Can I have the soap:address location in a WSDL relative to the WSDL location, or at least relative to the server?
For instance I want to write:
<soap:address location="https://exampleserver.com/axis2/services/ExampleService" />
as:
<soap:address location="/axis2/services/ExampleService" />
This would enable faster deployment to multiple servers, like test servers. Also, in the case of axis2c if I want my service to be used both from HTTP or HTTPS life becomes harder for developers using my service as they can't simply import the WSDL from it's default location "?WSDL".
The WSDL describes to clients the message formats, types, parameters etc needed to interact with the web service. This is then used by tools like WSDL2C to generate the code needed for the interaction.
But even if you expose your service on HTTP or HTTPS, the client stub code will be the same. You don't regenerate your client stubs for each endpoint address. The client stays the same, it's the access point that changes.
This address should not be hardcoded in the generated client code, it must be a configurable URL inside the client application.
Sure, you have an URL specified inside the WSDL and it's a nuisance when you deploy your web service in the dev server, and then to staging and next into production. The endpoints will be different in each environment (maybe multiplied by 2 for HTTP + HTTPS) but at this point your developers are not affected because you don't regenerate the code.
When it comes to access the web service, you would still have different addresses (for dev, staging and prod servers) even if it would be relative to something or absolute. So I don't see how it is helpful to have relative address inside the WSDL since you still have to manage the access points into the client configuration.
There are two ways of getting the WSDL.
One where a hard-coded wsdl is served, for example:
https://hostname/contextname/services/myAPIService/myAPI.wsdl
and another one where a generated wsdl is served, for example:
https://hostname/contextname/services/myAPIService?wsdl
If you use the dynamic option it will use this code:
req.getRequestURL().toString();
to get the URL that will be used in the generated WSDL. This code is in the class ListingAgent (in the package org.apache.axis2.transport.http).
From what you mentioned in your question if you want to have relative location it must be because you want to use it in multiple servers, so you would need to use the dynamic option.
One problem I found with the dynamic options is that if in the original WSDL the location is using HTTP, then in the generated one it will still use HTTP even if you have used HTTPS to access it. (This happens in version 1.5 which is the one my project is using)
Another problem is if you are using a load balancer, because the generated WSDL will be generated with the location of the final server instead of the balancer. An option for this would be to extend the classes AxisServlet and ListingAgent to replace the code mentioned above.
After a long search I'm almost sure that soap:address's location attribute has to be an absolute URL. This gets things more complicated if you work with different environments, such as development, test and production.
Maybe a workaround would be to read, on the client side, the first part of the URL from a config file (e.g. https://exampleserver.com) and the final part from the WSDL (e.g. /axis2/services/ExampleService) and combine them to build an absolute path. The former will allow you to switch among environments.
Related
I have tried everything but I cant seem to fix this issue that is happening for only one client behind a corporate proxy/firewall. Our Silverlight application connects to Amazon S3 for downloading/Uploading some documents. On one client and one client only it returns a 407 error and after that the application fails to save anything.
Inner Exception:
System.ServiceModel.ProtocolException: [UnexpectedHttpResponseCode]
Arguments: 407,Proxy Authentication Required
We had something similar at a different client but there was more of a CORS issue. to resolve this I used cloud-front to fake a sub-domain that then accesses the S3 bucket and it solved the issue. I was hoping it would fix it with this client as well but it didnt.
I have tried adding this code to web.config as suggested by a lot of answers
<system.net>
<defaultProxy useDefaultCredentials="true" >
</defaultProxy>
</system.net>
I have read articles about passing a proxy headers with basis authentication using username and password but I am not sure how this would help us. The Proxy server is used by client and any authentication it requires is outside our domain.
**Additional Information**
The Silverlight code references 2 services. One is our wcf service that retrieves all the data for the application. One is The Amazon S3 service that uses the amazon Soap api, the endpoint for which is at http://s3.amazonaws.com/doc/2006-03-01/AmazonS3.wsdl?
If I go into our app and only use part of the system that dont make any calls to the Amazon S3 api the application works fine. As soon as I go to a part of the system that makes a call to the S3, the problem starts. funny enough the call to S3 goes fine and I can retrieve the doc fine but then any calls to our wcf service return 407.
Any ideas?
**Update 2**
Based on comments from Elliot Nelson I check the stack we were using for making http requests in our application. Turns out we are using client http for both http and https requests by default. Here is the code we have in the App.xaml constructor
public App()
{
Startup += Application_Startup;
UnhandledException += Application_UnhandledException;
InitializeComponent();
WebRequest.RegisterPrefix("http://", WebRequestCreator.ClientHttp);
WebRequest.RegisterPrefix("https://", WebRequestCreator.ClientHttp);
}
Now, to understand the differences between clienthttp and browserhttp and when to use them. Also, the potential impacts/issues of switching to browserhttp.
**Update 3**
Is there a way to request browsers to run your in-browser Silverlight application in trusted mode and would it help bypass this issue?
(Answer #2)
So, most likely (for corporate environments like this network), almost nothing can be done without whatever custom proxy settings are set in IE, usually pushed by corporate policy. To take advantage of these proxy settings, you want to use WebRequestCreator.BrowserHttp, which automatically uses the browser's default settings when making requests.
There's a table of the differences between these two clients available in the Microsoft docs. I'm guessing you were using something (maybe setting custom headers or reading the raw response body) that wasn't supported in BrowserHttp.
For security reasons, you can't "ask" the browser what its proxy settings are and use them, so this is a tricky situation. You can specify Browser vs Client handling by domain, or even for a specific request (the same page above describes how); you may be able in this case to get away with just using ClientHttp for your service calls and BrowserHttp for your S3 calls, and avoid the problem altogether!
For next steps, I'd try that approach; if it doesn't work, I'd try switching wholesale to BrowserHttp just to see if it bypasses the proxy issue (there's almost no chance the application will actually work, since you're probably using ClientHttp-only options).
Long term, you may want to consider making changes to your services so they are usable by a BrowserHttp-only application (this would require you to be pretty basic in your requests/responses, but using only BrowserHttp would be a guarantee you'd work in pretty much any corp network).
Running in trusted mode is probably a group policy thing which would require their AD admins to approve / whitelist your app.
I think the underlying issue you are facing is that the proxy requires NTLM authentication and for whatever reason the browser declines to provide your app with that context.
One way to prove that it's an NTLM auth issue is to test with curl - get it to make a req through the proxy, then it should be a bit easier to code to. EG the following curl will get you through 99% of Windows corporate proxies (assuming the proxy is at proxy-host.corp:3128):
C:\> curl.exe -v --proxy proxy-host:3128 --proxy-user : --proxy-ntlm https://www.google.com
NOTE The --proxy-user : tells curl to use the current user session to perform the NTLM challenge.
So if you can get the client to run that, you can at least identify that NTLM works, then it's a just a matter of getting the app to perform the NTLM challenge using the default credentials (which may or may not be provided by the browser session)
Since you described this as a silverlight application, I'm going to assume you can't use classic browser-proxy troubleshooting like "move browser to public network" or "try a different browser", to isolate the problem.
You should try to isolate the proxy server, and have the customer use the required proxy-auth.
The application is making request, but it might be intercepted by a transparent proxy, or the result might be coming from what you consider a web server.
In the early days, the 401 error was pretty strictly associated with web-auth, and 407 was for proxy-auth.
Architecturally, the separation is a convenience, a web server can have both web server, proxy, and reverse-proxy behaviors.
What happens is your customer's environment is making a web connection to the destination, but it receives a HTTP 407 status from some host, probably their network, or sometimes the provider. Almost certainly the request is received not forwarded. The HTTP client your application lives in needs to provide the credentials that host requires. Companies have environments that are complex enough where often your customer will say this is the first time they have heard of this (some proxy-auth is also dynamic or destination specific).
Also, in some corporate environments, the operator will allow temporary or permanent white-listing from the proxy-auth service. You should see if they can do this, even temporarily, to confirm there aren't going to be other problems.
In the end, it sounds like your application might not robustly support proxy-auth, or the proxy-auth type they use in their environment.
I have configured my AWS application load balancer to have the following rules:
/images/* forward to server A (https://servera.com)
/videos/* forward to server B (https://serverb.com)
And this is correctly forwarding to the respective servers. However, I don't want the load balancer to forward the request as https://servera.com/images & https://serverb.com/videos. I just want the respective servers to be hit without the path pattern as https://servera.com & https://serverb.com (without the path patterns in the request).
I don't want to modify my request parameters or change my server side code for this. Is there a way I can tell the application load balancer to not forward the path patterns?
Is there a way I can tell the application load balancer to not forward the path patterns?
No, there isn't. It's using the pattern to match the request, but it doesn't modify the request.
I don't want to modify my request parameters or change my server side code for this.
You'll have to change something.
You shouldn't have to change your actual code. If you really need this behavior, you should be able to accomplish it using the web server configuration -- an internal path rewrite before the request is handed off to the application by the web server should be a relatively trivial reconfigurarion in Nginx, Apache, HAProxy, or whatever is actually listening on the instances.
Also, it seems to me that you are making things difficult on yourself by wanting the server to respond to a path different than what is requested by the browser. Such a configuration will tend to make it more difficult to ensure correct test results and correct handling of relative and absolute paths, since the applications will have an inaccurate internal representation of what the browser is requesting or will need to request.
I need to change the JAX-WS generat WSDL because of a soap:address error (contextRoot it is not correct due to a WebService remapping of the Application Server).
I Read about the WSDLGeneratorExtension system but I can not use it, i placed a com.sun.xml.ws.api.wsdl.writer.WSDLGeneratorExtension file under /META-INF/services with insite de class name of my implementation, but it is never called.
How can i let it work? Or Can i follow another way to corret the soap:address location of the generated WSDL?
Thank you!
Usual practice is not to use (or even include) actual service URL into WSDL (unless it's some sort of public service which is supposed to be 'well known'). Reasons being that different environments running the same service would have different URLs, for example.
As part of WS client initialization you could provide different URL (usually from some sort of config file). So you perhaps should not think in terms of fixing URL in WSDL but instead pass proper URL in your client initialization.
I`m working on a SAP project, where i have to call a non-sap service with jsessionid in binding url. I already generated a proxy class out of the wsdl and defined a logical port with my URL. In my case it should be dynamic like: {host}/service/foo/binding;jsessionid={xxx} but its static like: {host}/service/foo/binding
How can i achieve that session handling?
EDIT: The problem here is, its not only for authentification its also for load balancing. The jsessionid MUST be submitted via URL rewriting. Any ideas?
You should be able to configure this with the soamanager transaction:
Go to the service configuration screen and select your consumer proxy
Edit the existing, or create a new logical port
Go to the transport settings tab and change the URL access path
Once saved, you can find the logical port as a destination in transaction SM59. It's one of the generated ones in the external HTTP connections tree.
Providing a value for the parameter will probably require a modification of the SAP software though. The system uses the cl_http_client=>create_by_destination method to obtain a client object to perform the http call, so maybe you can implement some custom code there.
We have installed an ASP.NET web site on a client's server. This site has a web service with a couple of web methods that are called by a Flash object in order to display a news feed. If you browse to their site (ex: www.domain.com), everything's working fine except the flash.
The issue is that when we browse to the .asmx, the header shows that the Host is a subdomain internal to their network (internal.domain.com). Obviously this doesn't resolve to any public IP when browsing from outside of their network. This causes the Flash to fail since the flash object is embedded on a page and is therefore running client side.
I checked the computer name on the server in question, and it doesn't even match "internal.domain.com" - it is something completely different. Where is it getting this information from. It is not coming from IIS, since we have no host headers set up, and the IP for the site is set to (all unassigned).
We either need to force the web service to run against a specific host, or we need to change something on the server so that it resolves to a valid public-facing host name. Any and all help is greatly appreciated!!!!
The solution is to add a host header for www.domain.com
More details here
While you probably did this already, it's always a good first step:
Do a global Find in the source code of both the Flash object and the web service for the string in question.
It sounds like someone may have configured/coded the internal.domain.com string into the Flash object's request. (Host: is a HTTP Request header, not Response header, IIRC.)
Does the Flash object get the web service URL from the C# code? If so, it might be getting the default web service URL that you choose when adding a Web Reference to your project in VS. Therefore it might be pointing to a URL locally to the developer's machine/server which is not recognized on the live server.