Comments on: SOAP headers in Flex and WS-Security http://www.svendens.com/flex/soap-headers-in-flex-and-ws-security/ deserialize me Tue, 04 May 2010 22:52:15 +0200 http://wordpress.org/?v=2.8.6 hourly 1 By: Matt http://www.svendens.com/flex/soap-headers-in-flex-and-ws-security/comment-page-1/#comment-2516 Matt Tue, 04 May 2010 22:52:15 +0000 http://www.svendens.be/blog/archives/27#comment-2516 Same problem as Ankur. getUsernameTokenAsArray is undefined. Is it deprecated? Same problem as Ankur.
getUsernameTokenAsArray is undefined.
Is it deprecated?

]]> By: Clay http://www.svendens.com/flex/soap-headers-in-flex-and-ws-security/comment-page-1/#comment-2269 Clay Thu, 25 Feb 2010 21:18:06 +0000 http://www.svendens.be/blog/archives/27#comment-2269 Anyone know if the WSDL Wizard in Flash Builder 4 also has the problem? I've been having... issues. Anyone know if the WSDL Wizard in Flash Builder 4 also has the problem? I’ve been having… issues.

]]> By: Gaurav http://www.svendens.com/flex/soap-headers-in-flex-and-ws-security/comment-page-1/#comment-2264 Gaurav Wed, 24 Feb 2010 05:41:06 +0000 http://www.svendens.be/blog/archives/27#comment-2264 Thanks for this wonderful post. I would like to add that the statement "Let me start off by saying that the Import Web Service (WSDL) wizard in Flex 3 doesn’t work as it should!" by Sven is completely true. But we have the, generated proxies working fine with Apache CXF hosted webservice using Security headers with a couple of tweaks. In order to implement the fix we need to understand the design using which the proxy files are generated. Here is how the proxies work: Let us suppose Demo being the service name. There is one DemoWebService.as file which is derived from interface IDemoService.as. There is another file called BaseDemoWebService.as which actually does the SOAP serialization and deserialization. The DemoWebService.as (ServiceImpl) delegates all the opreations to the BaseDemoWebService instance which is composed in it. Now in order to add the SOAP security headers we should add a method in the DemoWebService.as like setAuthentication(or whatever you like). This code is similar to what Sven did in his post. Clearing and adding the security headers. My custom method looks like: public function setAuthentication(userName:String, password:String):void { import be.svendens.util.SOAPHeaderUtil; import mx.rpc.soap.SOAPHeader; if (_baseService != null) { var customHeader:SOAPHeader = SOAPHeaderUtil.returnWSSEHeaderWithoutNonceAndTimestamp(userName, password); //customHeader.mustUnderstand = true; _baseService.clearHeaders(); _baseService.addHeader(customHeader); } } The second and most important issue that needs to be fixed is in the BaseDemoWebService.as which is the core file. Here all the headers that we add are ignored as its everytime does the new for Header array. The simple fix is in BaseDemoService file. Find the line in method call soap = enc.encodeRequest(args,headers); and replace it with soap = enc.encodeRequest(args, super.headers); Just compile and verify the system will send your WSSE security headers to the webservice endpoint URI. All these fixes can be automated easily by writing a simple tool. We have created one tool which runs on the generated proxies and patches the proxies to support the WSSE headers exactly as mentioned above. Please contact us in case you need that tool for free :) or in case you have any other issue. Regards Gaurav gaurav_handa@nthdimenzion.com Thanks for this wonderful post. I would like to add that the statement “Let me start off by saying that the Import Web Service (WSDL) wizard in Flex 3 doesn’t work as it should!” by Sven is completely true. But we have the, generated proxies working fine with Apache CXF hosted webservice using Security headers with a couple of tweaks.

In order to implement the fix we need to understand the design using which the proxy files are generated.

Here is how the proxies work:

Let us suppose Demo being the service name.

There is one DemoWebService.as file which is derived
from interface IDemoService.as.
There is another file called BaseDemoWebService.as which actually does the SOAP serialization and deserialization.

The DemoWebService.as (ServiceImpl) delegates all the opreations to the BaseDemoWebService instance which is composed in it.

Now in order to add the SOAP security headers we should add a method in the DemoWebService.as like setAuthentication(or whatever you like). This code is similar to what Sven did in his post. Clearing and adding the security headers.

My custom method looks like:

public function setAuthentication(userName:String, password:String):void
{
import be.svendens.util.SOAPHeaderUtil;
import mx.rpc.soap.SOAPHeader;
if (_baseService != null) {
var customHeader:SOAPHeader = SOAPHeaderUtil.returnWSSEHeaderWithoutNonceAndTimestamp(userName, password);

//customHeader.mustUnderstand = true;
_baseService.clearHeaders();
_baseService.addHeader(customHeader);
}
}

The second and most important issue that needs to be fixed is in the BaseDemoWebService.as which is the core file. Here all the headers that we add are ignored as its everytime does the new for Header array.

The simple fix is in BaseDemoService file.

Find the line in method call

soap = enc.encodeRequest(args,headers);

and replace it with

soap = enc.encodeRequest(args, super.headers);

Just compile and verify the system will send your WSSE security headers to the webservice endpoint URI.

All these fixes can be automated easily by writing a simple tool. We have created one tool which runs on
the generated proxies and patches the proxies to support the WSSE headers exactly as mentioned above.

Please contact us in case you need that tool for free :) or in case you have any other issue.

Regards
Gaurav
gaurav_handa@nthdimenzion.com

]]> By: pramod http://www.svendens.com/flex/soap-headers-in-flex-and-ws-security/comment-page-1/#comment-1535 pramod Tue, 13 Oct 2009 12:30:36 +0000 http://www.svendens.be/blog/archives/27#comment-1535 But after adding the security data in header how to fetch the same at the service side.. is at possible? because in headers object at service side m able to fetch all data except this security tag data.. But after adding the security data in header how to fetch the same at the service side.. is at possible? because in headers object at service side m able to fetch all data except this security tag data..

]]> By: web services new bee http://www.svendens.com/flex/soap-headers-in-flex-and-ws-security/comment-page-1/#comment-1514 web services new bee Fri, 09 Oct 2009 17:47:46 +0000 http://www.svendens.be/blog/archives/27#comment-1514 hi, i am trying to add digest authentication to client side, can some one let me how to write spring client for consuming spring web service which requires digest authentication. should i populate soap headers? if so, how to do that. i am using axis thanks hi, i am trying to add digest authentication to client side, can some one let me how to write spring client for consuming spring web service which requires digest authentication. should i populate soap headers? if so, how to do that.
i am using axis
thanks

]]> By: Wojciech http://www.svendens.com/flex/soap-headers-in-flex-and-ws-security/comment-page-1/#comment-1426 Wojciech Thu, 17 Sep 2009 21:11:16 +0000 http://www.svendens.be/blog/archives/27#comment-1426 In WSSEUsernameToken class in the getUsernameTokenAsArray function there is changed order of lines. Line: nonce = base64Encode(nonce); should be after the line: var password64:String = getBase64Digest(nonce, created, password); or it's better to provide a new variable: var encodedNonce:String = base64Encode(nonce); var created:String = generateTimestamp(timestamp); var password64:String = getBase64Digest(nonce, created, password); var token:Array = new Array(username, password64, encodedNonce, created); In WSSEUsernameToken class in the getUsernameTokenAsArray function there is changed order of lines.
Line:
nonce = base64Encode(nonce);
should be after the line:
var password64:String = getBase64Digest(nonce, created, password);

or it’s better to provide a new variable:
var encodedNonce:String = base64Encode(nonce);
var created:String = generateTimestamp(timestamp);
var password64:String = getBase64Digest(nonce, created, password);
var token:Array = new Array(username, password64, encodedNonce, created);

]]> By: Stuart http://www.svendens.com/flex/soap-headers-in-flex-and-ws-security/comment-page-1/#comment-1421 Stuart Tue, 15 Sep 2009 11:26:01 +0000 http://www.svendens.be/blog/archives/27#comment-1421 OK, it seems to be sorted now. The cause was that I added SOAP-ENV:mustUnderstand="1" as an attribute under the wsse:Security element. Note that this is not present in Sven's code so it was pretty much a problem of my own making. However, in the interests of disclosure... Adding this attribute seems, at least in the implementation I'm working with, to make the server pay attention to the wsu:Id attribute in the UsernameToken element along with the Created and Expires elements in the Timestamp (i.e. If you pass a different Id attribute value through the same browser session before the Timestamp has expired then it's throwing an error). There's two ways I've found to get around this: 1. Exclude the mustUnderstand attribute - I'm not sure if this is desirable or not (and I also have no idea what this would do to any implementations that actually track sessions for a reason), but the WSS specs (http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf) state: "When a header includes a mustUnderstand="true" attribute: The receiver MUST generate a SOAP fault if does not implement the WSS: SOAP Message Security specification corresponding to the namespace. Implementation means ability to interpret the schema as well as follow the required processing rules specified in WSS: SOAP Message Security. The receiver must generate a fault if unable to interpret or process security tokens contained in the header block according to the corresponding WSS: SOAP Message Security token profiles. Receivers MAY ignore elements or extensions within the element, based on local security policy." 2. Keep the Id attribute value consistent until the Timestamp expires (or in theory throughout the life of the session) - This would seem to be a slightly more official way of doing it. Either of these will make it work with the server implementation I'm using right now, although I'm storngly leaning towards the second option. Again, all the usual caveats apply regarding this being a fix for my specific implementation and relying on the server-side guys to have locked things down well enough from a security angle that I can't actually implement an insecure solution. ;) OK, it seems to be sorted now. The cause was that I added SOAP-ENV:mustUnderstand=”1″ as an attribute under the wsse:Security element.

Note that this is not present in Sven’s code so it was pretty much a problem of my own making. However, in the interests of disclosure…

Adding this attribute seems, at least in the implementation I’m working with, to make the server pay attention to the wsu:Id attribute in the UsernameToken element along with the Created and Expires elements in the Timestamp (i.e. If you pass a different Id attribute value through the same browser session before the Timestamp has expired then it’s throwing an error).

There’s two ways I’ve found to get around this:

1. Exclude the mustUnderstand attribute – I’m not sure if this is desirable or not (and I also have no idea what this would do to any implementations that actually track sessions for a reason), but the WSS specs (http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf) state:

“When a header includes a mustUnderstand=”true” attribute:

The receiver MUST generate a SOAP fault if does not implement the WSS: SOAP Message Security specification corresponding to the namespace. Implementation means ability to interpret the schema as well as follow the required processing rules specified in WSS: SOAP Message Security.

The receiver must generate a fault if unable to interpret or process security tokens contained in the header block according to the corresponding WSS: SOAP Message Security token profiles.

Receivers MAY ignore elements or extensions within the element, based on local security policy.”

2. Keep the Id attribute value consistent until the Timestamp expires (or in theory throughout the life of the session) – This would seem to be a slightly more official way of doing it.

Either of these will make it work with the server implementation I’m using right now, although I’m storngly leaning towards the second option.

Again, all the usual caveats apply regarding this being a fix for my specific implementation and relying on the server-side guys to have locked things down well enough from a security angle that I can’t actually implement an insecure solution. ;)

]]> By: Stuart http://www.svendens.com/flex/soap-headers-in-flex-and-ws-security/comment-page-1/#comment-1416 Stuart Mon, 14 Sep 2009 16:32:15 +0000 http://www.svendens.be/blog/archives/27#comment-1416 Heh. You'd have thought I'd haven taken the whole parsing issue into account for posting XML, but no. The header (now with added entities) should read: <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1"> <wsse:UsernameToken> <wsse:Username>username</wsse:Username> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">encoded pasword</wsse:Password> <wsse:Nonce>encoded nonce</wsse:Nonce> <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-09-14T10:53:01Z</wsu:Created> </wsse:UsernameToken> <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> <wsu:Created>2009-09-14T10:53:01Z</wsu:Created> <wsu:Expires>2009-09-14T10:58:01Z</wsu:Expires> </wsu:Timestamp> </wsse:Security> Heh. You’d have thought I’d haven taken the whole parsing issue into account for posting XML, but no. The header (now with added entities) should read:

<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<wsse:UsernameToken>
<wsse:Username>username</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">encoded pasword</wsse:Password>
<wsse:Nonce>encoded nonce</wsse:Nonce>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-09-14T10:53:01Z</wsu:Created>
</wsse:UsernameToken>
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2009-09-14T10:53:01Z</wsu:Created>
<wsu:Expires>2009-09-14T10:58:01Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>

]]> By: Stuart http://www.svendens.com/flex/soap-headers-in-flex-and-ws-security/comment-page-1/#comment-1415 Stuart Mon, 14 Sep 2009 16:21:04 +0000 http://www.svendens.be/blog/archives/27#comment-1415 I've got it working to a point right now. We've used Axis to implement WSS on our server so I used this to knock together a java client then checked the password and nonce encoding were working correctly in the flex client (which they are). Basically in the end all I needed to do was to implement the timestamp token within the security element on the header: 2009-09-14T10:53:01Z 2009-09-14T10:58:01Z (This'll be pretty badly formatted but it should be decipherable). The java client set the expiry time for the header as creation time + 5 mins, so I set the Flex entry to be the same (the created value is the same as the created entry within the UsernameToken). Having said that I supposed it's possible that the requirement for the timestamp may be Axis and/or implementation specific, so it may not be the solution to anyone's problems bar mine but it's a starting point. There's still one problem I haven't overcome yet which is that if you call the same webservice operation a few times in a row after succeeding the first couple of times it permanently falls over with the error: soapenv:Server.userException - org.xml.sax.SAXParseException: The prefix "soapenv" for attribute "soapenv:mustUnderstand" is not bound. Once I get a solution for this I'll post it here (I'm guessing it's probably a server-side issue). I’ve got it working to a point right now. We’ve used Axis to implement WSS on our server so I used this to knock together a java client then checked the password and nonce encoding were working correctly in the flex client (which they are). Basically in the end all I needed to do was to implement the timestamp token within the security element on the header:

2009-09-14T10:53:01Z
2009-09-14T10:58:01Z

(This’ll be pretty badly formatted but it should be decipherable).

The java client set the expiry time for the header as creation time + 5 mins, so I set the Flex entry to be the same (the created value is the same as the created entry within the UsernameToken).

Having said that I supposed it’s possible that the requirement for the timestamp may be Axis and/or implementation specific, so it may not be the solution to anyone’s problems bar mine but it’s a starting point.

There’s still one problem I haven’t overcome yet which is that if you call the same webservice operation a few times in a row after succeeding the first couple of times it permanently falls over with the error:

soapenv:Server.userException – org.xml.sax.SAXParseException: The prefix “soapenv” for attribute “soapenv:mustUnderstand” is not bound.

Once I get a solution for this I’ll post it here (I’m guessing it’s probably a server-side issue).

]]> By: Sven Dens http://www.svendens.com/flex/soap-headers-in-flex-and-ws-security/comment-page-1/#comment-1412 Sven Dens Sat, 12 Sep 2009 09:36:23 +0000 http://www.svendens.be/blog/archives/27#comment-1412 Nothing wrong with the download link as far as I can tell Ankur. A perfectly working solution has not been found by anybody just yet as you can tell from the other comments. I'll have to test what Stuart writes, comparing the headers from a Java-originated call to those of a Flex-originated call to see why the Flex ones won't validate. I'll also have to test it against different versions of SOAP etc... Hope to have a new post on the subject soon that FINALLY contains a 100% working solution. Kind regards, Sven Nothing wrong with the download link as far as I can tell Ankur.

A perfectly working solution has not been found by anybody just yet as you can tell from the other comments. I’ll have to test what Stuart writes, comparing the headers from a Java-originated call to those of a Flex-originated call to see why the Flex ones won’t validate.
I’ll also have to test it against different versions of SOAP etc…

Hope to have a new post on the subject soon that FINALLY contains a 100% working solution.

Kind regards,
Sven

]]>