in the documentation of jaeger, it's written that we can configure jaeger via environment variables. for configuring jaeger to use w3c trace context header we need to set JAEGER_PROPAGATION env var to w3c. i have done the same configuration but wso2am doesn't use w3c trace context. it uses uber trace context header. how can I make wso2am to use w3c trace context while using jaeger?
Related
We are using spring ws as a filter to perform WS-Security based on Token, timestamp and signature on the incoming soap request.
We wants to prevent the XXE attack using the same filter and wondering if its possible.
We're using 'org.springframework.ws.soap.axiom.AxiomSoapMessageFactory' as a messageFactory and it has two setters 'setSupportingExternalEntities' & 'setReplacingEntityReferences' which are by default false.
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini"> ]>
Now if a entity is decalared using doctype in soap request and it is referred using &xxe; then spring framework throws back an error
org.apache.axiom.soap.SOAPProcessingException: A SOAP message cannot contain entity references because it must not have a DTD
2018-05-18T13:14:33,272 DEBUG [org.springframework.ws.soap.server.SoapMessageDispatcher] Endpoint invocation resulted in exception - responding with Fault
org.apache.axiom.soap.SOAPProcessingException: A SOAP message cannot contain entity references because it must not have a DTD
at org.apache.axiom.soap.impl.builder.StAXSOAPModelBuilder.createEntityReference(StAXSOAPModelBuilder.java:359) ~[axiom-api-1.2.15.jar:1.2.15]
at org.apache.axiom.om.impl.builder.StAXOMBuilder.next(StAXOMBuilder.java:279) ~[axiom-api-1.2.15.jar:1.2.15]
But then this error does not come if we replace &name; with & ;xxe; or & xxe; Spring ws framework let it go through.
I don't want it to go through to any further processing so may be if possible we can somehow don't allow doctype declaration itself in the soap request.
thanks for any help and pointer(s) to resolve this
Adding how I got it resolved. Did not find a way to handle it in the spring-ws filter and Spring was not mis-behaving as it was not trying ti resolve the passed entity.
Later in the flow in our project, we're using standard java DOM parser lib and by adding
factory.setFeature(DISALLOW_DOCTYPE_DECL_FEATURE, true);
we were able to stop the DTD declaration which resolved the XXE issue.
How can I authenticate with HTTP Basic, via the application server domain/secure realm, using a Session Bean published as a #WebService?
In a Web project one could use web.xml to map Roles to Groups, but I have no idea how to do it in a EJB-JAR project. I don't think it can be done with ejb-jar.xml.
Sample code, which works fine without the roles annotations:
#Stateless
#WebService(portName="RestrictedServicePort")
#DeclareRoles(value = "Administrators")
public class RestrictedServiceBean {
#RolesAllowed(value = "Administrators")
public String restrictedOperation() {
return "Secret information";
}
}
Error:
<faultstring>[EJB:010160]Security Violation: User: '<anonymous>' has insufficient permission to access EJB: type=<ejb>
Basic Credentials Header:
Authorization: Basic d2VibG9naWM6d2VsY29tZTE=
I suspect it must be done via vendor-specific configuration. I am using WebLogic 10.3.6, Java EE 5 / EJB 3.0.
Basic Auth via Policy
From the v10 docs:
A Web service can have zero or more WS-Policy files associated with
it. WS-Policy files follow the guidelines of the WS-Policy
specification. WebLogic Server uses WS-Policy files to specify the
details of the message-level security (digital signatures and
encryption) and reliable messaging capabilities of a Web service. You
can attach a WS-Policy file to a Web service endpoint, which means
that the policy assertions apply to all the operations of a Web
service endpoint. You can also attach a WS-Policy file to an
operation, which means that the policy assertions apply only to the
specific operation. In addition, you can attach a WS-Policy file to
the inbound or outbound SOAP message, or both.
It would appear you can attach a basic auth policy to your service:
<sp:TransportToken>
<wsp:Policy>
<sp:HttpBasicAuthentication/>
</wsp:Policy>
</sp:TransportToken>
You can apply this custom policy via the administrative console via the steps outlined here or you can consider referencing one of the Oracle-preconfigured policies.
Mapping Roles to Groups
The WebLogic (v12) documentation mentions the following when discussing usage of #RolesAllowed in an EJB:
You can also use the annotation to explicitly declare roles that are implicitly declared if you use the #RolesAllowed annotation on the class or a method of the class.
You create security roles in WebLogic Server using the Administration Console. For details, see "Manage Security Roles" in the Oracle WebLogic Server Administration Console Help.
The Manage Security Roles section continues on to discuss scoped roles.
You can then create a scoped role for a specific EJB that contains highly sensitive business logic. When you create a policy for the EJB, you can specify that only the scoped role can access the EJB.
More information on managing scoped roles is here.
Solved adding the role mapping as it is done in any web module, but using the proprietary weblogic-ejb-jar.xml, as follows:
<wls:security-role-assignment>
<wls:role-name>Administrators</wls:role-name>
<wls:principal-name>myweblogicgroup</wls:principal-name>
</wls:security-role-assignment>
The "myweblogicgroup" is the group created in the WebLogic security realm for which the system user used to authenticated to the web service is associated.
This link helped me.
I have a problem when calling web Services in ASP.net MVC , I do the following
add the web service by add service reference to solution, and I include the service.cs file to the solution also, but when I try to create object in home controller , I have the following error
Could not find default endpoint element that references contract 'Service' in the ServiceModel client configuration section. This might be because no configuration file was found for your application, or because no endpoint element matching this contract could be found in the client element.
can any one help me please
thanks
There's a couple things going on here. First, you're using SVCUTIL to generate a proxy and configuration settings for a non-WCF service - .asmx is legacy. I was able to generate a proxy and config settings, but to overcome the error you got you need to call one of the overloaded versions of WeatherHttpClient.
I'm not 100% sure, but this is what I think based on what I observed.
The reason is because there are two endpoints defined in the configuration file (one for SOAP 1.1 and one for SOAP 1.2), and since both endpoints are named there is no default endpoint to choose from.
When I used var x = new WeatherHttpClient(new BasicHttpBinding("WeatherSoap"), new EndpointAddress("http://wsf.cdyne.com/WeatherWS/Weather.asmx")); I was able to create the proxy just fine.
However, when I called GetCityForecastByZip I got the following error:
Server did not recognize the value of HTTP Header SOAPAction: http://ws.cdyne.com/WeatherWS/WeatherHttpGet/GetCityForecastByZIPRequest.
So then I used WSDL.exe to generate the proxy a la .ASMX style. I included that in my project, and the following code returned a result (after including a reference to System.Web.Services - I was using a console app):
var x = new Weather();
ForecastReturn result = x.GetCityForecastByZip("91504");`
I would suggest for simplicity using WSDL.exe to generate the proxy for your service, as it seems to be simpler.
I will also add that I've done very little MVC, but I don't think this is an MVC issue. I hope this helps you.
Using Visual Studio I have a Class Library (C#) where I added a reference to a Service (more preciselly a Web Service).
The Web Service classes and interfaces where generated correctly, and I am trying to consume them using the following code (the web service receives an returns a string):
CallWS request = new CallWS();
request.input = "input string";
WSClient client = new WSClient();
CallWSResponse response = client.CallWS(request);
The last line originates the following exception:
Could not find default endpoint element that references contract 'WS_INTER' in the ServiceModel client configuration section. This might be because no configuration file was found for your application, or because no endpoint element matching this contract could be found in the client element.
How do I solve this?
You have to add an application configuration file and set up system.serviceModel section defining the address of a service.
You can certainly do that in code. Check this or MSDN for description
I am running blazeds on the server side. I would like to filter http requests using an http header. My goal is to send extra parameters to the server without changing the signatures of my blazeds services.
On the client side, I am using Flex RemoteObject methods.
With Flex WebService components, it is possible to set an http header using the property httpHeaders. I have not found anything similar on the RemoteObject class...
I couldnt modify http request from flex, instead I can add custom headers to the mx.messaging.messages.IMessage that RemoteObject sends to the server and there, extending flex.messaging.services.remoting.adapters.JavaAdapter (used for accessing Spring beans), it's posible to read the header parameters and put them into the HTTPRequest.
In the flex part, I had to extend mx.rpc.AsyncRequest:
declares a new property "header" and overwrites invoke method that checks if there is a not null value for set the msg.headers.
and mx.rpc.remoting.mxml.RemoteObject:
the constructor creates a new instance of our custom AsyncRequest and overwrite old AsyncRequest and it defines a setHeaders method that set the argument to the custom AsyncRequest.
com.asfusion.mate.actions.builders.RemoteObjectInvoker (extra :P):
this one reads the param declared in the Mate's map RemoteObjectInvoker and puts in the RemoteObject header.
I hope it will be understandable (with my apache english xDDD)
Bye. Agur!
This worked for me using BlazeDS and Spring-Flex 1.5.2
Flex:
use namespace mx_internal;
var service:RemoteObject = new RemoteObject(destination);
var operation:Operation = service[functionName];
operation.asyncRequest.defaultHeaders = {company:'company'};
var token:AsyncToken = operation.send();
Java Spring-Flex:
public class FlexJavaCustomAdapter extends JavaAdapter{
#Override
public Object invoke(Message message) {
String locale = (String) message.getHeader("com.foo.locale");
return super.invoke(message);
}
}
dispatcher-servlet.xml
<bean id="customAdapter" class="org.springframework.flex.core.ManageableComponentFactoryBean">
<constructor-arg value="com.codefish.model.flex.FlexJavaCustomAdapter"/>
</bean>
<flex:message-broker id="_messageBroker" services-config-path="classpath*:/com/codefish/resources/spring/services-config.xml" >
<flex:remoting-service default-adapter-id="customAdapter"
default-channels="my-amf, my-secure-amf" />
</flex:message-broker>
</bean>
RemoteObject uses AMF as the data channel, and is managed in a completely different way than HttpService or WebService (which use Http).
What you can do, is call setCredentials(username,password) and then capture this on the server side using the FlexLoginCommand (either the standard one for your container, or derive your own).
Lookup setCredentials and how you should handle this on both sides (client and server).
I have similar problem, and I afraid there is no simple way to set HTTP header when using AMF. But I've designed following solution.
Flex uses HTTP to transfer AMF, but invokes it through browser interfaces, this allows you to set cookie. Just in document containing application invoke following JavaScript
document.cookie="clientVersion=1.0;expires=2100-01-01;path=/";
Browser should transfer it to server, and you can filter (problem will be if the user will have cookies turned off).
Much more you can invoke JavaScript functions from Flex (more is here: http://livedocs.adobe.com/flex/3/html/help.html?content=passingarguments_4.html).
You might be trying to re-invent the wheel. Is there a reason you can't use the standard HTTP(s) authentication?
A reason I was thinking too to use http headers was for the server to be able to 'recognize' the flex client in the a context of service versionning.
On the server I can always build an indirection/proxy that would allow the different clients to only use 1 end point and route to the right adapter depending on the client version.
The question is on the client side. How would the server identify the flex client token or 'version'. One way is certainly via authentication. But, assuming there is not authentication involved?
We recently run into the same issue and this is how we added our custom headers without creating a subclass:
var operation:AbstractOperation = _remoteSession.getOperation('myRemoteOperation');
var async:AsyncRequest = operation.mx_internal::asyncRequest;
async.defaultHeaders = {my_header:'my_value'};
The AsyncRequest object is actually accessible via the operation object via the mx_internal namespace.
You can debug the $GLOBALS in PHP to see that.
I think this is in the
$GLOBALS['HTTP_RAW_POST_DATA'];
or you can simple do
file_get_contents('php://input');