I have a JAVA web application which consumes WSO2 admin service - ServerAdmin and this need to be migrated to ASP .NET technology.
I tried to get client stub for AuthenticationAdmin (to get cookie which is needed for subsequent Admin service requests) using the client method login (username,password,server-name) , and the method returns "true"
But , how can I get the cookie from the response ?Or any AuthenticationAdmin client method which returns cookie ?
Raw XML response as below :
XML Response message as below :
<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body><ns:loginResponse xmlns:ns="http://authentication.services.core.carbon.wso2.org"><ns:return>true</ns:return></ns:loginResponse></soapenv:Body></soapenv:Envelope>
The Cookie is presented in the Response Headers. So, you will find the JSESSION Cookie in the Response Headers of the Authentication Admin service call. You can use JSESSION cookie to call the subsequent Admin Services in the WSO2 platform.
Related
I am having WCF client which consumes SOAP based web service which has OAuth authentication. My WCF service gets consumed by some other service but my issue is about authentication when it consumes web service.
My WCF client, consumes web service using proxy generated classes approach. I am able to get Bearer token for OAuth authentication and pass it to request http header as well however, proxy generated class expects binding configuration as well.
var client = new ExchangeServicePortTypeClient("EndPointConfigurationName", "WebServiceURL")
I have tried basicHttpBinding, customBinding (AuthenticationMode="IssuedToken/IssuedTokenForCertificate/IssuedTokenOverTransport"), wsHttpBinding (security mode Message & ClientCredentialType 'IssuedToken" but no luck.
I am assuming due to wrong not supported binding configuration authorization bearer token I am sending is not getting accounted.
I am able to consume this web service from console application successfully where I am not using proxy generated classes approach. So I just required to pass authorization bearer token in header and no binding information.
request.Headers.Add("Authorization", "Bearer " + accessToken);
Can someone please suggest what binding information I should add in my WCF client which can support OAuth authentication ?
Thanks,
I have a web service which is validated by OAuth (Authorization code).
I am using Oracle IDM stack (OAM /Oath service , OES etc).
The issue is - I want to have OAUth validation only when a webService API is processed at the backend, but not when a client is just browsing a WSDL or XSD.
In my current implementation, I am using filter in the web.xml and I have added web service name ( which is web service Servlet) URL in the filters. The url to browse the service and execute the service, will have same name except the ?WSDL at the end of the URL, in case of WSDL/XSD query.
So, the problem is when I query WSDL, then also it goes goes via OAuth validation, which I don't want!
I tried to add logic to determine if the http query string is ?WSDL then by pass OAUTH validation, but it does not work because clients like SOAP UI and others can actually use ?WSDL in the URL, to even execute the web service API, which sort of fails the whole validation purpose.
Has anyone come across similar issue? how to resolve this issue ?
I have a web service for which the user authentication is provided by web browser Single Sign-On authentication method , through which a human user is automatically logged in with his/her company email ID from a web browser.
I have written a java Jersey 2.x client (a non human consumer of web service). In client code I am using HttpAuth as
HttpAuthenticationFeature feature = HttpAuthenticationFeature.basic("ENTER_USERNAME_HERE", "PASSWORD_HERE");
But the client fails stating the HTTP status code as 302 (redirection error)
Then I used curl for the same and received the response as an HTML page stating
The document is moved here(<-- a link containing websso url to my resource).
After searching on SO I enabled the FollowsRedirection feature for my jersey client and now the error is changed to
Exception in thread "main" javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
Any pointer on how to handle this authentication problem ?
The issue was finally resolved , so I am going to answer my own question,
After all the RnD , it was clear that there isn't any sophisticated way for passing (Authenticating) the WEb SSO (Single Sign-On) from jeresy 2.x client code.
Although I found some interesting articles regarding kerberos here and here.
So , finally
I created an other URL path as
/AuthWithCert CONTEXT in server proxy configuration and added the requests coming from this path as an exclusion in webSSO login conf.
So automatically the authentication was pointed to default (HttpBasic Client Auth) without any redirection error and the client worked fine.
We have a web application in Spring MVC and also the web services are implemented using Spring Web Service. They are SOAP based.
I have couple of queries in CSRF front.
If there is a CSRF vulnerability for SOAP based web services? I dont think it should be as SOAP is XML. But still not sure if I am missing out on any thing.
If there is CSRF vulnerability for SOAP based web service, then how can a incoming request be validated? As for CSRF the token is once generated by the server and then the client (usually browser) send that token again to the server. How is this possible with web service calls.
Any inputs on this will be a help. Thanks in advance.
If the SOAP service authenticates requests using user ID and password sent in the SOAP header, then it will not be vulnerable to CSRF attacks. Note however that if that service is used by a Web application, then the Web application itself may still be vulnerable to CSRF attacks.
Only if you are authenticating bys somehting that will be sent by the client / User Agent / Browser automatically - such as a Cookie or NTLM / Kerberos token.
In this case an attacker could host a website that posts soap to your application and confince the user to visit it. The friendly browser would just punt the Cookie in with the request (or automatically authenticate with windows if set in browser/site).
Currently we are using wso2 IS 4.1.0 version, entitlements service for policy decisions. As entitlement service is a secured service we authenticate and get the cookie then pass the cookie along with the entitlements service requests. we are using jsessionid cookie and ran into a situation where if the wso2 is goes down we have to restart our app as it has a stale cookie we refresh the cookie on a time interval every 15 min. Is there a way in wso2 is to persist the cookie if it get restarted. we tried commenting the inside wso2is-4.1.0\repository\conf\tomcat\carbon\META-INF.
Can you suggest on how we can configure for persistence of jsessionid cookies in wso2is
Thanks
Kishore
User session (jsessionid) is not persisted in server side. So you can re-authenticated after 15min and get a new jsessionid. (If you received an authenticate failure, you can re authenticated). you need to implement PEP in such way.
If you are using basic authentication to authenticate with entitlement service. You can send both cookie (jsessionid) and basic auth header... if cookie is valid it would be authenticate with cookie, if not use basic auth headers and returns the new cookie to client. you can find some java code for this here.. but this is not for entitlement service but you can use....
[1] https://github.com/soasecurity/soasecurity/blob/master/user-mgt/client/remote-user-400/src/main/java/org/soa/security/sample/user/mgt/SampleUserRoleMgtClient.java