8 Replies Latest reply on Jul 10, 2013 8:58 AM by charlie@carehart.org

    ColdFusion failed security in invoking a WebSphere web service


      I tried to call a web service hosted in a IBM WebSphere server, but could not pass WebSphere's security framework. After some talking with the guys in the WebSphere side, I'm not sure whether this is possible in ColdFusion because they ask for a <wsse:UsernameToken> in the SOAP envelope header. We did some testing, and they confirmed that ColdFusion could talk to the web service, by could not pass security validation. Would someone help me here? Must it be done in Java?

      Here is my calling syntax in ColdFusion:

      <cfinvoke webservice="https://WebServiceURL?wsdl" method="myMethod" username="myUserName" password="myPassword" returnVariable="ReturnCode">
      <cfinvokeargument name="ParaName" value="ParameterValue">

      The web service is locked down, so the calling client must issue a SOAP message containing VALID security extensions:

      xmlns:soapenv=" http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:ws=" http://somedomain"
      xmlns:wsse=" http://schemas.xmlsoap.org/ws/2002/07/secext">

      ... REMOVED as this depends on your individual SOAP service

      The guys at WebSphere said that my ColdFusion SOAP call probably did not have the envelope security header. IIs there a way to capture the underlying actual SOAP call format? Here is the error msg:

      faultCode: { http://schemas.xmlsoap.org/ws/2003/06/secext}FailedAuthentication
      faultString: WSEC5075E: No security token found which satisfies any one of AuthMethods.
      { http://xml.apache.org/axis/}stackTrace:WSEC5075E: No security token found which satisfies any one of AuthMethods.
      at org.apache.axis.message.SOAPFaultBuilder.createFault(SOAPFaultBuilder.java:221)
      at org.apache.axis