User authentication for SOAP service

sherin_jose4
Participant
0 Kudos

Hi,

Currently we are developing a SOAP to RFC scenario for our client. We will receive the request from a website and process the data and send back the response to the website itself. We have successfully implemented the interface, but the source system owners are not happy with enclosing the username and password in the URL itself. They feel it is a security threat to enclose the username and password in it. Currently we have provided the URL in the below format,

https://hostname:port/XISOAPAdapter/MessageServlet?channel=:Businesssystem:CommunnicationChannel&nosoap=true&sap-user=username&sap-password=password

Is there anything that could be done, so that we don't have to provide the username and password in the URL. Also they mentioned that they don't have a provision like the SOAP UI tool to enter the username and password in their system, where they can only pass the URL. The source application uses Java for their development.

Kindly help me on this.

Accepted Solutions (1)

former_member184681
Active Contributor
0 Kudos

Hi,

When you provide a username and password in SOAP UI, it is then passed to the SOAP Header, and later on it is read by PI from there for authentication test. Using user name and password in URL is only an alternative for this basic method.

Now, since the sender system is some Java tool, it can use the normal SOAP authentication in the SOAP Header. Please find an example here on how you can add the SOAP Header Authentication to a web service call:

http://www.codeproject.com/Articles/4398/Authentication-for-Web-Services-using-SOAP-headers

And just like Mark and Shabarish, I would definitely not recommend turning off the authentication for the whole adapter. It is by far less safe than providing user name and password in the URL.

Hope this helps,

Greg

sherin_jose4
Participant
0 Kudos

Hi Grzegorz,

The point you have suggested makes a lot of sense in my issue.

Before going to the sender system owners, I tried adding the below parameters to my SOAP request header.

<soap:Header>
  <AUTHHEADER>
    <USERNAME>string</USERNAME>
    <PASSWORD>string</PASSWORD>
  </AUTHHEADER>
</soap:Header>

I tested it by leaving the Username and Password as blank in the SOAP UI tool and gave the credentials in the SOAP header itself, but then it failed. I have a doubt on what to give as the namespace when I do this modification.

Please guide me on how to go about it.

former_member184681
Active Contributor
0 Kudos

Hi again,

As this topic seems really interesting to me, I have done some further investigation on this. I have found this FAQ document:

http://www.xigenie.com/xi-arch/adapters/79-soap-adapter-faq

It makes an interesting statement:

The user authentication of the SOAP adapter is not part of the SOAP adapter but of the web container of the J2EE engine.

This seems to mean that I was wrong about the SOAP Header Authentication. Rather, HTTP Header authentication should be used I guess. I am planning to have some further testing on that today in the evening, so I hope I will be able to give you more details about it later on.

Regards,

Greg

Shabarish_Nair
Active Contributor
0 Kudos

Yes you are correct.

It is HTTP headers

former_member184681
Active Contributor
0 Kudos

Hi,

I got that figured out, I made a test in SOAP UI and it works fine. What you need to do is to add an HTTP header entry as follows:

Parameter name: Authorization
Parameter value: Basic (base64-encoded username:password)

Let me give you an example. Assuming that your username is "someuser" and your password is "somepass", you concatenate it with a colon as a separator to get: "someuser:somepass". Then you encode "someuser:somepass" (without quotes) with base64 to get c29tZXVzZXI6c29tZXBhc3M= So finally the HTTP Header entry has to be:

Name: Authorization
Value: Basic c29tZXVzZXI6c29tZXBhc3M=

You can verify it in SOAP UI that it works - I have just done it myself. Just instead of giving the name and password in the "Aut" tab, put the Parameter and Value in the Header tab.

Also, find an example of how to add an HTTP Header from Java code here:

http://dpastov.blogspot.com/2010/11/very-nice-soap-client.html

Focus on the httpConn.setRequestProperty statement.

Hope this helps,

Greg
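
The header construction described in the reply above, written out for a Java sender (an added example, not code from the thread or from the linked blog). The class and method names are hypothetical; the endpoint check additionally refuses plain HTTP and URLs that still carry `sap-user` or `sap-password`, since Basic authentication is only base64-encoded and not encrypted.

```java
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class PiSoapBasicAuthClient {

    // Builds the header value described above: "Basic " + base64(user:password).
    static String basicAuthValue(String user, String password) {
        if (user.contains(":")) {
            // The first colon separates user from password, so the user name cannot hold one.
            throw new IllegalArgumentException("user name must not contain ':'");
        }
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // Rejects endpoints that would expose the credentials: plain HTTP, or
    // sap-user / sap-password still present in the query string.
    static void checkEndpoint(URL url) {
        String query = url.getQuery() == null ? "" : url.getQuery().toLowerCase();
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IllegalArgumentException("Basic auth is only base64-encoded; use https");
        }
        if (query.contains("sap-user=") || query.contains("sap-password=")) {
            throw new IllegalArgumentException("remove credentials from the URL");
        }
    }

    // Posts the payload with the credentials in the HTTP header instead of the URL.
    static int post(URL url, String user, String password, byte[] body) throws Exception {
        checkEndpoint(url);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Authorization", basicAuthValue(user, password));
        conn.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body);
        }
        return conn.getResponseCode(); // 401 means the credentials were rejected
    }

    public static void main(String[] args) {
        // Same sample credentials as the worked example in the reply above.
        System.out.println(basicAuthValue("someuser", "somepass"));
    }
}
```

In a real sender the user name and password would come from a protected configuration store rather than from source code, and the URL passed to `post` is the adapter URL with only the `channel` and `nosoap` parameters left in it.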

Shabarish_Nair
Active Contributor
0 Kudos

I was just in the middle of a blog outlining this solution

Do you mind me completing it? Or else you could go ahead and post this.

former_member184681
Active Contributor
0 Kudos

Honestly I am also almost done with a blog on this topic, with the conclusions I have included above and some additional information. So I would rather post it myself if you don't mind, as I was the first one to provide a solution here.

Shabarish_Nair
Active Contributor
0 Kudos

no issues at all

sherin_jose4
Participant
0 Kudos

Hi Grzegorz,

Thanks for the honest efforts you had put in to find a solution for my requirement.

I did try the way you suggested.

I tried by giving the URL without username and password. Then I gave values in the Headers tab in SOAP UI tool by generating the Base 64 bit encoding. My question is that, should I still go ahead and give the username and password in the left side tab in the SOAP UI tool or can I give it blank. Because, when I leave it blank, it throws an error and runs successfully when I give the username and password in the tab.

Please correct me if I am wrong here.

former_member184681
Active Contributor
0 Kudos

Well, it is strange what you are saying. I have successfully tested it in SOAP UI without the credentials in the Aut tab, just with the HTTP Header. Please refer to this blog I have created on this topic in the meantime to check if your configuration is correct:

I have included a screenshot from SOAP UI there, to help you with this verification.

Greg

sherin_jose4
Participant
0 Kudos

Hi Grzegorz,

Thanks a lot for the efforts.

It worked perfectly fine in my SOAP UI tool.

Hope this approach would be helpful for a lot of other people.

manoj_khavatkopp
Active Contributor
0 Kudos

Hi Greg,

We have exactly the same requirement where we need to call a web service by encoding the user id and password in Base64.

How do we achieve this in the channel configuration? Or is it possible to set the base64 encoded user id and password in the HTTP header using Java mapping?

Kindly advise.

Thanks

Manoj

Former Member
0 Kudos

Hi Manoj,

Did you achieve it? If so, please let me know how you did.

Regards

Sandeep

manoj_khavatkopp
Active Contributor
0 Kudos

Sandeep,

Well I guess we used Java mapping to build custom soap envelope with headers base64 encrypted. But I would suggest you to try Addsoapheaderbean or dynamic config first; if this doesn't work you can go for Java mapping or XSLT.

Br,

Manoj

Former Member
0 Kudos

Hello Manoj,

Can you please share how the header looks?

Regards

Sandeep

Answers (2)

Shabarish_Nair
Active Contributor
0 Kudos

Yes. Currently there is indeed an option to disable the authentication, but it is not at a specific SOAP adapter level but the entire SOAP adapter component itself.

Refer to the solution here, which is not recommended for production scenarios.

markangelo_dihiansan
Active Contributor
0 Kudos

Hello,

Is there anything that could be done, so that we don't have to provide the username and password in the URL. Also they mentioned that they don't have a provision like the SOAP UI tool to enter the username and password in their system, where they can only pass the URL. The source application uses Java for their development.

Disabling the authentication will disable it for the whole SOAP sender adapter. You can check the replies in this thread by Bhavesh regarding the creation of a userID.

Hope this helps,

Mark