We are using WSO2 EI 6.4.0 for SOAP and REST service mediation; some services require us to sign the requests or validate the message signature.
Deploying to Kubernetes, I'm considering migrating to WSO2 EI 7 (which is Ballerina based); however, at this point I am unable to find out how to secure (sign or validate) the SOAP payload.
At this point the only option I see is implementing the signing on my own (by XML manipulation or custom Java code).
Is it really so, or do we have any other (robust, out-of-the-box) options to enforce WS-Policy requirements?
Edit:
I found the wso2/soap module, which only supports UsernameToken (password and digest), which is already basic, but apparently we will need to extend it :(
I have a client written in C; it uses libcurl to send JSON to a RESTful API service (call it the server). The server is written in Java, and the RESTful API is implemented with Jersey, a JAX-RS implementation (it's very simple and can be switched to another JAX-RS implementation). Now I want to do some security work between the C client and the Java RESTful API server. I searched on the Internet, and it seems I should use Kerberos or SPNEGO for the HTTP access. I met some problems.
I want to use Kerberos/SPNEGO authentication. But I looked through the security part of the Jersey docs (https://jersey.java.net/documentation/latest/security.html) and I didn't find any Kerberos-related documentation. Do you know whether Jersey supports Kerberos?
If I switch to Apache CXF, is it easy to switch? I checked the doc about CXF Kerberos support. It looks too simple; do you have any detailed doc or simple example for supporting Kerberos authentication when using Apache CXF?
If there is anything wrong, please correct me. Thanks.
This is achievable with Jersey. Jersey Client uses CloseableHttpClient in its implementation.
If you want to use the SPNEGO authentication scheme for Kerberos, you may have to write a custom Connector and ConnectorProvider (I haven't found a way to set an AuthenticationScheme with ApacheConnector).
Check this post too for reference, in case it solves your use case: Can JCIFS be used with Jersey? :)
I need to encrypt my SOAP message with my private key before sending it to the server.
How do I configure Spring WS with private key encryption? If there are any links or code, please update.
You can always go with some Apache project like suggested, depending on the level of abstraction you want. You can use a lower-level library like Apache Santuario, or the balanced Apache WSS4J, or CXF WSS4J. But to me it seems like you want to use Spring. Spring has its own WSS4J wrapper, which I think they call 'Spring-WS', and signing XML (the SOAP envelope) is possible with it within Spring. http://docs.spring.io/spring-ws/site/reference/html/security.html <- Chapter 7 of the Spring Docs
You're going to need to create 1 or 2 keystores: one keystore to contain your private keys for signing, and the other for your public keys (certs) to see whom the service trusts. You can use Java keytool or openssl to create these. The following link shows you how to create them. http://cxf.apache.org/docs/ws-security.html#WS-Security-UsingX.509Certificates
You may also want to refer to: Sign SOAP request on client-side with Spring, for context
-mario
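As an added example (not from the answer above), here is how the two keystores mentioned in the answer are wired into a Spring-WS client with the WSS4J-based Wss4jSecurityInterceptor: the private key in the client keystore signs the outgoing Body, the server's certificate in the truststore is used for encryption, and the same truststore validates the signature on the response. Keystore paths, passwords and aliases are placeholders, and the endpoint URL is assumed.

```java
import org.apache.wss4j.common.crypto.Crypto;
import org.springframework.core.io.FileSystemResource;
import org.springframework.ws.client.core.WebServiceTemplate;
import org.springframework.ws.client.support.interceptor.ClientInterceptor;
import org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor;
import org.springframework.ws.soap.security.wss4j2.support.CryptoFactoryBean;

public class SignedSoapClient {

    // Loads a JKS keystore into a WSS4J Crypto (path and password are placeholders).
    static Crypto loadCrypto(String path, String password) throws Exception {
        CryptoFactoryBean factory = new CryptoFactoryBean();
        factory.setKeyStoreLocation(new FileSystemResource(path));
        factory.setKeyStorePassword(password);
        factory.setKeyStoreType("JKS");
        factory.afterPropertiesSet();
        return factory.getObject();
    }

    static Wss4jSecurityInterceptor securityInterceptor() throws Exception {
        Wss4jSecurityInterceptor wss = new Wss4jSecurityInterceptor();
        // Outgoing: add a Timestamp, sign with our private key, then encrypt for the server.
        wss.setSecurementActions("Timestamp Signature Encrypt");
        wss.setSecurementUsername("client-alias");          // alias of our private key (placeholder)
        wss.setSecurementPassword("client-key-password");   // placeholder
        wss.setSecurementSignatureCrypto(loadCrypto("client-keystore.jks", "keystore-password"));
        // Embed our certificate as a BinarySecurityToken so the server can locate the signing key.
        wss.setSecurementSignatureKeyIdentifier("DirectReference");
        wss.setSecurementEncryptionUser("server-alias");    // server cert alias in the truststore (placeholder)
        wss.setSecurementEncryptionCrypto(loadCrypto("truststore.jks", "truststore-password"));
        // Incoming: the response must carry a fresh Timestamp and a Signature by a trusted certificate.
        wss.setValidationActions("Timestamp Signature");
        wss.setValidationSignatureCrypto(loadCrypto("truststore.jks", "truststore-password"));
        wss.afterPropertiesSet();
        return wss;
    }

    public static void main(String[] args) throws Exception {
        WebServiceTemplate template = new WebServiceTemplate();
        template.setDefaultUri("https://example.invalid/service"); // assumed endpoint
        template.setInterceptors(new ClientInterceptor[] { securityInterceptor() });
        // template.marshalSendAndReceive(request) now sends a signed and encrypted envelope
        // and rejects responses whose signature or timestamp fails validation.
    }
}
```

Keeping validation actions on the client side is what makes the exchange mutual: without them the interceptor signs requests but accepts unsigned or tampered responses.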
I have been provided with a SOAP 1.1 WSDL and a password-protected P12 X.509 certificate to connect to a web service to periodically transmit records. I have also been provided with a how-to guide to sign the message using the X.509 certificate. The example provided illustrates how to sign the message and provide the appropriate security message headers. The sample code is in Java and includes functions for signing the message which interact with the SOAP message directly.
The application I'm writing is a C# console app with Entity Framework elements to retrieve the data.
My question is related to the best approach for tackling this problem:
Use WCF with static configuration where possible.
Use WCF with programmatic configuration (e.g. using custom MessageHeaders).
Use WebRequest/WebResponse and craft the messages manually.
Use WSE 3.0 and convert the WSDL to a proxy class using the older command line tools.
I've been investigating the WCF routes - WCF is ideal if you control both sides of the equation - but the articles are thinning out for my specific use case.
I have done a few use cases on WSO2 ESB, including protocol mediation with transformation and service chaining.
In all of them I had to manually write the WSDL for the proxy service, having experienced other vendor products, including Oracle and Tibco, where WSDL generation is done by the tool.
Would it be right to assume that in WSO2 ESB one needs to manually write the WSDL file to expose a proxy service on any protocol? I do not see any documents calling that out.
Considering the usage of WSDL in practical use cases:
I have seen posts stating "you can give the WSDL available at your Axis2 service", but most real-time use cases would not be pass-through and would have custom requests and responses.
Thanks,
Wajid
I'm also confused by manual WSDL creation. As far as I can see, there are gaps in the WSDL proxy description. When I do a WSDL proxy with WSO2 I have to indicate the WSDL to expose,
either as:
"none", and I have only the mediate function exposed;
"same contract", and this breaks the whole idea of the proxy, because after that clients read the original WSDL and go straight to the original server access point;
or I have several options to make my own WSDL.
With a rich SOAP API (hundreds of methods) none of the above works well, considering that manual maintenance of the exposed WSDL is rather cumbersome.
I wonder if there is a more adequate way of proxying WSDL?
You can use the java2wsdl generator tool to achieve the WSDL generation.
For the proxies, if you want to restrict access to some operations of your backend service, you can attach a customized WSDL to the proxy.
The customization has to be done by yourself, and it is simple.
If you want to generate a WSDL for your service, just deploy the service in WSO2 AS and check the WSDL option on the service dashboard to view the WSDLs.
I have a JAX-WS @WebServiceProvider and would like to support both the SOAP 1.1 and 1.2 protocols. I handle creation of the response SOAPMessage of the proper version manually. I have a WSDL describing bindings for both the 1.1 and 1.2 protocols.
But the service endpoint is only able to support either version at a time.
I would appreciate either a solution or a pointer to a piece of documentation where it's stated that it's impossible.
P.S. I'm using WebSphere 7 app server, which is bundled with JAX-WS 2.0 (which is Axis2 based).
I experienced the same problem. The main issue for me is that it is not possible to compile the class with both @BindingType(value = SOAPBinding.SOAP12HTTP_BINDING) and @BindingType(value = SOAPBinding.SOAP11HTTP_BINDING). Have a look at this http://www-01.ibm.com/support/docview.wss?uid=swg1PK96819 and this http://www-01.ibm.com/support/docview.wss?uid=swg1PK83482; it should be possible to set @BindingType(SOAPBinding.SOAP_HTTP_BINDING) to have both SOAP versions delivered. Unfortunately, it did not compile with the WebSphere runtime environment either, which I don't understand.
I recently dealt with a service deployment issue related to trying to simultaneously enable both SOAP 1.1 and 1.2 for a service (on WebSphere v7.0). Unfortunately, I don't think that your question gives enough information to provide a specific solution.
It IS possible to support both bindings at the same time, but there are some considerations. I think the main thing is that the server has to be able to listen on separate endpoints (URLs) for each binding. As near as I can tell, this requires appropriate entries in your web.xml and/or your webservices.xml configuration files.
For an annotation based service, these configuration entries are theoretically optional; but when you try to enable multiple bindings for a given service without the "optional" configuration entries, the WAS Axis2 extension fails with various possible exceptions.
If you could provide more detail about your wsdl, and the relevant portions of web.xml and webservices.xml (if any), as well as any error messages reported in the WAS log(s) during deployment and application startup, then I could probably give a better answer.