Skip to Content

Changes for page Endpoint Check

Last modified by Danniar Firdausy on 2024/09/04 10:26
From version 44.1
edited by Erik Bakker
on 2022/12/30 12:24
Change comment: There is no comment for this version
To version 38.1
edited by Erik Bakker
on 2022/06/12 09:38
Change comment: There is no comment for this version

Summary

Details

Page properties
Title
... ... @@ -1,1 +1,1 @@
1 -Endpoint Check
1 +Securing your SOAP Webservice
Parent
... ... @@ -1,1 +1,1 @@
1 -Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.WebHome
1 +WebHome
Default language
... ... @@ -1,1 +1,0 @@
1 -en
Content
... ... @@ -1,109 +1,104 @@
1 1  {{container}}{{container layoutStyle="columns"}}(((
2 -When setting up a point at which your customers can talk to you eMagiz offers various methods of creating such a point. One of those options is by hosting a SOAP Webservice in eMagiz that handles XML messages asynchronously or synchronously. One last check to perform before you can communicate with the external parties that the endpoint is available to receive messages and up and running. In this microlearning, we will learn how you can perform such a check.
2 +When setting up a point at which your customers can talk to you eMagiz offers various methods of creating such a point. One of those options is by hosting a SOAP Webservice in eMagiz that handles XML messages asynchronously or synchronously. In this microlearning, we will zoom in on the part that security plays on a client level when hosting a SOAP web service.
3 3  
4 4  Should you have any questions, please contact academy@emagiz.com.
5 5  
6 +* Last update: June 10th, 2021
7 +* Required reading time: 7 minutes
8 +
6 6  == 1. Prerequisites ==
7 7  * Basic knowledge of the eMagiz platform
8 8  
9 9  == 2. Key concepts ==
10 -This microlearning centers around the endpoint check.
13 +This microlearning centers around configuring your SOAP web service.
11 11  
12 -By endpoint check, we mean: determine whether the WSDL is accessible on the correct endpoint so we can forward the URL to the WSDL + the URL to call to our external parties
15 +By configuring, we mean: Designing and determining the characteristics of the SOAP web service
13 13  
14 -The endpoint consists of the following elements:
15 -* Starts with https:// or http://
16 -* Second part is the host (i.e. where is the endpoint running)
17 -* Third part is the port on which the incoming traffic is accepted
18 -* These three things combined make up the first part of our endpoint that will vary per environment
19 -* Following that we have a static remainder of the endpoint that is build up as follows: /ws/{path-specific-servlet-mapping}/
20 -* If you want to get to the WSDL simply add the name of the WSDL and the .wsdl extension to the endpoint when viewing it in the browser
17 +Crucial parts in the configuration are:
18 +* Operation Name
19 +* SOAP Webservice Namespace
20 +* Validation
21 +* Authentication
21 21  
22 -== 3. Endpoint Check ==
23 +Of these four points, we will zoom in on the authentication part of our SOAP Webservice in this microlearning.
24 +
25 +== 3. Securing your SOAP Webservice ==
23 23  
24 -When setting up a point at which your customers can talk to you eMagiz offers various methods of creating such a point. One of those options is by hosting a SOAP Webservice in eMagiz that handles XML messages asynchronously or synchronously. One last check to perform before you can communicate with the external parties that the endpoint is available to receive messages and up and running. In this microlearning, we will learn how you can perform such a check.
27 +When setting up a point at which your customers can talk to you eMagiz offers various methods of creating such a point. One of those options is by hosting a SOAP Webservice in eMagiz that handles XML messages asynchronously or synchronously. In this microlearning, we will zoom in on the part that security plays on a client level when hosting a SOAP web service.
25 25  
26 -The endpoint consists of the following elements:
27 -* Starts with https:// or http://
28 -* Second part is the host (i.e. where is the endpoint running)
29 -* Third part is the port on which the incoming traffic is accepted
30 -* These three things combined make up the first part of our endpoint that will vary per environment
31 -* Following that we have a static remainder of the endpoint that is build up as follows: /{context-path}/{path-specific-servlet-mapping}/
32 -* If you want to get to the WSDL simply add the name of the WSDL and the .wsdl extension to the endpoint when viewing it in the browser
29 +Crucial parts in the configuration are:
30 +* Operation Name
31 +* SOAP Webservice Namespace
32 +* Validation
33 +* Authentication
33 33  
34 -As you can see the endpoint can be divided into two parts. One part is dynamic across environments and one part is static across environments. Let us first determine how we can find out the first part of our endpoint.
35 +Of these four points, we will zoom in on the authentication part of our SOAP Webservice in this microlearning. When hosting your SOAP web service in the eMagiz Cloud the endpoint will be HTTPS secured on default. If you want to mimic the same result for an on-premise environment you should define the valid SSL settings (https://my.emagiz.com/p/question/172825635700357186).
35 35  
36 -=== 3.1 HTTPS or HTTP ===
37 +Apart from that aspect of security, we should also consider how clients that call the SOAP Web service will authenticate themselves upon entry. Within eMagiz, we advise a two-step approach. Each client that wants to call your SOAP Webservice should:
37 37  
38 -We start at the top with the determination of HTTPS or HTTP. A simple rule of thumb is that when running in the eMagiz Cloud the endpoint starts with https:// and when the endpoint is running locally (i.e. on-premise) the endpoint starts with http:// (unless you secure it yourself, more on that later).
39 +* Send along a client certificate
40 +* Send along an API key in a SOAP Header that references to the word apiKey (i.e. apiKey)
39 39  
40 -=== 3.2 Host ===
42 +To verify both parts some configuration is needed. The first aspect, checking for a valid client certificate is done on cloud level. For more information on how to exactly configure this please take a look at the microlearning [Securing a hosted web service with certificates in the eMagiz Cloud](intermediate-securing-your-data-traffic-securing-a-hosted-webservice-with-certificates-in-the-emagiz-cloud.md).
41 41  
42 -The next part of the endpoint is the host. The host is effectively the (virtual) machine on which the endpoint is running. When hosting an endpoint in the eMagiz cloud the host part is the combination between the DNS left-most label on Route level and the cloudslot on which your environment is running. The first part of the equation can be found under Deploy -> Architecture. The second part can be found under Deploy -> Properties by looking for the {technicalnameproject}.amqp01.host. You need to combine the two elements via a dash -. An example of this would then be spwbsrv-test-cloud0001.emagizcloud.com. In case of an on-premise installation, you should ask your customer what the IP address or DNS name is to connect to the machine on which your runtime is running. If the runtime is running locally on your laptop the host equals localhost.
44 +In this microlearning, we will focus on the second part of the configuration.
43 43  
44 -=== 3.3 Port ===
46 +=== 3.1 API Key verification ===
45 45  
46 -Whether or not the port needs to be defined to get to the endpoint is once again determined by the location. If the endpoint is hosted in the eMagiz Cloud the port is *not* part of the endpoint. However, when you host your endpoint locally the endpoint becomes part of your endpoint. Note that to make this piece work in the eMagiz Cloud you should set up your Route properly. More on that in our Cloud Management courses. You can determine the port, for the endpoint or the route, by navigating to the infra flow of the runtime through which you host your SOAP web service. In the infra flow you can also find the remainder of the path to get to the WSDL location.
48 +To verify whether the client has sent a valid API Key we need to change the configuration within the entry flow in the Create phase of eMagiz. The configuration consists of three steps:
47 47  
48 -In the infra flow there is a support object of the type "Dynamic WSDL". In here you see the default location of the hosted SOAP endpoint, which is http://localhost:${entry.connector.ws.port}/ws/{soap WS name}/. Based on this, you can find the WSDL by adding {soap WS name}.wsdl to the URI. In this example, when hosting the SOAP web service on-premise, a valid URI would be "http://localhost:8099/ws/soapgn3-connector/soapgn3-connector.wsdl".
50 +* Get value from SOAP Header
51 +* Check value against a list
52 +* Respond based on results
49 49  
50 -{{info}}Note that when running your web service in the eMagiz cloud, the first part (the host part) will change depending on your configuration in Deploy Architecture and the cloud slot on which you are running. An example URI, in that case, would be "https://soap-test-cloud0000.emagizcloud.com/ws/soapgn3-connector/soapgn3-connector.wsdl"{{/info}}
54 +==== 3.1.1 Get value from SOAP Header ====
51 51  
52 -[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-validate-incoming-messages-gen3--dynamic-wsdl-support-object-infra.png]]
56 +Let us move to the entry flow by going to the Create phase of eMagiz, opening the correct flow, and entering "Start Editing" mode. After you have done so we need to add a support object to the flow. The support we need is called 'Complex SOAP header mapper'. In this component, we need the bottom section.
53 53  
54 -First, we navigate to the all entry we have created and open the Jetty component. The first segment of the Jetty Server talks about the server connector. In this part, the port is defined (either via a property or statically).
58 +[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--complex-soap-header-mapper.png]]
55 55  
56 -[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-endpoint-check--server-connector-settings.png]]
60 +Here we define a new header by entering a name and a valid XPath expression.
57 57  
58 -If it is defined via a property you can search for the corresponding value under Deploy -> Properties by checking on the property name and filtering on runtime level to get to the port. If it is defined statically you can simply read it here. Note that the best practice is to use a property value as that allows you to use a different range for your port numbering between environments. In other words, it allows you to use the 9000 range for Test, the 8000 range for Acceptance, and the 9000 range for Production. This is also to safeguard against someone accidentally sending data to the wrong environment.
62 +[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--complex-soap-header-mapper-config.png]]
59 59  
60 -=== 3.3 Context Path ===
64 +When you are satisfied you can press Save twice to store the support object. After we have configured the support object we need to link it to our web service inbound gateway. To do so open the component, navigate to the advanced tab and select the Header mapper you have just created.
61 61  
62 -The first part of the static remainder of the endpoint is the context. By default, this is filled with /ws but you as a user can alter this. You can check the current value by opening the Jetty component again and looking at the context path that is filled in.
66 +[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--link-complex-soap-header-mapper.png]]
63 63  
64 -[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-endpoint-check--context-path.png]]
68 +==== 3.1.2 Check value against list ====
65 65  
66 -=== 3.4 Path Specific Servlet Mapping ===
70 +Now that we placed the value the client has entered in the apiKey SOAP header on our message we can check whether the value exists in a list of predefined valid values. To do add two headers to the standard header enricher component in your flow. The first one ensures that the apiKey is removed from the header (to prevent the API key from being publicly seen by others). The second one searches for the client name that corresponds with the apiKey and returns the name of the client in the header. This search action is done with the help of a SpEL expression, more on that later on. In this case the SpEL expression we use is set up as follows: headers['spwbsrv_apiKey'] != null and {${authentication.api-keys}}.contains(headers.spwbsrv_apiKey) ? {${authentication.tenant-ids}}[{${authentication.api-keys}}.indexOf(headers.spwbsrv_apiKey)] : null
67 67  
68 -The last part of our endpoint is determined by the path-specific servlet mapping. You can once again find the value (and change it if you want to) within the Jetty component. In this component, you can see the servlet mappings and see the path that belongs to that servlet. For SOAP Webservice the best practice is to have only one servlet-mapping and in 99% of the cases, the auto-generated value of eMagiz is more than fine.
72 +With this SpEL expression, we check whether there is an API key and whether that apiKey can be found in a predefined list. If so we search for the corresponding name based on the index of where a certain apiKey is within the list. If not the header is not created. Combining this logic in one component should look similar to the following.
69 69  
70 -[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-endpoint-check--path-specific-servlet-mapping.png]]
74 +[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--check-headers.png]]
71 71  
72 -Combining all of this, assuming we run in the eMagiz Cloud, will result in the following endpoint for our Test environment:
73 -* https://spwbsrv-test-cloud0001.emagizcloud.com/ws/spwbsrv-connector/
76 +==== 3.1.3 Respond based on results ====
74 74  
75 -Combining all of this, assuming we run locally on our laptop, will result in the following endpoint for our Test environment:
76 -* http://localhost:9091/ws/spwbsrv-connector/
78 +After we have searched for the API key in the list and we have defined the client that is sending the information (or not) we can respond to the client whether or not the client is authorized to call our SOAP web service. To execute this check we first need a standard filter component. In this component, we will check whether the spwbsrv_client header we have just created is not null.
77 77  
78 -=== 3.5 Getting the WSDL name ===
80 +[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--standard-filter.png]]
79 79  
80 -To get to the WSDL to verify if it is available to be shared with external parties the last thing you need is the WSDL name. You can find this one, surprisingly enough, in the Jetty component. To get to the WSDL name double click on the servlet that is defined under the heading Servlets and navigate to the Advanced tab. Here you will see the name of the WSDL. If you have adhered to the default of eMagiz the name will mimic the name of your path-specific servlet mapping.
82 +If it is indeed not null we can pass the empty message back to the client telling the client that the message was delivered successfully. If the header is null we need to tell the client that he/she is unauthorized to call the operation. To do so we need to add a component called 'custom error message activator'. In this component, we define the message we want to give back to the client in case of an error. In this case, we simply give back 'Unauthorized'.
81 81  
82 -[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-endpoint-check--wsdl-name.png]]
84 +[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--custom-error-message.png]]
83 83  
84 -With this information we could reach the WSDL via the following endpoint, assuming we run in the eMagiz Cloud:
85 -* https://spwbsrv-test-cloud0001.emagizcloud.com/ws/spwbsrv-connector/spwbsrv-connector.wsdl
86 +With all this done we have successfully secured our SOAP web service according to the best practices.
86 86  
87 -With this information we could reach the WSDL via the following endpoint, assuming we run locally on our laptop:
88 -* http://localhost:9091/ws/spwbsrv-connector/spwbsrv-connector.wsdl
89 -
90 -With this information, you should be able to access the WSDL and communicate both the endpoint as well as the WSDL to your external parties.
91 -
92 92  == 4. Assignment ==
93 93  
94 -Determine the endpoint of your SOAP Webservice and retrieve the WSDL.
90 +Secure a SOAP web service to confirm the outlined approach above. Focus on the apiKey part.
95 95  This assignment can be completed with the help of the (Academy) project that you have created/used in the previous assignment.
96 96  
97 97  == 5. Key takeaways ==
98 98  
99 -* The endpoint consists of the following elements:
100 - ** Starts with https:// or http://
101 - ** Second part is the host (i.e. where is the endpoint running)
102 - ** Third part is the port on which the incoming traffic is accepted
103 - ** These three things combined make up the first part of our endpoint that will vary per environment
104 - ** Following that we have a static remainder of the endpoint that is build up as follows: /{context-path}/{path-specific-servlet-mapping}/
105 - ** If you want to get to the WSDL simply add the name of the WSDL and the .wsdl extension to the endpoint when viewing it in the browser
106 -* The relevant information can be derived from the Jetty component and by determining where the endpoint is hosted
95 +* Crucial parts in the configuration are:
96 + ** Operation Name
97 + ** SOAP Webservice Namespace
98 + ** Validation
99 + ** Authentication
100 +* Hosting your SOAP web service in the eMagiz cloud results in standard HTTPS
101 +* Use a combination of client certificate + API key for authentication
107 107  
108 108  == 6. Suggested Additional Readings ==
109 109  
... ... @@ -111,6 +111,6 @@
111 111  
112 112  == 7. Silent demonstration video ==
113 113  
114 -{{video attachment="novice-soap-webservice-connectivity-endpoint-check.mp4" reference="Main.Videos.Microlearning.WebHome"/}}
109 +{{video attachment="novice-soap-webservice-connectivity-securing-your-soap-webservice.mp4" reference="Main.Videos.Microlearning.WebHome"/}}
115 115  
116 116  )))((({{toc/}}))){{/container}}{{/container}}