weblogic Ws-security policy vs oasis policy - weblogic-10.x

We are trying to configure WS-Security on a webservice deployed on WebLogic 10.3.6: the purpose is to permit the execution of the WS only if authenticated.
So we created a user ("dummy") in the default WebLogic realm and communicated the credentials to the developer of the client of this webservice.
He released a test Envelope, run from SOAP-UI:
<soapenv:Envelope xmlns:sch="http://com.webservices.amm.standalone.key.provider/schema.xsd" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:UsernameToken wsu:Id="UsernameToken-2">
        <wsse:Username>dummy</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"><!-- digested password --></wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"><!-- encoding type --></wsse:Nonce>
        <wsu:Created>2015-06-24T14:42:48.749Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <sch:searchKeyReq>
      <sch:KeyProviderInput>
        <!--Here input attributes:-->
      </sch:KeyProviderInput>
    </sch:searchKeyReq>
  </soapenv:Body>
</soapenv:Envelope>
whose response is:
<?xml version='1.0' encoding='UTF-8'?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Body>
    <SOAP-ENV:Fault xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
      <faultcode xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">SOAP-ENV:MustUnderstand</faultcode>
      <faultstring>MustUnderstand headers:[{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood</faultstring>
    </SOAP-ENV:Fault>
  </S:Body>
</S:Envelope>
Obviously, I think, this is due to there being no WS-Policy configuration on the webservice.
So the questions are:
1) Which policy must we associate with our webservice, via the Administration Console or the WebLogic @Policy annotation, corresponding to the OASIS policy we see in the soapenv:Header tag?
2) Must the "dummy" user have some specific role?
Thanks in advance

You can simply add the line below to your web service class:
@Policy(uri = "Wssp1.2-2007-Https-UsernameToken-Plain.xml", attachToWsdl=true)
By means of this policy you tell the clients to send their username and password (plain text). There are some other policies you can choose in order to send an encrypted password, such as Digest.
You can also choose this policy from the WebLogic console.
And about the role of the user, according to my knowledge, defining a new user in the security realm just works really well, but in order to manage roles and permissions there should be some roles.

Related

How to set SOAP Envelope Header in Spring Integration with data from int-http:inbound-gateway?

I tried to build a simple spring integration project where I get a REST request and convert it to a SOAP request. Something like:
<int-http:inbound-gateway id="rest-inbound-gateway" request-channel="restRequestChannel"
    reply-channel="restOutputChannel" supported-methods="POST"
    path="/somepath" request-payload-type="com.something.RequestObject">
  <int-http:request-mapping consumes="application/json" produces="application/json" />
</int-http:inbound-gateway>

<int:transformer ref="RestToSoapTransformer" method="transform"
    input-channel="restRequestChannel" output-channel="transformedChannel"/>

<int-ws:outbound-gateway id="marshallingGateway"
    request-channel="transformedChannel" reply-channel="restOutputChannel"
    uri="http://localhost:8088/mockSoapBinding" marshaller="marshaller"
    message-sender="messageSender"
    unmarshaller="marshaller">
</int-ws:outbound-gateway>
But some information that is in the REST request needs to be put into the SOAP envelope header and not the envelope body. E.g.
REST Request:
{
  "foo": "foo",
  "bar": "bar"
}
And the SOAP Request should be:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <foo>foo</foo>
  </soapenv:Header>
  <soapenv:Body>
    <bar>bar</bar>
  </soapenv:Body>
</soapenv:Envelope>
How can I do that? The transformer only creates the SOAP body, and in an interceptor or header mapper I don't have the original request anymore. Is there any way to do that?
See the documentation.
WS Message Headers
The Spring Integration WebService Gateways will map the SOAP Action header automatically. It will be copied by default to and from Spring Integration MessageHeaders using the DefaultSoapHeaderMapper.
Of course, you can pass in your own implementation of SOAP specific header mappers, as the gateways have respective properties to support that.
Any user-defined SOAP headers will NOT be copied to or from a SOAP Message, unless explicitly specified by the requestHeaderNames and/or replyHeaderNames properties of the DefaultSoapHeaderMapper.
...

SOAP UI validates improper fault structure

Can you help me understand why SOAP UI (v4.0.1) validates the structure below even though it should be non-compliant with the standard schema?
<soapenv:Body>
  <code>FOUTNUMMER : RRC073</code>
  <soapenv:Fault>
    <faultcode>soapenv:Client</faultcode>
    <faultstring>Provider Error Occured.</faultstring>
  </soapenv:Fault>
</soapenv:Body>

Spring WS UsernameToken authentication + session management via spring-boot

I have published Spring web services using Spring Boot. In WsConfigurerAdapter, I used XwsSecurityInterceptor with SimplePasswordValidationCallback to authenticate users and this went fine.
Web config:
@Bean
XwsSecurityInterceptor securityInterceptor() {
    XwsSecurityInterceptor securityInterceptor = new XwsSecurityInterceptor();
    securityInterceptor.setCallbackHandler(callbackHandler());
    securityInterceptor.setPolicyConfiguration(new ClassPathResource("securityPolicy.xml"));
    return securityInterceptor;
}

@Bean
CallBackHandlerHelper callbackHandler() {
    CallBackHandlerHelper callbackHandler = new CallBackHandlerHelper();
    callbackHandler.loadUsers(); // loading users from DB
    return callbackHandler;
}
Sample SOAP header:
<soapenv:Header>
  <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken wsu:Id="XWSSGID-14072105829651149256297" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:Username>admin</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">1</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>
</soapenv:Header>
Now I'm struggling with these two concerns:
1) How to use a password digest and nonce rather than plain text. (In my policy XML, I have set them to false and am loading the wss:UsernameToken in plaintext format via the SOAP header. But I would prefer to get the password digest rather than the plaintext format.)
2) I need to set up these services as stateful by keeping a session key. I don't want to send the user/pwd each and every time. The idea is to use the Username token only for the login request and thereafter manage the session with a unique key until the user sends a logoff request (hoping to keep this generated session key in memory until the session expires). How am I supposed to solve this in the given context?
For digests, you'd use the following in your security policy file:
<xwss:UsernameToken digestPassword="true" useNonce="true"/>
The reference docs for the XWSS configuration format can be found here.
I really think you should reconsider, as having stateful services is generally frowned upon. See this similar SO question for instance, or this one, or this one, and so on.
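The PasswordDigest that both the WebLogic question at the top of this page (the SOAP-UI envelope with Type="...#PasswordDigest", Nonce and Created) and the digestPassword="true" useNonce="true" setting above rely on is defined by the WSS Username Token Profile 1.0 as Base64(SHA-1(nonce + created + password)). The following Python is an added example, not code from either question, from Spring WS or from WebLogic: it builds such a token the way a client would and verifies it the way the wsse:Security handler that a policy attaches does, including the Created freshness window and nonce-replay cache that make the digest worth using over PasswordText. The user store, the password "constructed-password" and the 5-minute window are constructed assumptions.

```python
"""WS-Security UsernameToken PasswordDigest: client-side build and server-side verify.

Added example (not from the page's questions or from Spring WS / WebLogic).
"""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces and URIs from the OASIS WSS 1.0 specs (the same ones the SOAP-UI envelope uses).
SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
BASE64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

# Constructed user store standing in for the realm / DB the posts load users from (assumption).
USERS = {"dummy": "constructed-password"}
MAX_AGE = timedelta(minutes=5)  # freshness window for wsu:Created (assumption)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)), as the profile defines it."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_envelope(username: str, password: str, created=None, nonce=None) -> str:
    """Client side: same header shape as the SOAP-UI envelope in the question, with a digest."""
    nonce = nonce or secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    return f"""<soapenv:Envelope xmlns:soapenv="{SOAPENV}">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
      <wsse:UsernameToken wsu:Id="UsernameToken-1">
        <wsse:Username>{username}</wsse:Username>
        <wsse:Password Type="{PASSWORD_DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>
        <wsse:Nonce EncodingType="{BASE64_BINARY}">{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""


def parse_created(created: str) -> datetime:
    """wsu:Created is xsd:dateTime in UTC; fractional seconds are optional."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(created, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(created)


def verify_envelope(xml_text: str, seen_nonces: set, now=None) -> tuple:
    """Server side: the work a wsse:Security handler does. Returns (True, user) or (False, reason)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    token = root.find(f".//{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        return False, "no UsernameToken"
    username = token.findtext(f"{{{WSSE}}}Username", "")
    pw_el = token.find(f"{{{WSSE}}}Password")
    nonce_el = token.find(f"{{{WSSE}}}Nonce")
    created = token.findtext(f"{{{WSU}}}Created", "")
    if pw_el is None or pw_el.get("Type") != PASSWORD_DIGEST:
        return False, "password is not a PasswordDigest"
    if nonce_el is None or not created:
        return False, "digest without Nonce/Created cannot be checked for replay"
    try:
        created_at = parse_created(created)
    except ValueError:
        return False, "malformed Created"
    if abs(now - created_at) > MAX_AGE:
        return False, "Created outside freshness window"
    nonce = base64.b64decode(nonce_el.text or "")
    if nonce in seen_nonces:
        return False, "nonce replayed"
    password = USERS.get(username)
    # Compute against "" for unknown users so the timing does not reveal whether the user exists.
    expected = password_digest(nonce, created, password or "")
    if password is None or not hmac.compare_digest(expected, pw_el.text or ""):
        return False, "bad credentials"
    seen_nonces.add(nonce)  # remember the nonce for the lifetime of the freshness window
    return True, username


def run_demo() -> list:
    """Exercise the verifier: fresh token, replay of the same token, wrong password."""
    seen = set()
    env = build_envelope("dummy", "constructed-password")
    return [
        verify_envelope(env, seen),                          # (True, 'dummy')
        verify_envelope(env, seen),                          # (False, 'nonce replayed')
        verify_envelope(build_envelope("dummy", "wrong"), seen),  # (False, 'bad credentials')
    ]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

Two points the config line alone does not show: the server must keep the nonce cache at least as long as the freshness window, or the digest is replayable verbatim; and the digest only hides the password in transit, so the UsernameToken-Plain policy in the first answer (whose name carries "Https") still needs TLS underneath it.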

exploring the use of topic and event in Wso2 ESB

I'm exploring the use of topics and events in WSO2 ESB 4.8.1. I created a topic and subscribed to it the endpoint of one data service running in WSO2 WSAS (A). I supposed that if I published a message with the structure defined for the incoming message of one of A's operations in the publish tool of the Topic Details console, the message would be sent to the subscriber (A) and everything would work fine, but it doesn't. Why?
I also created a proxy service with an event mediator and configured the event mediator with the name of the created topic. Then I tried the proxy service with an incoming message with the same structure explained before. I was expecting to at least get an incoming message in the WSAS SOAP Tracer, but nothing happened.
Am I missing something?
The eventing infrastructure is based upon the WS-Eventing specification. Since you are using a WSDL based service as a subscriber of the topic and intend to invoke a specific operation of that service, I imagine it is failing because the SOAP message and/or SOAP action are incorrect because the message sent to the topic and the service are based around WS-Eventing and not your service.
I created the simple proxy below and subscribed it to a topic.
<proxy xmlns="http://ws.apache.org/ns/synapse" name="LogSubMessage" transports="http" statistics="disable" trace="disable" startOnLoad="true">
  <target>
    <inSequence>
      <log level="full" category="ERROR">
        <property name="SERVICE" value="LogSubMessage"/>
      </log>
    </inSequence>
    <outSequence><send/></outSequence>
  </target>
</proxy>
I then sent a <test/> message to the topic.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <ns:topic xmlns:ns="http://wso2.org/ns/2009/09/eventing/notify">topicname</ns:topic>
  </soapenv:Header>
  <soapenv:Body>
    <test/>
  </soapenv:Body>
</soapenv:Envelope>
As you can see in the message above, the message logged in the service contains WS-Eventing SOAP headers and the SOAP action was set to http://ws.apache.org/ws/2007/05/eventing-extended/Publish . If your data service requires that the SOAP header contain the name of the operation to invoke, then it would reject this request.
I would suggest creating a proxy service, similar to the one above, that would subscribe to the topic. This service would set the correct SOAP action, perform any message transformations you need, and call your data service.

wso2 esb mtom attachment

I am currently playing around with the WSO2 enterprise service bus, some cxf based webservices and mtom attachments.
Using SoapUI (MTOM enabled), I submit the following request to one backend service:
...
<incident>
  ....
  <attachmentList>
    <attachment>
      <contentID>cid:soapui32.png</contentID>
    </attachment>
  </attachmentList>
</incident>
...
With MTOM enabled, the raw data is:
...
<attachmentList>
  <attachment>
    <contentID>
      <inc:Include href="cid:soapui32.png" xmlns:inc="http://www.w3.org/2004/08/xop/include"/>
    </contentID>
  </attachment>
</attachmentList>
...
------=_Part_0_22113723.1360006252844
Content-Type: image/x-png; name=soapui32.png
Content-Transfer-Encoding: binary
Content-ID: <soapui32.png>
Content-Disposition: attachment; name="soapui32.png"; filename="soapui32.png"
......
So far, so good.
Now, as the next step, I create a WSDL based proxy service (WSO2 ESB 4.5.1) for this webservice:
<proxy xmlns="http://ws.apache.org/ns/synapse" name="testService" transports="https,http" statistics="enable" trace="enable" startOnLoad="true">
  <target>
    <outSequence>
      <send/>
    </outSequence>
    <endpoint>
      <wsdl service="IncidentService" port="IncidentServicePort" uri="uri2myservicewsdl"/>
    </endpoint>
  </target>
  <publishWSDL uri="uri2myservicewsdl"/>
  <description></description>
</proxy>
enableMTOM is set to true in the axis2.xml, MTOM is enabled for the proxy service.
If I submit exactly the same request with the same attachment via SoapUI, the ESB transforms the attachment to inline content (debug log):
DEBUG - Starting Activation Handler invocation. Incoming Message:
......
<incident>
  <attachmentList>
    <attachment>
      <contentID>iVBORw0KGgoAAAANSUh.....</contentID>
    </attachment>
  </attachmentList>
</incident>
.....
</soapenv:Body></soapenv:Envelope>
{org.wso2.carbon.activation.module.ActivationHandler}
Where can I enable MTOM, so that the proxy doesn't transform it to inline content?
Many thanks in advance.
Workaround
Maybe someone is interested, even if it's just a workaround:
I had enabled MTOM and SwA attachments in the axis2.xml (WSO2 ESB conf directory).
As soon as I disabled SwA and left only MTOM enabled, attachments were no longer transformed to inline content.
Now SwA is disabled for all proxy services, but that's ok for the moment.
I will have another look at it later, maybe it's a bug.