Is there an example implementation of validating HMAC in .NET Core 5 WebApi? I've been following the guidance from here https://developers.docusign.com/platform/webhooks/connect/hmac/
but signatures never seem to match in my application
Related
We are using wso2ei 6.4.0 for SOAP and REST service mediation, some services are required to sign the requests or validate the message signature.
Deploying to Kubernetes I'm considering to migrate to WSO2EI 7 (which is Ballerina based), however at this point I am unable to find out how to secure (sign or validate) the SOAP payload.
At this point the only option I see is implementing the signing on my own (by XML manipulation or custom Java code).
Is it really so or do we have any other (robust, out of box) options to enforce WS-Policy requirements?
Edit:
I found the wso2/soap module, which only supports UsernameToken (password and digest), which is already basic, but apparently we will need to extend it :(
I need to encrypt my soap message with my private key before sending it to server
How do I configure Spring Ws with private key encryption.If any links or code please update
You can always go with some Apache project like suggested depending on the level of abstraction you want. You can use a lower level library like Apache Santuario, or the balanced Apache WSS4J, or CXF WSS4J. But to me it seems like you want to use Spring. Spring has it's own WSS4J wrapper which I think they call 'Spring-WS', and signing xml (the soap envelope) is possible with it within Spring. http://docs.spring.io/spring-ws/site/reference/html/security.html <- Chapter 7 of the Spring Docs
You're going to need to create 1 or 2 keystores. One keystore to contain your private keys for signing and the other for your public keys (certs) to see who the service trusts. You can use java keytool or openssl to create these. The following link shows you how to create them. http://cxf.apache.org/docs/ws-security.html#WS-Security-UsingX.509Certificates
You may also want to refer to: Sign SOAP request on client-side with Spring for context
-mario
I have been provided with a SOAP 1.1 WSDL and a Password protected P12 X509 certificate to connect to a web service to periodically transmit records. I have also been provided with a how to guide to sign the message using the X509. The example provided illustrates how to sign the message and provide appropriate security message headers. The sample code is in Java, and includes functions for signing the message which interact with the SOAP message directly.
The application I'm writing is a c# console app with entity framework elements to retrieve the data.
My question is related to the best approach for tackling this problem:
Use WCF with static configuration where possible.
Use WCF with programmatic configuration (e.g. using custom
MessageHeaders).
Use WebRequest/WebResponse and craft the messages manually.
Use WSE 3.0 and convert the WSDL to a proxy class using the older command line tools.
I've been investigating the WCF routes - WCF is ideal if you control both sides of the equation - but the articles are thinning out for my specific use case.
I have a .WSDL file from our client company, for which I need to use to call a web service. Their system is SAP (SAP PI). My application is a C# .NET 3.5 client developed in VS 2008. I added a Service Reference in Visual Studio using their provided .WSDL file. This created a reference class for me to use to call their service, and set up several bindings in the app.config file for me.
I did not change anything in the app.config file, but did create code to call their web service. However, when I call their webservice, I receive the following exception:
The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Basic realm="SAP NetWeaver Application Server ..."'.
(I modified slightly the string used in the 'Basic realm' section so as to not give it out.)
Did the app.config not get built correctly from the WSDL? Am I supposed to modify the app.config file somehow?
Things I've tried:
changed authenticationScheme in app.config from Anonymous to Basic
(as well as all the other authentication types)
changed realm string in app.config to match the realm in the exception message
set username/pw fields in the ClientCredentials.Username object in my code
Any pointers or help would be appreciated.
Edit: After some more investigation, I found that Visual Studio has several warnings about the extension element Policy and Policy assertions:
Custom tool warning: The optional WSDL extension element 'Policy'
from namespace 'http://schemas.xmlsoap.org/ws/2004/09/policy' was not
handled.
Custom tool warning: The following Policy Assertions were not Imported:
XPath://wsdl:definitions[#targetNamespace='urn:sap-com:document:sap:rfc:functions']/wsdl:binding[#name='Binding_FieldValidation']
Assertions: ...
I wasnt able to find out if this was related or not to my current issue with the authentication scheme. It does seem to be related, but I havent been able to find any solutions to getting these policy warnings resolved either. It seems WCF doesnt handle the statements in the wsdl very well.
Most SAP services dont support anonymous.
So pass some form of authentication data with the call.
User and password / X.509 Ticket...
If you are sending auth data with the call the try this
Ask the SAP guy to regenerate the WSDL with
No SAP assertions, No policy, SOAP 1.1.
You can also try and edit the WSDL by hand to remove the extra guff...
As a starting point, I'd verify that you can call the service successfully with the provided username and password. Use something like SoapUI to test that everything works correctly - just create a new project, import the WSDL provided by SAP PI, set the username and password and execute the call. You'll probably get some form of exception with an empty payload, but at least that'll verify that the username and password are correct.
Once you've verified that's working, check that your application is calling the service correctly and that the http basic authentication headers are being sent. You can confirm this by using a network monitoring tool and checking that the http request is being generated correctly. Something like netcat for Windows can do it - just make it listen to a port on your local machine and then specify localhost and the port as your SOAP endpoint.
Once you've verified both of those are correct, your call should succeed.
There must be the Basic authentication header missing or something wrong
with the credentials.
SAP PI always defaults to Basic Authentication if a Service is published via it's SOAP Adapter. I would investigate if WCF really does send out that header (e.g. Point your client endpoint to TCP Gateway and let TCP Gateway point to the SAP PI Endpoint from the WSDL).
About the Warnings: AFAIK the WSDL generated by SAP PI will always contain these Policy Tags, you can't really ommit it. What you can do is simply throw them out as they are not really validated
Working on a docuSign integration with Coldfusion and need assistance in making the SOAP request using WS security.
Your question is a little short on detail, but I presume you mean the Web Services SOAP security extension.
We had to do this a few years back when communicating with a .NET web service. The basic idea is that you provide a set of extra SOAP headers that contains security info such as:
Timestamp
Username
Password
Etc
To do this you need to create a new XML document as per the standard defined here. Next you will need to write code to create the SOAP headers. This means:
Create your remote web service object, e.g.
var objWebSvc = createObject("webservice", "http://remoteURL?WSDL");
Creating an XML document to represent the new headers
Populating it with the required info (such as username and timestamp etc.)
Adding the XML document to the web service object, using addSOAPRequestHeader()
Call your remote web service
Then of course if and when they call your web service you'll need to parse out those headers from their SOAP request and validate them. That can be done by grabbing the XML using getSOAPRequestHeader() and parsing out the info.
I found this to be an error prone task and (basically) a royal pain. The web service we integrated with eventually dropped the requirement, apparently becuase the any web services trying to connect that were not native .NET were having a hard time implementing the specification.
Good luck!
I blogged this a while back. See if this helps:
http://onlineanthony.blogspot.com/2010/05/using-ws-security-for-soap-in.html