I'm using the Apache CXF library to consume a SOAP Web Service. This service requires a saml:assertion (SAML 1, not 2) in the payload header. I want to use an encoded SAML token that is given to me. How do I add this token into every request going to the external SOAP Web Service?
I've been playing around with the AbstractSoapInterceptor and the SamlTokenInterceptor, but I haven't gotten it to work yet. The interceptors require a Phase string, and I'm not sure which one suits my needs.
You could take a look at the CXF system tests. See here for a SAML example:
https://github.com/apache/cxf/blob/9e6d2aa86c57e600baf66e42538036c927cadcf5/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java#L423
Spring configuration:
https://github.com/apache/cxf/blob/9e6d2aa86c57e600baf66e42538036c927cadcf5/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml#L351
If you already have a SAML token you can set that on the SAMLCallbackHandler directly via this method:
https://github.com/apache/wss4j/blob/eb3dc39b397f571746ee9183ecb96eac3206fa9f/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SAMLCallback.java#L313
Related
I am trying to connect to a web service (WSDL file) in .NET from Java, but I am unable to authenticate. The authentication is based on ADFS SAML.
I have used all the libraries: Axis, Axis2, JAX-WS, Metro but none of them are working for me.
So then I just made a SOAPEnvelope in SAAJ and am just sending it without any other 3rd party library. Now I know exactly what is being sent.
What I don't know, is how to populate the header message correctly? The server is using TransportWithMessageCredential security mode with clientCredentialType="UserName".
Since its SAML, I need to send a message with credentials that will send be back a token that I can use in my subsequent messages.
How do I make that request message that returns me the SAML token?
In order to talk SAML to ADFS, you need a client-side SAML stack.
So you can authenticate via the SAML stack to ADFS and get a SAML token back.
There is a SOAP binding for SAML but it is not supported by ADFS.
In a simple #EnableZuulProxy application, requests with Content-Type application/x-www-form-urlencoded or multipart/form-data gets wrapped in a FormBodyRequestWrapper by FormBodyWrapperFilter. This decodes the content and reencode it for the backend.
However, from what I can see, requests of other content types (let's say application/json) in a service discovery enabled route will get their InputStream directly proxied to the client used through the RibbonCommandContext.
In Apache HttpClient for example, the input stream will be wrapped in a BasicHttpEntity in the RibbonApacheHttpRequest.
Why is this necessary? Couldn't we just handle all requests the same way?
See https://github.com/spring-cloud/spring-cloud-netflix/issues/109 for the original issue.
The zuul request wrapper buffers the request and it needed to be added back for the proxy. This is one of the reasons spring cloud gateway was built, since it doesn't have these problems.
I am new to spring integration and learning in the process.
I will have to make two SOAP calls.
1st SOAP call --->use the 1st call response as 2nd SOAP request.
And programmatically get the url and other request parameters from the database.
I was successfully able to make the call with this configuration
<int-ws:outbound-gateway id="Service" request-channel="requestChannel" reply-channel="responseChannel" uri="http://localhost:8080/core/v1" marshaller="marshaller" unmarshaller="marshaller"/>
I haven't used any activators or interceptors. just used xml and gateway interface. I have hardcoded the request values.
Can someone help me how to get values from database and build this in a much better way.
Use JDBC Outbound Gateway to retrieve data an pass it into WS Outbound Gateway.
You can find some samples on the matter: https://github.com/spring-projects/spring-integration-samples/tree/master/basic/jdbc
I'm struggling to design a SAML2.0 authentication for a REST API using a gateway. REST is used between my backend and my application. I'm using Java Servlet filter and Spring.
I see two possibilities:
Adding the SAML tokens into the header each time.
Authenticate once with SAML, then using a session or similar (secure conversation) between the client and the gateway.
Case 1: It's a good solution because we are still RESTful but:
SAML tokens are quite big. It's may generated problem due to big header size.
Replaying tokens is not the best way for security concern.
Case 2: It's no more stateless and I have to managed a link with the client. Since I use a gateway, the underlying services can still be RESTful.
Case 2 looks for the better choice despite the fact that it does not follow the rest constraints.
Is someone had already to do it and give me some pointers (for design or implementation)?
Is there a better way to do it with SAML?
Any help or advice are welcome.
It is still draft, but: the OAuth2 SAML bearer profile may a possible solution.
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-saml2-bearer-17
Use a SAML2 to authenticate to an OAuth2 provider, then call your service with the OAuth2 token.
Also, you could generate a jwt token and put it inside of a SAML attribute: from this moment on you could pass the jwt inside of an http header.
It is sort of mixing oauth with saml but if you still need the latter for authentication it could be the way to go.
I am trying to use a third party web service which is exposed through a WSDL.
I am generating stubs using wsdl2java (axis) tool.
Now when I am using the same service (the same wsdl) through a SOAP client (SOUP UI Pro) it asks for authentication header info for all APIs (aprt from the normal args).
But in proxy classes (stubs) I am not seeing any API asking for this authentication header info argument.
I am not sure how to send the authentication header info with a SOAP request.
FYI: WSDL2Java is generating the Authentication header info class also, but none of the API is asking for this object argument.
Finally I got the answer.
Actually there is two types of header (defined in WSDL).
Implicit.
Explicit.
In case of explicit header generated stubs takes header as an argument but in case of implicit header we need to bind the header at the client side.
Explained nicely here (worked for me.)