Vitor
Posted: Fri Sep 13, 2013 5:43 am Post subject: WS-Security & BasicAuth - advice and suggestions please
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
WMBv7.0.0.3
Scenario:
We have a perfectly normal flow SOAPInput -> lots of stuff -> SOAPReply. The SOAPInput node is configured to authenticate & authorize against our corporate LDAP server with the default policy set, bindings, configurable services and a full chorus of singing cherubs. It's been tested extensively, works a treat, allowed people get responses, other people get the cold shoulder. Glorious.
Problem:
The flow in question replaces an existing integration in webMethods. During the requirements phase we learned that all the consuming clients use WS-Security. During testing we learned that all the consuming clients use WS-Security except the legacy ones that use BasicAuth.
It's politically unacceptable to use my preferred solution on the legacy applications in question.
I'd like suggestions & advice from the assembled crowd on the best / fastest / easiest way to provide both WS-Security and BasicAuth support through a single flow. The only constraints are time (we'd nearly finished testing when these jokers showed up) and that both WS-S & BA applications want to consume the service through the same endpoint.
_________________
Honesty is the best policy.
Insanity is the best defence.
smdavies99
Posted: Fri Sep 13, 2013 5:55 am Post subject:
Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
As you want the same endpoint, I don't think it is possible using the basic node in an AS format.
What I think you are looking for is a way to perform the auth based upon the ip/fqdn of the caller.
Without rolling your own node there is no way to do it.....
Unless you front-end the flow with one that lets everything in and then sends it on to the correct backend flow that has different (non-LDAP-auth or LDAP-auth) endpoints.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
Vitor
Posted: Fri Sep 13, 2013 6:03 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
smdavies99 wrote:
Without rolling your own node there is no way to do it.....
We lack the time for this, and the will. I'd sooner resort to Plan A.
smdavies99 wrote:
Unless you front-end the flow with one that lets everything in and then sends it on to the correct backend flow that has different (non-LDAP-auth or LDAP-auth) endpoints.
So (to be clear) you're proposing SOAPInput (with no auth) -> Filter -> SecurityPEP (for WS-Security) / SecurityPEP (for BasicAuth)?
_________________
Honesty is the best policy.
Insanity is the best defence.
lancelotlinc
Posted: Fri Sep 13, 2013 6:15 am Post subject:
Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
You can have two entry-point flows that resolve the user credentials, then pass those credentials to your existing flow. It's the best of both worlds since you don't have to change any of the code you've already developed.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
mqjeff
Posted: Fri Sep 13, 2013 6:18 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
lancelotlinc wrote:
You can have two entry-point flows that resolve the user credentials, then pass those credentials to your existing flow. It's the best of both worlds since you don't have to change any of the code you've already developed.
That would require two external URLs.
Vitor
Posted: Fri Sep 13, 2013 6:25 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
lancelotlinc wrote:
You can have two entry-point flows
As I said above, we can only have one endpoint.
_________________
Honesty is the best policy.
Insanity is the best defence.
lancelotlinc
Posted: Fri Sep 13, 2013 6:28 am Post subject:
Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
Vitor wrote:
lancelotlinc wrote:
You can have two entry-point flows
As I said above, we can only have one endpoint.
If Client A is using Basic Auth and Client B is using WS-Security, can you not publish the URL to Client A for Basic Auth and the URL to Client B for WS-Security? In both instances, only one URL is used.
Also you want to update your runtime to 7.0.0.6. Important fixes in 4 and 5 apply to your use case.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
Vitor
Posted: Fri Sep 13, 2013 7:04 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
lancelotlinc wrote:
If Client A is using Basic Auth and Client B is using WS-Security, can you not publish the URL to Client A for Basic Auth and the URL to Client B for WS-Security? In both instances, only one URL is used.
The URL is "published" in a company-wide repository & hasn't varied for years. We can't have 2 endpoints for 1 company function.
lancelotlinc wrote:
Also you want to update your runtime to 7.0.0.6. Important fixes in 4 and 5 apply to your use case.
Yes, yes, I've had a formal request for the update open for so long that 7.0.0.6 has been released while the request was open. Still no sign of action from the sys admins.
_________________
Honesty is the best policy.
Insanity is the best defence.
lancelotlinc
Posted: Fri Sep 13, 2013 7:08 am Post subject:
Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
Vitor wrote:
lancelotlinc wrote:
If Client A is using Basic Auth and Client B is using WS-Security, can you not publish the URL to Client A for Basic Auth and the URL to Client B for WS-Security? In both instances, only one URL is used.
The URL is "published" in a company-wide repository & hasn't varied for years. We can't have 2 endpoints for 1 company function.
lancelotlinc wrote:
Also you want to update your runtime to 7.0.0.6. Important fixes in 4 and 5 apply to your use case.
Yes, yes, I've had a formal request for the update open for so long that 7.0.0.6 has been released while the request was open. Still no sign of action from the sys admins.
Then front-end your WMB flow with a WAS war or POJO.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
bielesibub
Posted: Fri Sep 13, 2013 7:25 am Post subject:
Apprentice
Joined: 02 Jul 2008 Posts: 40 Location: Hampshire, UK
(Dare I interrupt MQSeries.net Behemoths??)
Vitor,
Having spent the past few years battling with WS-Security implementation in WMB/WAS and .Net, I think I might be able to help...
I'm assuming that the basic authentication method of access is still providing the same SOAP format message? If so, the SecurityPEP idea might be the best way for you to go (if you can only provide one endpoint), providing you've not got any encryption / message signing on your SOAP input messages, that is! I'm not even sure it would be a good idea to have identity in a message without having any kind of signature/encryption though.
Sadly, basic authentication and WS-Security aren't the best of companions. I agree with smdavies99; in addition, I think if you were to include all this in one endpoint you'd be losing some of the nice stuff that WS-Security gives you.
If you come up with a solution, I'd be very interested to know how you solved it!!
smdavies99
Posted: Fri Sep 13, 2013 7:42 am Post subject:
Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
bielesibub wrote:
(Dare I interrupt MQSeries.net Behemoths??)
You are quite welcome to interrupt.
You make some good points.
I don't think that Vitor can solve his problem without front-ending the real flow with something that can detect which type of request the message is.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
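As an added example (not code from any of the posts above, and not a WMB node or ESQL), here is the request-type detection that smdavies99's "front end that lets everything in" and Vitor's SOAPInput (no auth) -> Filter -> SecurityPEP sketch both depend on, written in Python so it can be run stand-alone. It looks at two places a caller can put a credential, the HTTP Authorization header and a wsse:UsernameToken in the SOAP header, and normalises whichever is present into one Identity that a single downstream check (the thread's LDAP authentication) would consume. The namespace URIs are the standard SOAP 1.1/1.2 and WSS 1.0 values; the Identity class, the function names, the sample envelopes and the alice/bob credentials are all made up for illustration.

```python
"""Front-end credential detection for one SOAP endpoint (added example, not
code from the thread or from WMB). Inspects the HTTP Authorization header and
the SOAP <wsse:Security> header and normalises either into one Identity that a
single downstream check (an LDAP bind, in the thread's case) can consume.
Sample traffic below is constructed for illustration."""
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional

# Standard SOAP 1.1/1.2 and WSS 1.0 namespace URIs.
SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
PASSWORD_TEXT = "#PasswordText"   # suffix of the UsernameToken profile Type URI


@dataclass(frozen=True)
class Identity:
    scheme: str      # "wsse" or "basic": which path carried the credential
    username: str
    password: str


def parse_basic(authorization: Optional[str]) -> Optional[Identity]:
    """Decode an HTTP Basic Authorization header; None if absent or malformed."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:          # binascii.Error and UnicodeDecodeError both subclass it
        return None
    user, sep, password = decoded.partition(":")   # RFC 7617: no ':' in user-id
    if not sep or not user:
        return None
    return Identity("basic", user, password)


def parse_wsse(envelope: str) -> Optional[Identity]:
    """Extract a UsernameToken with a clear-text password from the SOAP header.
    PasswordDigest tokens are rejected: a digest cannot be replayed as an LDAP bind."""
    try:
        # Production code should parse untrusted XML with a hardened parser (e.g. defusedxml).
        root = ET.fromstring(envelope)
    except ET.ParseError:
        return None
    header = None
    for ns in (SOAP11, SOAP12):
        header = root.find(f"{{{ns}}}Header")
        if header is not None:
            break
    if header is None:
        return None
    token = header.find(f"{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        return None
    username = (token.findtext(f"{{{WSSE}}}Username") or "").strip()
    pwd = token.find(f"{{{WSSE}}}Password")
    if not username or pwd is None:
        return None
    # A missing Type attribute defaults to PasswordText per the token profile.
    if not pwd.get("Type", PASSWORD_TEXT).endswith(PASSWORD_TEXT):
        return None
    return Identity("wsse", username, pwd.text or "")


def resolve_identity(headers: Dict[str, str], envelope: str) -> Optional[Identity]:
    """WS-Security wins when present; Basic is the legacy fallback. A request that
    carries both, naming different users, is ambiguous and is rejected outright."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    wsse_id, basic_id = parse_wsse(envelope), parse_basic(auth)
    if wsse_id and basic_id and wsse_id.username != basic_id.username:
        return None
    return wsse_id or basic_id


# Constructed sample traffic (not captured from any real system).
WSSE_ENVELOPE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <soapenv:Header><wsse:Security><wsse:UsernameToken>
    <wsse:Username>alice</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">wonderland</wsse:Password>
  </wsse:UsernameToken></wsse:Security></soapenv:Header>
  <soapenv:Body><getBalance/></soapenv:Body>
</soapenv:Envelope>"""
PLAIN_ENVELOPE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><getBalance/></soapenv:Body>
</soapenv:Envelope>"""
BASIC_HEADERS = {"Authorization": "Basic " + base64.b64encode(b"bob:s3cret").decode("ascii")}
NO_AUTH_HEADERS = {"Content-Type": "text/xml"}

if __name__ == "__main__":
    for hdrs, env in ((NO_AUTH_HEADERS, WSSE_ENVELOPE), (BASIC_HEADERS, PLAIN_ENVELOPE),
                      (NO_AUTH_HEADERS, PLAIN_ENVELOPE), (BASIC_HEADERS, WSSE_ENVELOPE)):
        print(resolve_identity(hdrs, env))
```

Whatever resolve_identity returns is what the single LDAP-backed check would then bind with; a None means the request is rejected before any backend flow sees it. The caveat bielesibub raised still applies to both paths: a PasswordText UsernameToken and a Basic header both carry the password in clear, so either is only as safe as the TLS in front of the endpoint, and neither gives you the signing or encryption WS-Security could otherwise provide.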
Vitor
Posted: Fri Sep 13, 2013 8:43 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
bielesibub wrote:
(Dare I interrupt MQSeries.net Behemoths??)
Yes, dare. Dare.
bielesibub wrote:
I'm assuming that the basic authentication method of access is still providing the same SOAP format message?
It is.
bielesibub wrote:
providing you've not got any encryption / message signing on your SOAP input messages, that is!
We don't.
bielesibub wrote:
I'm not even sure it would be a good idea to have identity in a message without having any kind of signature/encryption though.
I'm not sure either, but I just work here.
bielesibub wrote:
If you come up with a solution, I'd be very interested to know how you solved it!!
I'd already thought of the SecurityPEP and the front-end-the-flow-with-insert-technology-here, but was running it past the Behemoths to see if anyone had a really cunning dodge or knew a hidden setting in the SOAPInput node.....
_________________
Honesty is the best policy.
Insanity is the best defence.