• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

ColdFusion failed security in invoking a WebSphere web service

New Here ,
Jun 11, 2008 Jun 11, 2008

Copy link to clipboard

Copied

Hello,

I tried to call a web service hosted in a IBM WebSphere server, but could not pass WebSphere's security framework. After some talking with the guys in the WebSphere side, I'm not sure whether this is possible in ColdFusion because they ask for a <wsse:UsernameToken> in the SOAP envelope header. We did some testing, and they confirmed that ColdFusion could talk to the web service, by could not pass security validation. Would someone help me here? Must it be done in Java?

Here is my calling syntax in ColdFusion:

<cfinvoke webservice="https://WebServiceURL?wsdl" method="myMethod" username="myUserName" password="myPassword" returnVariable="ReturnCode">
<cfinvokeargument name="ParaName" value="ParameterValue">
</cfinvoke>

The web service is locked down, so the calling client must issue a SOAP message containing VALID security extensions:

<soapenv:Envelope
xmlns:soapenv=" http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ws=" http://somedomain"
xmlns:wsse=" http://schemas.xmlsoap.org/ws/2002/07/secext">

<soapenv:Header>
<wsse:Security>
<wsse:UsernameToken>
<wsse:Username>myUserName</wsse:Username>
<wsse:Password>myPassword</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
... REMOVED as this depends on your individual SOAP service
</soapenv:Body>
</soapenv:Envelope>

The guys at WebSphere said that my ColdFusion SOAP call probably did not have the envelope security header. IIs there a way to capture the underlying actual SOAP call format? Here is the error msg:

AxisFault
faultCode: { http://schemas.xmlsoap.org/ws/2003/06/secext}FailedAuthentication
faultSubcode:
faultString: WSEC5075E: No security token found which satisfies any one of AuthMethods.
faultActor:
faultNode:
faultDetail:
{ http://xml.apache.org/axis/}stackTrace:WSEC5075E: No security token found which satisfies any one of AuthMethods.
at org.apache.axis.message.SOAPFaultBuilder.createFault(SOAPFaultBuilder.java:221)
at org.apache.axis


Larry
TOPICS
Advanced techniques

Views

2.2K

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Jun 11, 2008 Jun 11, 2008

Copy link to clipboard

Copied

Hi, try this:

<cfset UserName = "myUsername" />
<cfset Password = "myPassword" />
<cfset NameSpace = " http://schemas.xmlsoap.org/ws/2002/07/secext" />

<cfsavecontent variable="my_xml">
<Security xmlns="#NameSpace#">
<UsernameToken>
<Username>#Username#</Username>
<Password>#Password#</Password>
</UsernameToken>
</Security>
</cfsavecontent>

<cfset xml_obj = xmlparse(my_xml)>



<cfset WS = CreateObject('webservice', ' http://WebServiceUrl?wsdl') />
<cfset AddSOAPRequestHeader(WS, NameSpace, "Security", Security) />

Sam
Adobe Certified Flash and
Advanced ColdFusion Developer

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Jun 11, 2008 Jun 11, 2008

Copy link to clipboard

Copied

Hmm, I still got similar error after adding the header. Any more ideas? Here is my code:

<cfset UserName = "#Form.UserName#" />
<cfset Password = "#Form.Password#" />
<cfset NameSpace = " http://schemas.xmlsoap.org/ws/2002/07/secext" />

<cfsavecontent variable="my_xml">
<Security xmlns="#NameSpace#">
<UsernameToken>
<Username>#Username#</Username>
<Password>#Password#</Password>
</UsernameToken>
</Security>
</cfsavecontent>

<cfset xml_obj = xmlparse(my_xml)>
<cfset ws = CreateObject("webservice", "#Form.EndPoint#") />
<cfset AddSOAPRequestHeader(ws, NameSpace, "Security", xml_obj) />
<cfset ReturnCode = ws.getDealer("#Form.ParameterValue1#")>

Here is the error msg:

Error: coldfusion.xml.rpc.ServiceProxy$ServiceInvocationException: Could not perform web service invocation "getDealer".
Description: Could not perform web service invocation "getDealer". Here is the fault returned when invoking the web service operation:

AxisFault
faultCode: { http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
faultSubcode:
faultString: com.ibm.wsspi.wssecurity.SoapSecurityException: The Application Server expected a Security header with the http://schemas.xmlsoap.org/ws/2003/06/secext or http://schemas.xmlsoap.org/ws/2002/07/secext or http://schemas.xmlsoap.org/ws/2002/04/secext namespace, but it was not found.
faultActor:
faultNode:
faultDetail:
{ http://xml.apache.org/axis/}stackTrace:com.ibm.wsspi.wssecurity.SoapSecurityException: The Application Server expected a Security header with the http://schemas.xmlsoap.org/ws/2003/06/secext or http://schemas.xmlsoap.org/ws/2002/07/secext or http://schemas.xmlsoap.org/ws/2002/04/secext namespace, but it was not found.
at org.apache.axis.message.SOAPFaultBuilder.createFault(SOAPFaultBuilder.java:221)
at org.apache.axis.message.SOAPFaultBuilder.endElement(SOAPFaultBuilder.java:128)
at org.apache.axis.encoding.DeserializationContext.endElement(DeserializationConte...

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Jun 11, 2008 Jun 11, 2008

Copy link to clipboard

Copied

Hmm. May be modifying the xml this way will do the trick:

<cfsavecontent variable="my_xml">
<UsernameToken xmlns="#NameSpace#">
<Username>#Username#</Username>
<Password>#Password#</Password>
</UsernameToken>
</cfsavecontent>

Sam
Adobe Certified Flash and
Advanced ColdFusion Developer

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Jun 11, 2008 Jun 11, 2008

Copy link to clipboard

Copied

I just found this out in CF documentation for AddSOAPRequestHeader(webservice, namespace, name, value [, mustunderstand]):

"If you pass XML in the value parameter, ColdFusion ignores the namespace and name parameters. If you require a namespace, define it within the XML itself."

But after reviewing the SOAP header definition in my initial post, I couldn't figure out how can you add a namespace to the envelope header.


Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Jun 11, 2008 Jun 11, 2008

Copy link to clipboard

Copied

I tried many combinations of generating the pre-defined SOAP header. None of them worked. All with the same error msg from WebSphere: "The Application Server expected a Security header ...., but it was not found."

Please help!

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Jul 08, 2008 Jul 08, 2008

Copy link to clipboard

Copied

so after pulling out most of my remaining hair and reading tons of docs, I finally got this to work. Hopefully this will save someone a LOT of time and aggravation. How to use CF with stupid WSSE security.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jul 10, 2013 Jul 10, 2013

Copy link to clipboard

Copied

LATEST

Sadly, byrning's reply ended with just "how to use CF with stupid WSSE security", which leads readers to wonder if he meant to share more. For instance, was that supposed to be a link to a blog entry?

I did some digging, and I found an old google cache of another version of this forum, and it showed that he had included the following code, which somehow never made it into the message here:

<cfset myUsername = "yourUsername" />

<cfset myPassword = "yourPassword" />

<cfset myDate = DateFormat(DateConvert("local2Utc", now()),

"yyyy-mm-ddThh:mm:ssZ")>

<cfset myNonce = createPIN(33)> <!--- this is just a random alpha numeric

string 33 chars long - got the function at cflib.org --->

<cfset myPasswordDigest = ToBase64(Hash(myNonce & myDate & myPassword ))>

<cfscript>

        myObj = createObject("webservice", "http://urltoYourService?wsdl");

        headerElement = createObject("java",

"org.apache.axis.message.SOAPHeaderElement");

        headerElement.init("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wss

ecurity-secext-1.0.xsd", "wsse:Security");

        headerElement.addChildElement("wsse:UsernameToken");

        headerElement.getFirstChild().addChildElement("wsse:Username").setValue(myUsern

ame);

        mypass = headerElement.getFirstChild().addChildElement("wsse:Password");

        mypass.setValue(myPasswordDigest);

        mypass.setAttribute("Type", "wsse:PasswordDigest");

        headerElement.getFirstChild().addChildElement("wsse:Nonce").setValue(

ToBase64(Hash(myNonce, "SHA")) );

        myCreated = headerElement.getFirstChild().addChildElement("wsu:Created");

        myCreated.setValue(myDate);

        myCreated.setAttribute("xmlns:wsu",

"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-ut....

xsd");

        headerElement.setMustUnderstand(1);

        headerElement.setActor("");

        myObj.setHeader(headerElement);

        result = myObj.methodtoCall(param1="yadda", param2="yadda")

</cfscript>    


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Dec 03, 2008 Dec 03, 2008

Copy link to clipboard

Copied

?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation