Processing WS-Security headers within a web service

Similar Messages

• Add WS Security Headers to a Web-Service Request in JDeveloper

  I'm using JDeveloper to create a composite that performs a query against CRMOnDemand.  In order to access CRMOnDemand in a stateless manner, I have to create a SOAP request with the following in the header:
  <wsse:UsernameToken>
            <wsse:Username>USERNAME</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PASSWORD</wsse:Password></wsse:UsernameToken>
  How do I add these to the SOAP header message within the JDEVEOPER ui?

  I've figured out...
  Map<String, Object> reqCtx =
  ((BindingProvider)iditInterface).getRequestContext();
  Map<String, List> reqHttpHeader =
  (Map<String, List>)reqCtx.get(MessageContext.HTTP_REQUEST_HEADERS);
  if (null == reqHttpHeader) {
  reqHttpHeader = new Hashtable<String, List>();
  List header1 = new ArrayList();
  header1.add("[header1-value]");
  reqHttpHeader.put("[header1name]", header1);
  List header2 = new ArrayList();
  header2.add("[header2-value]");
  reqHttpHeader.put("[header2name]", header2);
  reqCtx.put(MessageContext.HTTP_REQUEST_HEADERS, reqHttpHeader);
  I used the above code to add the HTTP headers, before I call the webservice interface.

• Error invoking a web service within another web service

  Hi all!
  I have to develop a web service which needs to invoke another web service, thus the first web service is acting as a client of the second one. To get this, the first web service uses the proxy provided by the home page of the second one. However, when the first service invokes the second service, the body within the soap message is modified in such a way that it is not valid for the second service, because some namespaces declarations are added, in spite of the fact that they already exist. Then, I find the following:
  Body of the SOAP request created by the first web service:
  <a:request attribute1="urn:attribute:one"
  xmlns:a="urn:namespace:one" xmlns:b="urn:namespace:two">
  <b:body>Hello</b:body>
  </a:request>
  Body of the SOAP request received by the second web service:
  <a:request xmlns:a="urn:namespace:one"
  attribute1="urn:attribute:one"
  xmlns:a="urn:namespace:one" xmlns:b="urn:namespace:two">
  <b:body xmlns:b="urn:namespace:two">Hello</b:body>
  </a:request>
  I have also tried to run a client using this proxy outside the web service, and everything is ok. So, from my point of view, the problem is when running the proxy inside a web service. I wonder if I have to do something special with this proxy in order to use it within a web service.
  Has anybody run into this situation?
  Could anybody be so kind as to tell me how to solve it or if, on the contrary, it is an oc4j bug, please?
  Thank you very much in advance.
  Inma.

  Hi,
  Thanx it is working now.
  BTW can you give me some urls with info of this kind of setting which i need to do for other kind of integarions in J2EE platform.Sorry if i am asking too much as i am a starter in this technology.

• Open client socket from within a Web Service

  Hello,
  I need to open a client TCP/IP socket from within a Web Service-type WebLogic
  Workshop app. When I try to read from the socket, the socket read operation hangs.
  When I use the same code in a J2SE Java app on the same machine using Eclipse
  everything works fine. It also works fine from within WebLogic, if I use a "URL"
  object instead of a "Socket" object. (However, I cannot use this type of connection.)
  Can anyone tell me how to work with raw TCP/IP sockets in this situation?

  Hi Udi,
  I have tested my code from within a Servlet and it works fine.
  The Servlet and the Web Service both call the same simple JAVA class. This class wants to access a DB, and therefor, I am using the Data Source.
  When the Servlet calls the class, everything works fine. But when I use the Web Service to call this class, I get the Exception "No attributes are implemented".
  I hope this information helps you understanding my problem?
  Thank you very much for your help.
  Kind regards,
       Nadine

• Security-role for java web services developed using j-developer 10.1.2.1

  I have developed a java web service using j-developer 10.1.2.1, I have deployed this web service to oracle 10g (10.1.2.1) application server successfully. Now I want to add security-role to my web service deployment descriptor so that only a group of users that belong to a group can access my web service.
  How can I do this? Can any one please let me know.
  Thanks,
  SC.

  Hi.
  I suspect you have a proxy server between your localhost and the
  drive-app1.drivesoftwaresolutions.com
  Probably in Jdev that proxy is setup nicely in Tools->Preferences->Web Browser and Proxy
  But maybe your OC4J container running BPEL on localhost does not have that proxy setup.
  You need to add startup parameters to the JVM. In 10.1.3 you can do this via the "AS Control" administration pages (there is a link on the SOA suite welcome page). Go to JVM, click on the container and switch to the "Administration" tab.
  The properties are proxySet, proxyHost, proxyPort and nonProxyHosts
  When deploying from JDev, the compilation in JDev works fine (uses the proxy). But when the JAR is transferred to the server, it is compiled again. This fails because the proxy is not used on the server side and it cannot read the wsdl.

• Security for SOA and Web Services

  Dipak Chopra's 09 Dec 04 "Security for SOA and Web Services" piece has been a terrific starter for me as I start to delve into this topic. Does SAP/the SDN plan to publish an SAP-specific roadmap to show the adherence to and adoption of these standards in NetWeaver? (Or maybe there is such a published roadmap that I am unaware of?)

  Hi Randy
  SAP follows and participates in Security and other Web services standards very closely as we recognize the opportunity they present our customers for developing solutions and integrating systems faster at lower cost.
  However many of the standards are still in development and so are not quite yet ready for "prime time". This means that we can't really publish a "road map" as it would be continually changing. However, if you want an idea on which standards SAP thinks are important, please take a look at this presentation [1] which was delivered at the last Tech Ed.
  David
  [1] https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents/a1-8-4/the impact of industry standards on sap netweaver.pdf

• Security issues with calling web services from within Oracle?

  I'd like to use a trigger to initiate pushing data to a web service, so I thought we should call the web service from PL/SQL in a DBMS job, or perhaps create a .NET stored proc to call the service. Our DB Lead is concerned about security, since the standard model is for clients to call the database, and not for the database to function as a client.
  Does this pose any security risk? Can you refer me to any best practices or articles on this?
  Thanks in advance.
  Edited by: Kit.net on Nov 9, 2010 11:28 AM

  First, a trigger is there to for a single sole purpose - guaranteeing the integrity of the data and the transaction. It is not there to interact with external services and processes (like mail, web and other services). Doing that exposes the transaction to those other processes/services. The transaction can now fail. not because of a business rule validation, but because of a network error when the trigger accesses an external service. How on earth can a business transaction fail when the transaction is valid, but a the transaction's trigger hit an external access error!?
  And what happens do that event you have fired off in the trigger, when the transaction is rolled back? How do you undo that event you have created in the trigger that was based on uncommitted data?
  So using a trigger like this is simply stupid (and yes, I have seen it too often in practice with horrible results to sugarcoat such an idiotic approach).
  As for calling a web service from the database, using the database as the client in such a case. This is not a security risk. This is not unusual. In fact, it is very common in my experience. We have a lot of databases, ranging from SE to EE and several RAC clusters. All of them function as a client at some stage during processing. Some use a db link - and as a client fire off a SQL via that db link to a database server to obtain data. Some use ftp and act as a ftp clients, transferring processed data (XML format) to a server. Some call web services to extract data from 3rd party systems to reconcile the differences between local data sets and 3rd party data sets..
  This is common between server and server. I do not see anything unusual in the database server using another server (and acting as a client when it does). Security between servers should not be a major problem (in fact, it can easily be done in a very robust way using trusted and encrypted communication).
  The problem occurs when a client connects to the server and client and server roles are swapped at some stage (like the server "writing" a file directly to the client's filesystem). This very seldom makes any sense. And this is where authentication and security become an issue.

• SOAPFaultException with wsse:Security Tag consuming a Web-Service

  hello,
  i'm trying to consume a Web-Service of a Document-Server implementing the new CMIS-Interface.
  When i call the Service i get the exception:
  javax.xml.ws.soap.SOAPFaultException: An error was discovered processing the <wsse:Security> header
  my code (in an EJB 3.0 of NWCE 7.1 CE Server) is as follows:
  @Stateless(name="DocRepBean")
  public class AlfRepBean implements DocRepLocal {
       @WebServiceRef(name="RepositoryService")
       private RepositoryService rService;
       public String repServiceList ()
            String result = "";
            RepositoryServicePort rPort = rService.getRepositoryServicePort();
            try
                 String rList = "";
                 for (CmisRepositoryEntryType rEntry : rPort.getRepositories())
                      rList = rList + "REntry:ID="+rEntry.getRepositoryID()+";Name="+rEntry.getRepositoryName()+";URI="+rEntry.getRepositoryURI()+":";
                 result = rList;
            catch (Exception ex)
                 result = "!Exeption:" + ex.toString();
                 ex.printStackTrace();
                          // here the exception is thrown
            return result;
  Is there maybee a problem with authentification? but how can i set user and password calling that service then?
  Sorry for this maybe easy questions but i'm new in consuming other webservices.
  regards
  matthias hayk

  Found solution for this particular problem myself but ran into an follow-up error

• How to forward security credentials from one web service to another

  Here is what I am trying to do... I have a standalone client that invokes a message-level secured web service (WEBSERVICE A) on a Weblogic 9.1 server (SERVER A) with a username and a password, and this web service (WEBSERVICE A) uses the same username and password from the client, and invokes another message-level secured web service (WEBSERVICE B) deployed on a different WebLogic 9.1 server (SERVER B).
  Does WebLogic 9.X automatically asserts the same client credentials when the WEBSERVICE A invokes WEBSERVICE B on a different server? If it doesn't, what is the best way to do that? Thanks.

  You can save the site (spweb) as a template, and then use the template to create a new site in another web application. 
  When you save the site, it's saved to the solutions gallery. You can download the saved site from the solutions gallery, and then use it to create the new site collection. 
  If the site is a publishing site, you'll need to de-activate the publishing features first.
  You can save the site as a template via the sites settings page, or via SharePoint designer.
  Have a look here: http://office.microsoft.com/en-us/sharepoint-designer-help/save-a-sharepoint-site-as-a-template-HA101782501.aspx
  Regards, Matthew
  MCPD | MCITP
  My Blog
  View
  Matthew Yarlett's profile
  See my webpart on the TechNet Gallery that allows administrative users to upload, crop and format user profile photos. Check it out here:
  Upload and Crop User Profile Photos

• Java.security.PrivilegedActionException while invoking web service on OC4J

  Hi,
  I have a developed web service in Jdeveloper which is hosted on OC4J app server. I am able to invoke it properly and get results using the web service end point in browser window.
  Now I created a java proxy for this WS in Jdeveloper and tried invoking it inside another web service. I get the following error while the 1st WS is invoked:
  2010-03-09 17:15:04.607 WARNING Unable to connect to URL: <internal web service URL> due to java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message send failed: Connection refused: connect
  10/03/09 17:15:04 java.rmi.RemoteException: ; nested exception is:
       HTTP transport error: javax.xml.soap.SOAPException: java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message send failed: Connection refused: connect
  10/03/09 17:15:04      at autoauthorise.runtime.VehicleTypeSpecsWSSoapHttp_Stub.getVehicleTypeSpecs(VehicleTypeSpecsWSSoapHttp_Stub.java:91)
  10/03/09 17:15:04      at com.bt.vehtype.ws.VehicleTypeSpecsWSSoapHttpPortClient.getVehicleTypeSpecs(VehicleTypeSpecsWSSoapHttpPortClient.java:40)
  10/03/09 17:15:04      at com.bt.fleet.willow.ws.AutoAuthorise.autoAuthorise(AutoAuthorise.java:20)
  10/03/09 17:15:04      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  10/03/09 17:15:04      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  10/03/09 17:15:04      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  10/03/09 17:15:04      at java.lang.reflect.Method.invoke(Method.java:585)
  10/03/09 17:15:04      at oracle.j2ee.ws.server.ImplInvocationHandler.invoke(ImplInvocationHandler.java:126)
  10/03/09 17:15:04      at $Proxy0.autoAuthorise(Unknown Source)
  10/03/09 17:15:04      at com.bt.fleet.willow.ws.runtime.AutoAthoriseWSSoapHttp_Tie.invoke_autoAuthorise(AutoAthoriseWSSoapHttp_Tie.java:62)
  10/03/09 17:15:04      at com.bt.fleet.willow.ws.runtime.AutoAthoriseWSSoapHttp_Tie.processingHook(AutoAthoriseWSSoapHttp_Tie.java:161)
  10/03/09 17:15:04      at oracle.j2ee.ws.server.StreamingHandler.handle(StreamingHandler.java:287)
  10/03/09 17:15:04      at oracle.j2ee.ws.server.JAXRPCProcessor.doEndpointProcessing(JAXRPCProcessor.java:356)
  10/03/09 17:15:04      at oracle.j2ee.ws.server.WebServiceProcessor.invokeEndpointImplementation(WebServiceProcessor.java:283)
  10/03/09 17:15:04      at oracle.j2ee.ws.server.JAXRPCProcessor.doRequestProcessing(JAXRPCProcessor.java:272)
  10/03/09 17:15:04      at oracle.j2ee.ws.server.WebServiceProcessor.processRequest(WebServiceProcessor.java:94)
  10/03/09 17:15:04      at oracle.j2ee.ws.server.JAXRPCProcessor.doService(JAXRPCProcessor.java:128)
  10/03/09 17:15:04      at oracle.j2ee.ws.server.WebServiceServlet.doPost(WebServiceServlet.java:170)
  10/03/09 17:15:04      at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
  Please help, I cant see any problem.
  Edited by: Ankit_Screen on Mar 11, 2010 6:27 AM

  can't anybody help me?

• Securing a 1.5 web service using J2EE security and JDev 11g

  Hello,
  I'm looking for a tutorial or similar that will help me create a secure (1.5 EE with annotations) web service. I'm interested in just the development view at this point - xml file mods, etc.
  I did find a good resource on how to do this in 10.1:
  http://www.oracle.com/technology/products/jdev/101/howtos/securews/index.html
  and am wondering if it has been updated (even beta!) or in another form.
  Thanks

  Steve,
  The WSDLBaseURL property just prepends a string to the WSDL URL property so that you can abstract out the protocol, server and port values separately depending on the target system you wish to hit for the service call.
  Regards,
  Sam

• Java.security.PrivilegedActionException in a web service proxy

  Hello.
  I have developed a simple web service with an oracle tutorial : http://www.oracle.com/technology/obe/obe1013jdev/ws/wsandascontrol.htm
  I have created the proxy to test it and i get the next error:
  ADVERTENCIA: impossible to connect URL: http://localhost:8888/URJCWebServices-AudioStreamSerie1-context-root/AudioStreamSerie1SoapHttpPort debido a java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message send failed: Connection refused: connect
  java.rmi.RemoteException: ; nested exception is:
       HTTP transport error: javax.xml.soap.SOAPException: java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message send failed: Connection refused: connect
       at audiostreamserie1proxy.runtime.AudioStreamSerie1SoapHttp_Stub.startTransmission(AudioStreamSerie1SoapHttp_Stub.java:95)
       at audiostream.AudioStreamSerie1SoapHttpPortClient.startTransmission(AudioStreamSerie1SoapHttpPortClient.java:41)
       at audiostream.AudioStreamSerie1SoapHttpPortClient.main(AudioStreamSerie1SoapHttpPortClient.java:29)
  Caused by: HTTP transport error: javax.xml.soap.SOAPException: java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message send failed: Connection refused: connect
       at oracle.j2ee.ws.client.http.HttpClientTransport.invokeImpl(HttpClientTransport.java:174)
       at oracle.j2ee.ws.client.http.HttpClientTransport.invoke(HttpClientTransport.java:150)
       at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:176)
       at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:113)
       at audiostreamserie1proxy.runtime.AudioStreamSerie1SoapHttp_Stub.startTransmission(AudioStreamSerie1SoapHttp_Stub.java:79)
       ... 2 more
  What could be the problem? i have followed the steps of the tutorial.
  Thank you.
  Edited by: [email protected] on 17-abr-2009 1:57

  can't anybody help me?

• Processing of a Form when a WEB Service is not available

  Has anyone else noticed this or has a work-around suggestion? Note I am very new to this product. Background: We tied a WEB service call to a button on our PDF Form. When the user started the process they filled in the form but did not use the button to access the service to verify the data on the form. When they clicked on Complete it appeared that the process started but it never arrived at the first operation in the workflow. Upon investigation it was found that the workflow never started. It was as if when the workflow engine saw that the WEB Service was offline it threw the request away. When we loaded the form into WorkBench we did get an alert box telling us the server was unavailable and that the WSDL could not be loaded for the Data Connection. As the first user interaction is not coded in the workflow we are not sure how to trap this incident and prevent the user form thinking their process was accepted by LiveCycle for action. Thank you for your help in advance.

  Hi Steph
  I very much doubt that not calling the web service could have caused any problems directly.
  Does the workflow start correctly if you completely remove the web service invocation?
  How do you know that the process didn't start?
  Is the process long-lived?
  Do you have an xfa-form as an input variable of your process?
  Have you added the correct Workflow fields to your form, or just a single submit button?
  Howard
  http://www.avoka.com

• How secure is the default web services?

  Just curious how secure the default web services configuration is.
  Would mod_security need to be installed?
  The server would only host 2 sites but I am concerned about basic security.

  Your question is too vague to be answerable.
  Any web server security depends largely on what you're doing.
  If you're just serving static pages then its pretty secure - there isn't much anyone can do to compromise your server.
  If you're running any kind of dynamic content then your security depends on a) the server-side engine you use (e.g. PHP, Java, Ruby, etc.) and b) the competency of whoever's writing your code.
  If you're using any kind of database-driven content then your security also depends on your database engine, and your ability to secure your database.
  The upshot is that the software as delivered is only as good as how you configure and run it. mod_security (if you take the time to configure it) offers some protection, but it doesn't beat taking the time to code your application correctly.

• Securing DSP calls via Web Services Mediator API

  I have been implementing a client of DSP 3.0 services using the static Web Services Mediator API. I am successfully calling these through the AL Service Bus, where I have deployed the WSDL generated from the DSP. We are calling this from a rich client (i.e. the client is not running in any container). My company has chosen to use SAML-based security on all web services deployed in the service bus.
  I know how to use general-purpose web service clients to pass SAML tokens to the web service. My question is, how do I do this when using the Web Services Mediator API. I have noticed the XMLHelper class and the RequestConfig class, but I have not seen much in the way of examples of using them.
  Related question:
  Is it possible to insert additional content into the SOAPHeader, or configure attributes on the Port?
  Thanks,
  Jeff
  Edited by jhoffmanme at 02/13/2008 8:06 AM

  I'm checking into the SAML question.
  Regarding the soap header - whatever is in the contract defined in the WSDL.