I have to write client for webservice which is using private key to encrypt the xml data and send it over wire.
I am unable to find anything useful which help me to build my understanding over same.
Most probably I have to do this with spring ws security.
--> my server is using wso2 framework for the same.
Kindly help me out with ur experience.
you can use rampart (ws security module comes with WSO2 framework) at the client side as well.
You need to set the policy at the client side and invoke the client using the relevant modules please have a look here[1].
If your server uses WSO2 platform there is an option to generate the client using the admin console. If you have engaged the security to the service generated client has those policies.
Take a look at the rampart[2] samples as well.
[1] http://wso2.org/library/3190
[2] http://axis.apache.org/axis2/java/rampart/
Related
I've built a JHipster application with oauth2 authentication. The latter is implemented by Keycloak through the generated docker-compose file.
Everything works fine in the browser for "human" users. But I need to make some external programs use the API while beng authenticated.
So I started to simulate direct access to API with Postman. I read about XSRF-TOKEN cookie. But to be frank, I don't understand the process of authentication.
Can anyone explain how to perform authenticated requests to the JHipster API regarding keycloak ?
Maybe it isn't the appropriate approach : I also read about implementing a Configuration based on another authentication mecanism, that should be used for controllers exposed on a different endpoint.
Any help figuring out all of that would be really appreciated !
You need machine to machine authentication. Generally Open ID Connect (OIDC) offers client credentials flow for this case. So in theory you just enable it in the Keycloak client configuration and you may use it. But it depends on your API auth implementation. Your API very likely uses different OIDC flow for humans and it may not be ready for client credentials flow.
I got it working: Jan's tip show me the way.
Mainly I followed this tutorial.
The solution would be to add a client configured with Standard flow, Service account and Authorization enabled. Then I added the JHipster client scope provided by the generated docker-compose setup.
Once that was configured, I configured the request to use the Oauth2 authentication. I filled the configuration form for token request according to the tutorial. And I was good to go !
Many thx !
We just started off with BURP for the web application. We use SOAP UI for WS-Security SOAP Web services. We are planning to extend the security testing to SOAP Web services using BURP. Can you kindly provide any directions on how can we achieve this. Thanks
I couldn't find any information on directly accessing the web service requests in BURP. We need to have a proxy(SOAP UI) to intercept the request. Below is the link for additional details.
http://www.fishofprey.com/2013/01/using-burp-suite-to-test-web-service.html
We have intranet based notes applications. We need to create a web service provider from notes and it needs to be consumed from other internet based application.
Note- the consumer will be triggered from external environment not from our network.
For Eg: Network X is ours, all the note application works only in network X(not in internet). It means that single sign on is not enabled. The external application is in network Y.
We have a provider and it works fine in our end. But we need to consume it from the external application, it is ASP .Net.
Question :
Does Single Sign on need to be enabled in our domino server?
Is there any possible to consume my provider without enabling single sign on from external application?
Which is the secured web service scenario in Lotus notes domino?
We are using notes 8.5.3.
Thanks in advance
I will start a response, but I'm afraid that you didn't gave enough information to get the response you need.
Basically, your WS provider is anonymous, so a consumer calling it from the Y network will act as anonymous.
[edited]
From your network Y, simply open the WSDL to check that you have access:
//server/yourdb.nsf/WS_name?wsdl
Using tool like SoapUI, try to consume it.
According to you remark (hello word) you don't need what I mention below about security. I suggest you to read Creating your first Web Service provider and consumer in LotusScript and Java.
Security
If the data you want to send are publicly accessible, you have not to care about security and SSO. If in contrast you need to give access thru your WS to a limited audience, you will have to read and do what IBM recommends:
How to secure a web service hosted on a Domino server
I suggest you to provide some information:
in which language is the WS (LS / Java)
how/what ganularity did you implement the security (reader field, or ACL)
What is the data you
are returning with your WS
I'm working on a master's degree project which the main goal is wso2 study.
Through wso2 I need to be able to:
Do protocol Bridging (eg: rest to soap);
Apply data transformation (apply xslt on xml);
Content based routing;
Load balancing;
Create authentication and authorization layer to legacy services (authentication via oauth 1.0a);
Exception shielding;
Service monitoring;
Services lifecycle control;
So, my question is: do I need any other wso2 product, or ESB is just fine? For example to implement the security layer and all the load balance stuff do I need to add wso2 identity server and wso2 elastic load balancer?
Or even more: do I need to extend the esb by writing custom code to solve any of this issues? In which cases extend the esb is the only way to go?
I hope to do not be naive trying to solve all this complicated issues, but I'm kinda lost on this big swiss knife that wso2 is.
Thanks
Please find my answer..
Do protocol Bridging (eg: rest to soap ---> ESB
Apply data transformation (apply xslt on xml) ----> ESB
Content based routing ----> ESB
Load balancing ---> ESB can be used. But i prefer Apache HTTP and Nginx. They are more intended for that purpose
Create authentication and authorization layer to legacy services (authentication via oauth 1.0a) --> ESB can be used. But you need an OAuth2 Authorization server for token validation. Also, XACML PDP for policy validation. Both are available with Identity Server. According to the Carbon, you can install those features with ESB as well. But it is not recommended much. Please see more details from here
Exception shielding ---> ESB
Service monitoring ----> ESB can be used. But if more, you can use BAM
Services lifecycle control ---> ESB can be used. If needed more, you can install G-reg features
I think. It is only enough to use WSO2 ESB and WSO2 IS for this purpose. Sometime you may need to write some code. But it is easy as there are lot of samples are available freely.
We are currently looking to use MonoTouch to develop a iPad app. We have an existing web service and client that connects fine, using basic httpbinding with a mProxy.Security.Mode of TransportWithMessageCredential (HTTPS).
We then add the client credentials using:
mProxy.ClientCredentials.UserName.UserName = "Username";
mProxy.ClientCredentials.UserName.Password = "P#ssword";
However when we migrate this code to MonoTouch its errors verifying the security. We looked at the raw message recieved in both the windows and monotouch version and the monotouch version does not have any security credentials. I've read we will have to build these in manually. Is that the proper approach? Is there an easier way, or am I missing an easier way to do this. Please advise.
As of today, MonoTouch does not support WCF's Message Security mode. They do mention that it is a work in progress.
I had the same requirement as you did and ended up following a recipe that uses basicHttpBinding, Transport security, basic credentials, and a custom HTTP module that uses the basic credentials in the HTTP "Authorization" header to authenticate a user (against the ASP.NET Membership Provider).
You can find implementation details here:
How To – Use Username Authentication with Transport Security in WCF from Windows Forms