Call a Soap service and sign the request


Call a Soap service and sign the request

bruno.buzzi
Alex/Erik,

Is it possible to sign a request before calling a SOAP service?

We have a platform with a pool of SOAP services.

But to call any of these services, the request must be signed by the caller (Orbeon).

Is it possible to execute some code/process before Orbeon does the call and "attach" the result to the request ?

regards,
bruno


Re: Call a Soap service and sign the request

Alessandro Vernet
Administrator
Hi Bruno,

What does the signature look like? Are you referring to SOAP-dsig [1]? In that case, I imagine you would want to have some kind of "hook" to automatically add a signature before an xf:submission is sent?

[1] https://www.w3.org/TR/SOAP-dsig/

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet

Re: Call a Soap service and sign the request

bruno.buzzi
Alex,

Actually, to use a service the app (Orbeon) must call 2 SOAP services.

1. Call a SOAP service (signing the request). This service answers with a token.
2. Call the actual SOAP service, sending the token from step 1.

Yes, I want some kind of hook to automatically add a signature before an xf:submission is sent.
But then take the result and call the actual service (step 2).

Here I have pasted what the request looks like. Maybe seeing this you will know if it is possible to do it with Orbeon.

To get the Token:
<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
        <s:Header>
                <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</a:Action>
                <a:MessageID>urn:uuid:9003ce2d-5bed-4692-a92b-bbeff24d1648</a:MessageID>
        </s:Header>
        <s:Body>
                <RequestSecurityToken xmlns="http://schemas.xmlsoap.org/ws/2005/02/trust">
                        <TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</TokenType>
                        <AppliesTo xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy">
                                <a:EndpointReference>
                                        <a:Address>http://testservicios.pge.red.uy/acce/consultaproveedores</a:Address>
                                </a:EndpointReference>
                        </AppliesTo>
                        <RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</RequestType>
                        <Issuer>
                                <a:Address>urn:tokensimple</a:Address>
                        </Issuer>
                        <Base>
                                <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_ca5e2d34875af67eec79222d13731444" IssueInstant="2017-01-26T18:04:48.041Z" Issuer="AGESIC" MajorVersion="1" MinorVersion="0">
                                        <saml1:Conditions NotBefore="2017-01-26T17:49:48.041Z" NotOnOrAfter="2017-01-26T18:19:48.041Z"/>
                                        <saml1:AuthenticationStatement AuthenticationInstant="2017-01-26T18:04:48.041Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
                                                <saml1:Subject>
                                                        <saml1:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ou=gerencia de proyectos,o=agesic</saml1:NameIdentifier>
                                                        <saml1:SubjectConfirmation>
                                                                <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml1:ConfirmationMethod>
                                                        </saml1:SubjectConfirmation>
                                                </saml1:Subject>
                                        </saml1:AuthenticationStatement>
                                        <saml1:AttributeStatement>
                                                <saml1:Subject>
                                                        <saml1:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ou=gerencia de proyectos,o=agesic</saml1:NameIdentifier>
                                                        <saml1:SubjectConfirmation>
                                                                <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml1:ConfirmationMethod>
                                                        </saml1:SubjectConfirmation>
                                                </saml1:Subject>
                                                <saml1:Attribute AttributeName="User" AttributeNamespace="urn:tokensimple">
                                                        <saml1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">agesic</saml1:AttributeValue>
                                                </saml1:Attribute>
                                        </saml1:AttributeStatement>
                                        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                                                <ds:SignedInfo>
                                                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                                        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                                                        <ds:Reference URI="#_ca5e2d34875af67eec79222d13731444">
                                                                <ds:Transforms>
                                                                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                                                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                                                                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml1 xs xsi"/>
                                                                        </ds:Transform>
                                                                </ds:Transforms>
                                                                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                                                <ds:DigestValue>3AUeBwbwYjNubHk6ya90VoHU86s=</ds:DigestValue>
                                                        </ds:Reference>
                                                </ds:SignedInfo>
                                                <ds:SignatureValue>
H29snRBVkJK5vabYxNl5RCctzfIEyi1fozGXrOfsKJEliKqOib47cVIPpbS7WAr2ZqQxllXoDy3Pc0
56umqTMHU7sMPPZv27XKBuXPgGPbQlZYh8Tc4da8RaFCFrf8tErpx3fJFPTUGUtUgbIpfjynUsY+
ptwjpbgtSlA0k5iELpI=
</ds:SignatureValue>
                                                <ds:KeyInfo>
                                                        <ds:X509Data>
                                                                <ds:X509Certificate>
MIIEDDCCAvSgAwIBAgIKWeuvVwADAAACbTANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpIR1Rp
dm9saUNBMB4XDTE0MDgxMjE5NDUyMFoXDTE5MDMxMDE3MjgzMVowgacxCzAJBgNVBAYTAlVZMRMw
EQYDVQQIEwpNb250ZXZpZGVvMRMwEQYDVQQHEwpNb250ZXZpZGVvMQ8wDQYDVQQKEwZBR0VTSUMx
HjAcBgNVBAsTFUdlcmVuY2lhIGRlIFByb3llY3RvczEXMBUGA1UEAxMOQWdlc2ljIFRlc3Rpbmcx
JDAiBgkqhkiG9w0BCQEWFXNvcG9ydGVAYWsfddlc2ljLmd1Yi51eTCBnzANBgkqhkiG9w0BAQEFAAOB...</ds:X509Certificate>
                                                        </ds:X509Data>
                                                </ds:KeyInfo>
                                        </ds:Signature>
                                </saml1:Assertion>
                        </Base>
                        <SecondaryParameters>
                                <Rol>ou=gerencia de proyectos,o=agesic</Rol>
                        </SecondaryParameters>
                </RequestSecurityToken>
        </s:Body>
</s:Envelope>

The Actual service:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ws="http://ws.rupe.acce.gub.uy/">
        <soapenv:Header>
                <a:Action xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:e="http://schemas.xmlsoap.org/soap/envelope/">descripcion</a:Action>
                <a:MessageID xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:e="http://schemas.xmlsoap.org/soap/envelope/">uuid:59bc89d6-0c29-4e03-ae0c-b50ffedf8714</a:MessageID>
                <a:To xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:e="http://schemas.xmlsoap.org/soap/envelope/">http://testservicios.pge.red.uy/acce/consultaproveedores</a:To>
                <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:actor="agesic">
                        <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="Assertion-uuiddbf9d807-0159-15d6-8f0c-90b05116dd05" IssueInstant="2017-01-26T18:11:41Z" Issuer="Urudata" MajorVersion="1" MinorVersion="1">
                                <saml:Conditions NotBefore="2017-01-26T17:56:40Z" NotOnOrAfter="2017-01-26T18:26:42Z">
                                        <saml:AudienceRestrictionCondition>
                                                <saml:Audience>http://testservicios.pge.red.uy/acce/consultaproveedores</saml:Audience>
                                        </saml:AudienceRestrictionCondition>
                                </saml:Conditions>
                                <saml:AuthenticationStatement AuthenticationInstant="2017-01-26T18:11:41Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
                                        <saml:Subject>
                                                <saml:NameIdentifier>ou=gerencia de proyectos,o=agesic,o=presidencia de la republica,O=Poder Ejecutivo,O=Gobierno Nacional,o=Gobierno,C=UY</saml:NameIdentifier>
                                        </saml:Subject>
                                </saml:AuthenticationStatement>
                                <saml:AttributeStatement>
                                        <saml:Subject>
                                                <saml:NameIdentifier>ou=gerencia de proyectos,o=agesic,o=presidencia de la republica,O=Poder Ejecutivo,O=Gobierno Nacional,o=Gobierno,C=UY</saml:NameIdentifier>
                                        </saml:Subject>
                                        <saml:Attribute AttributeName="User" AttributeNamespace="urn:tokensimple">
                                                <saml:AttributeValue>agesic</saml:AttributeValue>
                                        </saml:Attribute>
                                </saml:AttributeStatement>
                                <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="uuiddbf9d808-0159-1b36-bf6c-90b05116dd05">
                                        <ds:SignedInfo>
                                                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                                                <ds:Reference URI="#Assertion-uuiddbf9d807-0159-15d6-8f0c-90b05116dd05">
                                                        <ds:Transforms>
                                                                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                                                        <xc14n:InclusiveNamespaces xmlns:xc14n="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="saml"/>
                                                                </ds:Transform>
                                                        </ds:Transforms>
                                                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                                        <ds:DigestValue>gUNUTZKHVpfuq96Daop2nRm3qOvg=</ds:DigestValue>
                                                </ds:Reference>
                                        </ds:SignedInfo>
                                        <ds:SignatureValue>ZqpgyKrWsdfBaZiv4XZK8gtmn6/vMXe4uz29Mop/4jh3V5KDh+nPpQX86RNRFoQnvs65T+MEYuOANvFJOJUMSYXr0PC0iyW7TEQuwevGqi15lRRlMElgTEm/BHAvEZvV8dSKgpoQUoQfQLBbOt+Cmd+UYqP+o8s0+JlEfBNtTLZRwk=</ds:SignatureValue>
                                        <ds:KeyInfo>
                                                <ds:X509Data>
                                                        <ds:X509Certificate>...</ds:X509Certificate>
                                                </ds:X509Data>
                                        </ds:KeyInfo>
                                </ds:Signature>
                        </saml:Assertion>
                </wsse:Security>
                <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
        </soapenv:Header>
        <soapenv:Body>
                <ws:descripcion/>
        </soapenv:Body>
</soapenv:Envelope>

Re: Call a Soap service and sign the request

Alessandro Vernet
Administrator
Hi Bruno,

At a first glance, this behavior seems to be really too application-specific to be something that would really make sense in Orbeon Forms. Instead, would it be possible for you to implement this in a "trampoline service", which takes the unsigned request from Orbeon Forms, does the call to get the token, sends the request with the token to the backend service, and sends the response back to Orbeon Forms?

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
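The two-step flow Bruno pasted above (obtain a SAML token from the token service, then call the real service with that assertion inside wsse:Security) and the "trampoline service" Alex suggests, as an added example that is not code from this thread or from Orbeon: a minimal step-2 wrapper in Python that refuses to forward a token whose Conditions window has passed or whose Audience is not the endpoint it is about to call. The assertion is a constructed stand-in without its ds:Signature; a real connector must also verify that signature and the issuer certificate before trusting the token.

```python
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {  # namespaces used in the two envelopes shown in the thread
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "a": "http://www.w3.org/2005/08/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ws": "http://ws.rupe.acce.gub.uy/",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
TARGET = "http://testservicios.pge.red.uy/acce/consultaproveedores"
# Constructed stand-in for the assertion the token service hands back in step 1.
# The ds:Signature is left out; only the Conditions matter for the checks below.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  AssertionID="Assertion-example" IssueInstant="2017-01-26T18:11:41Z" Issuer="Urudata"
  MajorVersion="1" MinorVersion="1">
  <saml:Conditions NotBefore="2017-01-26T17:56:40Z" NotOnOrAfter="2017-01-26T18:26:42Z">
    <saml:AudienceRestrictionCondition><saml:Audience>%s</saml:Audience></saml:AudienceRestrictionCondition>
  </saml:Conditions>
</saml:Assertion>""" % TARGET

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def token_usable(assertion_xml, audience, now):
    """True only if the assertion is inside its validity window and was issued for this endpoint."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    if cond is None:
        return False  # an assertion without Conditions is never accepted
    if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        return False
    audiences = [e.text for e in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    return audience in audiences

def build_service_request(assertion_xml, action, target, now=None):
    """Step 2: wrap the issued assertion in wsse:Security and add the WS-Addressing headers."""
    now = now or datetime.now(timezone.utc)
    if not token_usable(assertion_xml, target, now):
        raise ValueError("token not usable for %s at %s" % (target, now.isoformat()))
    env = ET.Element("{%s}Envelope" % NS["s"])
    hdr = ET.SubElement(env, "{%s}Header" % NS["s"])
    ET.SubElement(hdr, "{%s}Action" % NS["a"]).text = action
    ET.SubElement(hdr, "{%s}MessageID" % NS["a"]).text = "uuid:" + str(uuid.uuid4())
    ET.SubElement(hdr, "{%s}To" % NS["a"]).text = target
    ET.SubElement(hdr, "{%s}Security" % NS["wsse"]).append(ET.fromstring(assertion_xml))
    # body operation is named after the action, as in the thread's <ws:descripcion/> example
    ET.SubElement(ET.SubElement(env, "{%s}Body" % NS["s"]), "{%s}%s" % (NS["ws"], action))
    return ET.tostring(env, encoding="unicode")
```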

Re: Call a Soap service and sign the request

bruno.buzzi
Alex,

Yesterday I was talking with the platform specialist and we knew that it will be very difficult to find something so specific in Orbeon.

The solution that you mention ("trampoline service") already exists. We call it "connector".

To use the TS we have to migrate from Orbeon on Tomcat to Orbeon on JBoss.

I think in March we are going to migrate to Orbeon 2016.2.2 and at the same time to JBoss.

regards,
bruno

Re: Call a Soap service and sign the request

Alessandro Vernet
Administrator
Hi Bruno,

If you already have this trampoline / connector service, then I imagine all is good. Out of curiosity, if you can share this with us, what is the rationale for migrating from Tomcat to JBoss?

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet

Re: Call a Soap service and sign the request

bruno.buzzi
Alex,

The so-called connector runs on JBoss (and is tested on JBoss). This connector is one per application and we do not want to have Tomcat + JBoss in the same CentOS VM. So migrating Orbeon to JBoss is the least expensive thing to do.

regards
bruno

Re: Call a Soap service and sign the request

Alessandro Vernet
Administrator
Bruno, got it, it makes sense.

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet