Scenario:
I am currently developing a reverse-proxy type API which would accept requests in JSON format and then make a backend call to a SOAP service hosted on a public URL.
I am performing the following steps in the preflow.
With this flow I am able to connect to the backend service, but I am getting a security error because the backend service needs a WSSE security header in the SOAP Header section, as mentioned below. I have the two questions below.
Questions:
Sample SOAP Header with WSSE security header details :
<soap:Envelope xmlns:soap='soapuri' xmlns:wsa="wsauri" xmlns:wsu="wsuuri">
  <soap:Header>
    <wsa:Action soap:mustUnderstand="1">..Action name..</wsa:Action>
    <wsa:To soap:mustUnderstand="1" wsu:Id="_1">...Service URL...</wsa:To>
    <wsse:Security soap:mustUnderstand="1"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsu:Timestamp wsu:Id="Timestamp-18e1ce72-2097-42b3-a18e-d0e6e986f56f">
        <wsu:Created>2017-02-19T16:05:50-05:00</wsu:Created>
        <wsu:Expires>2017-02-19T21:10:50Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:BinarySecurityToken
          wsu:Id="SecurityToken-728895c5-2191-47bb-9126-62c292cecc2a"
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">...Base64-encoded-x509v3-token-here...</wsse:BinarySecurityToken>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <Reference URI="#Timestamp-18e1ce72-2097-42b3-a18e-d0e6e986f56f">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>...Digest Value..</DigestValue>
          </Reference>
          <Reference URI="#_1">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>..Digest Value..</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>..Signature Value..</SignatureValue>
        <KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference
                URI="#SecurityToken-728895c5-2191-47bb-9126-62c292cecc2a"
                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
          </wsse:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </wsse:Security>
  </soap:Header>
  ...
</soap:Envelope>
Using a Java callout should be fine for generating the signed payload. You can use the Apache WS-Security libraries (wss4j).
You will want to have the Java callout call MessageContext.setVariable("request.content", payload)
You will want to store the private key used for signing in the encrypted KVM, or you can embed it directly into the callout jar as a resource, if the key will not often change.
To resolve the reference to Execution, you need to install the Apigee JAR files into your local (machine) repo, like this:
#!/bin/bash
# -*- mode:shell-script; coding:utf-8; -*-
#
# Created: <Tue Oct 6 11:46:13 2015>
# Last Updated: <2015-October-06 11:53:42>
#

echo
echo "This script downloads JAR files and installs them into the local Maven repo."
echo

curl -O https://raw.githubusercontent.com/apigee/api-platform-samples/master/doc-samples/java-cookbook/lib/e...

mvn install:install-file \
  -Dfile=expressions-1.0.0.jar \
  -DgroupId=com.apigee.edge \
  -DartifactId=expressions \
  -Dversion=1.0.0 \
  -Dpackaging=jar \
  -DgeneratePom=true

rm expressions-1.0.0.jar

curl -O https://raw.githubusercontent.com/apigee/api-platform-samples/master/doc-samples/java-cookbook/lib/m...

mvn install:install-file \
  -Dfile=message-flow-1.0.0.jar \
  -DgroupId=com.apigee.edge \
  -DartifactId=message-flow \
  -Dversion=1.0.0 \
  -Dpackaging=jar \
  -DgeneratePom=true

rm message-flow-1.0.0.jar

echo
echo done.
echo
The dependencies in the pom.xml file then look like this:
<dependency>
  <groupId>com.apigee.edge</groupId>
  <artifactId>message-flow</artifactId>
  <version>1.0.0</version>
</dependency>
<dependency>
  <groupId>com.apigee.edge</groupId>
  <artifactId>expressions</artifactId>
  <version>1.0.0</version>
</dependency>
And you can see a working example of a Java callout here (though it does not use wss4j):
https://github.com/DinoChiesa/ApigeeEdge-Java-Add-Xml-Node
I recommend that you write tests as well.
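Added example, not part of the original thread and not Apigee or wss4j code: a structural check that a test can run over the envelope the callout produces, confirming that every signature reference resolves and that the Timestamp and wsa:To elements are covered, as in the sample header in the question. It uses only the Python standard library and checks structure, not digest or signature values; the constructed sample envelope, its SOAP and WS-Addressing namespace URIs, and the names check_wsse, SAMPLE and must_sign are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
NS = {"wsu": OASIS + "utility-1.0.xsd", "wsse": OASIS + "secext-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: same shape as the header in the question, values are placeholders.
SAMPLE = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsu="{wsu}"
 xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsse="{wsse}" xmlns:ds="{ds}">
 <s:Header><wsa:To wsu:Id="_1">https://backend.example/service</wsa:To><wsse:Security>
  <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2017-02-19T16:05:50-05:00</wsu:Created>
   <wsu:Expires>2017-02-19T21:10:50Z</wsu:Expires></wsu:Timestamp>
  <wsse:BinarySecurityToken wsu:Id="BST-1">placeholder</wsse:BinarySecurityToken>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#TS-1"/><ds:Reference URI="#_1"/>
   </ds:SignedInfo><ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#BST-1"/>
   </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
 </wsse:Security></s:Header><s:Body/></s:Envelope>""".format(**NS)

def local(el):
    return el.tag.rsplit("}", 1)[-1]           # strip the "{namespace}" prefix

def check_wsse(xml_text, must_sign=("Timestamp", "To")):
    """Return a list of structural problems in a signed WS-Security header."""
    root, problems, by_id = ET.fromstring(xml_text), [], {}
    for el in root.iter():                     # index every element by wsu:Id
        wid = el.get("{%s}Id" % NS["wsu"])
        if wid in by_id:                       # a repeated Id makes a Reference ambiguous
            problems.append("duplicate wsu:Id " + wid)
        if wid is not None:
            by_id[wid] = el
    def resolve(ref):                          # same-document "#id" references only
        uri = ref.get("URI", "")
        return by_id.get(uri[1:]) if uri.startswith("#") else None
    targets = [resolve(r) for r in root.iterfind(".//ds:SignedInfo/ds:Reference", NS)]
    if any(t is None for t in targets):
        problems.append("a ds:Reference does not resolve to a wsu:Id")
    signed = {local(t) for t in targets if t is not None}
    problems += [n + " is not signed" for n in must_sign if n not in signed]
    keys = [resolve(r) for r in root.iterfind(
        ".//ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)]
    if len(keys) != 1 or keys[0] is None or local(keys[0]) != "BinarySecurityToken":
        problems.append("KeyInfo does not point at a BinarySecurityToken")
    def stamp(name):                           # "Z" is only parsed from Python 3.11 on
        text = root.findtext(".//wsu:" + name, "", NS).strip()
        return datetime.fromisoformat(text.replace("Z", "+00:00"))
    try:
        if stamp("Expires") <= stamp("Created"):
            problems.append("Expires is not after Created")
    except (ValueError, TypeError):
        problems.append("Timestamp is missing or malformed")
    return problems
```

An empty list means the header has the expected shape; the signature itself still has to be verified by the backend or by a cryptographic check.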