I have a web service using WS-Security UsernameToken authentication configured by a WebService Protocol framework component on an HTTP Direct acceptor. Data transport is not secured since this is not a public service and the authentication is used just to manage the clients. The problem is that I need the authenticated username when processing the request, but the broker drops all WS-Security SOAP headers from the request before it reaches the ESB process. Note that headers outside WS-Security namespace are passed as expected.
If I set the broker role to both ultimateReceiver and next (Progress SonicMQ Deployment Guide V7.5 pages 550-551) AND comment out the policy in the WSDL (attached) the headers go through and I get the response alright, but the user is obviously not authenticated. If the policy is in effect, I get the following fault response:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Body>
    <soapenv:Fault>
      <faultcode xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:InvalidSecurity</faultcode>
      <faultstring>An error was discovered processing the wsse:Security header.</faultstring>
      <faultactor>http://schemas.xmlsoap.org/soap/actor/next</faultactor>
      <detail>
        <string>Message has no required security header</string>
      </detail>
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>
Is there a solution or a workaround for this? I have found a couple of mentions that Sonic provides the SOAP headers as message headers, or that declaring the SOAP headers in the WSDL binding section would make them available in the unwrap step, but I haven't seen this information in the message headers, nor have I had success with declaring the security headers in the WSDL.
I'm using Sonic 7.5.1.
If an intermediary acts as a SOAP Actor, then it is required to remove any SOAP headers that it processes. This is why you can't have the broker both process the headers and pass them on. However, the broker does copy many of the security header values into the mms message. Are you sure the value you want is not there?
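The rule described in the reply above, as an added example that is not part of the original thread and is not Sonic code: a SOAP 1.1 intermediary removes the header blocks targeted at its role, forwards the rest, and carries the authenticated username along as a message property. The property name `authenticatedUser`, the `app` namespace, the `authenticate` callback and the sample request are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
NEXT = "http://schemas.xmlsoap.org/soap/actor/next"

# Constructed sample request: one wsse:Security header targeted at "next"
# and one custom header with no actor (targeted at the ultimate receiver).
SAMPLE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:wsse="{WSSE}" xmlns:app="urn:example:app">
  <soapenv:Header>
    <wsse:Security soapenv:actor="{NEXT}">
      <wsse:UsernameToken>
        <wsse:Username>client-a</wsse:Username>
        <wsse:Password>constructed-secret</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
    <app:Session>abc123</app:Session>
  </soapenv:Header>
  <soapenv:Body><app:Ping/></soapenv:Body>
</soapenv:Envelope>"""


def intermediary_forward(envelope_xml, my_roles, authenticate):
    """Process headers targeted at this node, remove them, forward the rest.

    Returns (forwarded_xml, properties). `properties` stands in for
    transport-level message headers; "authenticatedUser" is a hypothetical name.
    """
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP}}}Header")
    props = {}
    for block in list(header) if header is not None else []:
        # A header without an actor attribute is meant for the ultimate receiver.
        role = block.get(f"{{{SOAP}}}actor") or "ultimateReceiver"
        if role not in my_roles:
            continue  # not targeted at this node: pass through untouched
        if block.tag == f"{{{WSSE}}}Security":
            user = block.findtext(f"{{{WSSE}}}UsernameToken/{{{WSSE}}}Username")
            pwd = block.findtext(f"{{{WSSE}}}UsernameToken/{{{WSSE}}}Password")
            if not authenticate(user, pwd):
                raise PermissionError("InvalidSecurity")
            props["authenticatedUser"] = user  # identity survives as a property
        header.remove(block)  # a processed header must not be forwarded
    return ET.tostring(root, encoding="unicode"), props
```

With `my_roles={NEXT}` the forwarded envelope still carries `app:Session` but no `wsse:Security`, which is the behaviour the original poster observes; the username is only available downstream if the intermediary copies it somewhere else.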
The value in User Name field in the general tab of WebService Endpoint URL Properties can be found in the message, in JMS header "JMSXUserID". But it only works if User Name is hardcoded. If I select "AUTHENTICATED" in the User Name field, which would probably do what I'm looking for, it forces SSL Certificate on in Access Control tab. If I uncheck SSL Certificate, management console will check it again. With User Name "AUTHENTICATED" I get the following fault:
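<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Body>
    <soapenv:Fault>
      <faultcode>soapenv:Server.HTTP_AUTHENTICATION_FAILURE</faultcode>
      <faultstring>Server failed to authenticate the user.</faultstring>
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>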
Does this mean that unless I add SSL certificates in the mix, there's no way to find out which authenticated user sent the request, once we are inside the process?
This question is still unanswered.
Yuruki, you can find some information about the filtering strategy beans and how to configure them to create additional message parts which contain the SOAP header highest order elements.
See the post on Capturing the SOAP envelope, it contains the information I think you need at the very end. We had to use this to get wsse:security and Session header elements into the ESB/JMS message:
The method suggested in that thread is only applicable to Sonic version 8.