on 03-05-2012 6:02 AM
Hi,
Currently we are developing a SOAP to RFC scenario for our client. We will receive the request from a website, process the data and send the response back to the website itself. We have successfully implemented the interface, but the source system owners are not happy with enclosing the username and password in the URL itself. They see it as a security threat to enclose the username and password in it. Currently we have provided the URL in the format below:
https://hostname:port/XISOAPAdapter/MessageServlet?channel=:Businesssystem:CommunnicationChannel&nosoap=true&sap-user=username&sap-password=password
Is there anything that could be done so that we don't have to provide the username and password in the URL? Also, they mentioned that they don't have a provision like the SOAP UI tool to enter the username and password in their system, where they can only pass the URL. The source application uses Java for their development.
Kindly help me on this.
Hi,
When you provide a username and password in SOAP UI, it is then passed to the SOAP Header, and later on it is read by PI from there for the authentication test. Using the user name and password in the URL is only an alternative to this basic method.
Now, since the sender system is some Java tool, it can use the normal SOAP authentication in the SOAP Header. Please find an example here on how you can add the SOAP Header Authentication to a web service call:
http://www.codeproject.com/Articles/4398/Authentication-for-Web-Services-using-SOAP-headers
And just like Mark and Shabarish, I would definitely not recommend turning off the authentication for the whole adapter. It is by far less safe than providing the user name and password in the URL.
Hope this helps,
Greg
Hi Grzegorz,
The point you have suggested makes a lot of sense in my issue.
Before going to the sender system owners, I tried adding the below parameters to my SOAP request header.
<soap:Header>
<AUTHHEADER>
<USERNAME>string</USERNAME>
<PASSWORD>string</PASSWORD>
</AUTHHEADER>
</soap:Header>
I tested it by leaving the Username and Password blank in the SOAP UI tool and gave the credentials in the SOAP header itself, but then it failed. I have a doubt about what to give as the namespace when I do this modification.
Please guide me on how to go about it.
Hi again,
As this topic seems really interesting to me, I have done some further investigation on this. I have found this FAQ document:
http://www.xigenie.com/xi-arch/adapters/79-soap-adapter-faq
It makes an interesting statement:
The user authentication of the SOAP adapter is not part of the SOAP adapter but of the web container of the J2EE engine.
This seems to mean that I was wrong about the SOAP Header Authentication. Rather, HTTP Header authentication should be used I guess. I am planning to have some further testing on that today in the evening, so I hope I will be able to give you more details about it later on.
Regards,
Greg
Hi,
I got that figured out, I made a test in SOAP UI and it works fine. What you need to do is to add a HTTP header entry as follows:
Parameter name: Authorization
Parameter value: Basic (base64-encoded username:password)
Let me give you an example. Assuming that your username is "someuser" and your password is "somepass", you concatenate them with a colon as a separator to get: "someuser:somepass". Then you encode "someuser:somepass" (without quotes) with base64 to get c29tZXVzZXI6c29tZXBhc3M=. So finally the HTTP Header entry has to be:
Name: Authorization
Value: Basic c29tZXVzZXI6c29tZXBhc3M=
You can verify it in SOAP UI that it works - I have just done it myself. Just instead of giving the name and password in the "Aut" tab, put the Parameter and Value in the Header tab.
Also, find an example of how to add an HTTP Header from Java code here:
http://dpastov.blogspot.com/2010/11/very-nice-soap-client.html
Focus on the httpConn.setRequestProperty statement.
Hope this helps,
Greg
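The header construction described in the post above, as an added Java example; it is not code from the thread or from the linked blog. The class name, the environment variables PI_SOAP_URL, PI_USER and PI_PASSWORD, and the request payload are assumptions made for illustration.

```java
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class PiSoapBasicAuthClient {
    // Authorization header value: "Basic " + base64("username:password").
    static String basicAuthHeader(String user, String password) {
        byte[] pair = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(pair);
    }
    // Reject endpoints that would expose the credentials on the wire or in the URL.
    static void checkEndpoint(URL url) {
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IllegalArgumentException("Basic auth is only base64-encoded; use https");
        }
        String query = url.getQuery() == null ? "" : url.getQuery();
        if (query.contains("sap-user=") || query.contains("sap-password=")) {
            throw new IllegalArgumentException("remove sap-user/sap-password from the URL");
        }
    }
    public static void main(String[] args) throws Exception {
        // Same values as the worked example in the thread.
        if (!"Basic c29tZXVzZXI6c29tZXBhc3M=".equals(basicAuthHeader("someuser", "somepass"))) {
            throw new IllegalStateException("header encoding mismatch");
        }
        // Assumed environment variables; PI_SOAP_URL is the adapter URL without credentials.
        String endpoint = System.getenv("PI_SOAP_URL");
        String user = System.getenv("PI_USER");
        String password = System.getenv("PI_PASSWORD");
        if (endpoint == null || user == null || password == null) {
            throw new IllegalStateException("set PI_SOAP_URL, PI_USER and PI_PASSWORD");
        }
        URL url = java.net.URI.create(endpoint).toURL();
        checkEndpoint(url);
        // Constructed placeholder payload; replace with the real request message.
        byte[] body = "<ns:Request xmlns:ns=\"urn:example\"/>".getBytes(StandardCharsets.UTF_8);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Authorization", basicAuthHeader(user, password));
        conn.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
        try (OutputStream out = conn.getOutputStream()) { out.write(body); }
        // A 401 status here means the credentials in the header were rejected.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Because the header value is only base64-encoded, the example refuses any endpoint that is not https and any URL that still carries sap-user or sap-password in its query string.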
Hi Grzegorz,
Thanks for the honest efforts you have put in to find a solution for my requirement.
I did try the way you suggested.
I tried giving the URL without username and password. Then I gave values in the Headers tab in the SOAP UI tool by generating the Base64 encoding. My question is: should I still go ahead and give the username and password in the left side tab in the SOAP UI tool, or can I leave it blank? Because when I leave it blank, it throws an error, and it runs successfully when I give the username and password in the tab.
Please correct me if I am wrong here.
Well, it is strange what you are saying. I have successfully tested it in SOAP UI without the credentials in the Aut tab, just with the HTTP Header. Please refer to this blog I have created on this topic in the meantime to check if your configuration is correct:
I have included a screenshot from SOAP UI there, to help you with this verification.
Greg
Hi Greg,
We have exactly the same requirement, where we need to call a web service by encoding the user ID and password in Base64.
How do we achieve this in the channel configuration? Or is it possible to set the Base64-encoded user ID and password in the HTTP header using Java mapping?
Kindly advise.
Thanks
Manoj
Hello,
Is there anything that could be done, so that we don't have to provide the username and password in the URL. Also they mentioned that they don't have a provision like the SOAP UI tool to enter the username and password in their system, where they can only pass the URL. The source application uses Java for their development.
Disabling the authentication will disable it for the whole SOAP sender adapter. You can check the replies in this thread by Bhavesh regarding the creation of a userID.
Hope this helps,
Mark