Hi I have a Webservice exposed in FUSE ESB using Apache CXF endpoint. Client is required to pass the user name as password as below. Please advice How I can read this in my server from the Camel Exchange object.
((BindingProvider) serviceMnmtApi).getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "admin");
((BindingProvider) serviceMnmtApi).getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "password");
If you are using JBoss Fuse 6.1, you should be able to setup the the username and password from the endpoint URI option. It is addressed in CAMEL-7145.
Related
I am trying to setup saml sso configuration for my application which is deployed in websphere.
Idp- Azure AD
SP - Websphere application server when my target application deployed
Done TAI configuration as per the Ibm document . But when I hit the test button from idp I could see the saml response in network tab. but i couldn't login to my application and also didn't get any trace related to saml in log files also however i have enabled logs for saml in Troubleshoot. My doubt is sometimes am getting trace which are related to TAI during server stop. For each request should i be getting TAI trace ? and why my saml response not getting intercepted in TAI. How exactly the interception happen with saml response and how do we get to know that saml response got validated.
[15/4/21 16:18:42:855 IST] 00000096 TrustAssociat A SECJ0121I: Trust Association Init class com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor loaded successfully
acs url -> https://localhost:/browserTest (which is my actual target application url)
metadata and signing certificates also imported correctly.
Thanks for your help.
The acs URL has format like this:
https://<hostname>:<sslport>/samlsps/<any URI pattern string>
if you want to use your application URL
https://localhost:/browserTest
as acs URL, this UR must be able to accept HTTP POST.
I created a web service client to handle cxf soap web services with apache camel.
String serviceUri = "cxf:http://localhost:10000/myservice?serviceClass=" +
MyRequest.class.getCanonicalName();
from(uri).to("mock:xyz");
The web service receives the soap call but throws an exception since the request requires a handling for wss.
org.apache.cxf.binding.soap.SoapFault: MustUnderstand headers: [{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood.
The reason is, that the service requires ws security, which can be seen by lloking at the request.
<SOAP-ENV:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" SOAP-ENV:mustUnderstand="1">
I found out that I need to implement an interceptor to handle header properties.
My questions:
How can I add an interceptor to handle the header attributes with Camel Java-DSL?
Will this be sufficient to get rid of the SOAP Fault?
You can do it through
cxfEndpointConfigurer option #see: Camel-CXF configuration
(I use Spring (it is much easier)), but I guess for DSL URI will look like:
String serviceUri = "cxf:http://localhost:10000/myservice?serviceClass=" +
MyRequest.class.getCanonicalName() +
"&cxfEndpointConfigurer="+ MyConfigurer.class.getCanonicalName();
by implementing org.apache.camel.component.cxf.CxfEndpointConfigurer you have ability to add an Interceptor inside configureServer method
server.getEndpoint().getInInterceptors().add(new MyJAASLoginInterceptor());
if you run your Camel in container with JAAS (like JBOSS) you can use extension from
org.apache.cxf.interceptor.security.JAASLoginInterceptor
with needed callback handler.
Simple example which validates user/password from WSS header against JBOSS users:
public class MyJAASLoginInterceptor extends javax.security.auth.callback.JAASLoginInterceptor {
#Override
protected CallbackHandler getCallbackHandler(String name, String password) {
return new org.apache.cxf.interceptor.security.NamePasswordCallbackHandler(name, password, "setCredential");
}
}
Objective: Get information (using Apache CXF) from a third party (thus no control or access to the service backend) web service
which use WS-Trust i.e. it authenticates the user using a Secure Token Service in this case with UsernameToken authentication.
I have spent a LONG time trying to learn about the WS-* security standards and at the same time trying out different frameworks and
tools (Axis, Apache CXF, METRO with NetBeans, Microsoft .net, SoapUI plugin for Eclipse etc.) to connect to a specific service in
the cloud. I am trying to develop a backend client that fetch information from the service. Apache CXF is attractive here
because it seems to be the only Java framework which does not assume that everyone connecting to web services use clients deployed on a web application server.
The service providers have provided the necessary certificates and user credentials to connect to the service using STS.
They have also provided a detailed user guide using NetBeans and METRO to create a web application that is deployed on a GlassFish server.
I have followed this guide and managed to get data from the web service. Conclusion so far: The certificates are valid.
There are three certificates stored in a keystore (including chains):
webservice-encryption-certificate.cer (keystore alias: webservice-encryption)
token-signing-certificate.cer (keystore alias:
token-signing)
token-encryption-certificate.cer (keystore alias: token-encryption)
=================================================================
NetBeans configuration:
Service client:
Keystore -> token-signing-certificate.cer
Truststore -> webservice-encryption-certificate.cer
STS client:
Truststore -> token-encryption-certificate.cer
Username -> user
Password -> xxx
=================================================================
THE BIG QUESTION: How can I make a similar configuration in CXF as in NetBeans?
I'm using CXF version: 3.0.2
"Translating" this to CXF gives me the follownig exception:
WARNING: Interceptor for {http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}SecurityTokenService#{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}Trust13IssueAsync has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: The signature or decryption was invalid
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:841)
Here is what i tried in CXF (amongst MANY other things):
MyService service = new MyService(); // Stub created from WSDL (real service name has been renamed to MyService)
MyServiceInterface port = service.getPort();
org.apache.cxf.endpoint.Client client = ClientProxy.getClient(port);
Bus bus = ((EndpointImpl) client.getEndpoint()).getBus();
STSClient stsClient = new STSClient(bus);
stsClient.setWsdlLocation("https://login.some-domain.com/adfs/services/trust/mex"); // Web service is using ADFS 2.0 with MEX
stsClient.setServiceQName(new QName("http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice", "SecurityTokenService"));
stsClient.setEndpointQName(new QName("http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice", "UserNameWSTrustBinding_IWSTrust13Async"));
stsClient.setSendRenewing(false);
stsClient.getRequestContext().put("ws-security.sts.token.properties", "clientTruststore.properties");
stsClient.getRequestContext().put("ws-security.sts.token.username", "webservice-encryption"); // MOST LIKELY WRONG - WHERE DO I PUT THIS CERTIFICATE?
Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
ctx.put("ws-security.sts.prefer-wsmex", true); // If set to false some policies will not be satisfied
ctx.put("ws-security.username", "user"); // REQUIRED OR FAIL WITH: No username available
ctx.put("ws-security.password", "xxx"); // REQUIRED OR FAIL: No username available
ctx.put("ws-security.encryption.properties", "clientTruststore.properties"); // REQUIRED OR FAIL WITH: A encryption username needs to be declared
ctx.put("ws-security.encryption.username", "token-encryption"); // REQUIRED OR FAIL WITH: A encryption username needs to be declared
ctx.put("ws-security.signature.properties", "clientTruststore.properties");
ctx.put("ws-security.signature.username", "token-signing");
ctx.put("ws-security.is-bsp-compliant", "false");
ctx.put("ws-security.sts.client", stsClient);
port.callSomething(createMyRequestObject());
I have tried to "decrypt" the meaning of the properties used in the code snippet above based on the following link (along many other tutorials and articles on the subject) to make sense in relation to WS-Trust and the certificates at hand.
http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html
I have tried all sorts of combinations using the constants but with no success.
How do I "pass" the service certificate (webservice-encryption) to the STS to tell it "this is the service that I want to use"?
By the way I have captured the traffic with Fiddler, and the request looks perfectly right compared to traffic captured with the NetBeans solution i.e. it contains timestamp, encrypted sections etc.
I KEEP GETTING "The signature or decryption was invalid"
Can anyone help please?
What does the response method from the STS look like? Is it an error message or does it look like the call succeeded? If it is an error message then it looks like you may be using the wrong certificates...you will need to enable logging on the service to figure out what the exact error is. If the call succeeded, then enable DEBUG logging on the client side and see what the problem is.
Colm.
We had a similar problem. Perhaps you must add JCE Unlimited Strength Policy jar files to JDK?
I am a very beginner in ESB. So, kindly excuse me for this basic question.
Currently we have web services created with Apache CXF and Spring running. Now, we need to create proxy services for these in WSo2 ESB. Can someone please let us know how can we do this?
I created Pass Through proxy and use wsdl definition as from URL, but when i use try it option i get he endpoint reference (EPR) for the Operation not found is /services/ and the WSA Action = null.
If this EPR was previously reachable,please contact the server administrator.
Since ESB 4.6, pass-through transport is enabled by default : The message body is not build so, SOAP Body based dispatching is not supported => in this case, the error you're speaking about is thrown
One solution could be to add this parameter in your proxy conf : <parameter name="disableOperationValidation" locked="false">true</parameter>
Have a look there for other options : Using WSO2 ESB PassThrough Proxy on WebLogic (Spring) Web Service
How did you create the proxy service? If you have the wsdl of the Backend service you can use it to create the proxy service like follows.
<proxy xmlns="http://ws.apache.org/ns/synapse" name="testProxy2" transports="https,http" statistics="disable" trace="disable" startOnLoad="true">
<target>
<outSequence>
<send/>
</outSequence>
<endpoint>
<wsdl service="SimpleStockQuoteService"
port="SimpleStockQuoteServiceHttpSoap11Endpoint"
uri="http://localhost:9000/services/SimpleStockQuoteService?wsdl"/>
</endpoint>
</target>
<description/>
</proxy>
The ESB gets the endpoint url from the Service name and Port defined in the WSDL. For SOAP 1.1 the WSA action will be the SOAPAction header and for SOAP 1.2 the WSA action goes with the action element of Content-Type header. For example,
Content-Type: application/soap+xml;charset=UTF-8;action="TheSoapAction"
Try to use a SOAP client like SOAPUI to test your proxy service.
I want to integrate salesforce with mule. In Salesforce i am using Outbound message. In outbound Message asking Endpoint URL. but i need integrate with salesforce to mule. so How i can give the Endpoint URL Address. Which Endpoint URL is suitable for connect with Mule. how can i connect and Which Endpoint Component will go to use in mule. how i receive the Outbound message in mule from salesforce. In salesforce i know the outbound message creation. I don't know the Endpoint URL. Normal Salesforce Endpoint URL link to some other Webpage. but here i should need Mule Endpoint URL. How i can give this. Please Suggest it. Thanks.
you need to create a http-endpoint in your mule flow, and specify to which URL it should listen to.
example of such endpoint declaration is:
<http:endpoint name="myEndpoint" address="http://myExample.info/exampleAddress" exchange-pattern="request-response"/>
update
set the address for endpoint to the available port, so if 80 is not occupied - it's ok to have it for example address="http://localhost:80/exampleAddress/"