JWT Enrichment with external rest service - wso2

I am working with WSO2, and I need to enrich the JWT token for every request.
The enrichment needs to be done by an external REST service.
We are using WSO2 2.2.
I am trying to enrich the JWT by extending the class "org.wso2.carbon.apimgt.keymgt.token.JWTGenerator"
and by using the Java HttpClient library to work with the REST service.
But it seems not natural to use HttpClient code inside an APIM product.
This is the code that I can use, but it seems that WSO2 should be able to give me a better way to connect to an API as a client.

If you want to talk to an external REST service to fetch user claims, I don't see a problem with using an HTTP client. I don't understand why it's not natural to use an HTTP client to call an HTTP service. :)
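An added example of the approach the answer endorses (not code from the question or from WSO2): a generator extending JWTGenerator that calls the claim service with the JDK's own HttpURLConnection, with a bounded timeout and an allow-list so the external service can add only the claims you expect and never overwrite sub, exp, aud or similar. The WSO2 signatures (populateCustomClaims(TokenValidationContext), getValidationInfoDTO().getEndUserName()) are assumed to be those of API Manager 2.x; the claim service URL, the claim names and the org.json dependency are assumptions too.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.json.*;
import org.wso2.carbon.apimgt.api.APIManagementException;
import org.wso2.carbon.apimgt.keymgt.service.TokenValidationContext;
import org.wso2.carbon.apimgt.keymgt.token.JWTGenerator;
// Extends the stock generator; the WSO2 method signatures are assumed to be those of APIM 2.x.
public class ExternalClaimJWTGenerator extends JWTGenerator {
    private static final Log log = LogFactory.getLog(ExternalClaimJWTGenerator.class);
    private static final String CLAIM_SERVICE = "https://claims.internal.example/v1/claims"; // hypothetical, HTTPS only
    private static final int TIMEOUT_MS = 2000; // runs on every request: bound the wait
    // Allow-list: the external service may add only these claims, never sub/exp/aud and friends
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList("department", "costCenter", "tier"));
    @Override
    public Map<String, String> populateCustomClaims(TokenValidationContext ctx) throws APIManagementException {
        Map<String, String> claims = new HashMap<>();
        Map<String, String> base = super.populateCustomClaims(ctx); // configured claim retriever, may be null
        if (base != null) claims.putAll(base);
        claims.putAll(fetchExternalClaims(ctx.getValidationInfoDTO().getEndUserName()));
        return claims;
    }
    // Calls the claim service with the JDK client; on any failure the token is issued without the extra claims
    private Map<String, String> fetchExternalClaims(String user) {
        Map<String, String> result = new HashMap<>();
        try {
            URL url = new URL(CLAIM_SERVICE + "?user=" + URLEncoder.encode(user, "UTF-8"));
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setConnectTimeout(TIMEOUT_MS);
            conn.setReadTimeout(TIMEOUT_MS);
            if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) {
                log.warn("claim service returned HTTP " + conn.getResponseCode());
                return result;
            }
            try (Reader in = new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8)) {
                JSONObject json = new JSONObject(new JSONTokener(in));
                for (Iterator<String> it = json.keys(); it.hasNext(); ) {
                    String key = it.next();
                    if (ALLOWED.contains(key)) result.put(key, json.getString(key)); // anything else is dropped
                }
            }
        } catch (IOException | JSONException e) {
            log.warn("claim service call failed", e);
        }
        return result;
    }
}
```

Whether a failed lookup should instead reject the request (throw APIManagementException) depends on what the backend does with the missing claims; the backend should treat an absent claim as "not entitled" for anything it gates.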

Related

Stateful SOAP webservice example

I am trying to do a POC where I need to invoke a stateful SOAP web service. I need to do a login call first to the SOAP web service and get the session id (or cookie or something like that) and use the session id for making subsequent calls to the web service. I want to know if there is any sample stateful SOAP web service hosted on the internet for which I can generate the client and try invoking the web service to verify stateful operation. Any other pointers on how I can do this are also very welcome.
If this POC is successful we will be invoking a stateful SOAP web service hosted by one of our vendors, and we will be using a TIBCO BW client to call the SOAP web service.
You can invoke the WebServiceDefinitionLanguage from the WSDL attached in the link. It brings encouraging quotes.
You may use the SOAP activity in BW, or import the WSDL as a resource first and then use any SOAP or web service activity.
Check this Java project on GitHub; it is a multi-cloud Java project that invokes web services and REST services from many cloud providers and many sites. It gives you an idea of how to do it.
Of course, in BW it is really easy to do. Basically: start activity, SOAP activity, log, call subprocess, catch errors, end process.
A stateful or stateless SOAP web service call is just like any other web service call. In your case, since you have to get the response (i.e. the received token) of the first web service call and use it in the subsequent calls, I think you should focus on how you would cache the cookie/token that you receive from the first call. Also, if there is an expiry associated with the life of the token received in your response, work on the technique of refreshing the token, for which the SOAP API provider will have to provide you a token expiry interval.

Securing Rest API in WSO2 ESB

Can we implement a secured API in WSO2 ESB, and can we provide an existing user's credentials (as a header), for a user who is in the ESB's user store, to access it?
This scenario can be done in an ESB proxy (Guide) by providing a policy file. Can't we do the same in an API too? If not, what is the reason behind that?
If you are going to secure the APIs using OAuth2 you can use the OAuth mediator, but if you are looking to use basic auth you need to write a class mediator (here is an old article; you can get a brief idea of implementing a basic auth class mediator even though the details are outdated).

RESTful API and SOAP service

I am learning SOAP and I have some questions:
If I have a SOAP service, and if my understanding is correct, then the consumer will need to import the WSDL and generate the stubs to consume my service?
If I have now exposed the SOAP service with a RESTful API with the help of an ESB in between, does that mean the consumer no longer needs to import any WSDL to generate the stubs?
Yes - the idea behind the SOAP specification (WSDL) is that clients can use it to create a proxy for calling the service and not have to figure out the details for themselves. It is very hard to connect to a SOAP service without using a WSDL.
In this case the ESB does the calls to the actual service, and the REST interface is a new interface the client should use to communicate with the service.

API Manager passing JWT to backend service

A backend service needs to know the user for the service call. Reading through the API 1.6.0 documentation I have configured it to generate JWT and removed and republished my services as stated. Running tests, I am not seeing the JWT being passed to the backend service in the response headers in Fiddler. I am not using the ESB or Identity services from WSO2.
What am I missing?
JWT information should be passed in the header under the parameter X-JWT-Assertion. The content is encoded. Use TCPMon to intercept the request and see if the API Manager is actually passing the JWT. This would be a good starting point for debugging.
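An added example, not from the question or from WSO2, of the receiving end of what the answer describes: once TCPMon shows X-JWT-Assertion reaching the backend, the backend should verify the assertion's signature against the Gateway's public key before trusting the user it names, since anyone who can reach the backend directly can set that header themselves. It assumes the API Manager signs with SHA256withRSA and that you have exported the Gateway's certificate from its keystore to obtain the public key; the key pair and claim payload in main are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

// Backend-side check of the X-JWT-Assertion header. The algorithm is fixed here (SHA256withRSA, i.e. RS256)
// and the key is the Gateway's public key exported from its keystore: the token's own header is never
// consulted to choose either, so an "alg":"none" token or one signed with a foreign key cannot pass.
public class JwtAssertionVerifier {
    private final PublicKey gatewayKey;
    public JwtAssertionVerifier(PublicKey gatewayKey) {
        this.gatewayKey = gatewayKey;
    }
    // Accepts base64url or plain base64, padded or not, so the check does not depend on the encoding used
    private static byte[] decode(String segment) {
        return Base64.getDecoder().decode(segment.replace('-', '+').replace('_', '/'));
    }

    // Returns the claims JSON if the signature verifies, otherwise null (treat null as "no authenticated user")
    public String verifiedClaims(String headerValue) {
        if (headerValue == null) return null;
        String[] parts = headerValue.trim().split("\\.");
        if (parts.length != 3) return null; // expect header.payload.signature
        try {
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initVerify(gatewayKey);
            sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
            if (!sig.verify(decode(parts[2]))) return null;
            return new String(decode(parts[1]), StandardCharsets.UTF_8);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return null; // bad encoding or a key/algorithm problem: never fall back to trusting the payload
        }
    }

    // Stand-alone demo with a throwaway key pair: a constructed assertion verifies, a tampered payload does not
    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString("{\"typ\":\"JWT\",\"alg\":\"RS256\"}".getBytes(StandardCharsets.UTF_8));
        String payload = enc.encodeToString("{\"http://wso2.org/claims/enduser\":\"alice\"}".getBytes(StandardCharsets.UTF_8));
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update((header + "." + payload).getBytes(StandardCharsets.US_ASCII));
        String signature = enc.encodeToString(s.sign());
        JwtAssertionVerifier v = new JwtAssertionVerifier(kp.getPublic());
        System.out.println("genuine:  " + v.verifiedClaims(header + "." + payload + "." + signature));
        String forged = enc.encodeToString("{\"http://wso2.org/claims/enduser\":\"admin\"}".getBytes(StandardCharsets.UTF_8));
        System.out.println("tampered: " + v.verifiedClaims(header + "." + forged + "." + signature));
    }
}
```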

SAML client as WSO2 ESB class mediator

I'm using this Access SAML Service example as a class mediator to access a SAML-secured endpoint web service. This example works fine when run as a standalone Java program with a main method.
Here is how I use it from WSO2:
1) Create an HTTPS username token custom proxy on top of the actual SAML-secured web service
2) Create a class mediator from the above example.
3) Access the class mediator to invoke the endpoint web service.
The class mediator seems to be working fine until it gets the SAML token; however, the remaining piece of logic, engaging Rampart for the endpoint and applying the relevant security to the outgoing SOAP message, doesn't seem to work.
Any pointers on this issue would be useful.
I don't quite understand what the problem is, so what you have so far is something like this: saml2-web-browser-based-sso-wso2-identity-server
And the problem is that you want to get the secure token from the SAMLResponse?