WS-Security for SOAP Requests

Hi,

Does Apigee support WS-Security for SOAP requests? I have created a pass-thru SOAP request and need to authenticate the request using WS-Security standards.

Can anyone help on this ?

Apigee Edge will authenticate the request based on the SOAP Security header

<soapenv:Header>
   <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:UsernameToken wsu:Id="UsernameToken-459">
         <wsse:Username>username</wsse:Username>
         <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
      </wsse:UsernameToken>
   </wsse:Security>
</soapenv:Header>

Username and password are passed in the header. Is there an out of the box approach to validate the soap security header without extracting the credentials ?

Or an out of the box approach to process the security header ?

Thanks


you said, "pass-through"

But which party in the chain is verifying the WS-Security header? Apigee Edge, or the backend system? The reason I ask: if it is "pass-through", normally the backend system is already doing the WS-Sec validation. Few people are building "new" SOAP systems now, and there are very few new deployments of WS-Sec. If you are doing pass-through of a SOAP/WS-Sec transaction, normally Apigee Edge wouldn't need to do anything. It is the backend system that validates, and obvs there is nothing Apigee Edge needs to do to the message.

But maybe it is not pass-through. If for some reason you want Apigee Edge itself to validate the WS-Sec header, then yes, it is possible. It depends on the type of token passed in the header. Apigee Edge can do:

  • Username token
  • X.509
  • SAML Bearer
  • and maybe other variants

Probably not Kerberos (but I hope you're not using Krb with WS-Sec). What are your specific requirements?


For this specific example, you can use a combination of Extract Variable policy with the LDAP Policy (assuming you are running this on premises) to validate the user and password.

Hi @Dino & @Srinandan Sridhar, I have a similar kind of requirement, as below.

We need to expose a SOAP web service endpoint to an external partner.
The web service will need to be secured using WS-Security X.509 certificate.

Can you please confirm whether Apigee can handle the WS-Security header and perform the authentication and pass the request through to a target internal SOAP endpoint that is not secured.

Is there any working example which I can refer to for the X.509 certificate authentication? Looking for your advice. Thanks in advance.

Hi

Can you please post this as a new question, rather than as a comment to a 1-year-old question?


I have a similar requirement. Did anyone find a working solution for authenticating SOAP requests with WS-Security UsernameToken?

Jorge, I suppose it would be pretty easy to

  • insert an ExtractVariables policy to extract the username and password
  • validate that username and password against some external service (ServiceCallout?) or internal database (JavaScript or KVM lookup).

This seems like an easy thing to do with 2 policies.

Have you tried it? Does the configuration of the ExtractVariables and then the following credentials verification seem like something you could accomplish? or do you need more guidance on that?

Yes you are right. I see the original post was in reference to the PasswordText scenario. I'm really interested in a working solution covering the PasswordDigest scenario. I guess I'll post a new question for that. Thanks!

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest
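The following is an added example, not code from any of the replies above and not an Apigee policy. It shows in plain Python the two steps described in the thread (extract the UsernameToken from the wsse:Security header, then validate the credential) for both the PasswordText case from the original question and the PasswordDigest case asked about in the last reply. Per the UsernameToken Profile 1.0, PasswordDigest is Base64(SHA-1(nonce + created + password)), so the verifier also enforces a freshness window on wsu:Created and rejects a replayed nonce, which is what makes the digest form worth more than the cleartext one. The credential store, the 5-minute skew window and the sample envelopes are assumptions constructed for the demo; in Apigee the same logic would sit behind the ExtractVariables and validation policies the replies mention.

```python
"""Verify a WS-Security UsernameToken (PasswordText or PasswordDigest).

Added standalone example. CREDENTIALS, MAX_SKEW and the sample envelopes are
assumptions for illustration; the verifier logic follows UsernameToken Profile 1.0.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"

CREDENTIALS = {"username": "password"}  # hypothetical store standing in for LDAP/KVM
SEEN_NONCES = set()                      # replay cache; share it across nodes in production
MAX_SKEW = timedelta(minutes=5)          # assumed freshness window for wsu:Created


def extract_username_token(envelope_xml):
    """Namespace-aware extraction of the UsernameToken fields (the ExtractVariables step)."""
    root = ET.fromstring(envelope_xml)
    token = root.find("soapenv:Header/wsse:Security/wsse:UsernameToken", NS)
    if token is None:
        return None
    pw = token.find("wsse:Password", NS)
    nonce = token.find("wsse:Nonce", NS)
    created = token.find("wsu:Created", NS)
    return {
        "username": token.findtext("wsse:Username", default="", namespaces=NS),
        "password": (pw.text or "") if pw is not None else "",
        # The profile says a missing Type attribute means PasswordText.
        "type": pw.get("Type", PASSWORD_TEXT) if pw is not None else PASSWORD_TEXT,
        "nonce": nonce.text if nonce is not None else None,
        "created": created.text if created is not None else None,
    }


def password_digest(nonce_b64, created, password):
    """UsernameToken Profile 1.0: Base64(SHA-1(decoded nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def verify_token(tok, now=None):
    """Return (ok, reason). `now` is injectable so the freshness check is deterministic."""
    if tok is None:
        return False, "no UsernameToken"
    secret = CREDENTIALS.get(tok["username"])
    if secret is None:
        return False, "unknown user"
    if tok["type"] == PASSWORD_TEXT:
        ok = hmac.compare_digest(tok["password"], secret)  # constant-time compare
        return ok, "ok" if ok else "bad password"
    if tok["type"] == PASSWORD_DIGEST:
        if not tok["nonce"] or not tok["created"]:
            return False, "digest requires Nonce and Created"
        created = datetime.fromisoformat(tok["created"].replace("Z", "+00:00"))
        if created.tzinfo is None:
            created = created.replace(tzinfo=timezone.utc)
        now = now or datetime.now(timezone.utc)
        if abs(now - created) > MAX_SKEW:
            return False, "Created outside freshness window"
        if tok["nonce"] in SEEN_NONCES:
            return False, "replayed nonce"
        expected = password_digest(tok["nonce"], tok["created"], secret)
        if not hmac.compare_digest(tok["password"], expected):
            return False, "bad digest"
        SEEN_NONCES.add(tok["nonce"])  # only remember nonces that authenticated
        return True, "ok"
    return False, "unsupported Password Type"


def build_envelope(username, password_value, pw_type, nonce_b64=None, created=None):
    """Constructed sample request mirroring the header quoted in the question."""
    extra = ""
    if nonce_b64:
        extra += f"<wsse:Nonce>{nonce_b64}</wsse:Nonce>"
    if created:
        extra += f"<wsu:Created>{created}</wsu:Created>"
    return (
        f'<soapenv:Envelope xmlns:soapenv="{NS["soapenv"]}"><soapenv:Header>'
        f'<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="{NS["wsse"]}" xmlns:wsu="{NS["wsu"]}">'
        f'<wsse:UsernameToken wsu:Id="UsernameToken-459"><wsse:Username>{username}</wsse:Username>'
        f'<wsse:Password Type="{pw_type}">{password_value}</wsse:Password>{extra}'
        f"</wsse:UsernameToken></wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>"
    )


def demo_results():
    """Run the verifier over constructed envelopes; returns the list of (ok, reason)."""
    SEEN_NONCES.clear()
    now = datetime(2020, 5, 1, 12, 0, 30, tzinfo=timezone.utc)
    created = "2020-05-01T12:00:00Z"
    nonce = base64.b64encode(b"0123456789abcdef").decode("ascii")
    digest_env = build_envelope("username", password_digest(nonce, created, "password"),
                                PASSWORD_DIGEST, nonce, created)
    cases = [
        (build_envelope("username", "password", PASSWORD_TEXT), now),  # cleartext, correct
        (build_envelope("username", "wrong", PASSWORD_TEXT), now),     # cleartext, wrong
        (digest_env, now),                                             # digest, first use
        (digest_env, now),                                             # same nonce again
        (digest_env, now + timedelta(hours=1)),                        # stale Created
    ]
    return [verify_token(extract_username_token(env), now=t) for env, t in cases]


if __name__ == "__main__":
    for result in demo_results():
        print(result)
```

PasswordText still puts the credential on the wire in clear, so it only makes sense over TLS; PasswordDigest avoids that but is only as strong as the nonce cache and clock check, which is why both are enforced before the digest is compared.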