Skip to Content

Changes for page Endpoint Check

Last modified by Danniar Firdausy on 2024/09/04 10:26
From version 36.2
edited by Erik Bakker
on 2022/06/12 09:36
Change comment: Update document after refactoring.
To version 38.1
edited by Erik Bakker
on 2022/06/12 09:38
Change comment: There is no comment for this version

Summary

Details

Page properties
Title
... ... @@ -1,1 +1,1 @@
1 -novice-soap-webservice-connectivity-soap-headers
1 +Securing your SOAP Webservice
Content
... ... @@ -1,5 +1,5 @@
1 1  {{container}}{{container layoutStyle="columns"}}(((
2 -When setting up a point at which your customers can talk to you eMagiz offers various methods of creating such a point. One of those options is by hosting a SOAP Webservice in eMagiz that handles XML messages asynchronously or synchronously. In this microlearning, we will zoom in on the part that validation of the messages plays when offering such a SOAP web service.
2 +When setting up a point at which your customers can talk to you eMagiz offers various methods of creating such a point. One of those options is by hosting a SOAP Webservice in eMagiz that handles XML messages asynchronously or synchronously. In this microlearning, we will zoom in on the part that security plays on a client level when hosting a SOAP web service.
3 3  
4 4  Should you have any questions, please contact academy@emagiz.com.
5 5  
... ... @@ -20,11 +20,11 @@
20 20  * Validation
21 21  * Authentication
22 22  
23 -Of these four points, we will zoom in on the validation part of our SOAP Webservice in this microlearning.
23 +Of these four points, we will zoom in on the authentication part of our SOAP Webservice in this microlearning.
24 24  
25 -== 3. Validate Incoming Messages ==
25 +== 3. Securing your SOAP Webservice ==
26 26  
27 -When setting up a point at which your customers can talk to you eMagiz offers various methods of creating such a point. One of those options is by hosting a SOAP Webservice in eMagiz that handles XML messages asynchronously or synchronously. In this microlearning, we will zoom in on the part that validation of the messages plays when offering such a SOAP web service.
27 +When setting up a point at which your customers can talk to you eMagiz offers various methods of creating such a point. One of those options is by hosting a SOAP Webservice in eMagiz that handles XML messages asynchronously or synchronously. In this microlearning, we will zoom in on the part that security plays on a client level when hosting a SOAP web service.
28 28  
29 29  Crucial parts in the configuration are:
30 30  * Operation Name
... ... @@ -32,70 +32,62 @@
32 32  * Validation
33 33  * Authentication
34 34  
35 -Of these four points, we will zoom in on the validation part of our SOAP Webservice in this microlearning. The SOAP Webservice serves as a point of entry where people with the rights credentials (security) and the right answers (validation) are allowed to enter and perform their actions. In the next microlearning, we will talk about the security part. In this microlearning, we talk about the validation part.
35 +Of these four points, we will zoom in on the authentication part of our SOAP Webservice in this microlearning. When hosting your SOAP web service in the eMagiz Cloud the endpoint will be HTTPS secured on default. If you want to mimic the same result for an on-premise environment you should define the valid SSL settings (https://my.emagiz.com/p/question/172825635700357186).
36 36  
37 -As you have learned from the crash course you can validate an XML message with the help of an XSD. This XSD describes dataTypes, order, associations, and length of attributes. You can use such an XSD for the validation of what your clients send you. eMagiz will automatically define a WSDL based on the XSD that you provide that stores metainformation and stores the XSD for validation purposes. This way you can communicate the WSDL (location) to external parties as a reference document upon which they can build their solution. If you keep the eMagiz defaults you can access the WSDL via http://host:port/ws/ws-name/ws-name.wsdl. Note that you need to all values (except for the ws and .wsdl part) with actual values.
37 +Apart from that aspect of security, we should also consider how clients that call the SOAP Web service will authenticate themselves upon entry. Within eMagiz, we advise a two-step approach. Each client that wants to call your SOAP Webservice should:
38 38  
39 -What eMagiz does need from you is the correct XSD for validation. As a starting point you should download the XSD that eMagiz has generated based on the system message(s) you have defined in the Design phase. Once you have that you can structure the XSD correctly. A valid XSD start with a schema segment. In this segment you need to define your SOAP WS namespace:
39 +* Send along a client certificate
40 +* Send along an API key in a SOAP Header that references to the word apiKey (i.e. apiKey)
40 40  
41 -<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
42 -<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
43 - xmlns="http://www.academy.emagiz.com/ns/mlacade-bus/spwbsrv-connector/1.0/"
44 - attributeFormDefault="unqualified" elementFormDefault="unqualified"
45 - targetNamespace="http://www.academy.emagiz.com/ns/mlacade-bus/spwbsrv-connector/1.0/">
42 +To verify both parts some configuration is needed. The first aspect, checking for a valid client certificate is done on cloud level. For more information on how to exactly configure this please take a look at the microlearning [Securing a hosted web service with certificates in the eMagiz Cloud](intermediate-securing-your-data-traffic-securing-a-hosted-webservice-with-certificates-in-the-emagiz-cloud.md).
46 46  
47 -Once you have that you need to copy all complex and simple types from the XSD that you downloaded and paste them below the lines you have created:
44 +In this microlearning, we will focus on the second part of the configuration.
48 48  
49 -<xs:complexType name="Input">
50 - <xs:sequence>
51 - <xs:element name="String" type="nonEmptyString"/>
52 - <xs:element minOccurs="0" name="Decimal" type="xs:decimal"/>
53 - <xs:element name="Enum" type="Enum"/>
54 - <xs:element name="Integer" type="xs:long"/>
55 - <xs:element name="Boolean" type="xs:boolean"/>
56 - <xs:element minOccurs="0" name="DateTime" type="xs:dateTime"/>
57 - </xs:sequence>
58 - </xs:complexType>
59 - <xs:simpleType name="nonEmptyString">
60 - <xs:restriction base="xs:string">
61 - <xs:minLength value="1"/>
62 - </xs:restriction>
63 - </xs:simpleType>
64 - <xs:simpleType name="Enum">
65 - <xs:restriction base="xs:string">
66 - <xs:enumeration value="URGENT"/>
67 - <xs:enumeration value="HIGH"/>
68 - <xs:enumeration value="MEDIUM"/>
69 - <xs:enumeration value="LOW"/>
70 - <xs:enumeration value="PLANNING"/>
71 - </xs:restriction>
72 - </xs:simpleType>
46 +=== 3.1 API Key verification ===
73 73  
74 -To wrap things up you need to define your Request and Response element and close the schema:
48 +To verify whether the client has sent a valid API Key we need to change the configuration within the entry flow in the Create phase of eMagiz. The configuration consists of three steps:
75 75  
76 -<xs:element name="SendNptRequest">
77 - <xs:complexType>
78 - <xs:sequence>
79 - <xs:element name="Input" type="Input"/>
80 - </xs:sequence>
81 - </xs:complexType>
82 - </xs:element>
83 - <xs:element name="SendNptResponse">
84 - <xs:complexType/>
85 - </xs:element>
86 - </xs:schema>
50 +* Get value from SOAP Header
51 +* Check value against a list
52 +* Respond based on results
87 87  
88 -Combining this will result in a valid XSD for my example. In your case, you will need to enter other values. When you are done with the creation of the XSD save it with a name such as spwbsrv-connector.xsd and upload it to the flow. After you have uploaded the XSD link it to the connector-xsd support object in your entry.
54 +==== 3.1.1 Get value from SOAP Header ====
89 89  
90 -[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-validate-incoming-messages--uploaded-file.png]]
56 +Let us move to the entry flow by going to the Create phase of eMagiz, opening the correct flow, and entering "Start Editing" mode. After you have done so we need to add a support object to the flow. The support we need is called 'Complex SOAP header mapper'. In this component, we need the bottom section.
91 91  
92 -[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-validate-incoming-messages--file-linked-to-xsd-component.png]]
58 +[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--complex-soap-header-mapper.png]]
93 93  
94 -With this done you have successfully added validation to your SOAP web service.
60 +Here we define a new header by entering a name and a valid XPath expression.
95 95  
62 +[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--complex-soap-header-mapper-config.png]]
63 +
64 +When you are satisfied you can press Save twice to store the support object. After we have configured the support object we need to link it to our web service inbound gateway. To do so open the component, navigate to the advanced tab and select the Header mapper you have just created.
65 +
66 +[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--link-complex-soap-header-mapper.png]]
67 +
68 +==== 3.1.2 Check value against list ====
69 +
70 +Now that we placed the value the client has entered in the apiKey SOAP header on our message we can check whether the value exists in a list of predefined valid values. To do add two headers to the standard header enricher component in your flow. The first one ensures that the apiKey is removed from the header (to prevent the API key from being publicly seen by others). The second one searches for the client name that corresponds with the apiKey and returns the name of the client in the header. This search action is done with the help of a SpEL expression, more on that later on. In this case the SpEL expression we use is set up as follows: headers['spwbsrv_apiKey'] != null and {${authentication.api-keys}}.contains(headers.spwbsrv_apiKey) ? {${authentication.tenant-ids}}[{${authentication.api-keys}}.indexOf(headers.spwbsrv_apiKey)] : null
71 +
72 +With this SpEL expression, we check whether there is an API key and whether that apiKey can be found in a predefined list. If so we search for the corresponding name based on the index of where a certain apiKey is within the list. If not the header is not created. Combining this logic in one component should look similar to the following.
73 +
74 +[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--check-headers.png]]
75 +
76 +==== 3.1.3 Respond based on results ====
77 +
78 +After we have searched for the API key in the list and we have defined the client that is sending the information (or not) we can respond to the client whether or not the client is authorized to call our SOAP web service. To execute this check we first need a standard filter component. In this component, we will check whether the spwbsrv_client header we have just created is not null.
79 +
80 +[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--standard-filter.png]]
81 +
82 +If it is indeed not null we can pass the empty message back to the client telling the client that the message was delivered successfully. If the header is null we need to tell the client that he/she is unauthorized to call the operation. To do so we need to add a component called 'custom error message activator'. In this component, we define the message we want to give back to the client in case of an error. In this case, we simply give back 'Unauthorized'.
83 +
84 +[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--custom-error-message.png]]
85 +
86 +With all this done we have successfully secured our SOAP web service according to the best practices.
87 +
96 96  == 4. Assignment ==
97 97  
98 -Add validation to the SOAP Webservice we have been configuring.
90 +Secure a SOAP web service to confirm the outlined approach above. Focus on the apiKey part.
99 99  This assignment can be completed with the help of the (Academy) project that you have created/used in the previous assignment.
100 100  
101 101  == 5. Key takeaways ==
... ... @@ -105,9 +105,8 @@
105 105   ** SOAP Webservice Namespace
106 106   ** Validation
107 107   ** Authentication
108 -* Validation is done with the help of an XSD
109 -* The WSDL is used for external documentation
110 -* Use the XSD generated by eMagiz based on the system message as a starting point
100 +* Hosting your SOAP web service in the eMagiz cloud results in standard HTTPS
101 +* Use a combination of client certificate + API key for authentication
111 111  
112 112  == 6. Suggested Additional Readings ==
113 113  
... ... @@ -115,6 +115,6 @@
115 115  
116 116  == 7. Silent demonstration video ==
117 117  
118 -{{video attachment="novice-soap-webservice-connectivity-validate-incoming-messages.mp4" reference="Main.Videos.Microlearning.WebHome"/}}
109 +{{video attachment="novice-soap-webservice-connectivity-securing-your-soap-webservice.mp4" reference="Main.Videos.Microlearning.WebHome"/}}
119 119  
120 120  )))((({{toc/}}))){{/container}}{{/container}}