We are trying to deploy an EAR on WebSphere Liberty which has been running on WebSphere Application Server 7 before. The application calls an external SOAP Service. The WSDL of the service defines a wsp:Policy with http:BasicAuthentication xmlns:http="http://schemas.microsoft.com/ws/06/2004/policy/http"/
After deployment when we send a request to our application, which would trigger that SOAP-call we get an error:
None of the policy alternatives can be satisfied.
In addition, we get this Warning:
[WARNING ] No assertion builder for type {http://schemas.microsoft.com/ws/06/2004/policy/http}BasicAuthentication registered.
The server.xml file has this feature added:
<feature>wsSecurity-1.1</feature>
The Service Fetching
public IServiceFacade getBasicHttpBindingIServiceFacade() {
return super.getPort(new QName("http://tempuri.org/", "BasicHttpBinding_IService"), IServiceFacade.class);
}
We have previously on WAS 7 been setting the Basic Auth as follows:
IServiceFacade proxy = service.getBasicHttpBindingIServiceFacade();
Map<String, Object> requestContext = ((BindingProvider) proxy).getRequestContext();
((BindingProvider)proxy).getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, endpoint);
/* Basic authentication */
requestContext.put(BindingProvider.USERNAME_PROPERTY, user);
requestContext.put(BindingProvider.PASSWORD_PROPERTY, password);
The following code has been functional on WAS 7 but is failing on Liberty.
UPDATE 1
The issue here seems to be that we are not able to access the cxf ClientProxy from the internal liberty-provided cxf client dependency. After some digging I found that liberty does not expose these libraries. The only solution being, that I need to exclude the jaxws-2.2 and provide all needed dependencies by myself, but as a result of that, I lose all built in functionality provided by liberty with regards to jax-ws's.
https://developer.ibm.com/answers/questions/236182/how-can-i-access-the-libertys-jaxrs-20-apache-cxf/
UPDATE 2
After providing my own cxf jars and excluding the jaxws-2.2 feature from Liberty. I can now access the HTTPConduit through usiing ClientProxy(proxy).getConduit(). However, now the issue seems to be that CXF does not support the provider: http://schemas.microsoft.com/ws/06/2004/policy/http.
It throws the following error:
DEBUG org.apache.cxf.ws.policy.PolicyEngineImpl - Alternative {http://schemas.microsoft.com/ws/06/2004/policy/http}BasicAuthentication is not supported
I have added the following deps to by pom:
<dependency>
<groupId>org.apache.cxf</groupId>
<artifactId>cxf-rt-rs-client</artifactId>
<version>3.2.0</version>
</dependency>
<dependency>
<groupId>org.apache.cxf</groupId>
<artifactId>cxf-rt-frontend-jaxws</artifactId>
<version>3.2.0</version>
</dependency>
<dependency>
<groupId>org.apache.cxf</groupId>
<artifactId>cxf-rt-transports-http</artifactId>
<version>3.2.0</version>
</dependency>
<dependency>
<groupId>org.apache.cxf</groupId>
<artifactId>cxf-rt-ws-security</artifactId>
<version>3.2.0</version>
</dependency>
I also tried adding the following, with no luck:
Endpoint endpoint = client.getEndpoint()
endpoint.getOutInterceptors().add(new WSS4JOutInterceptor())
UPDATE 3
After some help from IBM support I was instructed to follow the following link:
https://www.ibm.com/support/knowledgecenter/SSAW57_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/twlp_sec_ws_basicauth.html
We added an ibm-ws-bnd.xml file to our META-INF folder (as per section 4 and below), in addition, we used #WebServiceRef to access the webservice defined in our tags in the xml file. The file looks as such:
<?xml version="1.0" encoding="UTF-8"?>
<webservices-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-ws-bnd_1_0.xsd"
version="1.0">
<service-ref name="service/servicename">
<port name="BasicHttpBinding"
namespace="http://ibm.com/ws/jaxws/transport/security/"
username="username"
password="suchwowsecretpassword">
</port>
</service-ref>
</webservices-bnd>
Usign #WebServiceRef, I am getting back the service which is instantiated by the ibm-ws-bnd.xml file. However, the Basic Auth WS-policy is still not satisfied. Upon removing that policy assertion, we can see that the external service is failing with a 401-unauthorized error.
In addition, When we inspect the message in our handlerchain, we can see the following:
We can see that both username and pw values are null on the conduit properties. Which (as per my knowledge), should indicate that ibm-ws-bnd is not setting the actual Basic Auth header on our service.
We basically ran into the same problem a while back [1], but unfortunately were not able to solve this.
My suggestion would be to setup the entire SOAP-Client stuff in normal Java-code and not rely on anything from your Application Server, because then you are able to set the Authentication like the following snippet:
HTTPConduit http = (HTTPConduit) client.getConduit();
http.getAuthorization().setUserName("user");
http.getAuthorization().setPassword("pass");
Note: We actually did not solve our problem like that; We went for a workaround. Our usage of WebSphere Liberty was limited to the Developers-environment. On our Integration Test, Acceptance and Production-server, we use a 'real' WebSphere Application Server.
Our workaround was start to remove the policy line from the WSDL and
not use Basic Authentication in our developers test.
The real WebSphere still applies the HTTP Basic Authentication if it is configured to do so, even if the WSDL does not specify the policy anymore.
I hope you will manage to find a appropriate solution.
Cheers,
Marco
1: How to setup HTTP Basic Authentication for SOAP Client within WebSphere Liberty
Removing accidental edit
Related
I'm currently using the sabre web service TravelItineraryReadLLSRQ (version 2.2.0) and I can successfully retrieve all on the PNR data. Now I'm trying to implement GetReservation but I'm getting the error below.
Not finding any further detail from the dev sabre portal - has anybody seen this and know what the 'fix' is?
"Viewership is restricted for the PNR, caused by [Viewership is restricted for the PNR (Unsupported security check), code: 700102, severity: MODERATE]"
<GetReservationRS xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Errors xmlns="http://webservices.sabre.com/pnrbuilder/v1_18">
<Error>
<Code>700102</Code>
<Message>Viewership is restricted for the PNR, caused by [Viewership is restricted for the PNR (Unsupported security check), code: 700102, severity: MODERATE]</Message>
<Severity>MODERATE</Severity>
</Error>
</Errors>
</GetReservationRS>
You may want to try using "Stateful" since "Stateless" is only intended for airline customers. You can use Stateful together with a locator or without it, makes no difference.
You may also may want to be aware that the service can be called with the Full, Default and Simple View Names. Only Simple will return more updated data which you can obtain by using the required subject areas in the payload. Full and Default will ignore the subject areas you use.
We are trying to deploy an EAR on WebSphere Liberty.
Our application contains an EJB-module, which contains and EJB that makes a call to another SOAP server.
The WSDL of the service defines a wsp:Policy with ExactlyOne of http:BasicAuthentication xmlns:http="http://schemas.microsoft.com/ws/06/2004/policy/http"/
After deployment when we send a request to our application, which would trigger that SOAP-call we get an error: None of the policy alternatives can be satisfied.
I found some java-code on how to solve this
HTTPConduit http = (HTTPConduit) client.getConduit();
http.getAuthorization().setUserName("user");
http.getAuthorization().setPassword("pass");
But I do not want to do this in the Java-code but I want to make it part of the server config.
I found several helpful links, but still could not get it working.
Does anybody have any suggestions on how I can set this up?
https://www.ibm.com/support/knowledgecenter/en/SSEQTP_8.5.5/com.ibm.websphere.wlp.doc/ae/twlp_wssec_migrating.html
https://www.ibm.com/support/knowledgecenter/en/SSEQTP_8.5.5/com.ibm.websphere.wlp.doc/ae/twlp_sec_ws_clientcert.html
You could use the JNDI feature to express the userid and password in server.xml, then have your java code pull it out of JNDI.
https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/twlp_dep_jndi.html
I'm trying to use SBT powered projects with Visual Studio Team Services, specifically the Packages plugin.
The packages plugin has explicit instructions for how to get it to work with Maven, but I haven't been able to determine a means to adapt the instructions for SBT as they seem to rely on a configuration-powered hack of the Maven HTTP interface.
The specific instructions I have are:
Add credentials to your user settings.xml inside the <servers> tag
<server>
<id>projectspace-visualstudio.com-java</id>
<configuration>
<httpHeaders>
<property>
<name>Authorization</name>
<!--Treat this auth token like a password. Do not share it with anyone, including Microsoft support. The generated token expires on or before 12/24/2017-->
<value>Basic dXNlci5uYW1lOjQ5ZmphMm1leUowZVhBZ09pSktWMVFpTENKaGJHY2lPaUpTVXpJMU5pSXNJbmcxZENJNkltOVBkbU42TlUxZk4zQXRTR3BKUzJ4R1dIbzVNM1ZmVmpCYWJ5SjkuZXlKdVlXMWxhV1FpT2lKak5qZGhORFZoWmkwME5UZ3lMVFpsTlRFdFltUXhNeTB6WTJRMk1HVTJPRGhpTmpjaUxDSnpZM0FpT2lKMmMyOHVaSEp2Y0Y5M2NtbDBaU0IyYzI4dWNHRmphMkZuYVc1blgzZHlhWFJsSWl3aVlYVnBJam9pWTJZM1l6ZGxaRGt0TXpVeE55MDBZalU1TFRrMk4yRXRaalZoWW1RNE16UTNaV1UySWl3aWMybGtJam9pWVdZek1XRXpOVEF0TXpBNVl5MDBNalF3TFdKbU1XRXRZelV4TURJek5HWXhPV0ppSWl3aWFYTnpJam9pWVhCd0xuWnpjM0J6TG5acGMzVmhiSE4wZFdScGJ5NWpiMjBpTENKaGRXUWlPaUpoY0hBdWRuTnpjSE11ZG1semRXRnNjMzFaR2x2TG1OdmJYeDJjMjg2WWpFME5tUTBZalF0TVRSaU55MDBOVE5qTFdJNU5qa3RZVEpoTXpsaFpEZGtNVGc0SWl3aWJtSm1Jam94TlRBMk16M016UTVMQ0psZUhBaU9qRTFNVFF4TkRNek5UQjkuQkJLY25Wa1dZbHYwTFJrZkVIQnpEY3loaFJodTFwTmhFNk51WTB5UEFDTDY4MktiRGVTRXNTUWFZSkJOcG82Y3Bnal9lZThBbkhqc1otUG1PYWY0aGtsVE1Dd3hwbDhuTXdSRzVYeGJWMTFFS1lTOFFhMTdvWFFGY1JIMl9JbG84MlJMMS1PWlAxXzExcEZ0TU1ST0tTVW85X0ttTGM3RzF2YWlJcXc5YkFrejEyemRGeUNobVJEWmFDdWFBV1NQaUU1VVRPaV9aMi1oS291UVBWd0E4N29oelpZMjU0X25fN0o3UFdnczUweXVOaXZRc3Q5Y1U5MGJPMWNZWHUyMmtLMEVyeC05ZlptMUlwWGRoQ1hkZm1aTDlxUWFSbnp5dW9QaGVFelJoZWd6bExNTjFSaVk1U0FwOENqR1FnR3NmWEZsNlNMTnNYYnhUOUd0YjVGRUJ3</value>
</property>
</httpHeaders>
</configuration>
</server>
Note: The credentials there are deliberately a bit scrambled from what was actually assigned for obvious reasons. The contents of the auth header being forced is a standard Auth-Basic Base64 username:password combination.
They further instruct
Add this to your project pom.xml inside both the <repositories> tag and the <distributionManagement> tag
<repository>
<id>projectspace-visualstudio.com-java</id>
<url>https://projectspace.pkgs.visualstudio.com/_packaging/java/maven/v1</url>
<releases>
<enabled>true</enabled>
</releases>
<snapshots>
<enabled>true</enabled>
</snapshots>
</repository>
I've tried breaking that username and password out, assigning them to a Credentials entry and attempting to publish to "https://projectspace.pkgs.visualstudio.com/_packaging/java/maven/v1" but it inevitably fails.
As near as I can tell, the VSTS package system doesn't give the standard HTTP Auth challenge with a Realm, and without the Realm SBT (or is it Ivy?) never attempts to send the credentials, giving up. Meanwhile Maven just sends the credentials on the first attempt.
Is there a way to make SBT send the credentials regardless, or similarly attach a mandatory header? (Or did I completely misdiagnose the issue?)
Thanks.
I think I stumbled upon the solution while attempting to add more information to my question.
Upon attempting to deliberately fail the upload with CURL, I discovered in the verbose output:
< WWW-Authenticate: Bearer authorization_uri=https://login.windows.net/67dd666e-d00e-4f5f-9f71-76760f050c78
< WWW-Authenticate: Basic realm="https://pkgsprodscussu2.app.pkgs.visualstudio.com/"
< WWW-Authenticate: TFS-Federated
Upon changing my realm to https://pkgsprodscussu2.app.pkgs.visualstudio.com/ SBT was suddenly able to publish.
Hooray. Unfortunately there seems to be no guarantee that realm value is stable, but it works for now at least.
For the reference of others, this is the solution I ended up with:
publishTo in ThisBuild := Some("vsts" at "https://projectspace.pkgs.visualstudio.com/_packaging/java/maven/v1/")
credentials in ThisBuild += {
import java.nio.charset.StandardCharsets
import java.util.Base64
val decodedArray: Array[Byte] = Base64.getDecoder.decode(
"""dXNlci5uYW1lOjQ5ZmphMm1leUowZVhBZ09pSktWMVFpTENKaGJHY2lPaUpTVXpJMU5pSXNJbmcxZENJNkltOVBkbU42TlUxZk4zQXRTR3BKUzJ4R1dIbzVNM1ZmVmpCYWJ5SjkuZXlKdVlXMWxhV1FpT2lKak5qZGhORFZoWmkwME5UZ3lMVFpsTlRFdFltUXhNeTB6WTJRMk1HVTJPRGhpTmpjaUxDSnpZM0FpT2lKMmMyOHVaSEp2Y0Y5M2NtbDBaU0IyYzI4dWNHRmphMkZuYVc1blgzZHlhWFJsSWl3aVlYVnBJam9pWTJZM1l6ZGxaRGt0TXpVeE55MDBZalU1TFRrMk4yRXRaalZoWW1RNE16UTNaV1UySWl3aWMybGtJam9pWVdZek1XRXpOVEF0TXpBNVl5MDBNalF3TFdKbU1XRXRZelV4TURJek5HWXhPV0ppSWl3aWFYTnpJam9pWVhCd0xuWnpjM0J6TG5acGMzVmhiSE4wZFdScGJ5NWpiMjBpTENKaGRXUWlPaUpoY0hBdWRuTnpjSE11ZG1semRXRnNjMzFaR2x2TG1OdmJYeDJjMjg2WWpFME5tUTBZalF0TVRSaU55MDBOVE5qTFdJNU5qa3RZVEpoTXpsaFpEZGtNVGc0SWl3aWJtSm1Jam94TlRBMk16M016UTVMQ0psZUhBaU9qRTFNVFF4TkRNek5UQjkuQkJLY25Wa1dZbHYwTFJrZkVIQnpEY3loaFJodTFwTmhFNk51WTB5UEFDTDY4MktiRGVTRXNTUWFZSkJOcG82Y3Bnal9lZThBbkhqc1otUG1PYWY0aGtsVE1Dd3hwbDhuTXdSRzVYeGJWMTFFS1lTOFFhMTdvWFFGY1JIMl9JbG84MlJMMS1PWlAxXzExcEZ0TU1ST0tTVW85X0ttTGM3RzF2YWlJcXc5YkFrejEyemRGeUNobVJEWmFDdWFBV1NQaUU1VVRPaV9aMi1oS291UVBWd0E4N29oelpZMjU0X25fN0o3UFdnczUweXVOaXZRc3Q5Y1U5MGJPMWNZWHUyMmtLMEVyeC05ZlptMUlwWGRoQ1hkZm1aTDlxUWFSbnp5dW9QaGVFelJoZWd6bExNTjFSaVk1U0FwOENqR1FnR3NmWEZsNlNMTnNYYnhUOUd0YjVGRUJ3"""
)
val decodedString = new String(decodedArray, StandardCharsets.UTF_8)
print("decoded: ")
println(decodedString)
val Array(userName, passwd) = decodedString.split(":", 2)
Credentials(
realm = "https://pkgsprodscussu2.app.pkgs.visualstudio.com/",
host = "projectspace.pkgs.visualstudio.com",
userName = userName,
passwd = passwd
)
}
For me it works this way:
You need go to Artifacts, choose you feed and open connect to feed. There are open Gradle and generate password, user name will be in Gradle settings on this page. And then use following settings in your build sbt.
val azureArtifactory ="Azure artifactory" at "https://projectspace.pkgs.visualstudio.com/_packaging/java/maven/v1/"
val azureArtifactoryCreds = Credentials(
""https://projectspace.pkgs.visualstudio.com",
"projectspace.pkgs.visualstudio.com", USER_NAME,
PASSWORD)```
.settings(publishTo in ThisBuild := Some(azureArtifactory),
credentials += azureArtifactoryCreds)
Right now, I am using a library java library:
<dependency>
<groupId>com.googlecode.linkedin-j</groupId>
<artifactId>linkedin-j-core</artifactId>
<version>1.0.429</version>
</dependency>
bUT this does not work anymore. I the library is using deprecated API :
/v1/people/~/current-status
and whenever ran it throws exception as follows:
Exception in thread "main" com.google.code.linkedinapi.client.LinkedInApiClientException: Unsupported PUT target {/v1/people/~/current-status}
So I look-up at LinkedIn documentation for new updates, BUT could NOT find the appropriate documentation for publishing user current profile status...
https://developer.linkedin.com/documents/profile-api
Current code that stopped working is similar as follows using LinkedInJ:
LinkedInApiClientFactory factory = LinkedInApiClientFactory.newInstance(getApiKey(), getSecretApiKey());
LinkedInAccessToken accessToken = new LinkedInAccessToken(promotion.getAccessToken(), promotion.getSecretAccessToken());
LinkedInApiClient client = factory.createLinkedInApiClient(accessToken);
client.updateCurrentStatus("my status message");
How to post STATUS UPDATES on LinkedIn via its api?
Read your own question.
I the library is using deprecated API :
deprecated means that it is no longer supported, which is concurrent with the error message you're receiving:
Unsupported PUT target {/v1/people/~/current-status}
This means that the deprecated lib you're using has a function updateCurrentStatus but under the covers the API endpoint the request is being made to doesn't support the PUT verb.
To get rid of that error you need to add the linked-j jar in your build path. Here is the link to download the jar http://www.java2s.com/Code/Jar/l/Downloadlinkedinjjar.htm
My issue was solved after adding the jar.
I created a key/value map using the platform API defined in this doc. I used the API-scoped url to create a key/value map named countrymap.
https://api.enterprise.apigee.com/v1/o/{org_name}/apis/{api_name}/keyvaluemaps
and plugged in the sample weather api I made while following the tutorials.
However I could not seem to refer to this map when I added a KeyValueMapOperations policy inside the API proxy. I tried adding a mapIdentifier="countrymap" to the definition (based on the samples) but it still does not see it.
<KeyValueMapOperations async="false" continueOnError="false" enabled="true" mapIdentifier="countrymap" name="keyvaluemapoperations-2">
<DisplayName>KeyValueMapOperations-2</DisplayName>
<FaultRules/>
<Properties/>
<ExclusiveCache>false</ExclusiveCache>
<ExpiryTimeInSecs>-1</ExpiryTimeInSecs>
<Get assignTo="my.country" index="1">
<Key>
<Parameter ref="apigee.countryCode"></Parameter>
</Key>
</Get>
<Scope>organization</Scope>
</KeyValueMapOperations>
The policy works if I add an <InitialEntries> definition to the code above.
According to the Key/Value Maps docs:
Key/ValueMaps provide an API for storing arbitrary name/value pairs
that can be access at runtime by custom policies, or for other custom
runtime requirements such as protocol support.
Do custom policies include the KeyValueMapOperations policy? What am I missing here?
As you mentioned, you put the KeyValueMap in the scope of the api. To access that KVM, you'll need to use:
<Scope>apiproxy</Scope>
See the details for configuring the policy here.
Step 1: Verify if teh keyvalumap is correctly created:
/v1/o/{org_name}/apis/{api_name}/keyvaluemaps" --> this should list the countrymap KVM
Step 2: Populate the KVM before trying to do a GET call on it.You can populate it either by using API Calls (apigee.com/docs/api/api_methods/62-update-keyvaluemap) , or by Using PUT operation of KeyValueMapOperations as shown here (apigee.com/docs/api-services/content/persist-data-using-keyvaluemap)
Step 3: Check the entries of KVM
/v1/o/{org_name}/apis/{api_name}/keyvaluemaps/countrymap
Step 4: You can use the same KeyValueMapOperations Polices as given in example to do a get on the KVM
I was also facing this issue and after making below change in KeyValueMapOperations, it started working for me.
<Scope>apiproxy</Scope>
<Parameter>apigee.countryCode</Parameter>