3 Replies Latest reply on Jun 19, 2007 4:08 PM by Sean Hughes

    WS-Security, WSE, Web Services, Authentication and Flex 2

    Sean Hughes
      Hey All,

      I've been working hard on getting Flex to communicate with a Microsoft .NET 2.0 Web Services project enabled with WSE 3.0 WS-Security. I can't seem to get the headers into the SOAP request that I need.

      For example, I can get a SOAP header into the message like so:

      <SOAP-ENV:Envelope xmlns:SOAP-ENV=" http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd=" http://www.w3.org/2001/XMLSchema" xmlns:xsi=" http://www.w3.org/2001/XMLSchema-instance">
      <SOAP-ENV:Header>
      <ns0:Security xmlns:ns0=" http://tempuri.org/">
      <ns0:password>pass</ns0:password>
      <ns0:username>DOMAIN\Administrator</ns0:username>
      </ns0:Security>
      </SOAP-ENV:Header>
      <SOAP-ENV:Body>
      <HelloWorld xmlns=" http://tempuri.org/" />
      </SOAP-ENV:Body>
      </SOAP-ENV:Envelope>

      .. but, this isn't what my WSE, WS-Security enabled service expects. Which is:

      <soap:Envelope xmlns:soap=" http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi=" http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd=" http://www.w3.org/2001/XMLSchema" xmlns:wsa=" http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsse=" http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu=" http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <soap:Header>
      <wsa:Action> http://tempuri.org/HelloWorld</wsa:Action>
      <wsa:MessageID>urn:uuid:5be8b55a-df7b-4547-8def-76282fcd8b47</wsa:MessageID>
      <wsa:ReplyTo>
      <wsa:Address> http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
      </wsa:ReplyTo>
      <wsa:To> http://localhost/CampaignMojoAPI.asmx</wsa:To>
      <wsse:Security soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="Timestamp-aab299a8-81e3-4d8a-bfa4-555f38978584">
      <wsu:Created>2007-06-06T20:26:37Z</wsu:Created>
      <wsu:Expires>2007-06-06T20:31:37Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:UsernameToken xmlns:wsu=" http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-b43668b1-51a3-4ba1-a90a-69eca3b98b66">
      <wsse:Username>DOMAIN\Administrator</wsse:Username>
      <wsse:Password Type=" http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#Passwor dText">pass</wsse:Password>
      <wsse:Nonce>IK4ZemfS1pj3kpdYO5+FBg==</wsse:Nonce>
      <wsu:Created>2007-06-06T20:26:37Z</wsu:Created>
      </wsse:UsernameToken>
      </wsse:Security>
      </soap:Header>
      <soap:Body>
      <HelloWorld xmlns=" http://tempuri.org/" />
      </soap:Body>
      </soap:Envelope>

      I've tried "addSimpleHeader" and "addHeader", but both seem to inject nested xml elements. Can anyone help me shape this WS call into the format I need it in? Would it be possible to call this WS manually via a direct HTTP post from Flex 2?

      Thanks!,
      Sean
        • 2. Re: WS-Security, WSE, Web Services, Authentication and Flex 2
          oconq
          I've the same problem and I've not any solutions;

          I call Adobe to know if the will implement WS-Security in Flex 3. Their answer was: "I don't know"...
          • 3. Re: WS-Security, WSE, Web Services, Authentication and Flex 2
            Sean Hughes Level 1
            Yeah,

            Hey guys - thanks for the responses. I looked into this and it seems no one uses WS-Security from the browser. That's why even Google's APIs use alternative key logins, etc. I read from one user that in the next version of Microsoft's AJAX platform that they might support it, but that's about it. For now, it looks like there's not even an AJAX/Javascript way to do this. If we could do it via Javascript, then we could use the FABridge. I don't think Flex supports it. I've tried to manipulate the headers into place via Flex classes and I don't think enough control is there to get the output in the form that's needed.

            I think it's possible to write it in Javascript. But right now my time budget just doesn't allow for it. I already spent two whole days re-writing how Flex makes Web Service calls so they're synchronous with timeouts instead of this massive amount of asynchronous code they want you to write, so no more re-writing/extending of components for me for a while.

            But if anyone wants to work together to support it via AJAX/Javascript, I would invest money into developing it.

            I would like a public WS-Security AJAX/Javascript framework for making these calls via WS-Security so I can offer customers a standard way of accessing/authenticating against our public API set. It would also make it possible for Flex to access standard web services with WS-Security enabled.

            Let me know what you guys think, or if anyone else has any good suggestions/software.

            Thanks much,
            S.