and need to know few things as I am getting Internal error from server and I think it is related how am I generating Header port of SOAP.
Here is how it should look like:
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-CA07017CE54cDFC14720230904344">
<wsse:Username>test</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">******</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">xgy3s2Owe4zUNGc/2t3twA==</wsse:Nonce>
<wsu:Created>2016-08-24T07:18:10.434Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
ok, so:
- username is username :)
- password is cleardText from what I can see
- Nonce I am generating like this:
var nonce = new Date().getTime() * 1000;
nonce = new Buffer(nonce.toString()).toString('base64'); (Nodejs)
- And date is generated like below in sample.
My questions:
- UsernameToken ID: how this is generated? Must this be presented?
If my SOAP request looks like this, is this ok:
<soap:Header>
<wsse:UsernameToken>
<wsse:Password>1231231</<wsse:Password>
<wsse:Nonce>1232132131</wsse:Nonce>
<wsu:Created>2016-08-24T07:18:10.434Z</wsu:Created>
</wsse:UsernameToken>
</soap:Header>
Or must I put all http stuff end etc?
thank you very much!
MIha
I wish to add custom handler (axis2 handler) for to read custom headers in my message and validate user/password against the user store.
How would i achieve this.
My request security header will come like this
<soapenv:Header>
<pr:authent soapenv:actor="http://schemas.xmlsoap.org/soap/actor/next" soapenv:mustUnderstand="0" xmlns:pr="http://hh.eeeee.com/hh">
<pr:user>ssp</pr:user>
<pr:password>MW</pr:password>
</pr:authent>
</soapenv:Header>
Where as wso2 esb expecting WSSE standard format so the request is like this
<
soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soapenv:mustUnderstand="1">
<wsu:Timestamp wsu:Id="TS-4">
<wsu:Created>2014-06-02T07:15:21Z</wsu:Created>
<wsu:Expires>2014-06-02T08:38:41Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken wsu:Id="UsernameToken-3">
<wsse:Username>admin</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">byWKVY4stEATvTqaoNMswQ==</wsse:Nonce>
<wsu:Created>2014-06-02T07:15:21.304Z</wsu:Created>
</wsse:UsernameToken>
</wsse: >
</soapenv:Header>
How would i change the header as per wso2 standard or how to write security policy as per my client request for validating aganist of default userstore.
Thanks in Advance
We have the webservice xml request as below. for this I have developed the Orchestration. But while we are sending the request to client, we need to add the SOAP header.
Could you suggest me, how can I do this?
WebService XML Request
<?xml version="1.0" encoding="utf-8" ?>
<Request xmlns="http://modeler.ass.abc/efgh/">
<HeaderReq>
<PartnerID>E0</PartnerID>
<TimeStampSubmitted>2013-11-21T18:19:11</TimeStampSubmitted>
<Version>3.0</Version>
</HeaderReq>
<ApplicationREQ>
<ID>1</ID>
</ApplicationREQ>
</Request>
SOAP Header
<soapenv:Header>
<wsse:Security xmlns:wsse="http://adb.ddad-sdfad.org/wss/2010/01/fasd-201201-wss-wssecurity-secext-1.0.xsd">
<wsu:Timestamp wsu:Id="TS-10">
<wsu:Created>2013-10-11T17:26:52.890Z</wsu:Created>
<wsu:Expires>2013-10-11T17:51:52.890Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken wsu:Id="UsernameToken-10">
<wsse:Username>User</wsse:Username>
<wsse:Password Type="http://adb.ddad-sdfad.org/wss/2010/01/fasd-201201-wss-username-token-profile-1.0#PasswordText">xxxxxxx</wsse:Password>
<wsse:Nonce EncodingType="http://adb.ddad-sdfad.org/wss/2010/01/fasd-201201-wss-soap-message-security-1.0#Base64Binary">xxxxxxx</wsse:Nonce>
<wsu:Created>2013-10-11T17:26:52.889Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
You would need to use the property WCF.OutboundCustomHeaders
Example:
xmlDoc.LoadXml("<headers><Origination>Home</Origination><Destination>Work</Destination></headers>");
And then
RequestMessageInstance(WCF.OutboundCustomHeaders) = xmlDoc.OuterXml;
I found this example at this page: http://msdn.microsoft.com/en-us/library/bb246026.aspx
Hope this helps!
I want to pass username/password of userA and userB in one SOAP message. Therefore I want to pass two UsernameToken in one SOAP message.
I am thinking in two options:
Option 1)
UsernameToken elements inside Security element:
<soapenv:Header>
<wsse:Security xmlns:wsse="sec" xmlns:wsu="ut">
<wsse:UsernameToken wsu:Id="UsernameToken-3">
<wsse:Username>userA</wsse:Username>
<wsse:Password Type="text">passA</wsse:Password>
</wsse:UsernameToken>
<wsse:UsernameToken wsu:Id="UsernameToken-4">
<wsse:Username>userB</wsse:Username>
<wsse:Password Type="text">passB</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
Option 2)
A Security element for each UsernameToken:
<soapenv:Header>
<wsse:Security xmlns:wsse="sec" xmlns:wsu="ut">
<wsse:UsernameToken wsu:Id="UsernameToken-3">
<wsse:Username>userA</wsse:Username>
<wsse:Password Type="text">passA</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
<wsse:Security xmlns:wsse="sec" xmlns:wsu="ut">
<wsse:UsernameToken wsu:Id="UsernameToken-4">
<wsse:Username>userB</wsse:Username>
<wsse:Password Type="text">passB</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
--
What is the most standard option 1) or 2)? or other?
The most common case of using several users I might recollect is passing message through several intermediate nodes. In terms of SOAP specification they are named Actors and requires separate wsse:Security element with different soap:actor attributes. It corresponds to option 2) from your question.
Consider the next example from here:
<soap:Header>
<wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2003/06/secext">
<wsse:UsernameToken wsu:Id="sample" xmlns:wsu="http://schemas.xmlsoap.org/ws/2003/06/utility">
<wsse:Username>sample</wsse:Username>
<wsse:Password Type="wsse:PasswordText">oracle</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
<wsse:Security soap:actor="oracle" xmlns:wsse="http://schemas.xmlsoap.org/ws/2003/06/secext">
<wsse:UsernameToken wsu:Id="oracle" xmlns:wsu="http://schemas.xmlsoap.org/ws/2003/06/utility">
<wsse:Username>oracle</wsse:Username>
<wsse:Password Type="wsse:PasswordText">oracle</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
This example contains two blocks. The one with "oracle" attribute is used to authenticate the end-user, another without this attribute is used for authentication on the front-end gateway.
You may consider option 1) from your question if your use case supposes simultaneous authentication of several users that are not SOAP actors.
I'm using SOAPUI tool to access JAX-WS web services deployed in Weblogic 10.3.2
Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ws="http://ws.pc3.polk.com/">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsu:Timestamp wsu:Id="Timestamp-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2010-12-03T21:10:43Z</wsu:Created>
<wsu:Expires>2010-12-03T21:44:03Z</wsu:Expires>
</wsu:Timestamp>
<wsu:Timestamp wsu:Id="Timestamp-60" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2010-12-03T20:10:39Z</wsu:Created>
<wsu:Expires>2010-12-03T20:43:59Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken wsu:Id="UsernameToken-59" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>rwerqre</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">ewrqwrwerqer</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">Nmw0ksmiOX+hkiSoWb2Rjg==</wsse:Nonce>
<wsu:Created>2010-12-03T20:10:39.649Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<ws:getMetadata/>
</soapenv:Body>
</soapenv:Envelope>
Response:
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Body>
<SOAP-ENV:Fault xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<faultcode>SOAP-ENV:MustUnderstand</faultcode>
<faultstring>MustUnderstand headers:[{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood</faultstring>
</SOAP-ENV:Fault>
</S:Body>
</S:Envelope>
You can configure a dummy SOAPHandler for {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security that would mark this header as 'understood'.
Or you could change the SOAP request (on the caller side) to set mustUnderstand="0" in the security header.
Example security SOAP header with mustUnderstand="0":
<S:Header xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<wsse:Security S:mustUnderstand="0" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken>
<wsse:Username>USERNAME</wsse:Username>
<wsse:Password wsse:Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PASSWORD</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</S:Header>
After much research, this article solves this issue.
http://dwuysan.wordpress.com/2012/04/02/jax-ws-wsimport-and-the-error-mustunderstand-headers-not-understood/#comment-215
As per WS security specification:
The processor MUST, after decrypting the encrypted header block, process the decrypted header block according to the SOAP processing guidelines. The receiver MUST raise a fault if any content required to adequately process the header block remains encrypted or if the decrypted SOAP header is not understood and the value of the S12:mustUnderstand or S11:mustUnderstand attribute on the decrypted header block is true. Note that in order to comply with SOAP processing rules in this case, the processor must roll back any persistent effects of processing the security header, such as storing a received token.
So please check Configuration of CallbackHandlers.
Issue is with the Handlers. You need to add following in handler implementation
public Set<QName> getHeaders() {
final QName securityHeader = new QName(
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
"Security",
"wsse");
final HashSet headers = new HashSet();
headers.add(securityHeader);
return headers;
}
In SOAP UI Navigator,
right-click your project->Show Project View->WS-Security Configurations->Outgoing WS-Security Configurations
Uncheck Must Understand, and then send request.