Adding WSSE Security headers in SOAP request before making backend call

Scenario:

I am currently developing a reverse proxy type API which would accept requests in JSON format and then make a backend call to a SOAP service hosted on a public URL.

I am performing the following steps in the preflow.

  • Verify oauth access token
  • JSON threat protection
  • Extract Variable to get the subscriber id from the JSON request received.
  • Assign Message to form the SOAP request required by the backend service.
  • Assign Message to assign the request header required by the backend service.
  • Make a backend service call.

With this flow I am able to connect to the backend service but am getting a security error, as the backend service needs a WSSE security header in the SOAP Header section, as mentioned below. I have the below two questions.

Questions:

  • I am planning to use a Java callout to generate the WSSE security details mentioned below. Please advise if I can use a Java callout after step #3 mentioned below to add the SOAP security headers. Please also advise if you have any document / example of a Java callout to handle WSSE headers.

Sample SOAP Header with WSSE security header details:

<soap:Envelope xmlns:soap='soapuri'
               xmlns:wsa="wsauri"
               xmlns:wsu="wsuuri">
  <soap:Header>
    <wsa:Action soap:mustUnderstand="1">..Action name..</wsa:Action>
    <wsa:To soap:mustUnderstand="1" wsu:Id="_1">...Service URL...</wsa:To>
    <wsse:Security soap:mustUnderstand="1"
                   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsu:Timestamp wsu:Id="Timestamp-18e1ce72-2097-42b3-a18e-d0e6e986f56f">
        <wsu:Created>2017-02-19T16:05:50-05:00</wsu:Created>
        <wsu:Expires>2017-02-19T21:10:50Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:BinarySecurityToken wsu:Id="SecurityToken-728895c5-2191-47bb-9126-62c292cecc2a"
                                EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">...Base64-encoded-x509v3-token-here...</wsse:BinarySecurityToken>
      <Signature
          xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <Reference URI="#Timestamp-18e1ce72-2097-42b3-a18e-d0e6e986f56f">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>...Digest Value..</DigestValue>
          </Reference>
          <Reference URI="#_1">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>..Digest Value..</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>..Signature Value..</SignatureValue>
        <KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#SecurityToken-728895c5-2191-47bb-9126-62c292cecc2a" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
          </wsse:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </wsse:Security>
  </soap:Header>
  ...
</soap:Envelope>



1 ACCEPTED SOLUTION

Using a Java callout should be fine for generating the signed payload. You can use the Apache WS-Security libraries (wss4j).

You will want to have the Java callout call MessageContext.setVariable("request.content", payload).

You will want to store the private key used for signing in the encrypted KVM, or you can embed it directly into the callout jar as a resource, if the key will not often change.

To resolve the reference to Execution, you need to install the Apigee JAR files into your local (machine) repo, like this:

#!/bin/bash
# -*- mode:shell-script; coding:utf-8; -*-
#
# Created: <Tue Oct  6 11:46:13 2015>
# Last Updated: <2015-October-06 11:53:42>
#
set -e   # stop on the first failure instead of installing a jar that was never downloaded

echo
echo "This script downloads JAR files and installs them into the local Maven repo."
echo

# -f makes curl fail on an HTTP error instead of saving the error page as the jar
curl -fO https://raw.githubusercontent.com/apigee/api-platform-samples/master/doc-samples/java-cookbook/lib/e...

mvn install:install-file \
  -Dfile=expressions-1.0.0.jar \
  -DgroupId=com.apigee.edge \
  -DartifactId=expressions \
  -Dversion=1.0.0 \
  -Dpackaging=jar \
  -DgeneratePom=true

rm expressions-1.0.0.jar

curl -fO https://raw.githubusercontent.com/apigee/api-platform-samples/master/doc-samples/java-cookbook/lib/m...

mvn install:install-file \
  -Dfile=message-flow-1.0.0.jar \
  -DgroupId=com.apigee.edge \
  -DartifactId=message-flow \
  -Dversion=1.0.0 \
  -Dpackaging=jar \
  -DgeneratePom=true

rm message-flow-1.0.0.jar

echo
echo done.
echo

The dependencies in the pom.xml file then look like this:

    <dependency>
      <groupId>com.apigee.edge</groupId>
      <artifactId>message-flow</artifactId>
      <version>1.0.0</version>
    </dependency>
    <dependency>
      <groupId>com.apigee.edge</groupId>
      <artifactId>expressions</artifactId>
      <version>1.0.0</version>
    </dependency>

And you can see a working example of a Java callout here (though it does not use wss4j):

https://github.com/DinoChiesa/ApigeeEdge-Java-Add-Xml-Node

I recommend that you write tests as well.
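A sketch of the callout the answer describes, added here as an example and not code from the answer or from the linked repository: it assumes the wss4j 2.2+ API, a keystore reachable on the callout jar's classpath named by a hypothetical keystore-file policy property, a hypothetical key-alias property, and the passwords in hypothetical private.ks-pass / private.key-pass flow variables populated from the encrypted KVM. It reproduces the layout of the sample header (Timestamp, BinarySecurityToken, Signature with a SecurityTokenReference) but signs Timestamp and Body with RSA-SHA256 rather than the sample's rsa-sha1.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import com.apigee.flow.execution.*;
import com.apigee.flow.message.MessageContext;
import org.apache.wss4j.common.WSEncryptionPart;
import org.apache.wss4j.common.crypto.*;
import org.apache.wss4j.common.util.XMLUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.message.*;

public class WsseSignCallout implements Execution {
  private final Map<String, String> properties; // <Property> elements of the JavaCallout policy (hypothetical names below)
  public WsseSignCallout(Map<String, String> properties) { this.properties = properties; }

  public ExecutionResult execute(MessageContext msgCtxt, ExecutionContext execCtxt) {
    try {
      // wss4j needs a namespace-aware DOM; DOCTYPE is rejected so no external entity can be resolved.
      DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
      dbf.setNamespaceAware(true);
      dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
      String envelope = (String) msgCtxt.getVariable("request.content"); // built by the AssignMessage step
      Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(envelope)));
      // Keystore path and alias are policy properties; passwords are "private." flow variables (masked in trace) that a
      // KeyValueMapOperations step reads from the encrypted KVM, so no secret has to live in the jar.
      Properties p = new Properties();
      p.setProperty("org.apache.wss4j.crypto.provider", "org.apache.wss4j.common.crypto.Merlin");
      p.setProperty("org.apache.wss4j.crypto.merlin.keystore.file", properties.get("keystore-file"));
      p.setProperty("org.apache.wss4j.crypto.merlin.keystore.password", (String) msgCtxt.getVariable("private.ks-pass"));
      Crypto crypto = CryptoFactory.getInstance(p);
      WSSecHeader secHeader = new WSSecHeader(doc);
      secHeader.insertSecurityHeader();
      WSSecTimestamp ts = new WSSecTimestamp(secHeader);
      ts.setTimeToLive(300); // 5 minute validity bounds the replay window of a captured message
      ts.build();
      // Sign Timestamp and Body; the cert travels as a wsse:BinarySecurityToken referenced from KeyInfo, as in the sample.
      WSSecSignature sig = new WSSecSignature(secHeader);
      sig.setUserInfo(properties.get("key-alias"), (String) msgCtxt.getVariable("private.key-pass"));
      sig.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
      sig.setSignatureAlgorithm(WSConstants.RSA_SHA256); // the sample shows rsa-sha1; SHA-1 is no longer acceptable for signatures
      sig.setDigestAlgo(WSConstants.SHA256);
      sig.getParts().add(new WSEncryptionPart("Timestamp", WSConstants.WSU_NS, ""));
      sig.getParts().add(new WSEncryptionPart("Body", WSConstants.URI_SOAP11_ENV, ""));
      sig.build(crypto);
      msgCtxt.setVariable("request.content", XMLUtils.prettyDocumentToString(doc));
      return ExecutionResult.SUCCESS;
    } catch (Exception e) { msgCtxt.setVariable("wsse_error", e.getMessage()); return ExecutionResult.ABORT; }
  }
}
```

Besides the two Apigee artifacts above, the pom needs org.apache.wss4j:wss4j-ws-security-dom, and the jar uploaded as a resource must be bundled with its dependencies. Keep the target's clock skew in mind when choosing the Timestamp lifetime: too short and valid requests are rejected as expired.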


2 REPLIES

ashwithds123
Participant IV

Hi @DhwanitShah

How did you achieve it? Do you have the jar files?

Regards,

Ashwith