Intercepting encrypted SOAP message with SoapUI - encryption

I try to intercept encrypted soap message with SoapUI. The reference site of WS Security with Wildfly 8 and Eclipse IDE is
https://docs.jboss.org/author/display/JBWS/WS-Security#WS-Security-Authenticationandauthorization
WS Security implementation is successful and the response message is encrypted successfully. The main key in WS security is manifest.mf. I add the following lines in manifest.mf file and it works well in Eclipse IDE.
Manifest-Version: 1.0
Dependencies: org.apache.cxf.impl, org.apache.ws.security services
Class-Path:
But in SoapUI application soap message encryption is failed. Me reference site is
http://www.soapui.org/soapui-projects/ws-security.html
http://blog.thilinamb.com/2011/02/invoking-secured-web-service-with.html
The SEI throws the following exception.
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}ProtectionToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp: Received Timestamp does not match the requirements
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SymmetricBinding: Received Timestamp does not match the requirements
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EndorsingSupportingTokens: The received token does not match the endorsing supporting token requirement
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token: The received token does not match the token inclusion requirement
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts: {http://schemas.xmlsoap.org/soap/envelope/}Body not ENCRYPTED
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts: {http://schemas.xmlsoap.org/soap/envelope/}Body not SIGNED</faultstring>
</soap:Fault>
</soap:Body>
</soap:Envelope>
The same exception was thrown in Eclipse IDE when I did not add the Dependancies line in manifest.mf file. Do you think those are related and have the same configuration problem?

Related

Sabre: GetReservation equivalent to TravelItineraryRead

I'm implementing GetReservation because TravelItineraryRead will soon be deprecated.
When creating a PNR, I get successful responses of GetReservation, but when I try to query the previously created PNR, Sabre WS rejects with "Viewership is restricted for the PNR, caused by [Viewership is restricted for the PNR (Unsupported security check), code: 700102, severity: MODERATE"
I'm connecting to Sabre WS via SOAP, in test endpoint https://sws-tls.cert.sabre.com.
The RQ I'm sending is:
<GetReservationRQ xmlns="http://webservices.sabre.com/pnrbuilder/v1_19" Version="1.19.0">
<Locator>XWYZA</Locator>
<RequestType>Stateless</RequestType>
<ReturnOptions PriceQuoteServiceVersion="3.2.0">
<SubjectAreas>
<SubjectArea>FULL</SubjectArea>
</SubjectAreas>
<ViewName>Full</ViewName>
<ResponseFormat>STL</ResponseFormat>
</ReturnOptions>
</GetReservationRQ>
I've tried with others Views and SubjectAreas, but I always get that response, what am I doing wrong?
The problem was that I needed to send RequestType: Stateful instead of Stateless
<GetReservationRQ xmlns="http://webservices.sabre.com/pnrbuilder/v1_19" Version="1.19.0">
<Locator>KDQPNP</Locator>
<RequestType>Stateful</RequestType>
<ReturnOptions PriceQuoteServiceVersion="3.2.0">
<SubjectAreas>
<SubjectArea>FULL</SubjectArea>
<SubjectArea>PRICE_QUOTE</SubjectArea>
</SubjectAreas>
<ViewName>Full</ViewName>
<ResponseFormat>STL</ResponseFormat>
</ReturnOptions>
</GetReservationRQ>

Basic Auth for SOAP Client Proxy within WebSphere Liberty

We are trying to deploy an EAR on WebSphere Liberty which has been running on WebSphere Application Server 7 before. The application calls an external SOAP Service. The WSDL of the service defines a wsp:Policy with http:BasicAuthentication xmlns:http="http://schemas.microsoft.com/ws/06/2004/policy/http"/
After deployment when we send a request to our application, which would trigger that SOAP-call we get an error:
None of the policy alternatives can be satisfied.
In addition, we get this Warning:
[WARNING ] No assertion builder for type {http://schemas.microsoft.com/ws/06/2004/policy/http}BasicAuthentication registered.
The server.xml file has this feature added:
<feature>wsSecurity-1.1</feature>
The Service Fetching
public IServiceFacade getBasicHttpBindingIServiceFacade() {
return super.getPort(new QName("http://tempuri.org/", "BasicHttpBinding_IService"), IServiceFacade.class);
}
We have previously on WAS 7 been setting the Basic Auth as follows:
IServiceFacade proxy = service.getBasicHttpBindingIServiceFacade();
Map<String, Object> requestContext = ((BindingProvider) proxy).getRequestContext();
((BindingProvider)proxy).getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, endpoint);
/* Basic authentication */
requestContext.put(BindingProvider.USERNAME_PROPERTY, user);
requestContext.put(BindingProvider.PASSWORD_PROPERTY, password);
The following code has been functional on WAS 7 but is failing on Liberty.
UPDATE 1
The issue here seems to be that we are not able to access the cxf ClientProxy from the internal liberty-provided cxf client dependency. After some digging I found that liberty does not expose these libraries. The only solution being, that I need to exclude the jaxws-2.2 and provide all needed dependencies by myself, but as a result of that, I lose all built in functionality provided by liberty with regards to jax-ws's.
https://developer.ibm.com/answers/questions/236182/how-can-i-access-the-libertys-jaxrs-20-apache-cxf/
UPDATE 2
After providing my own cxf jars and excluding the jaxws-2.2 feature from Liberty. I can now access the HTTPConduit through usiing ClientProxy(proxy).getConduit(). However, now the issue seems to be that CXF does not support the provider: http://schemas.microsoft.com/ws/06/2004/policy/http.
It throws the following error:
DEBUG org.apache.cxf.ws.policy.PolicyEngineImpl - Alternative {http://schemas.microsoft.com/ws/06/2004/policy/http}BasicAuthentication is not supported
I have added the following deps to by pom:
<dependency>
<groupId>org.apache.cxf</groupId>
<artifactId>cxf-rt-rs-client</artifactId>
<version>3.2.0</version>
</dependency>
<dependency>
<groupId>org.apache.cxf</groupId>
<artifactId>cxf-rt-frontend-jaxws</artifactId>
<version>3.2.0</version>
</dependency>
<dependency>
<groupId>org.apache.cxf</groupId>
<artifactId>cxf-rt-transports-http</artifactId>
<version>3.2.0</version>
</dependency>
<dependency>
<groupId>org.apache.cxf</groupId>
<artifactId>cxf-rt-ws-security</artifactId>
<version>3.2.0</version>
</dependency>
I also tried adding the following, with no luck:
Endpoint endpoint = client.getEndpoint()
endpoint.getOutInterceptors().add(new WSS4JOutInterceptor())
UPDATE 3
After some help from IBM support I was instructed to follow the following link:
https://www.ibm.com/support/knowledgecenter/SSAW57_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/twlp_sec_ws_basicauth.html
We added an ibm-ws-bnd.xml file to our META-INF folder (as per section 4 and below), in addition, we used #WebServiceRef to access the webservice defined in our tags in the xml file. The file looks as such:
<?xml version="1.0" encoding="UTF-8"?>
<webservices-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-ws-bnd_1_0.xsd"
version="1.0">
<service-ref name="service/servicename">
<port name="BasicHttpBinding"
namespace="http://ibm.com/ws/jaxws/transport/security/"
username="username"
password="suchwowsecretpassword">
</port>
</service-ref>
</webservices-bnd>
Usign #WebServiceRef, I am getting back the service which is instantiated by the ibm-ws-bnd.xml file. However, the Basic Auth WS-policy is still not satisfied. Upon removing that policy assertion, we can see that the external service is failing with a 401-unauthorized error.
In addition, When we inspect the message in our handlerchain, we can see the following:
We can see that both username and pw values are null on the conduit properties. Which (as per my knowledge), should indicate that ibm-ws-bnd is not setting the actual Basic Auth header on our service.
We basically ran into the same problem a while back [1], but unfortunately were not able to solve this.
My suggestion would be to setup the entire SOAP-Client stuff in normal Java-code and not rely on anything from your Application Server, because then you are able to set the Authentication like the following snippet:
HTTPConduit http = (HTTPConduit) client.getConduit();
http.getAuthorization().setUserName("user");
http.getAuthorization().setPassword("pass");
Note: We actually did not solve our problem like that; We went for a workaround. Our usage of WebSphere Liberty was limited to the Developers-environment. On our Integration Test, Acceptance and Production-server, we use a 'real' WebSphere Application Server.
Our workaround was start to remove the policy line from the WSDL and
not use Basic Authentication in our developers test.
The real WebSphere still applies the HTTP Basic Authentication if it is configured to do so, even if the WSDL does not specify the policy anymore.
I hope you will manage to find a appropriate solution.
Cheers,
Marco
1: How to setup HTTP Basic Authentication for SOAP Client within WebSphere Liberty
Removing accidental edit

Get All Sales Order from Quick Book via QuickBook WebConnector using asp.net

I am using QuicBook Premier Edition UK , I have a company file open inside QuickBook. Build a sample WebService provided in samples and host in IIS. Added that application in WebConnector by using qwc file in samples.
I understood the callback methods required by WebConnector in soap service.
• authenticate
• clientVersion
• closeConnection
• connectionError
• getLastError
• receiveResponseXML
• sendRequestXML
I have tested web service by using WebConnector by using Update Selected button and it gives response 'OK' . But I am still confused how to get started with soap service , samples include 3 Xml request
CustomerQuery,
InvoiceQuery and
BillQuery .
How I test these request and see the response by using service . Can anyone explain the steps required to get me started with my own request of Get all Sales Order.
Thanks
Here is the screenshot
Here is the Last Output.
Version:
2.0.0.1
Message:
OK
Description:
Via closeConnection(): CloseConnection called to application.
Response received from application = OK
Explanation:
After calling authenticate(...), the Web Connector will call the sendRequestXML(...) method.
The sendRequestXML(...) method is essentially the Web Connector's way of saying "Hey, what do you want me to do?"
You should respond with a qbXML request telling QuickBooks/the Web Connector to do something. For example, if you are trying to get sales orders from QuickBooks, you could respond with a SalesOrderQuery qbXML request, something like this:
<?xml version="1.0" encoding="utf-8"?>
<?qbxml version="8.0"?>
<QBXML>
<QBXMLMsgsRq onError="stopOnError">
<SalesOrderQueryRq requestID="2">
</SalesOrderQueryRq>
</QBXMLMsgsRq>
</QBXML>
The Web Connector will then send that request to QuickBooks, it will be processed, and the Web Connector will then call your receiveResponseXML(...) method.
The receiveResponseXML(...) method is essentially the Web Connector's way of saying "Hey, you told me to do something, I did it, and here's all of the data I got back: ... (big blob of XML from QuickBooks here)".
TLDR:
Return a qbXML request from the sendRequestXML method. A qbXML response will be sent to you in the receiveResponseXML method.
More notes:
Bigger explanation of the Web Connector here: http://www.consolibyte.com/docs/index.php/QuickBooks_Web_Connector_Overview
Lots of qbXML examples here: http://www.consolibyte.com/docs/index.php/Example_qbXML_Requests
Hundreds of pages of documentation in the QuickBooks SDK: https://developer.intuit.com/docs/0250_qb/0020_get_set_up/sdk_downloads

How to consume secured API from IBM MobileFirst using http adapters

I'm trying to invoke an API which is having authentication. I'm getting an error like "Http request failed: java.net.SocketTimeoutException:Read timed out".
Generally when I run this url(http://samirkantalenka-test.apigee.net/zsubmitalv-3) on browser, It will ask for username and password. If I enter those credentials then it returns json data.
How can I give these credentials in Mobilefirst Http Adapters? Can any one help me out.
Adapter.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed Materials - Property of IBM
5725-I43 (C) Copyright IBM Corp. 2011, 2013. All Rights Reserved.
US Government Users Restricted Rights - Use, duplication or
disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
-->
<wl:adapter name="Apigee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:wl="http://www.ibm.com/mfp/integration"
xmlns:http="http://www.ibm.com/mfp/integration/http">
<displayName>Apigee</displayName>
<description>Apigee</description>
<connectivity>
<connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
<protocol>http</protocol>
<domain>samirkantalenka-test.apigee.net</domain>
<authentication>
<basic/>
<serverIdentity>
<username>{myusername}</username>
<password>{mypassword}</password>
</serverIdentity>
</authentication>
<loadConstraints maxConcurrentConnectionsPerNode="2" />
<connectionTimeoutInMilliseconds>30000</connectionTimeoutInMilliseconds>
<socketTimeoutInMilliseconds>30000</socketTimeoutInMilliseconds>
<maxConcurrentConnectionsPerNode>50</maxConcurrentConnectionsPerNode>
<!-- Following properties used by adapter's key manager for choosing specific certificate from key store
<sslCertificateAlias></sslCertificateAlias>
<sslCertificatePassword></sslCertificatePassword>
-->
</connectionPolicy>
</connectivity>
<procedure name="getStories" connectAs="server"/>
</wl:adapter>
Here I'm getting error like "cvc-complex-type.2.4.a: Invalid content was found starting with element 'loadConstraints'. One of '{proxy,
sslCertificateAlias, sslCertificatePassword, maxConcurrentConnectionsPerNode}' is expected."
Looks like that endpoint is SAP Netweaver one?
In this case simply create the dedicated SAP Netweaver Gateway adapter type:
In the adapter XML file you can then specify username and password.
Might work for you.
See the user documentation, here: http://www-01.ibm.com/support/knowledgecenter/SSHS8R_7.0.0/com.ibm.worklight.dev.doc/devref/c_sap_adapters.html

Integration Testing of secure Spring Web Service

I am trying to write server side integration tests of my Spring Web Service Endpoint secured using
- Spring WS Security 2.1.2.RELEASE and
- WSS4j 1.6.9.
I am trying to follow Spring documentation http://static.springsource.org/spring-ws/sites/2.0/reference/html/server.html. With the setup that I have got so far, I can send a request payload
<myns:MyRequest xmlns:myns="...">
...
</myns:MyRequest>
using MockWebServiceClient as
mockWebServiceClient.sendRequest(withPayload(requestPayload)).andExpect(clientOrSenderFault());
which the integration test properly maps to the endpoint in the test context and I get a "Could not validate request: No WS-Security header found" error as expected.
Problem: Now the problem here is if I send a request in a SOAP envelope with a security header and body, I would get an endpoint not found exception.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:myns="...">
<soapenv:Header>
...
</soapenv:Header>
<soapenv:Body>
<myns:MyRequest>
...
</myns:MyRequest>
</soapenv:Body>
</soapenv:Envelope>
since it will try to find an endpoint around "{http://schemas.xmlsoap.org/soap/envelope/}Envelope".
Is there a way to work around this problem?
The newer version of Spring WS Test which is 2.1 has two methods added in RequestCreaters: RequestCreators.withSoapEnvelope(Source soapEnvelope) and RequestCreators.withSoapEnvelope(Resource soapEnvelope) which allow sending SOAP envelopes for Integration testing. http://forum.springsource.org/showthread.php?135298-Integration-Testing-of-secure-Spring-Web-Service

Resources