Datapower to SFDC integration - session management - web-services

I am trying a scenario where Datapower invokes a web-service on SFDC. For Datapower to be able to invoke services, it needs to first get the authentication token from SFDC and use that token in each web-service request to be able to invoke the web-service.
Is there a simple way in datapower to do this? As the token generated by SFDC is valid for some time, can datapower manage this information internally or will we need to maintain it on a cache (XC10?) and deal with accessing the cache from the integration box ?
Your inputs would be really helpful..

You don't need an XC10 device here, XC10 is needed when you want to cache a lot of name/value pairs. After you call the SFDC service from a Web Service Proxy (WSP) via url-open/soap-call you get the authentication token from SFDC and store it in a local/context variable and also store the current timestamp, and session timeout parameters in other local/context variables, and use them in further SFDC webservice calls. There are other ways of doing this and I hope you got the idea.

Related

django-rest-framework-social-auth requires a client secret for convert token

I am making an Android application with a Django based backend.
The Django server has a REST API to serve user data which I want to protect. I only want my users to log in via Google (or FB which I'm going to implement in the future).
I am using django-rest-framework-social-auth to implement the authorization in the backend.
So the flow as I understand is like this:
The client (my android application), does the whole Google OAuth2.0
flow and obtains the access token
The the client then wants to
convert the Google access token with one with which it can access my
backend server API endpoints. To do this it calls the convert-token
API endpoint implemented in django-rest-framework-social-auth
Now that it has the API access token, it can include that in the header of all further API calls and receive the private data.
Now my concern is, the django-rest-framework-social-auth convert-token endpoint also needs the client-id and client-secret generated by django-oauth for the application. So I will have to store the client-secret somewhere in my mobile app, which entirely defeats the purpose of authenticating whether the request came from the app or not, because someone can decompile the apk and get the app and make token exchange requests on my app's behalf.
Is there any way around this? Is there a "standard" way to implement this which I don't know?

Stateful SOAP webservice example

I am trying to do a POC where i need to invoke a Stateful SOAP webservice . I need to do a login call first to SOAP webservice and get the session id(or cookie or something like that) and use the session id for making subsequent calls to the webservice . I want to know if there is any sample stateful SOAP webservice hosted on the internet for which i can generate the client and try invoking the webservice to verify Stateful operation. Any other pointers on how i can do this is also very welcome.
If this POC is successful we will be invoking a Stateful SOAP webservice hosted by one of our vendors and we will be using a TIBCO BW client to call the SOAP webservice.
You can invoke the WebServiceDefinitionLanguage from the WSDL attached in the link It brings encouraging quotes.
You may use SOAP activity in BW or import the WSDL as a resource first and then use any SOAP or web service activity.
Check this java project in github is a multi cloud java project that invokes WebServices and Rest services from many Cloud providers and Many sites. It gives you an idea on how to do it.
Of course in BW is really easy to do it. Basically: start activity, SOAP activity, log, call subprocess, catch errors, end process.
Stateful or Stateless SOAP webservice call is just like any another web-service call. In your case, since you have to get the response(i.e. receiving token) of the first webservice call and use it in the subsequent calls, I think you should focus on how would you cache the cookie/token that you receive from the first call. Also, if there is an expiry associated to the life of the token received in your response, work on the technique of refreshing the token for which the SOAP API provider will have to provide you an token expiry interval.

Security about a simple REST web service

Here is my little API with two URL :
/api/location/list -> GET
/api/location/detail -> GET
I'm looking for a process to secure this service with authentication. For now, it can be accessed by only one user (me).
I think oAuth is too complex in my case and I found this resource for designing a simple API.
I understand the principle of private/public key and HMAC but I have a big concern about this :
Say my webservice is consumed by an ajax request with GET verb. I have something like /api/location/list?apikkey=userid&hash=abcde.
A end user can easily sniffed the network during the request (via a simple chrome console), capture full url and access directly to the service multiple times (I think it's a case of replay attacks).
Differents resources talk about timestamp or nonce to make a request unique but I'm a bit lost with implementation.
Any ideas ?
You can try JWToken auth specs, simpler than Oauth, but avoid authorization data as url parameter if possible and use Header's request instead.
If needed consider also ssl encryption at tcp level.
Perhaps you could try to use a token-based approach for security, as described in this blog post:
Implementing authentication with tokens for RESTful applications - https://templth.wordpress.com/2015/01/05/implementing-authentication-with-tokens-for-restful-applications/
The idea is to authenticate to an authentication resource (that can be part of your application) to get temporary token that can be refreshed with a refresh token when expired.
With the use of HTTPS, it seems to be appropriate.
I think that it depends on the security level you expect. Signature-based authentication (the AWS approach) is great but is a bit complex to implement by hand.
Hope it helps you,
Thierry

Does WSO 2 API Manager prevent to XSS and CRSF security error

I'm researching WSO2 API Manager and I discover that if I use WSO2 API Publisher and API Store, I would meet XSS and CSRF security errors. With XSS, I see that WSO2 didn't encode HTML character input. With CSRF, I see that WSO2 didn't create token when I request from client to server and vise versa.
Does everyone know how to config WSO2 to prevent these security error or how to fix them.
Thanks in advanced.
On our side, there are a few things we do when publishing/consuming APIs via the API Publisher and API Store:
Set the Transports property to just HTTPS so that we can limit API availability to just HTTPS.
For each HTTP method, we set the Auth Type to either Application, Application User or both, but never none. This will force the client to utilize the WSO2 Access Token scheme to invoke the APIs hosted on the API Store.
On the client side, we have been invoking the Token API to generate and renew user and application access token so that we don't have to manually re-generate keys in the API Store.
Utilize API in-sequence to escape special characters.
We fix these type of security issues in our next release AM V 1.7.1. You can expect it in 3rd week of September.

Passing user credentials to a Webservice

We have a website that calls a remote web service. This web service is stateless and needs the credentials every time to get the data back. How do we pass the credentials back and forth? for example a call to
string GetAddress( userid,password)
Is it ok to store the credentials in a session and pass them across https in post ? What is the best way to do this?
According to me it is ok to use session as they will be at server.
another alternative as per me I dont know it will be useful to you or not but use XML to share credential. I have used such application on my previous project so on that basis I am suggesting you to use xml. OR session over ssl will also be good..
Check it if better way exists.