Accessing a SOAP service URL from a Client's point of view

I was asked this question in a technical interview for an integration intern role.
He was digging much into understanding of SOAP web services.
Question). Consider that you are exposing a web service through SOAP to a Client.
The url through which you are providing the service is up and running when you check it.
But the Client has a problem, he is not able to access your webservice.
How will you go on troubleshooting this issue?
My response:
I would first check whether the URL the client is using to access the service is correct.
I will check the .wsdl file (port, bindings) and will check whether, upon sending a SOAP request to the URL, I receive the SOAP response locally through SoapUI.
If I get an error, I will troubleshoot based on the kind of error I get, like page not found, null exception, etc.
I felt he was still expecting some other point. He hinted at it, asking in which registry you would check all the web services that have been hosted (I guess this was much of a production support issue :P).
I told him I might look into the UDDI registry, but was not sure about this.
Please let me know your inputs on what could be possibly a right approach?

Apache jUDDI PMC here. Yes, UDDI could be used to verify that the client is pointed at the right location, assuming the client knows where the UDDI server is, that the service is registered, that the client knows what to query for on the UDDI server, and that a UDDI query is part of that client's normal workflow. That's a lot of assumptions but certainly feasible.
Most of the time, the endpoint is in a config file somewhere or some idiot hard coded it.
That said, this is my go-to list for checking SOAP service connectivity (from the client's perspective):
DNS resolution of the hostname in the URL
Ping the remote host
HTTP GET to the URL of the SOAP service + ?wsdl (this usually works). This is also a good time to verify SSL connectivity.
You can also parse the WSDL doc, assuming one is returned, to identify the endpoint URL.
Finally, if that all works, execute the service. HTTP 200 is generally a positive sign.
Edit:
Another alternative approach is to implement a very simple API (WSDL method) on every SOAP service that simply returns a true/false that answers the question "Am I open for business?". This method would provide a standardized approach for identifying if a service was available or not by testing any external dependencies (databases and whatnot).
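The WSDL-parsing step of the checklist above, as an added Python example (not code from the answer): it pulls the advertised `soap:address` locations out of a WSDL and reports where they differ from the URL the client is configured with, a common reason the `?wsdl` fetch succeeds while the actual call fails. The sample WSDL, host names and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Namespaces of the SOAP 1.1 and SOAP 1.2 WSDL binding extensions.
SOAP_NS = ("http://schemas.xmlsoap.org/wsdl/soap/",
           "http://schemas.xmlsoap.org/wsdl/soap12/")

# Constructed, trimmed sample WSDL (not from a real service).
SAMPLE_WSDL = b"""<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <service name="OrderService">
    <port name="OrderPort">
      <soap:address location="http://app01.internal.example:8080/orders"/>
    </port>
  </service>
</definitions>"""


def wsdl_endpoints(wsdl_bytes):
    """Return the soap:address locations advertised in a WSDL document."""
    # The WSDL is remote input: accept UTF-8 only and refuse any DTD, so
    # entity-expansion payloads are never handed to the parser.
    text = wsdl_bytes.decode("utf-8")
    if "<!DOCTYPE" in text or "\x00" in text:
        raise ValueError("WSDL contains a DTD or NUL bytes; refusing to parse")
    root = ET.fromstring(text)
    return [el.attrib["location"]
            for ns in SOAP_NS
            for el in root.iter("{%s}address" % ns)
            if "location" in el.attrib]


def _origin(url):
    """(scheme, host, port) with the default port filled in."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, (p.hostname or "").lower(), port)


def compare_endpoint(client_url, wsdl_bytes):
    """List where the client's URL and the advertised endpoints disagree."""
    client = _origin(client_url)
    findings = []
    for adv in wsdl_endpoints(wsdl_bytes):
        for label, c, a in zip(("scheme", "host", "port"), client, _origin(adv)):
            if c != a:
                findings.append("%s: client uses %s, WSDL advertises %s" % (label, c, a))
    return findings
```

A scheme finding where the WSDL advertises `http` while the client uses `https` also means any generated stub that trusts the WSDL would send requests in cleartext.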

Related

How to configure SOAP endpoint on my PC

I'm new at using SoapUI, I'd like to know if my machine supports SOAP and in case yes, what I can use as an endpoint for my newly created SoapUI project.
My machine is a Windows-10, and on top of that I have installed Cygwin (enabling some UNIX features).
Does somebody know how I can retrieve a possible value for an endpoint for my SoapUI project?
Oops, from the comment I have the impression that my question is badly formulated: on my PC I have a server application, of which I don't know if it supports SOAP (I know it supports HTTP because I'm using localhost in a browser to access it).
However when I use localhost or 127.0.0.1 as an endpoint in my SoapUI project, nothing happens (I see no response and the request log stays empty), hence my question.
By default, most applications will not act as a SOAP provider, as it is much more complicated than REST/HTTP, for example.
If your application has the capability of a SOAP provider, it is usually SOAP over HTTP. But you need to know the correct endpoint url address.
Not only 127.0.0.1
Usually there is a servicename in the url (and you can also try to show wsdl with ?wsdl), like http://127.0.0.1/myapplication/myservice?wsdl
When setting up a new SoapUI project, you also have to provide the WSDL location
(http://127.0.0.1/myapplication/myservice?wsdl)
Regards, rka

TomEE server is not passing web service request to the webmethod

I am new in the area of SOAP Based web services. I am using TomEE server. The server is a bit customized according to my organization's need.
A few days back, when I was trying to run the web services example from the TomEE website, I was able to generate the WSDL and call the web service from a client.
Now, when I need to use the customized version of TomEE Plus (by the organization), I can see that the request does reach the server and hence there is a log entry too, but my @WebMethod is not getting executed.
Does anyone have any idea about any configuration which can prevent the request from reaching the web service method? Is there any pointer on how I can debug further to reach the root cause of this issue?
Without further information about what is customized it's like fishing in the dark.
I would guess that perhaps the global web.xml or the server.xml of tomee server is changed so that some URI context mappings are not forwarded or ignored. But it's only a lucky tip.

Redirect outgoing HTTPS request to an HTTP fake service?

My title might be overly specific - I'm having trouble formulating the question, since I haven't dealt with network administration a lot, and especially not SSL / HTTPS. In other words, the answer to "Why haven't you done . . ." is likely to be, "I don't know much about ...."
I am testing, and the System Under Test (SUT) is a web service calling into the Facebook API using https://graph.facebook.com.
I have a test server set up on a remote machine that will serve pages to http://graph.facebook.com. I can use the hostfile on the SUT server to redirect requests to http://graph.facebook.com to the test server. This works fine when I then type:
curl http://graph.facebook.com
The test server receives the request, and serves back the expected page.
However, as mentioned before, the SUT isn't using the HTTP site, but the HTTPS site for the Facebook API (naturally). Is there any way I can intercept the outgoing request and redirect it to the HTTP service that I'm running on the other site? I'd like to be able to type:
curl https://graph.facebook.com
and have it be redirected to the fake Facebook service I'm running on the test server. I can configure the servers at both ends.
If this is very difficult, I might also want to put in a feature request for the ability to change the URL for the Facebook API requests. However, I think the dev is using a pre-existing Facebook API module, and this might not be straight-forward. (Okay, I got curious and checked . . . a quick investigation suggests that the API supports data injection of the code that handles the actual HTTPS requests, so he'd have to implement his own version of the interface so that he could pass in a configurable URL that I could set from outside of the code - but I'd still rather not distract him unless it's really necessary).
I'm using an asis-server on port 80 to fake the Facebook responses, if that is relevant.
The solution we ended up using was a service on the test server that intercepted the HTTPS requests and redirected them to the HTTP service. Our ops person used nginx for this.
We're still not sure if this will work as a mock for the SUT - it depends on if the SUT is verifying the certificate information or ignoring it. I still might need to ask the developer to implement a feature to support mocking.

Do you know of an NGiNX module that performs something similar to verification of Amazon Web Service request signatures?

I'd like to restrict access to my web service to registered clients. The first thing I thought of was to mimic that of AWS which, in a nutshell, issues clients a non-secret and secret key pair, and requires clients to prove knowledge of the secret key by using a cryptographic function of some of the HTTP request data and the secret key, then specifying the output of the crypto function in a request header. AWS does the same and checks that the expected signature matches what the client has specified. The secret is not transmitted, blah blah. This is pretty typical and not that interesting albeit useful.
http://mws.amazon.com/docs/devGuide/Signatures.html
http://chrisroos.co.uk/blog/2009-01-31-implementing-version-2-of-the-amazon-aws-http-request-signature-in-ruby
My preferred web server for web services is nginx. I'd like to start requiring similar request signatures in certain services. It makes sense to me to create an nginx module that handles request signature validation before ever sending the request to an upstream process (my web service instance(s)).
Do you know of such an nginx module? Do you know of a different one that I can base my work off of?
There's a decent nginx module writing guide here:
http://www.evanmiller.org/nginx-modules-guide.html
Please note that I'm not asking "how do I write a nginx module?" I'm simply trying to avoid reinventing the wheel.
Thanks!
If I'm understanding correctly, you could simply check for custom headers with an if($http_{yourheader}){} and validate that against a backend such as memcached, or proxy to a fastcgi script, or even use an embedded perl script (although this will be slow and could block).
AFAIK there aren't any specific standard or third-party modules that do this, but a combination of them could provide a suitable solution (e.g. $http_{header} + redis backend).
Is there a particular reason you're not looking to use custom SSL certs? They would seem an adequate solution for restricting access with added security.
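The key-pair scheme described in the question above, sketched as an added Python example (not code from the thread, and not AWS's exact algorithm): the client sends a key id, a timestamp and an HMAC over a canonical form of the request, and the server recomputes and compares it. The canonical format, key store, skew limit and all names are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed key store: non-secret key id -> shared secret (demo values only).
SECRETS = {"client-42": b"constructed-demo-secret"}
MAX_SKEW = 300  # seconds a signature stays valid (assumed policy)


def string_to_sign(method, host, path, params, timestamp):
    """Canonical request text; client and server must build it identically."""
    query = "&".join("%s=%s" % (quote(k, safe=""), quote(str(v), safe=""))
                     for k, v in sorted(params.items()))
    return "\n".join([method.upper(), host.lower(), path, query, str(timestamp)])


def sign(secret, method, host, path, params, timestamp):
    """Client side: HMAC-SHA256 over the canonical request, hex encoded."""
    msg = string_to_sign(method, host, path, params, timestamp).encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(key_id, signature, method, host, path, params, timestamp, now):
    """Server side: recompute and compare; the secret never crosses the wire."""
    secret = SECRETS.get(key_id)
    if secret is None:
        return False                      # unknown key id
    if abs(now - timestamp) > MAX_SKEW:
        return False                      # stale or future-dated request
    expected = sign(secret, method, host, path, params, timestamp)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), signature.encode())
```

Signing the timestamp only narrows the replay window to `MAX_SKEW`; rejecting a repeated signature inside that window would need server-side state, which this sketch does not keep.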

Web Service Interface

I'm looking to add a web services interface to an existing server application. The set of services to expose is not known at compile time and can change over the runtime life of the server.
From a tech standpoint all the server/web services endpoints will be on Windows.
In our server app a user will have the option to register workflows as 'web services callable'. This will create the WSDL defining this particular workflow service.
For the calling endpoint I'm thinking of an HttpModule that accepts the inbound web service request, unpacks the request and converts the XML data types into our server application's "domain", calls the server and finally converts the server outputs back into XML for return down the http connection.
Does that make sense?
Critical comments welcomed.
In effect writing your own WS engine. Clearly doable, but quite a bit of work to get right from scratch. I guess if you find some open source implementation, then adapting it should be possible.
A rather dirtier alternative, but one I've seen applied in another context, is to go for a single WS interface
String call( String workFlowName, String payload)
The payload and response are both Strings containing any XML. So the caller needs to understand the schemas for those XMLs. From the client's perspective the amount of coding effort is not much different. Your coding effort would I think be significantly reduced.
an HttpModule that accepts the inbound web service request, unpacks the request and converts the XML data types into our server applications "domain", calls the server and finally converts the server outputs back into XML for return down the http connection.
That is what all web service frameworks do (e.g. Metro, Axis). So I can't see your problem. What's your concern with this approach?
The downside for the client is that, as far as I understand it, availability of your services may change over time. So you should consider a way to inform the client if the service is available (other than getting a timeout error because it is not there), e.g. WS-ResourceLifetime or UDDI.
I ended up creating a C# class that implements the IHttpHandler interface. The implementation serves up the WSDL of the services exposed from our app and accepts SOAP posts to invoke the services. In the end most of the work went on converting SOAP types to our types and vice versa.