Howto proces SOAP Header with security info
My incoming Soap messages contain security info in the soapenv:Header part.
However, I only need the contents of the Body element.
If I do NOT handle the Soap Message, then an Exception is thrown: something like: 'Do not know how to handle MustUnderstand'.
So something must be done with the Security info in the header, but I do not know how. Do I have to remove the header completely in the Soap handler, after checking the singning? If somebody can point me to some examples of Soap header processing for this case it would be helpful.
kind regs.
Harry
Hi Harry
The header in Soap Messages is optional. Is is used to carry security information, that is security on the level of the Soap message. So when the header of an incoming Soap message is 'handled', the header is of no use any longer and can (must) be discarded. Indeed discarded, because the rest of the handlers don't expect a header in the Soap message. They extract the 'contents' from the body of the Soap message, and deliver that to you backend system.
I will describe the header handling in the webservice: to get access to the Soap message in your code, you have to write a 'handler' Class. This Class should implement the Handler Interface or extend the abstract GenericHandler Class. To handle only the incoming Soap messages, the 'Requests', the method 'handleRequest' should be implemented. This handleRequest method has 1 parameter (mc) with type MessageContext. This parameter contains the original Soap message in Object format. You can access the original header information via:
SOAPMessageContext smc = (SOAPMessageContext)mc;
SOAPMessage message = smc.getMessage();
SOAPPart part = message.getSOAPPart();
SOAPEnvelope envelope = part.getEnvelope();
SOAPHeader header = envelope.getHeader();
With: Iterator iterator = header.getChildElements();
you can navigate through the header elements and do whatever you like. If you decide that security info in this header does not match the contents of the body for instance, you can issue an Exception and log it.
After processing the header you have to discard it with:
header.detachNode(); and let your handleRequest method return 'true'.
The rest of the webservice processing takes the contents from the body element, and delivers that to your application.
To let you webservice make use of your Handler, you have to name it in the web-services.xml as follows:
<webservices>
<handler-chains>
<handler-chain name="myChain">
<handler class-name="a.b.c.MyHandler" />
</handler-chain>
</handler-chains>
<web-service name="MyService">
<operations>
<operation ... handler-chain="myChain" .... />
</operations>
When the webservice 'MyService' gets a request, the handler 'MyHandler' is automatically invoked. you can have more handlers in a chain. Also you can declare more chains in your <webservices> section and refer to them from the <operation> elements.
Items of interest:
javax.xml.rpc.handler.soap.*
javax.xml.rpc.handler.*
javax.xml.namespace.*
javax.xml.soap.*
May be this of use for you :).
Similar Messages
-
Extended SOAP Scenario with Security
Hi All,
Could anyone send me the step by step procedure for "Extended SOAP Scenario with Security"?
Regards,
Sai.Hello,
Please use the search option on SDN.
There are no step by step guides as such and you will have to combine multiple different activities to achieve this, including set up of Server SSL on XI and then set up of the SOAP adapter to use the certificates.
Refer to the guides on SDN for these.
Regards
Bhavesh -
Reading custom SOAP header with XHeaderName1
Hello Experts,
I have a SOAP to File scenario and I am trying to do dynamic receiver determination by looking at the SOAP request header info. I am adding a custom field (System_ID) that I want rules to run against in Receiver Determination..
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:urn="urn:*******************">
<soapenv:Header>
<System_ID>100</System_ID>
</soapenv:Header>
<soapenv:Body>
</soapenv:Body>
</soapenv:Envelope>
In the Receiver Determination I have multiple rules using SOAP context object to XHeaderName1 = the System_ID (100) to pass the message to the right system at runtime according to the System_ID.
In the SOAP sender channel I have Set Adapter-Specific Message Attributes and Variable Transport Binding checked. I also have the variable name System_ID in the first Variable Header (XHeaderName1).
In the SOAP sender Conversion Parameters I have Do Not Use SOAP Envelope and Keep Headers checked, as well as nosoap=true in the SOAP request URL.
I'm getting the System ID to show in XI in sxmb_moni in the Header but no where do I see it being used with XHeaderName1.
Am I using XHeaderName1 right? If not could you advise as to how XHeaderName1 should be used?
My requirement is to read system ID from Header, not payload.
Thank you!
TimI was able to find a solution to my problem.
I created a basic senario below to test:
1.A basic Asynchronous scenario is created using a SOAP sender adapter to 2 possible flat file receivers.
2.The SOAP sender channel will have the option u201CDo Not Use SOAP envelopeu201D checked and SOAPUI URL will have u201C&nosoap=trueu201D added to the end.
3.The receiver system name will be stored in the WS-Addressing u201CActionu201D field sent from SOAPUI.
4.Two ABAP mappings are created. One mapping will extract the system number from the WS-Addressing u201CActionu201D field. The other mapping will extract just the body of the SOAP message to send along. Using regex and string manipulation in the ABAP mappings we can reuse the mappings for any SOAP message.
5.Enhanced (Extended) Receiver Determination is selected and interface mapping using system/XI ReceiverDetermination service interface is used to capture the receiver system.
While this is a solution is not the best, it is a solution. Upon research I found a recent SAP Note 1385579 talking about implementing a SAP delivered generic SOAP Sender AXIS handler com.sap.aii.axis.soap.HeaderExtractionHandler to extract SOAP Header elements and place in message attributes. I will be trying this out. -
SOAP Adapter with Security Levels - HTTP & HTTPS
We have a successfully working interface scenario where SAP XI is hosting a web service and the partner systems calling it using SOAP Adapter URL http://host:port/XISOAPAdapter/MessageServlet?channel=:service:channel with Security Level HTTP on the SOAP Sender Communication channel.
Going forward, for other similar interfaces (SAP XI hosting Web Service and partner systems calling it), we would like to use HTTPS and/or certificates.
If we enable HTTPS on XI J2EE server as per the guide How to configure the [SAP J2EE Engine for using SSL - Notes - PDF|https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/964f67ec-0701-0010-bd88-f995abf4e1fc]....
can partner systems still use the URL http://host:port/XISOAPAdapter/MessageServlet?channel=:service:channel or should they switch to https://host:port/XISOAPAdapter/MessageServlet?channel=:service:channel?
can we continue to have the existing interface working using HTTP Security Level i.e. partners not having to send the certificate with each message?
If we use HTTPS security level, is it mandatory for the partner system need to send the certificate? Is it possible to have an HTTPS scenario w/o certificates?
What is the difference between Security Levels 'HTTPS Without Client Authentication' & 'HTTPS with Client Authentication'?
I appreciate your inputs on this.
thx in adv
praveen
PS: We are currently on SAP PI 7.0 SP17Hi Praveen,
There is no need to change the interface and It is manditory for the partners to send certificates in order to validate each other. Use the https in url.
HTTPS With Client authentication:
The HTTPS client identifies itself with a certificate that is to be verified by the server. To validate the HTTPS clientu2019s certificate, the HTTPS server must have a corresponding CA certificate that validates this certificate. After validation of the clientu2019s certificate, the server maps the certificate to an actual system user executing the HTTP request.
and check this link.
http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
Regards,
Prasanna -
Adding WS Security in SOAP header for calling soap services from PI
When i am calling a wss enabled webservice from soapui with the header parameters
Username , Password and Password Type - PasswordText , it is able to get results. The soapui tool automatically adds the following in the soap header -
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-9368150" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>xxxxx</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">xxxxx</wsse:Password>
<wsse:Nonce>aOA1P6t2hJPRyuraQ/IliQ==</wsse:Nonce>
<wsu:Created>2009-07-10T14:58:33.781Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
However , in PI when the following configurations are made -
Web Services Security option selected in soap receiver adapter
In Receiver Agrrement -
Security Standard - http://docs.oasis ....
Security Procedure (Request) - None
Security Procedure (response) - None
the user tokens don't seem to generated and it is giving an authentication error . Is there any process of generating this in the outgoing soap header from PI.
SOAP Axis framework is not installed at present and working on PI 7.1 SP6.
Looking forward for your repliessame issue for me too.
Try using WS adapter on receiver side .
If you are able to attach SOAP header with WSSE fields using SOAP adapter at reciever channel let me know how you did it. -
Hello,
I created a web service proxy using WSDL and XSD files. Then, I created a sample request from client interface and sent the request as an object to call the web services. However, I am not directly calling the webservices as I am doing it through a Gateway. Here, the problem is, the Gateway accepts only empty SOAP headers and the Gateway inserts the security details in that SOAP header and will send a request to the original web services. Even if we add any element in the SOAP header, it is not accepting the request.
While sending a request through the client interface(Java class), I am not able to generate a empty SOAP header and send as request. I tried several ways adding a empty header. but no result. Is there any way we can add empty SOAP header while sending a requesting through Java class(Client interface)?
Thanks
sekharThanks for your reply.
I have tried different approaches for adding empty SOAP header with no elements. But, none of them worked. The only solution for this issue is to add OSB proxy which has the functionality to send empty SOAP header which worked for me.
Thanks
sekhar -
How to Capture Runtime SOAP Header in ABAP Webservice
Hi All,
I have created a WebService from a ABAP Function Module, and an external (Java Based) system is able consume to it. But while making the call, the external System enriches the SOAP header with certain values, and I need to capture these values in ABAP Function Module.
How can read the enriched SOAP Header in my ABAP Function Module? is there any Class/Function Module which I can call to get the Runtime SOAP-HEADER or is the runtime SOAP-header available in one of the structures similar to SYST?
Thanks,
GaneshHi Ganesh,
Please go through this link.
http://www.sapag.co.in/SAP-XI-SOAP-Adapter-FAQ'S.html
I think this would be helpful for you..
Reward points if useful,
Swamy Kunche -
Can anyone please tell me how to add following security header in Webservices (WS 1.0 ) client using java code? (I m using axis 1.4)
<soap:Header>
<wsse:Security soap:mustUnderstand="1">
<wsse:UsernameToken>
<wsse:Username>[email protected]</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wssusername-
token-profile-1.0#PasswordText">adminOnDemand</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>XML snippit
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:con="urn:crmondemand/ws/contact/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:con1="urn:/crmondemand/xml/contact">
<soapenv:Header>
<wsse:Security>
<wsse:UsernameToken>
<wsse:Username>your_site/your_login</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">your_password</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
This isn't exactly what you are looking for but you can use this to add a header to a axis web service call.
SOAPHeaderElement header = new SOAPHeaderElement("http://your.xsd", "your tag");
SOAPHeaderElement header1 = new SOAPHeaderElement("http://your other.xsd", "your other tag");
header1.setAttribute("Id", "your value");
header.addChild(header1);
SOAPElement node = header1.addChildElement("more text");
node.addTextNode("more text");
SOAPElement nodepwd = header1.addChildElement("another tag");
nodepwd.addTextNode("more text");
nodepwd.setAttribute("Type", "http://another url");
((Stub)service2).setHeader(header);
Hope this is more helpful than confusing. -
Simulating SOAP Header in Testsuite
Hi all,
I'm using an BPEL Process with a custom soap header. Can anybody tell me how I can create a testcase, that fills in the custom soap header with testdata?
Thanks in advance.
Regards MarkusHi Guys,
thanks for the hint to SoapUI, but we have our complete integrated continuous integration process build up opon the testsuite of the bpel engine. So a switch is to expensive.
Regards Markus -
Soap header authentication in as2
Is there any way to pass a SOAP header with Uname/password in Actionscript 2 webservice.
I need to authenticate the SOAP request.
Please help me..............Hi Laxmi,
follow this guide last section deploying SDA file using JSPM .
If you are not able to see your SDA file then run the comand which i have mentioned iin last section.
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/00b4a020-4ae6-2c10-5a95-fed4ad9a4b60?quicklink=index&overridelayout=true
Also take care of the extension of .SDA file.
Extract it properly in a folder . After adding content again create SDA and start deployement
thanks
sandeep -
Adding element RelatesTo to the soap header
Hi All,
I need to replace wsa05:MessageID element in the soap header with the following value
<wsa05:MessageID>fn-bea:uuid()</wsa05:MessageID>
<wsa05:RelatesTo>$header/wsa05:MessageID/text()</wsa05:RelatesTo>
How would I do that in OSB proxy service?You may use Insert or Assign or Replace action -
http://download.oracle.com/docs/cd/E17904_01/doc.1111/e15867/proxy_actions.htm#CIHEFDFB
Regards,
Anuj -
Unable to process SOAP Header child element 'wsse:Security' with 'mustUnder
Hello everyone.
In have created project in Jdeveloper. In this one i have one external reference for Siebel Service.
At composite, for external reference service(Siebel Service) i have added a security policy i.e. *"oracle_wss_username_token_client_policy"*.
[Right click on SiebelService->configure WS policies->under security tab i have selected above policy]
So apart from this i have added property for the policy
<property name="oracle.webservices.auth.username" type="xs:string"
many="false" override="may">SADMIN</property>
<property name="oracle.webservices.auth.password" type="xs:string"
many="false" override="may">SADMIN</property>
But its returning following error,
Unable to process SOAP Header child element 'wsse:Security' with 'mustUnderstand="1"'(SBL-EAI-08000)
This really pushed back me in development.
Really i am in need of help. Help me out of this issue.
Thanks in advance,
ShridharUnable to process SOAP Header child element 'wsse:Security' with 'mustUnderstand="1"'(SBL-EAI-08000)The problem is at Siebel side. It is not able to understand the security mechanism being used at SOA side. There are two options -
1. Use the custom policy and assertion at SOA side (please refer to metalink note - 1419373.1)
2. Write your own custom message handler class and use it at Siebel side to negotiate security gap
Regards,
Anuj -
Create XML with digital sign and SOAP header...
Hi.
With ABAP, I need create an XML file iwith SOAP envelope. The message has to be signed and the sign data saved in the ws-security part in the SOAP header. I have to sign the file with a X509v3 certificate in base64.
Somebody can tell me how can create the SOAP header and sign it with ABAP for the XML.
Thanks.Please refrain from implementing WS-Security yourself.
NWAS ABAP 7.x provides support for WS-Security - in both roles, as Consumer and Provider.
The right approach is to generate a proxy based on a given WSDL.
What kind of (message-based) authentication is demanded by the WS Provider?
Other info source: see https://wiki.sdn.sap.com/wiki/display/Security/SingleSignonforWeb+Services
Edited by: Wolfgang Janzen on Jul 8, 2009 12:11 AM -
SOAP element wsse:Security with mustUnderstand="1"(SBL-EAI-08000)
Attempting to access Siebel (CRM On Demand) web service using Weblogic web service data control in JDeveloper, set web service security policy to "oracle/wss_username_token_client_policy", receiving the following error:
The Web Service call failed. The service returned a SOAP fault with the message: [SOAP-ENV:MustUnderstand] Unable to process SOAP Header child element 'wsse:Security' with 'mustUnderstand="1"'(SBL-EAI-08000)
How can I set mustUnderstand="0" in the SOAP request? (I cannot change the web service to accept mustUnderstand="1")
Thanks!
Edited by: user507901 on Dec 12, 2009 2:09 PMI am experiencing the exact same problem. From my research, it appears that the problem has to do with the namespace and WS-Security version compatibility.
Here's some related information:
wsse security property in partnerLinkBinding not work in 10.1.3.4 MLR3
Re: Exception with security-enabled web service proxy
Similar problems when connecting from Microsoft to Siebel:
http://social.msdn.microsoft.com/Forums/en/wcf/thread/cc48f572-7082-40d1-9b6b-dcdc7223bc85
(google cache of information that is very relevant)
http://74.125.47.132/search?q=cache:v9gAA2zDcqgJ:soa-howto.blogspot.com/2008/04/invoking-ws-security-compliant-web.html+siebel+ws-security+oasis+2004&cd=9&hl=en&ct=clnk&gl=us&client=firefox-a
http://74.125.47.132/search?q=cache:nIe07-zdum0J:soasol.blogspot.com/2009/06/missing-in-soap-header-when-calling.html+wsseOASIS2004Compliant&cd=3&hl=en&ct=clnk&gl=us&client=firefox-a
Documentation from SOA Suite 10g. Search for "wsseOASIS2004Compliant":
http://download-west.oracle.com/docs/cd/B31017_01/integrate.1013/b28982.pdf
I've tried a number of different ways to set the "wsseOASIS2004Compliant" property to "false" for my partner link, but it simply has no effect in 11g.
Edited by: user12107520 on Dec 15, 2009 10:36 AM -
How to add security credentials to SOAP header for EBS Web Service call..
All,
I am trying to invoke a webservice that I successfully exposed as a WSDL Web Service using EBS Integrated SOA Gateway. I am using OBIEE 11g Action Framework which uses WebLogic.
Here are the steps I completed:
- I exposed a WSDL web service in EBS R12 via Integrated SOA Gateway
- I granted the access to this service in EBS R12 to user SYSADMIN
- I used OBIEE 11g to make a Action to call the Web service (using Action Framework) by searching for the WSDL
- When I try to execute the action: I get the error:
Action could not be invoked.
ServiceExecutionFailure :
Error invoking web service HR_PHONE_API_Service at endpoint http://ip-10-87-33-3.ec2.internal:8000/webservices/SOAProvider/plsql/hr_phone_api/ Missing <wsse:Security> in SOAP Header
PROBLEM: I am unsure how to add the credentials for SYSADMIN user and password to add the SOAP username/pwd to the outgoing call. Anyone on this forum know how to set up the SOAP to call with the correct credentials? I have been looking at the documentation but it is not clearly explained.Dear Heiko,
did you solve this problem?
We are facing the same problem. Every parameter that requries "cmd" does not work. I guess we don´t use this paramter the right way.
Best, Chris
Maybe you are looking for
-
I am currently running a PowerPC G5 imac and have a wired broadband modem via ethernet with airport wireless network turned on, on the G5. I have the computer in the bedroom and have an airport express wired into a mixer that connects to my stereo. I
-
Why do I have 2 icons for WD Mybook Edition II?
I have two icons on my desktop title line (don't know if this is correct name for the top horizontal bar) for my WD Mybook Edition II backup. I had a problem with the WD a few months ago and I somehow got it fixed but am unsure how that happened. N
-
Quality results with purchase order information
Is there any standard report in whichi I can have data like purchase order, vendor, contract, material and quality results? Thanks in advance
-
Can some one help. There are multiple tabs on this site about privacy but i cant find the one with the shredded Constitution, the burning US flag and the video of the board of dictators/directors giving the finger to 110 million loyal paying customer
-
Using Netgear Router - attempting to aquire WEP for additional computer
I have been using another internet provider at our previous home until yesterday when we finally got Verizon DSL here at our new home. I am using my router from my previous location and so far I have no problem with the two computers that were prev