| Author |
Message
|
| liminzhang |
 Posted: Tue Oct 21, 2014 2:56 pm Post subject: Monitor the invocation of web service call? |
 |
|
Novice
Joined: 29 Sep 2014
Posts: 11
|
I have deployed a simple message flow providing a web service with SOAP Input Node. The message flow was secured with the following set up.
.Policy set : WSS10Default
.Policy set binding : WSS10Default
.Security Profile Name : a LDAP-based profile
I would like to monitor the invocation of the web service whether authentications succeed or not. Ideally I hope I can find some logging information in WMB. Is it possible?
After I tried unsuccessfully to find the logging information, I turned to monitoring events of the SOAPInput node. However I still could not get the error message.
All event sources (Transaction start, Failure, Catch...) : Enabled
All terminals : Connected.
If I tested with a valid user id, I got records inside the monitoring subscription queue. However, if I tested with an invalid user, no record was put in the queue.
Your advice will be greatly appreciated.
Thanks a advance.
Limin |
|
| Back to top |
|
 |
| kimbert |
| Posted: Tue Oct 21, 2014 3:10 pm Post subject: |
|
|
Jedi Council
Joined: 29 Jul 2003
Posts: 5542
Location: Southampton
|
Which terminal does the message get propagated to when there is an authentication failure?
_________________
Before you criticize someone, walk a mile in their shoes. That way you're a mile away, and you have their shoes too. |
|
| Back to top |
|
|
| ruimadaleno |
| Posted: Wed Oct 22, 2014 2:37 am Post subject: |
|
|
Master
Joined: 08 May 2014
Posts: 274
|
one hint:
as far as i understand you said that all terminals of soapinput node are connected.
Place a trace node between each terminal of soapinput node and the destination node.
configure the trace node to record $Root , have a look at the values kept in the tree.
_________________
Best regards
Rui Madaleno |
|
| Back to top |
|
|
| liminzhang |
| Posted: Wed Oct 22, 2014 7:46 am Post subject: |
|
|
Novice
Joined: 29 Sep 2014
Posts: 11
|
Thanks for all the responses. I tried trace nodes connected to all the terminals, nothing was emitted to the trace file. I also made sure trace record was emitted for a successful authentication. I think after an authentication failure, the request message will not be propagated to any of the terminals.
I can see the authentication failure in user trace, however I don't want to enable the trace in production as performance will be affected. Also the information provided by user trace only shows a request comes and does not show where the request comes from.
I feel WMB should provide a method to monitor HTTP request regardless of authentication status. |
|
| Back to top |
|
|
| Vitor |
| Posted: Wed Oct 22, 2014 8:22 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| liminzhang wrote: |
| I think after an authentication failure, the request message will not be propagated to any of the terminals. |
Gosh....
| liminzhang wrote: |
| I can see the authentication failure in user trace, however I don't want to enable the trace in production as performance will be affected. |
Wise.
| liminzhang wrote: |
| Also the information provided by user trace only shows a request comes and does not show where the request comes from. |
If only there was some way of seeing the headers with that information in WMB....
| liminzhang wrote: |
| I feel WMB should provide a method to monitor HTTP request regardless of authentication status. |
You'd think that. And it's not what you asked for. You asked about notification on authorisation failure, not the status of HTTP traffic.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| liminzhang |
| Posted: Wed Oct 22, 2014 8:57 am Post subject: |
|
|
Novice
Joined: 29 Sep 2014
Posts: 11
|
Ideally I would like to log all http requests in a way similar to IIS http://www.iis.net/configreference/system.webserver/httplogging#004. In this way, I would know the invocations of the web service from clients.
I could not find such a logging mechanism in WMB. So I tried monitoring all the terminals though this is not a good solution at all as I need to configure all the SOAPInput nodes in all message follows. However even this suboptimal solution does not work when authentication failure happens.
Maybe my posts created some confusion. Sorry about that. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Wed Oct 22, 2014 9:00 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
The best solution for your requirement is to use an external web server, perhaps just Apache. then use the functions to export the Broker HTTP config as a mod_proxy configuration file.
Then configure the HTTP server to do the authentication and all the logging you need. |
|
| Back to top |
|
|
| Vitor |
| Posted: Wed Oct 22, 2014 9:08 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
It's a shame WMB is not IIS, WAS or any other kind of web server. It's also a shame it's not a pixie dust mine, but I've learned to live with my disapointment.
| liminzhang wrote: |
| I could not find such a logging mechanism in WMB. |
You'll find a lot of the SOAP fault logging in IIS is missing as well. That's because WMB is still not a web server.
| liminzhang wrote: |
| So I tried monitoring all the terminals though this is not a good solution at all as I need to configure all the SOAPInput nodes in all message follows. However even this suboptimal solution does not work when authentication failure happens. |
So do you want to monitor authentication failures or HTTP traffic?
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| Vitor |
| Posted: Wed Oct 22, 2014 9:09 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| mqjeff wrote: |
The best solution for your requirement is to use an external web server, perhaps just Apache. then use the functions to export the Broker HTTP config as a mod_proxy configuration file.
Then configure the HTTP server to do the authentication and all the logging you need. |
Or front end your flow with an IIS application, as I assume from your post you have access / experience with that technolgy.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| liminzhang |
| Posted: Wed Oct 22, 2014 9:56 am Post subject: |
|
|
Novice
Joined: 29 Sep 2014
Posts: 11
|
Thank you all for the quick responses 
An external web server is unavailable for us. However your posts remind me a solution. I can create a Gateway web service provider in WMB. In the Gateway service provider, no authentication is required. Thus all the requests can be logged. Then the requests can be forwarded to the service provider which requires authentication. The drawback of this solution is one more redirection within WMB. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Wed Oct 22, 2014 10:24 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| You can install apache on the same server as broker, and configure the broker http listeners to only listen on localhost. |
|
| Back to top |
|
|
| liminzhang |
| Posted: Wed Oct 22, 2014 11:20 am Post subject: |
|
|
Novice
Joined: 29 Sep 2014
Posts: 11
|
| mqjeff wrote: |
| You can install apache on the same server as broker, and configure the broker http listeners to only listen on localhost. |
Cool. It is a good option. Because of the policy of my company, I couldn't install software without many approvals  . However I will try this option in suitable projects. Thanks again, mqjeff. |
|
| Back to top |
|
|
|
|
