Vitor |
Posted: Mon Oct 01, 2012 1:04 pm Post subject: Using WS-Security in a SOAPRequest node |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
Starting out, don't say this is all documented in the InfoCenter. I know it is:
here, here, here, here, here & here. I've also reviewed this as well as this & this. I have a blinding headache and an ongoing problem.
Scenario: I'm trying to consume a web service using WMBv7.0.0.3. I have a WSDL which I've made deployable and WMB has built a nifty little sub flow for me. The service requires a WS-Security user id & password, which is available to the Compute node building the SOAP request but is not in any of the transport headers. As a result of the above reading I set the Identity in the Properties, created a policy set with username and password tokens, a binding associated with the policy set and a security profile with Propagation set to TRUE. I put all of this in the properties of the bar file, baked for a few minutes with a deploy command until golden brown and was rather upset to discover the target service complaining the wsse was missing.
I've tried it with IdentitySource, IdentityMapped, also threats, bribes and just cajoling. If I just add ESQL to add the username and password it works fine, but what am I missing?
Also, should the PolicySet, bindings and profile disappear from the bar file properties when I rebuild it or is that just my Toolkit being funky? Again? _________________ Honesty is the best policy.
Insanity is the best defence. |
 |
ganesh |
Posted: Tue Oct 02, 2012 4:37 am Post subject: |
|
|
Master
Joined: 18 Jul 2010 Posts: 294
|
Quote: |
Also, should the PolicySet, bindings and profile disappear from the bar file properties when I rebuild it or is that just my Toolkit being funky? Again? |
It disappears every time you build the bar file, you have to add it manually every time. |
 |
Vitor |
Posted: Tue Oct 02, 2012 4:44 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
ganesh wrote: |
Quote: |
Also, should the PolicySet, bindings and profile disappear from the bar file properties when I rebuild it or is that just my Toolkit being funky? Again? |
It disappears every time you build the bar file, you have to add it manually every time. |
Reassuring. With luck it's fixed in the next version; anyone?
Any thoughts on why it doesn't work even if I do add it? _________________ Honesty is the best policy.
Insanity is the best defence. |
 |
mqjeff |
Posted: Tue Oct 02, 2012 7:00 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
 |
mqjeff |
Posted: Tue Oct 02, 2012 7:43 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
The good news is that there's no specific reason you need to use the security profiles at all, if it's a standard ws-security header. You can just build it yourself and stick it in the soap message you pass to the request node. The only complexity is the type of encryption needed on the password...  |
 |
Vitor |
Posted: Tue Oct 02, 2012 8:04 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
mqjeff wrote: |
The good news is that there's no specific reason you need to use the security profiles at all, if it's a standard ws-security header. You can just build it yourself and stick it in the soap message you pass to the request node. |
It's comforting to know the kludge I put in to get it working is actually the right answer.
But if that's the case (and I assure you I believe you) how do I handle it in the response? With the header built manually, the service responds with a smile and a happy wave, but broker blows up:
Code: |
BIP3701E: A Java exception was thrown whilst calling the Java JNI method ''Axis2Requester_processResponseMessageSync''. The Java exception was ''org.apache.axis2.AxisFault: MustUnderstand Header-Check Failed for Header: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security whilst processing operation: importDocument''. The Java stack trace was ''Frame : 0 org.apache.axis2.AxisFault: MustUnderstand Header-Check Failed for Header: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security whilst processing operation: importDocument
@: com.ibm.broker.axis2.MustUnderstandHeaderInHandler.invoke(MustUnderstandHeaderInHandler.java:327)
@: org.apache.axis2.engine.Phase.invoke(Phase.java:318)
@: org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:268)
@: org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:175)
@: com.ibm.broker.axis2.Axis2Requester.processResponseMessageInternal(Axis2Requester.java:1750)
@: com.ibm.broker.axis2.Axis2Requester.processResponseMessageSync(Axis2Requester.java:1510) |
How do I explain how to understand the mustUnderstand without all the policy set stuff? _________________ Honesty is the best policy.
Insanity is the best defence. |
 |
mqjeff |
Posted: Tue Oct 02, 2012 8:42 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
remove the security policy? |
 |
mgk |
Posted: Tue Oct 02, 2012 8:59 am Post subject: |
|
|
 Padawan
Joined: 31 Jul 2003 Posts: 1642
|
Quote: |
How do I explain how to understand the mustUnderstand without all the policy set stuff? |
If you are going to do it all manually you need to add the WS-Sec namespace details to the "Must Understand" details on the node definition.
Kind regards, _________________ MGK
The postings I make on this site are my own and don't necessarily represent IBM's positions, strategies or opinions. |
 |
Vitor |
Posted: Tue Oct 02, 2012 9:15 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
mqjeff wrote: |
remove the security policy? |
Did that. Or more specifically the Toolkit did that when I rebuilt the bar file; see above. _________________ Honesty is the best policy.
Insanity is the best defence. |
 |
Vitor |
Posted: Tue Oct 02, 2012 9:25 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
mgk wrote: |
Quote: |
How do I explain how to understand the mustUnderstand without all the policy set stuff? |
If you are going to do it all manually you need to add the WS-Sec namespace details to the "Must Understand" details on the node definition. |
Of the 2 tables in the Advanced tab of the SOAPRequest node, the WSDL-defined SOAP response headers is read only & the User-defined SOAP response headers doesn't mention mustUnderstand. Adding the wsse namespace to that doesn't affect the error.
Clearly my week for missing things.  _________________ Honesty is the best policy.
Insanity is the best defence. |
 |
mgk |
Posted: Tue Oct 02, 2012 9:34 am Post subject: |
|
|
 Padawan
Joined: 31 Jul 2003 Posts: 1642
|
So the WSDL-Defined table is for SOAP-Headers defined in the WSDL which is why it is read only. The user-defined one is the correct one. You should add in a namespace of
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
and a name of "Security".
Also, there may be more than one header to add...
Kind regards, _________________ MGK
The postings I make on this site are my own and don't necessarily represent IBM's positions, strategies or opinions. |
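Added example, not part of the thread and not the broker's or Axis2's code: a Python illustration of why the user-defined header entry has to be the namespace plus the local name "Security" rather than the prefix "wsse". It assumes a SOAP 1.1 envelope; the response message and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")

# Constructed sample response: the service returns a Security header
# flagged mustUnderstand, plus an optional header that is not flagged.
RESPONSE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP11}">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="{WSSE}"/>
    <t:Trace xmlns:t="urn:example:trace">abc</t:Trace>
  </soapenv:Header>
  <soapenv:Body><importDocumentResponse/></soapenv:Body>
</soapenv:Envelope>"""


def unhandled_must_understand(envelope_xml, understood):
    """Return the qualified names of mustUnderstand headers that are not in
    `understood`, a set of (namespace, local name) pairs."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP11}}}Header")
    missing = []
    if header is None:
        return missing
    for block in header:
        # Only headers the sender marked as mandatory are checked.
        if block.get(f"{{{SOAP11}}}mustUnderstand", "0") != "1":
            continue
        # ElementTree stores the tag as "{namespace}local"; the prefix
        # ("wsse") is gone after parsing and plays no part in the match.
        if block.tag.startswith("{"):
            ns, _, local = block.tag[1:].partition("}")
        else:
            ns, local = "", block.tag
        if (ns, local) not in understood:
            missing.append(block.tag)
    return missing


if __name__ == "__main__":
    # Registering the prefix as the name leaves the header unhandled.
    print(unhandled_must_understand(RESPONSE, {(WSSE, "wsse")}))
    # Registering namespace + "Security" satisfies the check.
    print(unhandled_must_understand(RESPONSE, {(WSSE, "Security")}))
```
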
 |
ganesh |
Posted: Tue Oct 02, 2012 9:43 am Post subject: |
|
|
Master
Joined: 18 Jul 2010 Posts: 294
|
Code: |
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-20" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>abc</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">@khfggh</wsse:Password>
</wsse:UsernameToken>
</wsse:Security> |
Does the header in your request look like the above? |
 |
Vitor |
Posted: Tue Oct 02, 2012 9:46 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
mgk wrote: |
So the WSDL-Defined table is for SOAP-Headers defined in the WSDL which is why it is read only. The user-defined one is the correct one. You should add in a namespace of
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
and a name of "Security". |
Ah - so adding it with a Header name of wsse (i.e. not the name of the Header) means it don't work? As a wise man once said - Doh!
Now I go and explain to the developer that the response I've got after all this effort doesn't match the response in the WSDL. Repeatedly and fairly hard.
Thanks for the assistance. _________________ Honesty is the best policy.
Insanity is the best defence. |
 |
Vitor |
Posted: Tue Oct 02, 2012 9:53 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
ganesh wrote: |
Code: |
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-20" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>abc</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">@khfggh</wsse:Password>
</wsse:UsernameToken>
</wsse:Security> |
Does the header in your request look like the above? |
I don't include the UsernameToken but it doesn't seem to mind. _________________ Honesty is the best policy.
Insanity is the best defence. |
 |
mqjeff |
Posted: Tue Oct 02, 2012 10:41 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
Vitor wrote: |
I don't include the UsernameToken but it doesn't seem to mind. |
Does it fail if you *do* include the username token? |