Reputation: 11
Handle WS-Security PasswordDigest mode in a c++ WWSAPI web service
I inherited an existing and working web service written in c++ with WWSAPI. I must implement the security mechanism based on WS-Security using passworddigest in the soap header, like this one:
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-5094D0E1418B986BF215754539660332">
<wsse:Username>test</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">sqPh/Bap7ER6j+n+2iYlI+4Qt9A=</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">1ROYkV/ZftvGi17KmsvgnQ==</wsse:Nonce>
<wsu:Created>2019-12-04T10:06:06.032Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
I'm neither a web service expert nor a WWSAPI expert, but I understand the basics of a web service. I tried to understand the WWSAPI documentation, but didn't understand where to start to implement this security.
I tested by using the binding WS_STRING_USERNAME_MESSAGE_SECURITY_BINDING_TYPE, for which I can define a password validator callback, which seems to work with a simple user/password scheme. But where/how to define a password digest security mechanism ?
With the API, I was expecting a simple setting to define the basic digest mechanism and a callback to receive the nonce, the date created, the username, and the password, but I don't understand where to start. I don't understand if this needs simple declarations (bindings + properties + callback), or if I need to write some code, for example to manually parse the xml header.
As someone implemented a WWSAAPI web service with WS-Security and how ?
Upvotes: 1
Views: 256
Answers (1)
Reputation: 11
Ok, so, nobody seems to implement web services in pure c++ ? Anyway, I found the answer: this must be done (pratically) by hand. The main points are:
- An authorization callback must be defined in the WS_SERVICE_POINT structure
- The WS-security header must be read and checked in this callback, through the following operations:
- Get the input message (it contains the header and the body) with the WsGetOperationContextProperty function and the parameter WS_OPERATION_CONTEXT_PROPERTY_INPUT_MESSAGE
- Check that the message state is not empty (property WS_MESSAGE_PROPERTY_STATE)
- Get the header buffer (property WS_MESSAGE_PROPERTY_HEADER_BUFFER)
- Create a XML reader (WsCreateReader)
- Initialize this reader with the header buffer (WsSetInputToBuffer)
- Parse the XML to find the WS-Security tags with the function WsGetReaderNode (see the example provided with WWSAPI).
- Call WsMarkHeaderAsUnderstood at the position of the found attribute "mustUnderstand"
- Now that the XML is parsed, you can do whatever you want with the WS-Security tags to verify that they are valid
- Before exiting the authorization callback, you just decide to authorize or not the access, by setting the parameter *authorized to TRUE or FALSE
Upvotes: 0
Related Questions
- WS Security 1.2 in SOAP web services Delphi XE8 for sign body
- How to set password type "PasswordText" in the WSSE Security Header with WCF
- How to generate UsernameToken for WS-Security?
- How do I remove WSS-Password Type requirement in WCF Service?
- How to consume a web service with WS Security in c# setting credentials at run-time?
- consume SOAP web service with WS-Security
- Consume a Web Service that requires WS-Security from ASP.NET 4.5 Application
- Invoking a web service with WS Security from .NET
- With C#, WCF SOAP consumer that uses WSSE plain text authentication?
- How do I use WS-Security with WCF?