I have a service with federated security that I am calling.
I have inserted a keystore to the encryption field in soap UI (within WS-Security Configurations) and specified in what namespace (http://urn:oasis:names:tc:SAML:1.0:assertion) my field is that I want to encrypt but the problem is that the field never encrypts in the request.
I have xml SAML that I have inserted which is what I am trying to encrypt which starts like this:
The request that gets generated (captured with Fiddler) is like this and it looks like it skips this SAML XML all together.
I have tried encrypting the body of the message with no problem but I cannot seem to be able to encrypt the SAML XML.
Can someone please help me with this? What am I missing?
Related
I am looking to do the following:
Perform a secured mutual authentication connection with the interface server.
Encrypt the SOAP body for all web service requests
Sign all SOAP requests using the client private certificate, before sending the request via this interface.
I am struggling with how to encrypt the SOAP body.
Using Chilkat.Crypt2 I can encrypt the entire file - however this includes the headers and not what is required.
Looking for some guidance please!
I am thinking of creating a web api application using .Net. Here is what I am thinking of how to implement this.
The application will be serving clients who's credentials I will create separately.
These credentials will be encrypted using my own private key.
I will provide them this encrypted text.
They will use this encrypted text in the Authorization header.
On the server I will implement an AuthorizationFilterAttribute.
In here I will decrypt and validate the user.
And allow it to go to the resource.
I honestly do not understand this topic in depth. Therefore I was wondering if my approach will work.
In my tests I have seen that all requests do hit the AuthorizationFilterAttribute which means I will have the chance to check credentials on every request.
Bearer Token might not work as for that I will need (my understanding) at least 2 requests one to get token and next one to get actual resource. Please guide.
Thanks
An online webhook API I have started using uses HMAC to verify the authenticity of the HTTP POST request.
From my understanding you can only verify the contents of the body of the request if you have the secret key (which was supplied to the service originally).
However, the secret key is included in the JSON data in the body of the request itself.
Is this still reliable? Couldn't a man-in-the-middle read the key, then change the POST contents, recalculate the HASH using the key and change the header as well before forwarding the data? Or am I totally on the wrong track here?
It isn't secure - I let the owners of the API know and they concur and are fixing the issue asap.
I'm in the long process of creating an HTTP POST request. I am trying to find the easiest way possible to add password and and username info. for authentication purposes and have concluded that HTTP Basic Access Authentication might be good.
My question is does HTTP Basic Access Authentication require ApacheHTTPClient or any 3rd party libraries?
Basic Authentication is easy to implement. What you need is just a library for Base64.
Build a string by concatenating the user ID, a colon and the password. That is, "{userid}:{password}".
Encode the string by Base64.
Prepend "Basic " to the encoded string.
Set the resultant string to Authorization HTTP header.
I'm developing an API using ASP.Net WebAPI, and authorizing clients with an access token. I want to know which source is more standard to put the access token? Headers, Uri or Body?
For example in Instagram API, clients should pass access token in uri as a query string. But I think in Twitter API the request must include an Authorization header.
Let me know if there is an standard rule.
Security related information such as an API Token go in the Authorization header. That is what it is designed for.
Putting api keys in the URI increases the chances of the API keys getting stored in the log file and it makes public caching far less effective.