,
pragma=no-cache,
user-agent=Java/1.8.0_65,
accept=[
text/html,
image/gif,
image/jpeg,
*/*;q=.2,
*/*;q=.2],
timestamp=1469009855797
}
]
There is no trace of the "test" header that I'm trying to add to the request message.
What's the right way to add a custom header to the <int-http:outbound-gateway> ?
It's also good any other working solution.
UPDATE
As from Gary indication, I turned on the DEBUG mode.
This is a very interesting thing: the log says that the header [test] "will be mapped":
message sent: GenericMessage [payload=hello, headers={id=79f98422-418b-f00f-1e21-09461b1ff80c, timestamp=1469021452494}]
2016-07-20 15:53:57 DEBUG org.springframework.integration.http.support.DefaultHttpHeaderMapper.fromHeaders:402 (executor-4) - outboundHeaderNames=[test, HTTP_REQUEST_HEADERS]
2016-07-20 15:53:57 DEBUG org.springframework.integration.http.support.DefaultHttpHeaderMapper.shouldMapHeader:537 (executor-4) - headerName=[test] WILL be mapped, matched pattern=test
2016-07-20 15:53:57 DEBUG org.springframework.integration.http.support.DefaultHttpHeaderMapper.fromHeaders:420 (executor-4) - setting headerName=[X-test], value=test
2016-07-20 15:53:57 DEBUG org.springframework.http.client.support.HttpAccessor.createRequest:79 (executor-4) - Created GET request for "http://localhost:8080/webapp/service/hello"
I have implemented a simple Filter on the server side that intercepts every HTTP request, and it prints on the log every header of that request.
This is the result:
x-test=test
cache-control=no-cache
pragma=no-cache
user-agent=Java/1.8.0_65
host=localhost:8080
accept=text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
connection=keep-alive
So, the header "x-test" is present on the HttpServletRequest instance.
But after that, in the log I can see this other message (I have reported only those significant for this context):
2016-07-20 15:53:57 DEBUG org.springframework.web.servlet.DispatcherServlet.doService:865 (http-nio-8080-exec-1) - DispatcherServlet with name 'dispatcherServer' processing GET request for [/webapp/service/hello]
2016-07-20 15:53:57 DEBUG org.springframework.integration.http.support.DefaultHttpHeaderMapper.toHeaders:436 (http-nio-8080-exec-1) - inboundHeaderNames=[Accept, Accept-Charset, Accept-Encoding, Accept-Language, Accept-Ranges, Authorization, Cache-Control, Connection, Content-Length, Content-Type, Cookie, Date, Expect, From, Host, If-Match, If-Modified-Since, If-None-Match, If-Range, If-Unmodified-Since, Max-Forwards, Pragma, Proxy-Authorization, Range, Referer, TE, Upgrade, User-Agent, Via, Warning]
2016-07-20 15:53:57 DEBUG org.springframework.integration.http.support.DefaultHttpHeaderMapper.shouldMapHeader:561 (http-nio-8080-exec-1) - headerName=[x-test] WILL NOT be mapped
2016-07-20 15:53:57 DEBUG org.springframework.integration.handler.AbstractMessageHandler.handleMessage:115 (executor-4) - ServiceActivator for [org.springframework.integration.handler.MethodInvokingMessageProcessor#6ae60a] (channelServiceActivator) received message: GenericMessage [payload={}, headers={http_requestMethod=GET, replyChannel=org.springframework.messaging.core.GenericMessagingTemplate$TemporaryReplyChannel#565fe0d8, errorChannel=org.springframework.messaging.core.GenericMessagingTemplate$TemporaryReplyChannel#565fe0d8, host=localhost:8080, http_requestUrl=http://localhost:8080/webapp/service/hello, connection=keep-alive, id=9578f82d-7fc2-fe94-d8bf-3225ec955b22, cache-control=no-cache, pragma=no-cache, user-agent=Java/1.8.0_65, accept=[text/html, image/gif, image/jpeg, */*;q=.2, */*;q=.2], timestamp=1469022837172}]
Now the log says that the header "[x-test] WILL NOT be mapped". How is possibile? It's because it doesn't appear in the inboundHeaderNames ?
In fact, the header seems to be "disappeared" in the GenericMessage:
GenericMessage [
payload={},
headers={
http_requestMethod=GET,
replyChannel=org.springframework.messaging.core.GenericMessagingTemplate$TemporaryReplyChannel#16b10fb6,
errorChannel=org.springframework.messaging.core.GenericMessagingTemplate$TemporaryReplyChannel#16b10fb6,
host=localhost:8080,
http_requestUrl=http://localhost:8080/webapp/service/hello,
connection=keep-alive,
id=ba2af515-9e29-4d84-d176-5b9d0d066cb0,
cache-control=no-cache,
pragma=no-cache,
user-agent=Java/1.8.0_65,
accept=[text/html,
image/gif,
image/jpeg,
*/*;q=.2,
*/*;q=.2],
timestamp=1469021452542
}
]
I don't understand why the header in present in the HTTP Request, but it's no present in the headers of the Message channel.
I have found the answer for this issue.
The <int-http:outbound-gateway> maps the headers that had to be inserted in the "exiting" HTTP requests.
The <int-http:inbound-gateway> maps the headers that are contained in the "entering" HTTP requests.
So, it has to be defined a "header-mapper" that:
maps the "inboundHeaderNames" for the <int-http:inbound-gateway>
maps the "outboundHeaderNames" for the <int-http:outbound-gateway>
In my example case, the solution for the "OUTBOUND SIDE" (the client application) was:
<int:chain input-channel="requestChannel" output-channel="replyChannel">
<int:header-enricher>
<int:header name="test" value="test"></int:header>
</int:header-enricher>
<int-http:outbound-gateway id="gateway"
encode-uri="true" url="http://localhost:8080/webapp/service/{request}"
http-method="GET" header-mapper="headerMapper">
<int-http:uri-variable name="request" expression="payload"/>
</int-http:outbound-gateway>
</int:chain>
<bean id="headerMapper" class="org.springframework.integration.http.support.DefaultHttpHeaderMapper">
<property name="outboundHeaderNames" value="HTTP_REQUEST_HEADERS, test" />
<property name="userDefinedHeaderPrefix" value="" />
</bean>
The "outboundHeaderNames" has to be setted with the header names that has to be mapped in the "outbound requests" ("test" in this case).
While the solution for the "INBOUND SIDE" (the receiver application) was:
<int-http:inbound-gateway id="gateway" request-channel="requestChannel"
path="/service/**" supported-methods="GET"
reply-channel="outputChannel" header-mapper="headerMapper">
</int-http:inbound-gateway>
<bean id="headerMapper" class="org.springframework.integration.http.support.DefaultHttpHeaderMapper">
<property name="inboundHeaderNames" value="*" />
</bean>
The "inboundHeaderNames" setted to "*" ensure that all the headers of the source request will be mapped in the Message headers.
With this approach, we can pass custom headers to any URL in HTTP requests, and we can recover them on the server side in the message channel context.
Turn on DEBUG logging; you should see messages about header mapping like this...
08:46:44.987 DEBUG [main] ... headerName=[id] WILL NOT be mapped
08:46:44.987 DEBUG [main] ... headerName=[test] WILL be mapped, matched pattern=test
08:46:44.987 DEBUG [main] ... setting headerName=[X-test], value=foo
(This is with your first example - custom headers currently get the X- prefix by default).
I'm deploying cluster setup with Jboss 7, but failed when adding/removing the large number (1000 enrties) of entries in Infinispan cache with exception "org.infinispan.util.concurrent.TimeoutException: Unable to acquire lock after":
2016-04-05 03:37:30,102 ERROR [transport-thread-14]-[org.infinispan.interceptors.InvocationContextInterceptor] ISPN000136: Execution error: org.infinispan.util.concurrent.TimeoutException: Unable to acquire lock after [290 seconds] on key [2y1455s-13fntc-ilxzqr13-1-im24ko61-7] for requestor [GlobalTransaction:<192.168.1.3/test-cache>:18497090:local]! Lock held by [GlobalTransaction:<192.168.1.1/test-cache>:5056802:remote]
at org.infinispan.util.concurrent.locks.LockManagerImpl.lock(LockManagerImpl.java:213)
at org.infinispan.util.concurrent.locks.LockManagerImpl.acquireLock(LockManagerImpl.java:186)
at org.infinispan.interceptors.locking.AbstractTxLockingInterceptor.lockKeyAndCheckOwnership(AbstractTxLockingInterceptor.java:183)
at org.infinispan.interceptors.locking.AbstractTxLockingInterceptor.lockAndRegisterBackupLock(AbstractTxLockingInterceptor.java:124)
at org.infinispan.interceptors.locking.OptimisticLockingInterceptor$LockAcquisitionVisitor.lockAndRecord(OptimisticLockingInterceptor.java:254)
at org.infinispan.interceptors.locking.OptimisticLockingInterceptor$LockAcquisitionVisitor.visitSingleKeyCommand(OptimisticLockingInterceptor.java:249)
at org.infinispan.interceptors.locking.OptimisticLockingInterceptor$LockAcquisitionVisitor.visitRemoveCommand(OptimisticLockingInterceptor.java:237)
at org.infinispan.commands.write.RemoveCommand.acceptVisitor(RemoveCommand.java:73)
at org.infinispan.interceptors.locking.OptimisticLockingInterceptor.acquireLocksVisitingCommands(OptimisticLockingInterceptor.java:335)
at org.infinispan.interceptors.locking.OptimisticLockingInterceptor.visitPrepareCommand(OptimisticLockingInterceptor.java:123)
at org.infinispan.commands.tx.PrepareCommand.acceptVisitor(PrepareCommand.java:124)
at org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:118)
at org.infinispan.interceptors.NotificationInterceptor.visitPrepareCommand(NotificationInterceptor.java:58)
at org.infinispan.commands.tx.PrepareCommand.acceptVisitor(PrepareCommand.java:124)
at org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:118)
at org.infinispan.interceptors.TxInterceptor.invokeNextInterceptorAndVerifyTransaction(TxInterceptor.java:128)
at org.infinispan.interceptors.TxInterceptor.visitPrepareCommand(TxInterceptor.java:115)
at org.infinispan.commands.tx.PrepareCommand.acceptVisitor(PrepareCommand.java:124)
at org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:118)
at org.infinispan.interceptors.base.CommandInterceptor.handleDefault(CommandInterceptor.java:132)
at org.infinispan.commands.AbstractVisitor.visitPrepareCommand(AbstractVisitor.java:126)
at org.infinispan.statetransfer.TransactionSynchronizerInterceptor.visitPrepareCommand(TransactionSynchronizerInterceptor.java:61)
at org.infinispan.commands.tx.PrepareCommand.acceptVisitor(PrepareCommand.java:124)
at org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:118)
at org.infinispan.statetransfer.StateTransferInterceptor.handleTopologyAffectedCommand(StateTransferInterceptor.java:216)
at org.infinispan.statetransfer.StateTransferInterceptor.handleTxCommand(StateTransferInterceptor.java:189)
at org.infinispan.statetransfer.StateTransferInterceptor.visitPrepareCommand(StateTransferInterceptor.java:93)
at org.infinispan.commands.tx.PrepareCommand.acceptVisitor(PrepareCommand.java:124)
at org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:118)
at org.infinispan.interceptors.base.CommandInterceptor.handleDefault(CommandInterceptor.java:132)
at org.infinispan.commands.AbstractVisitor.visitPrepareCommand(AbstractVisitor.java:126)
at org.infinispan.commands.tx.PrepareCommand.acceptVisitor(PrepareCommand.java:124)
at org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:118)
at org.infinispan.interceptors.InvocationContextInterceptor.handleAll(InvocationContextInterceptor.java:128)
at org.infinispan.interceptors.InvocationContextInterceptor.handleDefault(InvocationContextInterceptor.java:92)
at org.infinispan.commands.AbstractVisitor.visitPrepareCommand(AbstractVisitor.java:126)
at org.infinispan.commands.tx.PrepareCommand.acceptVisitor(PrepareCommand.java:124)
at org.infinispan.interceptors.InterceptorChain.invoke(InterceptorChain.java:343)
at org.infinispan.transaction.TransactionCoordinator.prepare(TransactionCoordinator.java:141)
at org.infinispan.transaction.TransactionCoordinator.prepare(TransactionCoordinator.java:123)
at org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:124)
at com.arjuna.ats.internal.jta.resources.arjunacore.XAResourceRecord.topLevelOnePhaseCommit(XAResourceRecord.java:667)
at com.arjuna.ats.arjuna.coordinator.BasicAction.onePhaseCommit(BasicAction.java:2263)
at com.arjuna.ats.arjuna.coordinator.BasicAction.End(BasicAction.java:1475)
at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:98)
at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162)
at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1165)
at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126)
at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:75)
at org.infinispan.CacheImpl.executeCommandAndCommitIfNeeded(CacheImpl.java:1196)
at org.infinispan.CacheImpl.removeInternal(CacheImpl.java:314)
at org.infinispan.CacheImpl.access$600(CacheImpl.java:120)
at org.infinispan.CacheImpl$6.call(CacheImpl.java:994)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
The cache configuration in standalone-full-ha.xml
<cache-container name="test-cache" default-cache="security" jndi-name="java:jboss/infinispan/test/cache" start="EAGER">
<transport lock-timeout="60000" />
<replicated-cache name="security" start="EAGER" jndi-name="java:jboss/infinispan/test/cache/security" mode="SYNC" remote-timeout="60000">
<locking isolation="READ_COMMITTED" acquire-timeout="290000"/>
<transaction mode="NON_DURABLE_XA"/>
<eviction strategy="LRU" max-entries="10000"/>
<state-transfer enabled="true" timeout="420000"/>
</replicated-cache>
Thank you
I'm working on a project that call a web service and made some decision based on it. Now the web service is secured with Apache rampart with this security-policy.xml file
<?xml version="1.0" encoding="UTF-8"?>
<wsp:Policy wsu:Id="SigEncr"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
</wsp:Policy>
</sp:Wss10>
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:SignedParts>
<sp:SignedSupportingTokens
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:UsernameToken
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
</wsp:Policy>
</sp:SignedSupportingTokens>
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
<ramp:user>tatTestUser</ramp:user>
<ramp:encryptionUser>server1</ramp:encryptionUser>
<ramp:userCertAlias>client1</ramp:userCertAlias>
<ramp:passwordCallbackClass>com.asansoft.callbackHandler.PasswordCallbackHandler</ramp:passwordCallbackClass>
<ramp:signatureCrypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.file">/home/key/signedKey/client.jks</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
</ramp:crypto>
</ramp:signatureCrypto>
<ramp:sslConfig>
<ramp:property name="javax.net.ssl.trustStore">/home/key/client.jks</ramp:property>
<ramp:property name="javax.net.ssl.trustStorePassword">123456</ramp:property>
</ramp:sslConfig>
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
How can adopt my old service based on this security configuration?
I use outBoundGateWay to call a web service.
Can I use apache rampart in Spring-Integration?
Should I use an Interceptor?
I'm attempting to utilize the ruby gem Savon to connect to a web service provided by propertyware (http://propertyware.com/apidocs/Getting-Started). I've successfully connected to the service via SoapUI and executed an echoString request. When I try to do the same via Ruby I get a null user authentication error.
Here's what I've tried in Ruby...
require 'rubygems'
require 'savon'
client = Savon::Client.new do
wsdl.document = 'http://propertyware.com/pw/services/PWServices?wsdl'
wsse.credentials 'username', 'pwd'
end
response = client.request :web, :echo_string, :body => {:arg => "Hello world."}
Which produces the following xml...
<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:web="http://propertyware.com/pw/services/PWServices"
xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ins0="http://propertyware.com/pw/services/PWServices"
xmlns:ins1="http://criteria.soap.propertyware.com"
xmlns:ins2="urn:PWServices"
xmlns:ins3="http://soap.propertyware.com"
xmlns:ins4="http://xml.apache.org/xml-soap">
<env:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-1">
<wsse:Username>user</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">pwd</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</env:Header>
<env:Body>
<web:echoString>
<arg>Hello world.</arg>
</web:echoString>
</env:Body>
</env:Envelope>
Here's the xml produced by SoapUI...
<soapenv:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:web="http://webservices" >
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>user</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">pwd</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">R41mCRd+tY+xthhE/YISLQ==</wsse:Nonce>
<wsu:Created>2011-10-25T09:52:40.220Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<web:echoString soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<arg xsi:type="xsd:string">?</arg>
</web:echoString>
</soapenv:Body>
</soapenv:Envelope>
One obvious difference is that SoapUI includes a nonce key and a createdAt timestamp. I'm not sure how to make savon do that without moving to digest auth. (and fwiw that doesn't work).
I'm not real savoy in the ways of web services - any guidance would be much appreciated.
Also - here's the response when I attempt to connect via savon:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body>
<soapenv:Fault>
<faultcode xmlns:ns1="http://xml.apache.org/axis/">ns1:Server.Unauthenticated</faultcode>
<faultstring>User 'null' not authenticated (unknown user)</faultstring>
<detail>
<ns2:hostname xmlns:ns2="http://xml.apache.org/axis/">rcpppwwwapt012.realpage.com</ns2:hostname>
</detail>
</soapenv:Fault>
</soapenv:Body>
</soapenv:Envelope>
TIA!
Bob
Try setting the digest in the wsse to true. This will instruct Savon to add the nonce and createdAt to the request:
wsse.credentials 'username', 'pwd', :digest
See the comments of this object for more info
In Savon version 2 you need following:
client = Savon.client do
wsdl 'https://webservice/theservice.wsdl'
wsse_auth("user", "pass", :digest)
end
I believe the first step would be to deal with the error.
<faultstring>User 'null' not authenticated (unknown user)</faultstring>
Your credentials aren't being passed to the service.