SOAP, usernameToken issue - web-services

and need to know few things as I am getting Internal error from server and I think it is related how am I generating Header port of SOAP.
Here is how it should look like:
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-CA07017CE54cDFC14720230904344">
<wsse:Username>test</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">******</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">xgy3s2Owe4zUNGc/2t3twA==</wsse:Nonce>
<wsu:Created>2016-08-24T07:18:10.434Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
ok, so:
- username is username :)
- password is cleardText from what I can see
- Nonce I am generating like this:
var nonce = new Date().getTime() * 1000;
nonce = new Buffer(nonce.toString()).toString('base64'); (Nodejs)
- And date is generated like below in sample.
My questions:
- UsernameToken ID: how this is generated? Must this be presented?
If my SOAP request looks like this, is this ok:
<soap:Header>
<wsse:UsernameToken>
<wsse:Password>1231231</<wsse:Password>
<wsse:Nonce>1232132131</wsse:Nonce>
<wsu:Created>2016-08-24T07:18:10.434Z</wsu:Created>
</wsse:UsernameToken>
</soap:Header>
Or must I put all http stuff end etc?
thank you very much!
MIha

Related

How to config Outgoing WS-Security in Postman?

The request works in SoapUI but as we are using Postman-Newman for Automation of this API so how to make this work in Postman.
I saw some solutions where it says to add security tag in request body but what's the username to provide there as we don't provide any user name in SoapUI.
How I config in SoapUI
Select Keystores and select the certificate and add password
Set "Outgoing WS-Security Configurations" attaching screenshot to show what we have to send in that. keystore, password, key identifier Type and parts
Postman config:
Added the certificate in postman using settings as well added the password.
Created a request and added the request body
in request body I tried below but I am not sure what is the username or nonce as we don't give this info in SoapUI. This returns an error The SOAP request has not been signed, or is signed incorrectly
<wsse:Security xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wsswssecurity-secext-1.0.xsd' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
<wsu:Timestamp wsu:Id='TS-11b7d3261c994de099eb8c431b33947b'>
<wsu:Created>2019-09-06T12:09:15.604Z</wsu:Created>
<wsu:Expires>2019-09-06T12:09:25.619Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken wsu:Id='UsernameToken-238be95be3bf445fb8534666a7a8693c'>
<wsse:Username>***login***</wsse:Username>
<wsse:Password Type='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-usernametoken-profile-1.0#PasswordDigest'>***Base64 (SHA-1 (nonce + created + password) )***</wsse:Password>
<wsse:Nonce EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soapmessage-security-1.0#Base64Binary'>***Base64 nonce***</wsse:Nonce>
<wsu:Created>2019-09-06T12:09:15.604Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
Also tried below and here I get soap fault
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken>
<wsse:Username>XXXXX</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">XXXXX</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
Also tried below solution but not sure what username to provide here as we only provide Password in SoapUI and not UserName
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Username>Whattogivehere</wsse:Username>
<wsse:Password>******</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
Include the WS-Security header part in your soap header like bellow. Also please make sure to enter the correct Username and Password as plaintext.
<soapenv:Header>
------
> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <wsse:UsernameToken wsu:Id="UsernameToken-16" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> <wsse:Username>XXXXX</wsse:Username>
> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">XXXXX</wsse:Password>
> </wsse:UsernameToken>
> </wsse:Security>
----
</soapenv:Header>

How to write custom handler (axis2 handler) to read custom headers message and validate user/password against the user store in WSO2 ESB

I wish to add custom handler (axis2 handler) for to read custom headers in my message and validate user/password against the user store.
How would i achieve this.
My request security header will come like this
<soapenv:Header>
<pr:authent soapenv:actor="http://schemas.xmlsoap.org/soap/actor/next" soapenv:mustUnderstand="0" xmlns:pr="http://hh.eeeee.com/hh">
<pr:user>ssp</pr:user>
<pr:password>MW</pr:password>
</pr:authent>
</soapenv:Header>
Where as wso2 esb expecting WSSE standard format so the request is like this
<
soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soapenv:mustUnderstand="1">
<wsu:Timestamp wsu:Id="TS-4">
<wsu:Created>2014-06-02T07:15:21Z</wsu:Created>
<wsu:Expires>2014-06-02T08:38:41Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken wsu:Id="UsernameToken-3">
<wsse:Username>admin</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">byWKVY4stEATvTqaoNMswQ==</wsse:Nonce>
<wsu:Created>2014-06-02T07:15:21.304Z</wsu:Created>
</wsse:UsernameToken>
</wsse: >
</soapenv:Header>
How would i change the header as per wso2 standard or how to write security policy as per my client request for validating aganist of default userstore.
Thanks in Advance

Add a soap Header to BizTalk SOAP adapter

We have the webservice xml request as below. for this I have developed the Orchestration. But while we are sending the request to client, we need to add the SOAP header.
Could you suggest me, how can I do this?
WebService XML Request
<?xml version="1.0" encoding="utf-8" ?>
<Request xmlns="http://modeler.ass.abc/efgh/">
<HeaderReq>
<PartnerID>E0</PartnerID>
<TimeStampSubmitted>2013-11-21T18:19:11</TimeStampSubmitted>
<Version>3.0</Version>
</HeaderReq>
<ApplicationREQ>
<ID>1</ID>
</ApplicationREQ>
</Request>
SOAP Header
<soapenv:Header>
<wsse:Security xmlns:wsse="http://adb.ddad-sdfad.org/wss/2010/01/fasd-201201-wss-wssecurity-secext-1.0.xsd">
<wsu:Timestamp wsu:Id="TS-10">
<wsu:Created>2013-10-11T17:26:52.890Z</wsu:Created>
<wsu:Expires>2013-10-11T17:51:52.890Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken wsu:Id="UsernameToken-10">
<wsse:Username>User</wsse:Username>
<wsse:Password Type="http://adb.ddad-sdfad.org/wss/2010/01/fasd-201201-wss-username-token-profile-1.0#PasswordText">xxxxxxx</wsse:Password>
<wsse:Nonce EncodingType="http://adb.ddad-sdfad.org/wss/2010/01/fasd-201201-wss-soap-message-security-1.0#Base64Binary">xxxxxxx</wsse:Nonce>
<wsu:Created>2013-10-11T17:26:52.889Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
You would need to use the property WCF.OutboundCustomHeaders
Example:
xmlDoc.LoadXml("<headers><Origination>Home</Origination><Destination>Work</Destination></headers>");
And then
RequestMessageInstance(WCF.OutboundCustomHeaders) = xmlDoc.OuterXml;
I found this example at this page: http://msdn.microsoft.com/en-us/library/bb246026.aspx
Hope this helps!

WS-Security: What is the correct way to include multiple user identities in the SOAP Security header?

I want to pass username/password of userA and userB in one SOAP message. Therefore I want to pass two UsernameToken in one SOAP message.
I am thinking in two options:
Option 1)
UsernameToken elements inside Security element:
<soapenv:Header>
<wsse:Security xmlns:wsse="sec" xmlns:wsu="ut">
<wsse:UsernameToken wsu:Id="UsernameToken-3">
<wsse:Username>userA</wsse:Username>
<wsse:Password Type="text">passA</wsse:Password>
</wsse:UsernameToken>
<wsse:UsernameToken wsu:Id="UsernameToken-4">
<wsse:Username>userB</wsse:Username>
<wsse:Password Type="text">passB</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
Option 2)
A Security element for each UsernameToken:
<soapenv:Header>
<wsse:Security xmlns:wsse="sec" xmlns:wsu="ut">
<wsse:UsernameToken wsu:Id="UsernameToken-3">
<wsse:Username>userA</wsse:Username>
<wsse:Password Type="text">passA</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
<wsse:Security xmlns:wsse="sec" xmlns:wsu="ut">
<wsse:UsernameToken wsu:Id="UsernameToken-4">
<wsse:Username>userB</wsse:Username>
<wsse:Password Type="text">passB</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
--
What is the most standard option 1) or 2)? or other?
The most common case of using several users I might recollect is passing message through several intermediate nodes. In terms of SOAP specification they are named Actors and requires separate wsse:Security element with different soap:actor attributes. It corresponds to option 2) from your question.
Consider the next example from here:
<soap:Header>
<wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2003/06/secext">
<wsse:UsernameToken wsu:Id="sample" xmlns:wsu="http://schemas.xmlsoap.org/ws/2003/06/utility">
<wsse:Username>sample</wsse:Username>
<wsse:Password Type="wsse:PasswordText">oracle</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
<wsse:Security soap:actor="oracle" xmlns:wsse="http://schemas.xmlsoap.org/ws/2003/06/secext">
<wsse:UsernameToken wsu:Id="oracle" xmlns:wsu="http://schemas.xmlsoap.org/ws/2003/06/utility">
<wsse:Username>oracle</wsse:Username>
<wsse:Password Type="wsse:PasswordText">oracle</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
This example contains two blocks. The one with "oracle" attribute is used to authenticate the end-user, another without this attribute is used for authentication on the front-end gateway.
You may consider option 1) from your question if your use case supposes simultaneous authentication of several users that are not SOAP actors.

How to resolve failure of JAX_WS web service invocation "MustUnderstand headers are not understood"?

I'm using SOAPUI tool to access JAX-WS web services deployed in Weblogic 10.3.2
Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ws="http://ws.pc3.polk.com/">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsu:Timestamp wsu:Id="Timestamp-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2010-12-03T21:10:43Z</wsu:Created>
<wsu:Expires>2010-12-03T21:44:03Z</wsu:Expires>
</wsu:Timestamp>
<wsu:Timestamp wsu:Id="Timestamp-60" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2010-12-03T20:10:39Z</wsu:Created>
<wsu:Expires>2010-12-03T20:43:59Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken wsu:Id="UsernameToken-59" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>rwerqre</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">ewrqwrwerqer</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">Nmw0ksmiOX+hkiSoWb2Rjg==</wsse:Nonce>
<wsu:Created>2010-12-03T20:10:39.649Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<ws:getMetadata/>
</soapenv:Body>
</soapenv:Envelope>
Response:
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Body>
<SOAP-ENV:Fault xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<faultcode>SOAP-ENV:MustUnderstand</faultcode>
<faultstring>MustUnderstand headers:[{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood</faultstring>
</SOAP-ENV:Fault>
</S:Body>
</S:Envelope>
You can configure a dummy SOAPHandler for {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security that would mark this header as 'understood'.
Or you could change the SOAP request (on the caller side) to set mustUnderstand="0" in the security header.
Example security SOAP header with mustUnderstand="0":
<S:Header xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<wsse:Security S:mustUnderstand="0" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken>
<wsse:Username>USERNAME</wsse:Username>
<wsse:Password wsse:Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PASSWORD</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</S:Header>
After much research, this article solves this issue.
http://dwuysan.wordpress.com/2012/04/02/jax-ws-wsimport-and-the-error-mustunderstand-headers-not-understood/#comment-215
As per WS security specification:
The processor MUST, after decrypting the encrypted header block, process the decrypted header block according to the SOAP processing guidelines. The receiver MUST raise a fault if any content required to adequately process the header block remains encrypted or if the decrypted SOAP header is not understood and the value of the S12:mustUnderstand or S11:mustUnderstand attribute on the decrypted header block is true. Note that in order to comply with SOAP processing rules in this case, the processor must roll back any persistent effects of processing the security header, such as storing a received token.
So please check Configuration of CallbackHandlers.
Issue is with the Handlers. You need to add following in handler implementation
public Set<QName> getHeaders() {
final QName securityHeader = new QName(
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
"Security",
"wsse");
final HashSet headers = new HashSet();
headers.add(securityHeader);
return headers;
}
In SOAP UI Navigator,
right-click your project->Show Project View->WS-Security Configurations->Outgoing WS-Security Configurations
Uncheck Must Understand, and then send request.