MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » Using WS-Security in a SOAPRequest node
Vitor
PostPosted: Mon Oct 01, 2012 1:04 pm    Post subject: Using WS-Security in a SOAPRequest node

Starting out, don't say this is all documented in the InfoCenter. I know it is:

here, here, here, here, here & here. I've also reviewed this as well as this & this. I have a blinding headache and an ongoing problem.

Scenario: I'm trying to consume a web service using WMBv7.0.0.3. I have a WSDL which I've made deployable and WMB has built a nifty little sub flow for me. The service requires a WS-Security user id & password, which is available to the Compute node building the SOAP request but is not in any of the transport headers. As a result of the above reading I set the Identity in the Properties, created a policy set with username and password tokens, a binding associated with the policy set and a security profile with Propagation set to TRUE. I put all of this in the properties of the bar file, baked for a few minutes with a deploy command until golden brown and was rather upset to discover the target service complaining the wsse was missing.

I've tried it with IdentitySource, IdentityMapped, also threats, bribes and just cajoling. If I just add ESQL to add the username and password it works fine, but what am I missing?

Also, should the PolicySet, bindings and profile disappear from the bar file properties when I rebuild it or is that just my Toolkit being funky? Again?
_________________
Honesty is the best policy.
Insanity is the best defence.
ganesh
PostPosted: Tue Oct 02, 2012 4:37 am

Quote:
Also, should the PolicySet, bindings and profile disappear from the bar file properties when I rebuild it or is that just my Toolkit being funky? Again?

It disappears every time you build the bar file, you have to add it manually every time.
Vitor
PostPosted: Tue Oct 02, 2012 4:44 am

ganesh wrote:
Quote:
Also, should the PolicySet, bindings and profile disappear from the bar file properties when I rebuild it or is that just my Toolkit being funky? Again?

It disappears every time you build the bar file, you have to add it manually every time.


Reassuring. With luck it's fixed in the next version; anyone?

Any thoughts on why it doesn't work even if I do add it?
mqjeff
PostPosted: Tue Oct 02, 2012 7:00 am

The bad news: On SOAPRequest and SOAPAsyncRequest nodes, only Username and SAML tokens can be propagated. However, on the SOAPRequest and SOAPAsyncRequest nodes with a Kerberos policy set and bindings, a Username and password token can be propagated into the node to provide the Kerberos client credentials.

The other point is:
Quote:
Use ESQL or Java to set the Mapped Identity fields in the Properties tree.


So you do need to use the mapped fields, not the source fields.

You also may not have needed to create your own security profile - the standard ws one may have been sufficient.
mqjeff
PostPosted: Tue Oct 02, 2012 7:43 am

The good news is that there's no specific reason you need to use the security profiles at all, if it's a standard ws-security header. You can just build it yourself and stick it in the soap message you pass to the request node. The only complexity is the type of encryption needed on the password...
Vitor
PostPosted: Tue Oct 02, 2012 8:04 am

mqjeff wrote:
The good news is that there's no specific reason you need to use the security profiles at all, if it's a standard ws-security header. You can just build it yourself and stick it in the soap message you pass to the request node.


It's comforting to know the kludge I put in to get it working is actually the right answer.

But if that's the case (and I assure you I believe you) how do I handle it in the response? With the header built manually, the service responds with a smile and a happy wave, but broker blows up:

Code:
BIP3701E: A Java exception was thrown whilst calling the Java JNI method ''Axis2Requester_processResponseMessageSync''. The Java exception was ''org.apache.axis2.AxisFault: MustUnderstand Header-Check Failed for Header: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security whilst processing operation: importDocument''. The Java stack trace was ''Frame : 0 org.apache.axis2.AxisFault: MustUnderstand Header-Check Failed for Header: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security whilst processing operation: importDocument
    @: com.ibm.broker.axis2.MustUnderstandHeaderInHandler.invoke(MustUnderstandHeaderInHandler.java:327)
    @: org.apache.axis2.engine.Phase.invoke(Phase.java:318)
    @: org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:268)
    @: org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:175)
    @: com.ibm.broker.axis2.Axis2Requester.processResponseMessageInternal(Axis2Requester.java:1750)
    @: com.ibm.broker.axis2.Axis2Requester.processResponseMessageSync(Axis2Requester.java:1510)


How do I explain how to understand the mustUnderstand without all the policy set stuff?
mqjeff
PostPosted: Tue Oct 02, 2012 8:42 am

remove the security policy?
mgk
PostPosted: Tue Oct 02, 2012 8:59 am

Quote:
How do I explain how to understand the mustUnderstand without all the policy set stuff?


If you are going to do it all manually you need to add the WS-Sec namespace details to the "Must Understand" details on the node definition.

Kind regards,
_________________
MGK
The postings I make on this site are my own and don't necessarily represent IBM's positions, strategies or opinions.
Vitor
PostPosted: Tue Oct 02, 2012 9:15 am

mqjeff wrote:
remove the security policy?


Did that. Or more specifically the Toolkit did that when I rebuilt the bar file; see above.
Vitor
PostPosted: Tue Oct 02, 2012 9:25 am

mgk wrote:
Quote:
How do I explain how to understand the mustUnderstand without all the policy set stuff?


If you are going to do it all manually you need to add the WS-Sec namespace details to the "Must Understand" details on the node definition.


Of the 2 tables in the Advanced tab of the SOAPRequest node, the WSDL-defined SOAP response headers is read only & the User-defined SOAP response headers doesn't mention mustUnderstand. Adding the wsse namespace to that doesn't affect the error.

Clearly my week for missing things.
mgk
PostPosted: Tue Oct 02, 2012 9:34 am

So the WSDL-Defined table is for SOAP-Headers defined in the WSDL which is why it is read only. The user-defined one is the correct one. You should add in a namespace of

"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

and a name of "Security".

Also, there may be more than one header to add...

Kind regards,
ganesh
PostPosted: Tue Oct 02, 2012 9:43 am

Code:
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:UsernameToken wsu:Id="UsernameToken-20" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:Username>abc</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">@khfggh</wsse:Password>
  </wsse:UsernameToken>
</wsse:Security>


Does the header in your request look like the above?
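What the "build it yourself" route from mqjeff's post looks like in a Compute node, as an added example that is not code from the thread or from IBM: it produces the same wsse:Security/UsernameToken header ganesh shows above, with PasswordText, on the OutputRoot.SOAP tree in front of the SOAPRequest node. Assumptions: the request tree is in the SOAP domain (so the XMLNSC field-type constants are used for attributes and namespace declarations, the SOAP parser being built on XMLNSC), the service is SOAP 1.1 (the soapenv namespace below; a SOAP 1.2 WSDL needs the 2003/05 envelope namespace instead), and an earlier node has placed the user ID and password at Environment.Variables.Credentials, a hypothetical location to be replaced by wherever the flow actually holds them.

```esql
-- Added example, not code from the thread: inject a WS-Security UsernameToken
-- (PasswordText) into the SOAP request in a Compute node wired before the
-- SOAPRequest node. Assumes the SOAP domain on OutputRoot and that an earlier
-- node stored the credential at Environment.Variables.Credentials (hypothetical).
CREATE COMPUTE MODULE AddWsseUsernameToken
  CREATE FUNCTION Main() RETURNS BOOLEAN
  BEGIN
    -- SOAP 1.1 envelope namespace; use http://www.w3.org/2003/05/soap-envelope for SOAP 1.2.
    DECLARE soapenv NAMESPACE 'http://schemas.xmlsoap.org/soap/envelope/';
    DECLARE wsse NAMESPACE 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd';
    DECLARE wsu  NAMESPACE 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd';
    DECLARE PASSWORD_TEXT CONSTANT CHARACTER
      'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText';

    -- Hypothetical source of the credential; read it from wherever your flow keeps it.
    DECLARE userId   CHARACTER Environment.Variables.Credentials.UserId;
    DECLARE password CHARACTER Environment.Variables.Credentials.Password;

    -- Start from the request the WSDL-generated subflow already built (headers and body).
    CALL CopyEntireMessage();

    -- Fail inside the flow, where it is logged, rather than send a half-built token.
    IF userId IS NULL OR password IS NULL OR LENGTH(TRIM(userId)) = 0 THEN
      THROW USER EXCEPTION CATALOG 'BIPmsgs' MESSAGE 2951
        VALUES('WS-Security credentials not available to AddWsseUsernameToken');
    END IF;

    -- <wsse:Security soapenv:mustUnderstand="1"> under SOAP.Header. The SET statements
    -- create the path; the NamespaceDecl entries pin the wsse/wsu prefixes on the wire.
    SET OutputRoot.SOAP.Header.wsse:Security.(XMLNSC.NamespaceDecl)xmlns:wsse = wsse;
    SET OutputRoot.SOAP.Header.wsse:Security.(XMLNSC.NamespaceDecl)xmlns:wsu = wsu;
    SET OutputRoot.SOAP.Header.wsse:Security.(XMLNSC.Attribute)soapenv:mustUnderstand = '1';

    -- <wsse:UsernameToken wsu:Id="..."><wsse:Username/><wsse:Password Type="...#PasswordText"/>
    DECLARE tok REFERENCE TO OutputRoot.SOAP.Header.wsse:Security;
    SET tok.wsse:UsernameToken.(XMLNSC.Attribute)wsu:Id = 'UsernameToken-1';
    SET tok.wsse:UsernameToken.wsse:Username = userId;
    SET tok.wsse:UsernameToken.wsse:Password = password;
    SET tok.wsse:UsernameToken.wsse:Password.(XMLNSC.Attribute)Type = PASSWORD_TEXT;

    RETURN TRUE;
  END;

  CREATE PROCEDURE CopyEntireMessage() BEGIN
    SET OutputRoot = InputRoot;
  END;
END MODULE;
```

Two things belong with this. PasswordText puts the password on the wire verbatim, so the SOAPRequest node must talk HTTPS to the service; the other form the Username Token Profile defines, PasswordDigest, is Base64(SHA-1(nonce + created + password)) and is presumably the "type of encryption" mqjeff alludes to, which is easier to compute in a JavaCompute node. And because the service answers with its own mustUnderstand="1" Security header, the SOAPRequest node's Advanced tab needs that header in the User-defined SOAP response headers table with the namespace "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" and the name "Security" (the element's local name, not the prefix "wsse"); otherwise the BIP3701E MustUnderstand check quoted above fails before the reply reaches the flow.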
Vitor
PostPosted: Tue Oct 02, 2012 9:46 am

mgk wrote:
So the WSDL-Defined table is for SOAP-Headers defined in the WSDL which is why it is read only. The user-defined one is the correct one. You should add in a namespace of

"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

and a name of "Security".


Ah - so adding it with a Header name of wsse (i.e. not the name of the Header) means it don't work? As a wise man once said - Doh!

Now I go and explain to the developer that the response I've got after all this effort doesn't match the response in the WSDL. Repeatedly and fairly hard.

Thanks for the assistance.
Vitor
PostPosted: Tue Oct 02, 2012 9:53 am

ganesh wrote:
Code:
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:UsernameToken wsu:Id="UsernameToken-20" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:Username>abc</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">@khfggh</wsse:Password>
  </wsse:UsernameToken>
</wsse:Security>


Does the header in your request look like the above?


I don't include the UsernameToken but it doesn't seem to mind.
mqjeff
PostPosted: Tue Oct 02, 2012 10:41 am

Vitor wrote:

I don't include the UsernameToken but it doesn't seem to mind.


Does it fail if you *do* include the username token?
Page 1 of 2