eugene |
Posted: Tue Mar 02, 2010 2:45 am Post subject: SOAPRequest Http Authentication |
|
|
Novice
Joined: 02 Mar 2010 Posts: 18
|
Hello,
My question is actually pretty simple - but I seem to not get a solution.
I am using a SOAP Request Node in order to call a Web Service - but the Web Service is password/user protected. I can see that the SOAP Request Node has a WS-Security Property, but I was expecting User/password there; instead I can see "XPath expression" and "Alias" - I don't get it - what are these? Also I have read about Policy Sets - tried to add them, but no luck for now... Can anyone give a hint?
Thank you,
Eugene. |
|
 |
marko.pitkanen |
Posted: Tue Mar 02, 2010 3:51 am Post subject: |
|
|
 Chevalier
Joined: 23 Jul 2008 Posts: 440 Location: Jamsa, Finland
|
|
 |
eugene |
Posted: Tue Mar 02, 2010 11:01 am Post subject: |
|
|
Novice
Joined: 02 Mar 2010 Posts: 18
|
Actually I think I was wrong - it is nothing more than Basic HTTP Authentication. I have to populate the httpRequestHeader with the necessary info - found some links here - but no success yet! Still working on it. But thx for your opinion anyway!
Best wishes,
Eugene. |
|
 |
marko.pitkanen |
Posted: Tue Mar 02, 2010 11:39 am Post subject: |
|
|
 Chevalier
Joined: 23 Jul 2008 Posts: 440 Location: Jamsa, Finland
|
Hi,
I suggest that you first test interacting with your WS with soapUI, for example. Then, when you have a working SOAP request, send it to the broker's HTTP input node and echo the request with a trace node to user trace. There you have fine hints on how to fill your message tree in your flow to make the interaction with the WS work from the broker as well.
--
Marko |
|
 |
AndreasMartens |
Posted: Wed Mar 03, 2010 5:17 am Post subject: use the Security Manager |
|
|
 Acolyte
Joined: 30 Jan 2006 Posts: 65 Location: Hursley, UK
|
Hi Eugene,
I'd suggest you try this:
1. Remove your PolicySet and Binding from the node if you have them (unless you really need them for something else that is...)
2. In a Compute Node:
SET OutputRoot.Properties.IdentityMappedType = 'usernameAndPassword';
SET OutputRoot.Properties.IdentityMappedToken = 'eugene';
SET OutputRoot.Properties.IdentityMappedPassword = 'Pa55word';
3. On your SOAP Request Node, in the Bar editor's configuration, set Security Profile to 'Default_Propagation'
4. Redeploy and revel in the basic-auth magic!
(If your password really is Pa55word, I'd suggest you change it.)
What happens is as follows:
1. When the SOAP Request Node doesn't have a policy set or binding attached it defaults to the same behaviour as HTTP nodes for security processing.
2. Setting the Mapped Identity in the Properties folder ensures the broker has something to populate the WS-Authorization header with.
3. The Default_Propagation security profile does nothing apart from enabling Identity Propagation. When a request node with Identity Propagation enabled gets a message, they look in the Properties folder, first at the Mapped Identity, then at the Source Identity, to find something they can use. The HTTP and SOAP nodes do this in the form of basic-auth information.
If you'd like to know more, please read the on-line manual about Message Flow Security: http://publib.boulder.ibm.com/infocenter/wmbhelp/v7r0m0/topic/com.ibm.etools.mft.doc/bp28210_.htm |
|
 |
eugene |
Posted: Wed Mar 03, 2010 11:42 pm Post subject: |
|
|
Novice
Joined: 02 Mar 2010 Posts: 18
|
Hello!
Thank you for your time! But I tried the thing that you suggested before I posted this question on the forum, with no luck. Just to reassure myself, I tried it again just now, and no luck. Actually, I have managed to overcome this situation in this manner:
SET OutputRoot.HTTPRequestHeader."Content-Type"= 'application/atom+xml';
SET OutputRoot.HTTPRequestHeader."Authorization" = 'Basic '||b64Encode(CAST(UserName||':'||Password as BLOB CCSID InputRoot.Properties.CodedCharSetId));
CREATE PROCEDURE b64Encode(IN source BLOB)
RETURNS CHARACTER
LANGUAGE JAVA
EXTERNAL NAME "com.ibm.broker.javacompute.Base64.encode";
I still get an error, but this time it is an HTTP 500 error - which means that I have been authenticated successfully and there is something wrong with the request that I sent. Actually I will post this question in the forum too, because it is a damn interesting one.
Thx for your help anyway!
Best Wishes,
Eugene. |
|
 |
AndreasMartens |
Posted: Thu Mar 04, 2010 2:13 am Post subject: Should work... |
|
|
 Acolyte
Joined: 30 Jan 2006 Posts: 65 Location: Hursley, UK
|
Hi again,
The previous method *really* should work, if you're willing to spend a little more time and grab some service trace, I'd willingly go through the trace and see what's gone wrong... There's nothing wrong with your workaround (it's what we recommended before putting in the Properties support), but the "proper" way should be faster.
One thing to mention: you're writing the username and password using the incoming ccsid. This might not always work; we always use Latin-1, as the HTTP standard says should be applied to HTTP headers, though it's a little ambiguous. If your server expects something else (I've seen Java-based systems expect UTF-8) you can set MQSI_HTTP_BASIC_AUTH_CCSID=1208, for example.
cheers,
Andreas |
|
 |
eugene |
Posted: Thu Mar 04, 2010 3:06 am Post subject: |
|
|
Novice
Joined: 02 Mar 2010 Posts: 18
|
Hello again!
I am on it - I'll give a bit more tests and eventually some logs.... For now though, I have another question to you, if I may.
For example, when using soapUI I can see the actual Http Request, I mean the Http Headers + SOAP Request.
For example:
POST http://xxxxxxxr:14200/frwksoapapi/servlet/rpcrouter HTTP/0.9
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
User-Agent: Jakarta Commons-HttpClient/3.1
Content-Length: 798
Authorization: Basic xxxxxxx
Host: xxxxxx:14200
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:com="xxxxxxx">
<soapenv:Header/>
<soapenv:Body>
<com:midasActionAPI soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<apiNames xsi:type="xsd:string">xxxxx</apiNames>
<zone xsi:type="xsd:string">xxxxxx</zone>
<xml xsi:type="xsd:string"><![CDATA[xxxxxxx]]></xml>
<returnFormat xsi:type="xsd:int">0</returnFormat>
</com:midasActionAPI>
</soapenv:Body>
</soapenv:Envelope>
@Sorry about the "xxxxxx" thing - company policy
Is there a way to see this layout in broker? A Trace Node maybe? Will it capture the HTTP Request?
Thx again!
P.S. Is there a mail-notification thing on this forum, whenever people ask questions? Like a subscribe thing? I would gladly share and help others too - of course if I can.
Best Wishes,
Eugene. |
|
 |
AndreasMartens |
Posted: Thu Mar 04, 2010 3:39 am Post subject: Trace Node |
|
|
 Acolyte
Joined: 30 Jan 2006 Posts: 65 Location: Hursley, UK
|
Yeah, a trace node should tell you most of what you want to know.
Put in:
${Root}
${LocalEnvironment}
and I think you'll get what you're looking for.
cheers,
Andreas |
|
 |
Herbert |
Posted: Thu Mar 04, 2010 4:02 am Post subject: |
|
|
 Centurion
Joined: 05 Dec 2006 Posts: 146 Location: Leersum, The Netherlands
|
eugene wrote: |
Is there a way to see this layout in broker? A Trace Node maybe? Will it capture the HTTP Request? |
No, the raw HTTP request is not visible with a Trace Node:
Look at "Technology Samples", "Message Broker", "Web Services", "Address Book Sample", "Extend the sample", "Set up the extension", "Setting up a TCP/IP Monitor" if you want to debug at this level. |
|
 |
JohanSwanepoel |
Posted: Thu Aug 26, 2010 9:54 pm Post subject: Have you set the Security Profile? |
|
|
Newbie
Joined: 12 May 2009 Posts: 4
|
Hi
I did the same thing and after setting the security profile to default the values got picked up from the properties.
It pretty much works exactly as AndreasMartens stated, the only other thing I had to do was set the values to something appropriate for WMQ at the end of the flow again, so change usernameAndPassword to username only before sending the message to WMQ at the end (if you do that). |
|
 |
Maximreality |
Posted: Fri Aug 27, 2010 12:46 am Post subject: |
|
|
 Acolyte
Joined: 04 Jun 2004 Posts: 65 Location: Copenhagen
|
When working with HTTP on the broker, using an HTTP proxy for debugging is very useful.
My favorite one is www.fiddler2.com (and it's for free!) |
|