Spring Web Flow PathVariable - spring-webflow

This question is in two parts:
Is it possible to provide path variables for Spring Web Flow?
Is it possible to hide the execution key in the URL?
The current URL is as follows: http://localhost/bugs/ticket/?execution=e2s1
Here, the associated Web Flow location pattern is
<flow:flow-location-pattern value="/**/flow.xml" />
where the Folder Structure is: bugs/ticket/flow.xml
Is it possible to provide the ticket ID in the URL itself and point to the appropriate flow - i.e. the URL should be http://localhost/bugs/ticket/102?execution=e2s1, but still the flow is taken from bugs/ticket/flow.xml
I tried with the following patterns - value="/**/*/flow.xml", flow-path id="bugs/ticket/*" etc, but to no avail.
Also, is it possible to hide the execution key in the URL? Is it possible to send it via, say, an HTTP header which can be pulled in by Spring Web Flow?

This does not answer all your questions.
This is how I send parameters into the flow:
External Page
Enter Flow
Flow
<view-state>
  <on-entry>
    <set name="variable2.field" value="requestParameters.uid"/>
  </on-entry>
</view-state>

Related

How WSSE UsernameToken Id is generated in WCF

I am trying to generate a soap message for a WCF service. The service is using UserNameOverTransport with message security version WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10.
I got the header sample
<o:UsernameToken u:Id="uuid-7f6455d4-42ab-49fa-8b25-35427c00bb7a-1">
  <o:Username>xxx#xxx.com</o:Username>
  <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">yyyyy</o:Password>
</o:UsernameToken>
The client is not going to be in .Net. Can anyone help me in figuring out how the id is generated.
If you ask this question because your authentication is not working, you likely don't need the Id label.
As we can see in this specification from the xmlsoap.org website:
4.1. UsernameToken Element
/UsernameToken/#Id
A string label for this security token.
This element is just a label and its goal is just to provide identification to the UsernameToken element (you can name it with "myToken" or something else).

Using a third party web service in vb.net

I am trying to build an app in VS Pro 2012 (VB.NET) that will invoke RoyalMail's MailMark WSDL which has methods such as RetrieveActiveSupplyChains which are expecting a single parameter (request).
I have used svcutil with the /l:vb switch to download the WSDL and referenced it in my project and I can see methods being exposed once I have done
Dim client As PosterUploadClient = New PosterUploadClient()
Now typing client. brings up all the methods I expect to see and I can pass authentication and see the state change when I do client.open() but what I can't figure out is how to provide the parameters the actual methods need. According to their documentation, RetrieveActiveSupplyChains doesn't need a parameter but they have provided an xml example of the request structure so my assumption is that I'd need to construct this as xml with the appropriate values and send it as "request"?
Does this sound right? I know this is probably meat and veg for a web programmer but not something I have attempted before. The xml they supplied as an example looks like the below:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://rm-manifest.com/2014/01/service/IPosterUpload/RetrieveAllActiveSupplyChains</a:Action>
    <a:MessageID>urn:uuid:ab5e32a3-812e-4d91-97a8-de00a08874e9</a:MessageID>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1">https://rm-manifest.com/PosterUpload2/PosterUpload.svc/service</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0">
        <u:Created>2014-10-03T14:32:58.480Z</u:Created>
        <u:Expires>2014-10-03T14:37:58.480Z</u:Expires>
      </u:Timestamp>
      <o:UsernameToken u:Id="uuid-dfaaf0b0-3823-4f75-b607-33f7434295dc-1">
        <o:Username>NetworkAccess</o:Username>
        <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">p1</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <RetrieveAllActiveSupplyChains xmlns="http://rm-manifest.com/2014/01/service">
      <request xmlns:b="http://rm-manifest.com/2014/01/messages" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/>
    </RetrieveAllActiveSupplyChains>
  </s:Body>
</s:Envelope>
But I'm still not sure how it actually needs to be submitted; certainly if I read that sample in with a new XmlTextReader it doesn't like it, with the following error message:
Value of type 'System.Xml.XmlTextReader' cannot be converted to 'MM_TEST.Mosaic.EIB.PosterUploadService.Core.Messages.RetrieveActiveSupplyChainsRequest'
My assumption was that the WSDL replaces the need to actually create a "New HttpRequest" in my code, but I'm not sure. I've done a lot of googling but am not getting anything that quite works like this.
The WSDL is here, if this helps:
https://customertest.rm-manifest.com/PosterUpload/PosterUpload.svc
Just call the method. The provided XML is what is actually sent to the server by the WCF proxy when you call the method. You don't need to use it at all.
If you use a tool like Fiddler, you'll see that simply calling client.RetrieveAllActiveSupplyChains will send an HTTP request with a body similar to the XML sample.
In fact, everything outside the RetrieveAllActiveSupplyChains tag isn't related to the method at all - it's security and addressing data used to establish and execute a connection with a web service in general. All of this is handled by WCF.
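For both of the WS-Security questions above (how the UsernameToken Id is made, and what WCF puts around the method call), here is an added Python example that is not from either question or from WCF. It builds the same Security header shape as the samples (Timestamp with a five-minute window, UsernameToken with a `uuid-<guid>-<n>` label and a PasswordText password) and then shows the receiving side's check: the Id is only parsed as a label, while Created/Expires are enforced. Python is used here as a neutral demonstration language since the page's own code is XML, VB.NET and Java configuration; the function names, the 60-second clock-skew allowance and the `-1` counter suffix are assumptions of this example.

```python
import uuid
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

# Namespaces and the PasswordText type URI exactly as they appear in the sample headers above
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
ET.register_namespace("o", WSSE)
ET.register_namespace("u", WSU)

# WS-Security timestamps in the samples: UTC, millisecond precision, trailing Z
ISO_MS = "%Y-%m-%dT%H:%M:%S.%fZ"


def to_ws_time(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def from_ws_time(text):
    return datetime.strptime(text, ISO_MS).replace(tzinfo=timezone.utc)


def make_token_id(counter=1):
    # wsu:Id only has to be unique within one message.  The "uuid-<guid>-<n>" shape mirrors
    # the WCF samples on this page; the server derives nothing from it, so any unique label
    # would do (assumption of this example: no XML signature references the Id).
    return f"uuid-{uuid.uuid4()}-{counter}"


def build_security_header(username, password, now_iso=None, ttl_seconds=300):
    """Return <o:Security> as XML text with a Timestamp and a PasswordText UsernameToken."""
    now = from_ws_time(now_iso) if now_iso else datetime.now(timezone.utc)
    sec = ET.Element(f"{{{WSSE}}}Security")
    ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp", {f"{{{WSU}}}Id": "_0"})
    ET.SubElement(ts, f"{{{WSU}}}Created").text = to_ws_time(now)
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = to_ws_time(now + timedelta(seconds=ttl_seconds))
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken", {f"{{{WSU}}}Id": make_token_id()})
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": PASSWORD_TEXT}).text = password
    return ET.tostring(sec, encoding="unicode")


def parse_security_header(xml_text):
    """Pull out the fields a receiving service looks at; the Id is read as an opaque label."""
    sec = ET.fromstring(xml_text)
    ts = sec.find(f"{{{WSU}}}Timestamp")
    tok = sec.find(f"{{{WSSE}}}UsernameToken")
    if ts is None or tok is None:
        return None
    pw = tok.find(f"{{{WSSE}}}Password")
    return {
        "token_id": tok.get(f"{{{WSU}}}Id"),
        "username": tok.findtext(f"{{{WSSE}}}Username"),
        "password_type": pw.get("Type") if pw is not None else None,
        "created": ts.findtext(f"{{{WSU}}}Created"),
        "expires": ts.findtext(f"{{{WSU}}}Expires"),
    }


def accept_header(xml_text, now_iso, clock_skew_seconds=60):
    """Server-side check (assumed policy): enforce the Created/Expires window with a bounded
    clock-skew allowance and insist on the PasswordText type.  Returns the username or None."""
    fields = parse_security_header(xml_text)
    if fields is None or fields["password_type"] != PASSWORD_TEXT:
        return None
    now = from_ws_time(now_iso)
    skew = timedelta(seconds=clock_skew_seconds)
    if from_ws_time(fields["created"]) - skew > now:
        return None  # created in the future beyond tolerated skew
    if from_ws_time(fields["expires"]) + skew < now:
        return None  # expired: a captured header cannot be replayed later
    return fields["username"]


if __name__ == "__main__":
    header = build_security_header("NetworkAccess", "p1", now_iso="2014-10-03T14:32:58.480Z")
    print(header)
    print(accept_header(header, "2014-10-03T14:35:00.000Z"))
```

The Expires value is the only thing that limits how long a sniffed PasswordText header stays usable, which is why the sample above carries a five-minute window and why UserNameOverTransport requires TLS underneath.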

Apigee - how to restrict resource in product via verb

I wish to restrict access to certain methods in my RESTful API. I am trying to do this via products for simplicity allowing access to the resource /athletes* but I don't see a way of any finer control i.e. I wish to only allow GET requests and not POST and DELETE. Is there a syntax for expressing this in the custom resource path section of a product or do I need to handle this via a conditional flow e.g. to check for the product name to see if they can access?
I do this with Scopes but I had to do one little kludge at the end. This assumes you're using at least client_credentials grants for access_tokens (VerifyAPIKey policy doesn't directly support Scopes).
First create an API Proxy for, say, /v1/content (base path /v1, path suffix /content). Then create two resources.
<Flows>
  <Flow name="Content Read">
    <Description/>
    <Request>
      <Step>
        <FaultRules/>
        <Name>RegEx-Check-Scope-READ-Content</Name>
      </Step>
    </Request>
    <Response />
    <Condition>(proxy.pathsuffix MatchesPath "/content") and (request.verb = "GET")</Condition>
  </Flow>
  <Flow name="Content Create">
    <Description/>
    <Request>
      <Step>
        <FaultRules/>
        <Name>RegEx-Check-Scope-POST-Content</Name>
      </Step>
    </Request>
    <Response />
    <Condition>(proxy.pathsuffix MatchesPath "/content") and (request.verb = "POST")</Condition>
  </Flow>
</Flows>
Then create a product with scopes for CONTENT-READ and CONTENT-WRITE something like this:
Now, you could either create a second product with only CONTENT-READ to restrict some apps to Read only or you could generate your access_token with scopes like this:
<OAuthV2 name="GenerateAccessTokenClient">
  <Operation>GenerateAccessToken</Operation>
  <ExpiresIn>3600000</ExpiresIn>
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
  <Scope>request.formparam.scope</Scope>
  <GenerateResponse/>
</OAuthV2>
It's probably easier to enforce this at the app level using two products, but passing scopes also lets the user in a 3-legged OAuth flow add restrictions. Regardless, when you generate the access_token the policy will create an Apigee variable called "scope" which will include the scopes you included when you generated the access_token. If you don't specify scopes when you generate the access_token, you will get ALL scopes from the product included in the scope variable, like this:
scope: CONTENT-READ CONTENT-WRITE
It's just one long string, separated by spaces. And there didn't seem to be an easy way to put this into the Condition for the flow, so I added a RegEx policy to check if the allowed scope is in the scope variable, like this:
<RegularExpressionProtection async="false" continueOnError="false" enabled="true" name="RegEx-Check-Scope-POST-Content">
  <DisplayName>RegEx Check Scope POST-Content</DisplayName>
  <FaultRules/>
  <Properties/>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <Variable name="scope">
    <Pattern>^((?!CONTENT-WRITE).)*$</Pattern>
  </Variable>
  <Source>request</Source>
</RegularExpressionProtection>
The regex returns true if CONTENT-WRITE is not in the scope string, and if the regex returns true the policy raises a fault and stops processing, so the app doesn't get to POST.
Let me know if that makes sense (it's a few steps...).
On the API proxies page (not the Product page), you can add resources. Therein, you can indicate the method (or request verb) you allow. This is the same as using conditions on your Flows based on the request verb. For instance, if you add <Condition>(request.verb = "POST")</Condition> to your API flow in your bundle, that means that particular flow will execute only when your request verb is POST. All other verbs for the base path of that bundle will be ignored.
This way, you only allow specific request verbs for your API bundle.
If you're trying to have fine control of resource + verb using API Products, you can set the variable flow.resource.name within the API proxy code to be:
"/" + request.verb + "/" + proxy.pathsuffix
This will leave you with something like /GET/products/1234-567. The variable flow.resource.name is the one that's validated against the API Resource Paths configured for the API products, when using the VerifyAPIKey policy.
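Both answers above come down to the same decision: build a resource name from verb plus path, and check that the caller's token carries the scope the flow requires. The following Python example, added here and not part of either answer or of Apigee itself, models that decision offline. It reproduces the negative-lookahead regex from the RegularExpressionProtection policy (which faults when its pattern matches) and puts a token-wise scope check beside it, because the regex treats the scope variable as one string and a scope name that merely contains `CONTENT-WRITE` as a substring would slip past it. The `*`/`**` resource-path matching is a simplified rendering assumed by this example, not Apigee's own matcher, and all function names are this example's.

```python
import re

# The negative-lookahead pattern from the RegEx-Check-Scope-POST-Content policy above.
# RegularExpressionProtection raises a fault when its pattern MATCHES, so a match here
# means "CONTENT-WRITE is absent from the scope variable" and the POST is blocked.
SCOPE_FAULT_PATTERN = r"^((?!CONTENT-WRITE).)*$"


def regex_policy_raises_fault(scope_variable, pattern=SCOPE_FAULT_PATTERN):
    """Emulate the policy: True means the request is rejected."""
    return re.search(pattern, scope_variable) is not None


def has_scope(scope_variable, required):
    """Token-wise comparison of the space-separated scope string, so that a scope named
    e.g. CONTENT-WRITER (constructed example) does not count as CONTENT-WRITE."""
    return required in scope_variable.split()


def resource_name(verb, pathsuffix):
    """The flow.resource.name override from the answer: "/" + request.verb + "/" + proxy.pathsuffix."""
    return "/" + verb.upper() + "/" + pathsuffix.lstrip("/")


def _pattern_to_regex(pattern):
    # Simplified rendering of API Product resource paths (assumption of this example):
    # "*" matches exactly one path segment, "**" matches any number of segments.
    out = "^"
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]+"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return out + "$"


def product_allows(resource, allowed_paths):
    """Does any of the product's resource paths admit this verb-qualified resource?"""
    return any(re.match(_pattern_to_regex(p), resource) is not None for p in allowed_paths)


def authorize(verb, pathsuffix, scope_variable, product_paths, required_scope):
    """Combined decision a proxy could make before the target flow runs: the product must
    list the /VERB/path resource and the token must carry the scope the flow requires."""
    res = resource_name(verb, pathsuffix)
    return product_allows(res, product_paths) and has_scope(scope_variable, required_scope)


if __name__ == "__main__":
    # Constructed scope strings in the shape the answer shows ("CONTENT-READ CONTENT-WRITE")
    for scope in ("CONTENT-READ", "CONTENT-READ CONTENT-WRITE", "CONTENT-WRITER"):
        print(scope, "-> fault:", regex_policy_raises_fault(scope),
              "token check:", has_scope(scope, "CONTENT-WRITE"))
    print(authorize("GET", "/products/1234-567", "CONTENT-READ", ["/GET/products/*"], "CONTENT-READ"))
```

The substring behaviour is the caveat worth remembering when scope names share prefixes: either name scopes so that none is a prefix of another, or anchor the pattern on word boundaries (for example `(^|\s)CONTENT-WRITE(\s|$)`) rather than relying on a bare substring.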

Configuration Spring MVC WebSocket messaging Spring Security

I customized the tutorial http://assets.spring.io/wp/WebSocketBlogPost.html into my application. When sending a message from the application to the server using SimpMessageSendingOperations.convertAndSendToUser("fabrice", "/stayawakews2/shakebaby", "mano"), the log shows:
/stayawakews2/shakebaby-userltmei5cm
I don't know why it adds the value -userltmei5cm.
Thanks
This is explained in the reference docs; see the section on user destinations and also these slides.
ltmei5cm is a WebSocket session id. This value is generated on the client side.
One logged-in user can have several WebSocket sessions.
For each WebSocket connection (session) Spring creates an individual queue.
If you send a message to a specific user, the message will be added to each of those queues.
For this reason, the user name is replaced with the WebSocket session id.
From the JavaDoc comment in DefaultUserDestinationResolver.java:
When a user attempts to subscribe to "/user/queue/position-updates",
the "/user" prefix is removed and a unique suffix added, resulting in
something like "/queue/position-updates-useri9oqdfzo" where the suffix
is based on the user's session and ensures it does not collide with
any other users attempting to subscribe to
"/user/queue/position-updates". When a message is sent to a user
with a destination such as "/user/{username}/queue/position-updates",
the "/user/{username}" prefix is removed and the suffix added,
resulting in something like "/queue/position-updates-useri9oqdfzo".
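As an added illustration of the resolver behaviour quoted above (this is example code, not Spring's DefaultUserDestinationResolver), the Python below applies the two rewrites the JavaDoc describes, the subscribe-side `/user/…` to `/…-user<session>` and the send-side `/user/{username}/…` to one queue per live session, and runs them through a tiny in-memory broker so you can see why a user with two open sessions receives two copies and why the session id, not the user name, ends up in the destination. Python is used as a neutral demonstration language for this page; `TinyBroker` and the session ids other than `ltmei5cm` and `i9oqdfzo` are constructed for the example.

```python
USER_PREFIX = "/user/"


def subscribe_destination(destination, session_id):
    """Subscribe side: "/user/queue/x" with session "i9oqdfzo" -> "/queue/x-useri9oqdfzo".
    Non-user destinations pass through unchanged."""
    if not destination.startswith(USER_PREFIX):
        return destination
    return "/" + destination[len(USER_PREFIX):] + "-user" + session_id


def send_destinations(destination, sessions_by_user):
    """Send side: "/user/{username}/queue/x" -> one "/queue/x-user<session>" per live session
    of that user.  An unknown user yields no destinations, so nothing is delivered."""
    if not destination.startswith(USER_PREFIX):
        return [destination]
    username, _, target = destination[len(USER_PREFIX):].partition("/")
    return ["/" + target + "-user" + sid for sid in sessions_by_user.get(username, [])]


class TinyBroker:
    """In-memory stand-in for the simple broker: remembers which session owns which
    resolved destination and delivers only to sessions that actually subscribed."""

    def __init__(self):
        self.sessions_by_user = {}   # username -> [session ids]
        self.subscriptions = {}      # resolved destination -> session id

    def connect(self, username, session_id):
        # In Spring the username comes from the authenticated Principal of the handshake,
        # never from the client's frame, so one session cannot subscribe as another user.
        self.sessions_by_user.setdefault(username, []).append(session_id)

    def subscribe(self, session_id, user_destination):
        resolved = subscribe_destination(user_destination, session_id)
        self.subscriptions[resolved] = session_id
        return resolved

    def convert_and_send_to_user(self, username, destination, payload):
        """Mirrors convertAndSendToUser(user, destination, payload): the user destination is
        "/user/" + user + destination.  Returns the (session id, payload) deliveries made."""
        deliveries = []
        for dest in send_destinations(USER_PREFIX + username + destination, self.sessions_by_user):
            if dest in self.subscriptions:
                deliveries.append((self.subscriptions[dest], payload))
        return deliveries


if __name__ == "__main__":
    broker = TinyBroker()
    broker.connect("fabrice", "ltmei5cm")
    broker.connect("fabrice", "i9oqdfzo")
    for sid in ("ltmei5cm", "i9oqdfzo"):
        print(broker.subscribe(sid, "/user/stayawakews2/shakebaby"))
    print(broker.convert_and_send_to_user("fabrice", "/stayawakews2/shakebaby", "mano"))
```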

Flex security error, cannot load data

I get a really strange security error when trying to load data from one URL to another. Essentially my Facebook canvas URL points to http://www.tonyamoyal.com/stuff/path/ and that has an fb:swf tag which points to http://www.tonyamoyal.com/stuff/path/Quiz.swf. The Facebook app loads fine, but when I try to call a service that resides on another URL, I get a security error:
http://www.tonyamoyal.com/stuff/path/Quiz.swf cannot load data from http://www.somedomain.com/path/path/service.aspx
The cross-domain on tonyamoyal.com is set up to allow all domains to pass. The cross-domain on somedomain.com has a line specifically allowing calls from www.tonyamoyal.com:
<allow-access-from domain="www.tonyamoyal.com" />
Any idea why there would be a security issue here?
At application startup, try to load the policy file by doing:
Security.loadPolicyFile("http://www.somedomain.com/crossdomain.xml");
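To make the rule at play here concrete: Flash Player consults the crossdomain.xml of the host that serves the data (somedomain.com), not the one on the host serving the SWF, so the allow-all policy on tonyamoyal.com has no bearing on this error. The Python below is an added example, not Flash Player's implementation, that evaluates a constructed crossdomain.xml against a SWF's origin host using the documented matching rules (exact host, `*`, `*.example.com`, and the `secure` attribute), and includes the audit check a defender would run on such files. Python is used as a neutral demonstration language for this page; the policy texts, function names and the `policy_is_https`/`swf_is_https` parameters are constructed for the example.

```python
from xml.etree import ElementTree as ET

# Constructed sample of the policy the DATA host (somedomain.com) serves; it is this file that
# decides whether Quiz.swf on www.tonyamoyal.com may read service.aspx responses.
SOMEDOMAIN_POLICY = """<cross-domain-policy>
  <allow-access-from domain="www.tonyamoyal.com" />
</cross-domain-policy>"""

# Constructed sample of an allow-everyone policy, as the question describes on the SWF host.
ALLOW_ALL_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""


def domain_matches(pattern, host):
    """Flash-style domain matching (as documented by Adobe; assumption of this example):
    exact host, "*" for everything, "*.example.com" for example.com and any subdomain."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def policy_allows(policy_xml, swf_host, swf_is_https=False, policy_is_https=False):
    """Would a SWF served from swf_host be allowed to load data under this crossdomain.xml?"""
    root = ET.fromstring(policy_xml)
    for rule in root.findall("allow-access-from"):
        if not domain_matches(rule.get("domain", ""), swf_host):
            continue
        secure = rule.get("secure", "true").lower() != "false"
        # secure="true" (the default) on a policy fetched over https admits only https-hosted SWFs
        if policy_is_https and secure and not swf_is_https:
            continue
        return True
    return False


def audit_policy(policy_xml):
    """Defender's checks: an allow-all rule lets any site read responses with the victim's
    cookies, and secure="false" lets an http-served SWF read https data."""
    findings = []
    root = ET.fromstring(policy_xml)
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append("allows any domain: any site can read authenticated responses")
        if rule.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" on {domain}: http-served SWFs may read https data')
    return findings


if __name__ == "__main__":
    print(policy_allows(SOMEDOMAIN_POLICY, "www.tonyamoyal.com"))   # the case in the question
    print(policy_allows(SOMEDOMAIN_POLICY, "tonyamoyal.com"))       # bare domain is NOT covered
    print(audit_policy(ALLOW_ALL_POLICY))
```

If the SWF were ever served from the bare domain (tonyamoyal.com) or from https while the policy file on somedomain.com is fetched over https with the default `secure` setting, the same "cannot load data" error appears even though www.tonyamoyal.com is listed; checking the exact origin host and scheme is the first thing to verify before touching Security.loadPolicyFile.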
