Thanks to Gaurav Mantri for answering my earlier question Azure ACS Set Up in C#.
However can someone explains to me, how the following line is secured?
if (!ClaimsPrincipal.Current.Identity.IsAuthenticated)
The client in the ACS schema is conveniently a man in the middle, he might fail loging into Facebook, for example and this gets relayed to ACS (I'm assuming this portion is secured), but now ACS is telling the client to go back to the relying party about the failure.
How is that last part secured? What stops the client from tampering the ACS message "Fail" to "Success"? How would Asp.Net even knows how to verify signature and decrypt the message?
For that matter what key was it using to encrypt/sign the message exchange? And how would that work in a webfarm/Azure environment?
You specify the key which will be used for message exchange.
When you configure Azure ACS in the management portal, you specify private key which will be used to sign tokens(Certificates and Keys tab).
When you configure web application to use Azure ACS, reference to the certificate to validate signature is added to web.config:
<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
<authority name="https://xxxxx.accesscontrol.windows.net/">
<keys>
<add thumbprint="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" />
</keys>
<validIssuers>
<add name="https://xxxxx.accesscontrol.windows.net/" />
</validIssuers>
</authority>
</issuerNameRegistry>
UPDATE
The certificate is passed to the web application by ACS along with signed security token in the X509Certificate element (I've removed namespaces):
<RequestSecurityTokenResponse>
<Lifetime>
<Created>2013-06-19T06:15:16.618Z</Created>
<Expires>2013-06-19T07:15:16.618Z</Expires>
</Lifetime>
<AppliesTo>
<EndpointReference>
<Address>http://xxx.cloudapp.net/</Address>
</EndpointReference>
</AppliesTo>
<RequestedSecurityToken>
<Assertion ID="xxx" IssueInstant="2013-06-19T06:15:16.636Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>https://xxx.accesscontrol.windows.net/</Issuer>
<Signature>
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="xxx">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>xxx</ds:DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>xxx</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>xxx</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<Subject>
<NameID>iiiii</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
</Subject>
<Conditions NotBefore="2013-06-19T06:15:16.618Z" NotOnOrAfter="2013-06-19T07:15:16.618Z">
<AudienceRestriction><Audience>http://xxx.cloudapp.net/</Audience></AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>aaa</AttributeValue></Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2013-06-19T06:15:15.999Z">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
Related
Using VS2019, ASP.NET project running .net 4.0.
I created the soap client adding the Service Reference to the wsdl file. Now I'm configuring the certificate and calls method.
This way worked in the old soap server, but now the soap server changed. I tested with SoapUI using the same Basic Auth configuration and works perfectly, but not with my .Net 4.0 client...
Web.config
<system.serviceModel>
<bindings>
<customBinding>
<binding name="PLATAFORMA">
<textMessageEncoding messageVersion="Soap11WSAddressing10" />
<security
authenticationMode="MutualCertificateDuplex"
messageProtectionOrder="SignBeforeEncrypt"
messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
<secureConversationBootstrap />
</security>
<httpsTransport />
</binding>
</customBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="CERT">
<clientCredentials>
<clientCertificate findValue="ClientCert" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName" />
<serviceCertificate>
<defaultCertificate findValue="*.ServerCert.com" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<client>
<endpoint
address="endpointURI"
binding="customBinding"
bindingConfiguration="PLATAFORMA"
behaviorConfiguration="CERT"
contract="ServiceReference1.RequestPort1"
name="Request.Request1">
<identity>
<dns value="*.ServerCert.com" />
</identity>
</endpoint>
</client>
</system.serviceModel>
XML Outoing header (catched with intercerptor):
<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Header>
<a:Action s:mustUnderstand="1">peticionSincrona</a:Action>
<a:MessageID>urn:uuid:e3a5c4bd-f159-48c1-8f3f-cf22da6b7e3b</a:MessageID>
<ActivityId CorrelationId="035f2491-0772-4b1e-a286-9be30720d5ea" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">4d7f76c2-0486-4a81-93ad-32aecf02b035</ActivityId>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo9ph/BcvvnBFuLQYdch+LyYAAAAAHsOKxYeqzk+Do5pQmamNIPUdiXOiYjpBl1dsV5pp+SMACQAA</VsDebuggerCausalityData>
</s:Header>
I understand that some information is needed, how can I specify to sign as XMLDsig? why is not soap/envelope/encoding? I need help to configure the soap client.
The server return error 500 with a default tomcat error, is not even soapenv:fault or similar. I think the request envelope is not generating properly.
EDIT: Must be over soap11
Is this the client configuration generated after changing the SOAP server? If it requires the Basic authentication, why do we not need to provide username/password, but just need to provide a client certificate(according to the binding type)?
I suggest you re-generate a client proxy class by adding service reference. this also generates a proper configuration in the webconfig file.
Besides, since the server changes, the server’s certificate used to implement HTTPS security may also change, so the default certificate we provide on the client-side should also be changed.
<serviceCertificate>
<defaultCertificate findValue="*.ServerCert.com" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName" />
</serviceCertificate>
Mutual certificate authentication requires a trust relationship between the client and the server.
<security
authenticationMode="MutualCertificateDuplex"
Not only do we need to install a client certificate on the new server in order to trust the client, we also need to install the server’s certificate on the client-side.
For details,
https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/transport-security-with-certificate-authentication
https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/message-security-with-a-certificate-client
Feel free to let me know if there is anything I can help with.
We have 2 machines running Keycloak 4.8.3.Final (WildFly Core 6.0.2.Final) in domain mode. First of them host1 is going to run the domain controller and is going to be our master. Host2 is our slave and registers itself to the master. From our understanding, Domain mode solves this problem by providing a central place to store and publish configuration.
The first one is started by executing the command:
/opt/keycloak/bin/domain.sh --host-config host-master.xml -Djboss.bind.address=0.0.0.0 -Djboss.bind.address.management=0.0.0.0 -Djava.security.egd=file:/dev/urandom -Dkeycloak.profile.feature.token_exchange=enabled -Djboss.node.name=host1
The second one by executing the command:
/opt/keycloak/bin/domain.sh --host-config host-slave.xml -Djboss.bind.address=0.0.0.0 -Djboss.bind.address.management=0.0.0.0 -Djboss.domain.master.username=slave -Djboss.domain.master.address={host1_ip} -Dkeycloak.profile.feature.token_exchange=enabled -Djava.security.egd=file:/dev/urandom -Djboss.node.name=host2
Both of them start successfully and the slave manages to connect to the master one. We are using a MySQL machine that both the server point to for data persistence.
First, we used the default domain.xml that comes with keycloak distribution and our initial expectations was that by creating something on host1, the changes would be propagated to the host2. Unfortunately, this did not happen. When we were creating a user, the user would appear after some time to host2. When we created a realm or a client in a realm from host1, the changes could not be seen from host2 until after we restarted both servers and the sync of info was forced.
Next step was to change the domain.xml configuration at the infinispan directive and make the cache replicated across all machines.
<subsystem xmlns="urn:jboss:domain:infinispan:7.0">
<cache-container name="keycloak">
<transport lock-timeout="60000" />
<replicated-cache name="authenticationSessions" />
<replicated-cache name="clientSessions" />
<replicated-cache name="offlineClientSessions" />
<replicated-cache name="authorization" />
<replicated-cache name="work" />
<replicated-cache name="keys" />
<replicated-cache name="actionTokens"></replicated-cache>
<replicated-cache name="realms" />
<replicated-cache name="users" />
<replicated-cache name="sessions" />
<replicated-cache name="offlineSessions" />
<replicated-cache name="loginFailures" />
<replicated-cache name="work" />
<replicated-cache name="realmVersions" />
</cache-container>
<cache-container name="server" aliases="singleton cluster" default-cache="default" module="org.wildfly.clustering.server">
<transport lock-timeout="60000" />
<replicated-cache name="default">
<transaction mode="BATCH" />
</replicated-cache>
</cache-container>
<cache-container name="web" default-cache="dist" module="org.wildfly.clustering.web.infinispan">
<transport lock-timeout="60000" />
<distributed-cache name="dist">
<locking isolation="REPEATABLE_READ" />
<transaction mode="BATCH" />
<file-store />
</distributed-cache>
</cache-container>
<cache-container name="ejb" aliases="sfsb" default-cache="dist" module="org.wildfly.clustering.ejb.infinispan">
<transport lock-timeout="60000" />
<distributed-cache name="dist">
<locking isolation="REPEATABLE_READ" />
<transaction mode="BATCH" />
<file-store />
</distributed-cache>
</cache-container>
<cache-container name="hibernate" module="org.infinispan.hibernate-cache">
<transport lock-timeout="60000" />
<local-cache name="local-query">
<object-memory size="10000" />
<expiration max-idle="100000" />
</local-cache>
<invalidation-cache name="entity">
<transaction mode="NON_XA" />
<object-memory size="10000" />
<expiration max-idle="100000" />
</invalidation-cache>
<replicated-cache name="timestamps" />
</cache-container>
</subsystem>
However, we have the same problems especially the issue that if you regenerate a secret for a client, the secret is not propagated to the slave host nor the other way around.
Has anybody else experience that issue and what did you do in order to resolve it? Any help will be much appreciated!
The problem was that our cloud provider is not supporting multicast and the two servers could not find and talk to each other! I made a change to the configuration and started using TCPPING instead of PING that just uses UDP.
I spent so much time trying to figure that out so please make sure that your provider is supporting multicast in order to just use Keycloak out of the box. Also, I found out the following article that provides information on how to setup Keycloak https://www.keycloak.org/2019/04/keycloak-cluster-setup.html. If only this article was created when I was trying to deal with this problem...
I'm new to Application Insights.
The details in this ticket relate to a specific API, written in C# with .NET Framework (not Core), running in IIS on a Windows Server 2012 R2 Datacenter virtual machine.
We have a lot of the Application Insights metrics for this API coming through as expected, including some custom telemetry we coded ourselves that has been extremely useful.
But a few key things such as the requests per second and the failed requests per second are not coming through.
I've done some digging, and I've found some trace information in the Application Insights logs for that specific API that look like they might be related, but I'm not sure what to do with them.
Here's one example:
AI: Error collecting 3 of the configured performance counters. Please check the configuration.
Counter \ASP.NET Applications(??APP_W3SVC_PROC??)\Requests/Sec: Failed to perform the first read for performance counter. Please make sure it exists. Category: ASP.NET Applications, counter: Requests/Sec, instance _LM_W3SVC_4_ROOT
Counter \ASP.NET Applications(??APP_W3SVC_PROC??)\Request Execution Time: Failed to perform the first read for performance counter. Please make sure it exists. Category: ASP.NET Applications, counter: Request Execution Time, instance _LM_W3SVC_4_ROOT
Counter \ASP.NET Applications(??APP_W3SVC_PROC??)\Requests In Application Queue: Failed to perform the first read for performance counter. Please make sure it exists. Category: ASP.NET Applications, counter: Requests In Application Queue, instance _LM_W3SVC_4_ROOT
Another example:
AI: ApplicationInsights configuration file loading failed. Type 'Microsoft.ApplicationInsights.StatusMonitor.SdkSourceTelemetryInitializer, Microsoft.AI.StatusMonitor' was not found. Type loading was skipped. Monitoring will continue.
Here's the ApplicationInsights.config file for the website in question:
<?xml version="1.0" encoding="utf-8"?>
<ApplicationInsights xmlns="http://schemas.microsoft.com/ApplicationInsights/2013/Settings">
<TelemetryInitializers>
<Add Type="Microsoft.ApplicationInsights.DependencyCollector.HttpDependenciesParsingTelemetryInitializer, Microsoft.AI.DependencyCollector" />
<Add Type="Microsoft.ApplicationInsights.WindowsServer.AzureRoleEnvironmentTelemetryInitializer, Microsoft.AI.WindowsServer" />
<Add Type="Microsoft.ApplicationInsights.WindowsServer.AzureWebAppRoleEnvironmentTelemetryInitializer, Microsoft.AI.WindowsServer" />
<Add Type="Microsoft.ApplicationInsights.WindowsServer.BuildInfoConfigComponentVersionTelemetryInitializer, Microsoft.AI.WindowsServer" />
<Add Type="Microsoft.ApplicationInsights.Web.WebTestTelemetryInitializer, Microsoft.AI.Web" />
<Add Type="Microsoft.ApplicationInsights.Web.SyntheticUserAgentTelemetryInitializer, Microsoft.AI.Web">
<!-- Extended list of bots:
search|spider|crawl|Bot|Monitor|BrowserMob|BingPreview|PagePeeker|WebThumb|URL2PNG|ZooShot|GomezA|Google SketchUp|Read Later|KTXN|KHTE|Keynote|Pingdom|AlwaysOn|zao|borg|oegp|silk|Xenu|zeal|NING|htdig|lycos|slurp|teoma|voila|yahoo|Sogou|CiBra|Nutch|Java|JNLP|Daumoa|Genieo|ichiro|larbin|pompos|Scrapy|snappy|speedy|vortex|favicon|indexer|Riddler|scooter|scraper|scrubby|WhatWeb|WinHTTP|voyager|archiver|Icarus6j|mogimogi|Netvibes|altavista|charlotte|findlinks|Retreiver|TLSProber|WordPress|wsr-agent|http client|Python-urllib|AppEngine-Google|semanticdiscovery|facebookexternalhit|web/snippet|Google-HTTP-Java-Client-->
<Filters>search|spider|crawl|Bot|Monitor|AlwaysOn</Filters>
</Add>
<Add Type="Microsoft.ApplicationInsights.Web.ClientIpHeaderTelemetryInitializer, Microsoft.AI.Web" />
<Add Type="Microsoft.ApplicationInsights.Web.OperationNameTelemetryInitializer, Microsoft.AI.Web" />
<Add Type="Microsoft.ApplicationInsights.Web.OperationCorrelationTelemetryInitializer, Microsoft.AI.Web" />
<Add Type="Microsoft.ApplicationInsights.Web.UserTelemetryInitializer, Microsoft.AI.Web" />
<Add Type="Microsoft.ApplicationInsights.Web.AuthenticatedUserIdTelemetryInitializer, Microsoft.AI.Web" />
<Add Type="Microsoft.ApplicationInsights.Web.AccountIdTelemetryInitializer, Microsoft.AI.Web" />
<Add Type="Microsoft.ApplicationInsights.Web.SessionTelemetryInitializer, Microsoft.AI.Web" />
<Add Type="Microsoft.ApplicationInsights.StatusMonitor.SdkSourceTelemetryInitializer, Microsoft.AI.StatusMonitor" />
</TelemetryInitializers>
<TelemetryModules>
<Add Type="Microsoft.ApplicationInsights.DependencyCollector.DependencyTrackingTelemetryModule, Microsoft.AI.DependencyCollector">
<ExcludeComponentCorrelationHttpHeadersOnDomains>
<!--
Requests to the following hostnames will not be modified by adding correlation headers.
This is only applicable if Profiler is installed via either StatusMonitor or Azure Extension.
Add entries here to exclude additional hostnames.
NOTE: this configuration will be lost upon NuGet upgrade.
-->
<Add>core.windows.net</Add>
<Add>core.chinacloudapi.cn</Add>
<Add>core.cloudapi.de</Add>
<Add>core.usgovcloudapi.net</Add>
</ExcludeComponentCorrelationHttpHeadersOnDomains>
</Add>
<Add Type="Microsoft.ApplicationInsights.Extensibility.PerfCounterCollector.PerformanceCollectorModule, Microsoft.AI.PerfCounterCollector">
<!--
Use the following syntax here to collect additional performance counters:
<Counters>
<Add PerformanceCounter="\Process(??APP_WIN32_PROC??)\Handle Count" ReportAs="Process handle count" />
...
</Counters>
PerformanceCounter must be either \CategoryName(InstanceName)\CounterName or \CategoryName\CounterName
NOTE: performance counters configuration will be lost upon NuGet upgrade.
The following placeholders are supported as InstanceName:
??APP_WIN32_PROC?? - instance name of the application process for Win32 counters.
??APP_W3SVC_PROC?? - instance name of the application IIS worker process for IIS/ASP.NET counters.
??APP_CLR_PROC?? - instance name of the application CLR process for .NET counters.
-->
</Add>
<Add Type="Microsoft.ApplicationInsights.Extensibility.PerfCounterCollector.QuickPulse.QuickPulseTelemetryModule, Microsoft.AI.PerfCounterCollector" />
<Add Type="Microsoft.ApplicationInsights.WindowsServer.DeveloperModeWithDebuggerAttachedTelemetryModule, Microsoft.AI.WindowsServer" />
<Add Type="Microsoft.ApplicationInsights.WindowsServer.UnhandledExceptionTelemetryModule, Microsoft.AI.WindowsServer" />
<Add Type="Microsoft.ApplicationInsights.WindowsServer.UnobservedExceptionTelemetryModule, Microsoft.AI.WindowsServer" />
<Add Type="Microsoft.ApplicationInsights.Web.RequestTrackingTelemetryModule, Microsoft.AI.Web">
<Handlers>
<!--
Add entries here to filter out additional handlers:
NOTE: handler configuration will be lost upon NuGet upgrade.
-->
<Add>System.Web.Handlers.TransferRequestHandler</Add>
<Add>Microsoft.VisualStudio.Web.PageInspector.Runtime.Tracing.RequestDataHttpHandler</Add>
<Add>System.Web.StaticFileHandler</Add>
<Add>System.Web.Handlers.AssemblyResourceLoader</Add>
<Add>System.Web.Optimization.BundleHandler</Add>
<Add>System.Web.Script.Services.ScriptHandlerFactory</Add>
<Add>System.Web.Handlers.TraceHandler</Add>
<Add>System.Web.Services.Discovery.DiscoveryRequestHandler</Add>
<Add>System.Web.HttpDebugHandler</Add>
</Handlers>
</Add>
<Add Type="Microsoft.ApplicationInsights.Web.ExceptionTrackingTelemetryModule, Microsoft.AI.Web" />
</TelemetryModules>
<TelemetryChannel Type="Microsoft.ApplicationInsights.WindowsServer.TelemetryChannel.ServerTelemetryChannel, Microsoft.AI.ServerTelemetryChannel" />
<TelemetryProcessors>
<Add Type="Microsoft.ApplicationInsights.Extensibility.PerfCounterCollector.QuickPulse.QuickPulseTelemetryProcessor, Microsoft.AI.PerfCounterCollector" />
<Add Type="Microsoft.ApplicationInsights.WindowsServer.TelemetryChannel.AdaptiveSamplingTelemetryProcessor, Microsoft.AI.ServerTelemetryChannel">
<MaxTelemetryItemsPerSecond>5</MaxTelemetryItemsPerSecond>
</Add>
</TelemetryProcessors>
<!--
Learn more about Application Insights configuration with ApplicationInsights.config here:
http://go.microsoft.com/fwlink/?LinkID=513840
Note: If not present, please add <InstrumentationKey>Your Key</InstrumentationKey> to the top of this file.
-->
<InstrumentationKey>**removed**</InstrumentationKey>
<ResourceID>**removed**</ResourceID>
<StatusMonitor>2.3.0</StatusMonitor>
</ApplicationInsights>
The host machine is running Windows Server 202 R2 Datacenter as part of an Azure VM.
Because I'm new to this, I'm not really sure where to start. I've tried googling the error messages but I'm not coming up with much that seems useful to my current situation.
Any pointers in the right direction greatly appreciated.
What is the version of the SDKs you are using? And did you add application insights SDK to the application itself, or used Status Monitor to instrument the app at runtime?
The error about PerfCounters indicates that the SDK encountered error trying to collect the counters mentioned. Are you seeing other counters like Process CPU, Memory etc? If yes, then the issue is with Asp.Net related counters only. Can you use a tool like perfmon and validate that these counters do exist in the machine?
You can remove the following line from Ai.Config to get rid of the error about StatusMonitor initialier - I am not sure what does it do, but it cannot explain why you are missing some data.
<Add Type="Microsoft.ApplicationInsights.StatusMonitor.SdkSourceTelemetryInitializer, Microsoft.AI.StatusMonitor" />
To really explain why you are not seeing 'Requests' related metric, need to see web.config of your application. You may be hitting this issue:
https://github.com/Microsoft/ApplicationInsights-dotnet-server/issues/569
Please share some more information - sdk version, web.config, how onboarded etc and I am try to help more.
I am working with the Oracle Fusion Middleware 12.1.3, and I am developing a BPEL process which has to invoke a remote REST service that needs a Basic Authentication.
I created an External reference to the Rest Service, and in my composite.xml, it looks like this :
....
<component name="MyCompositeBASProcess" version="2.0">
<implementation.bpel src="BPEL/MyCompositeBASProcess.bpel"/>
<componentType>
<service name="mycompositebasprocess_client" ui:wsdlLocation="WSDLs/MyCompositeBASProcess.wsdl">
<interface.wsdl interface="http://xmlns.oracle.com/myPartitionSOA/MyCompositeBAS/MyCompositeBASProcess#wsdl.interface(MyCompositeBASProcess)"
callbackInterface="http://xmlns.oracle.com/myPartitionSOA/MyCompositeBAS/MyCompositeBASProcess#wsdl.interface(MyCompositeBASProcessCallback)"/>
</service>
<reference name="CMProxyRS" ui:wsdlLocation="WSDLs/CMProxyRS.wsdl">
<interface.wsdl interface="http://xmlns.oracle.com/myPartitionSOA/MyCompositeBAS/CMProxyRS#wsdl.interface(CMProxyRS_ptt)"/>
</reference>
</componentType>
<property name="bpel.config.oneWayDeliveryPolicy" type="xs:string" many="false">async.persist</property>
</component>
<reference name="CMProxyRS" ui:wsdlLocation="WSDLs/CMProxyRS.wsdl">
<interface.wsdl interface="http://xmlns.oracle.com/myPartitionSOA/MyCompositeBAS/CMProxyRS#wsdl.interface(CMProxyRS_ptt)"/>
<binding.rest config="Adapters/CMProxyRS.wadl" location="http://server_WITHOUT_basic-auth/cmproxy/resources/v2/" />
</reference>
....
With this code I invoke a REST service which is not secured by a BASIC_Auth, and it works fine.
Now, when I switch to a remote environment which needs a basic authentication, I did not manage to succeed.
I found some examples to invoke SOAP services with basic auth, but nothing really interesting for REST services. But, in the Oracle Fusion stack 12.1.3, REST services are "adapted" to SOAP services before being used, so I thought that I could use the examples I found.
So, I updated my composite.xml to add the user/password and the policy :
....
<reference name="CMProxyRS" ui:wsdlLocation="WSDLs/CMProxyRS.wsdl">
<interface.wsdl interface="http://xmlns.oracle.com/myPartitionSOA/MyCompositeBAS/CMProxyRS#wsdl.interface(CMProxyRS_ptt)"/>
<binding.rest config="Adapters/CMProxyRS.wadl" location="http://server_WITH_basic-auth/cmproxy/resources/v2/">
<wsp:PolicyReference URI="oracle/wss_username_token_client_policy" orawsp:category="security" orawsp:status="enabled"/>
<!-- <property name="oracle.webservices.auth.username">weblogic</property> -->
<!-- <property name="oracle.webservices.auth.password">password</property> -->
<property name="oracle.webservices.preemptiveBasicAuth">true</property>
<property name="javax.xml.ws.security.auth.username" many="false" override="may">weblogic</property>
<property name="javax.xml.ws.security.auth.password" many="false" override="may">password</property>
</binding.rest>
</reference>
....
As you can see, I tried with the javax.xml.ws.security.auth. properties and with the oracle.webservices.auth. properties. But both failed : on the remote, I do not get any Basic Authentication in the requests.
I also updated my CMProxyRS.wadl to add the Authorization key in the HTTP Header. For example :
<resources>
<resource path="/documents">
<method name="GET" soa:wsdlOperation="searchDocument">
<request>
<param name="Authorization" style="header" soa:expression="$msg.request/tns:Authorization" default="" type="xsd:string"/>
<param name="queryText" style="query" soa:expression="$msg.request/tns:queryText" default="" type="xsd:string"/>
<param name="fields" style="query" soa:expression="$msg.request/tns:fields" default="id,name,originalName,originalFormat,originalExtension,alternateFormat,alternateExtension,revision" type="xsd:string"/>
<param name="waitForIndexing" style="query" soa:expression="$msg.request/tns:waitForIndexing" default="false" type="xsd:boolean"/>
</request>
<response status="200">
....
And this Authorization was "replicated" in the WSDL.CMProxyRS.wsdl :
<element name="searchDocument_params">
<complexType>
<sequence>
<element name="Authorization" type="string"/>
<element name="queryText" type="string"/>
<element name="fields" type="string"/>
<element name="waitForIndexing" type="boolean"/>
</sequence>
</complexType>
</element>
This did not help. In fact, I am really not sure that what I added in my composite.xml (the properties username, password, preemptiveBasicAuth) is used by the SOA Engine to build the REST request.
(I would like to specify that it is not a user/password issue : when I test this REST query with the same user/password from Postman, it work fine.)
How can I manage to invoke a REST service with basic Authentication from a soa-composite ?
You can send custom HTTP headers in BPEL.
Take a look at this post. You need to add oracle.webservices.http.headers on the reference service and then you can populate variables and send them on your REST invoke acticity in BPEL.
You can try OWSM oracle/http_jwt_token_client_policy to pass the required headers in the request.
I had the same issue initially trying to invoke WADL from Oracle SOA 12c.
It started working after applying the following OWSM security policy:
oracle/http_jwt_token_client_policy
I am trying to create entity fm on asp.net MVC 5 with existing oracle database.I installed Oracle.ManageDataAccess & Entity client from nuget pm. But I am still getting this error when try to create entity framwork using ADO.NET.
TNS:Could not resolve the connect identifier specified
Here is I have done in web.config with related Oracle Client and connectionString:
<oracle.manageddataaccess.client>
<version number="*">
<settings>
<setting name="TNS_ADMIN" value="C:\app\tcetin\product\12.1.0\dbhome_1\NETWORK\ADMIN" />
</settings>
<dataSources>
<dataSource alias="SptsDataSource" descriptor="(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=******)(PORT=1521))(CONNECT_DATA=(SERVER=dedicated)(SERVICE_NAME=*****)))" />
</dataSources>
</version>
</oracle.manageddataaccess.client>
<connectionStrings>
<add name="OracleDbContext" providerName="Oracle.ManagedDataAccess.Client" connectionString="User Id=****;Password=*****;Data Source=SptsDataSource" />
</connectionStrings>
How can I solve this issue?
Thanks
I don't think this is your problem, but you are referencing a TNS_ADMIN, but then specifying your datasource directly. You shouldn't need the TNS_ADMIN part when specifying the datasource directly. My guess is your datasource definition isn't quite right.