Changes for page Securing your SOAP Webservice

Last modified by Danniar Firdausy on 2024/09/05 14:24

From 30.1 to 30.2 From 48.1 to 49.1

From version 30.2

edited by Erik Bakker
on 2022/06/10 13:23

Change comment: Update document after refactoring.

To version 48.1

edited by Danniar Firdausy
on 2024/09/04 10:40

Change comment: There is no comment for this version

Raw
Rendered

Summary

Page properties (3 modified, 0 added, 0 removed)

Details

Page properties

Title

@@ -1,1 +1,1 @@
--novice-file-based-connectivity-characterset
++Securing your SOAP Webservice

Author

@@ -1,1 +1,1 @@
--XWiki.ebakker
++XWiki.dfirdausy

Content

@@ -1,104 +1,114 @@
  {{container}}{{container layoutStyle="columns"}}(((
--In some cases, you want to treat each unique part of your input file as its message instead of processing the complete file as its message. In this microlearning, we will learn how you can process a (large) file on a per-line basis.
++In this microlearning, we’ll focus on securing your SOAP web service within eMagiz. Proper authentication is crucial to ensure that only authorized clients can access your service. We’ll cover the essentials of setting up authentication, including API key verification. By the end of this session, you'll understand how to configure your SOAP web service to handle client authentication securely. Let’s dive into how you can effectively set up and manage these security features.
--Should you have any questions, please contact [[academy@emagiz.com>>mailto:academy@emagiz.com]].
++Should you have any questions, please contact academy@emagiz.com.
--* Last update: May 31th, 2021
--* Required reading time: 7 minutes
--
  == 1. Prerequisites ==
--
  * Basic knowledge of the eMagiz platform
  == 2. Key concepts ==
++This microlearning centers around configuring your SOAP web service.
--This microlearning centers around learning how to process an incoming file per line.
++By configuring, we mean: Designing and determining the characteristics of the SOAP web service
--By processing per line, we mean: Splitting up the input into discernable pieces that each will become a unique message
++Crucial parts in the configuration are:
++* Operation Name
++* SOAP Webservice Namespace
++* Validation
++* Authentication
--* Easy way of reading a file line by line and sending it to eMagiz (Low on memory)
--* Ability to process each line based on distinctive logic that is relevant on line level
--* Can be used for flat file as well as XML input files
++Of these four points, we will zoom in on the authentication part of our SOAP Webservice in this microlearning.
--== 3. Processing a File per Line ==
++== 3. Securing your SOAP Webservice ==
--In some cases, you want to treat each unique part of your input file as its message instead of processing the complete file as its message. In this microlearning, we will learn how you can process a (large) file on a per-line basis.
++When setting up a point at which your customers can talk to you eMagiz offers various methods of creating such a point. One of those options is by hosting a SOAP Webservice in eMagiz that handles XML messages asynchronously or synchronously. In this microlearning, we will zoom in on the part that security plays on a client level when hosting a SOAP web service.
--To make this work in eMagiz you need to navigate to the Create phase of eMagiz and open the entry flow in which you want to retrieve the file to a certain location. Within the context of this flow, we need to add functionality that will ensure that each line is read and processed separately and will become its unique message. To do so first enter "Start Editing" mode on flow level. After you have done so please add a file item reader message source to the flow. We will use this component to read and process our input file on a per-line basis.
++Crucial parts in the configuration are:
++* Operation Name
++* SOAP Webservice Namespace
++* Validation
++* Authentication
--The first step would be to define the directory from which we read our messages. As always reference to the directory with the help of a property.
++Of these four points, we will zoom in on the authentication part of our SOAP Webservice in this microlearning. When hosting your SOAP web service in the eMagiz Cloud the endpoint will be HTTPS secured on default. If you want to mimic the same result for an on-premise environment you should define the valid SSL settings, as explained in this [[Q&A>>https://my.emagiz.com/p/question/172825635700357186||target="blank"]].
--[[image:Main.Images.Microlearning.WebHome@novice-file-based-connectivity-processing-a-file-per-line--file-item-reader-directory.png]]
++Apart from that aspect of security, we should also consider how clients that call the SOAP Web service will authenticate themselves upon entry. Within eMagiz, we advise a two-step approach. Each client that wants to call your SOAP Webservice should:
--Secondly, just as when reading the file as a whole ensure that you use a filter to retrieve only the correct files from the directory.
++* Send along a client certificate
++* Send along an API key in a SOAP Header that references to the word apiKey (i.e. apiKey)
--=== 3.1 Item reader Type ===
++To verify both parts some configuration is needed. The first aspect, checking for a valid client certificate is done on cloud level. For more information on how to exactly configure this please take a look at the  [[Securing a hosted web service with certificates in the eMagiz Cloud>>Main.eMagiz Academy.Microlearnings.Intermediate Level.Securing Data Traffic.intermediate-securing-your-data-traffic-securing-a-hosted-webservice-with-certificates-in-the-emagiz-cloud||target="blank"]] microlearning.
--Now it is time to select our Item reader Type. As the help text of the eMagiz component suggest there are two choices with this component. The first (and most frequently used) option is the Flat file item reader. With this option, you can read each line within the flat file input file and output is at a separate message. The second option is called the Stax event item reader. With this option, you can read your input XML and output messages on a per-record basis.
++In this microlearning, we will focus on the second part of the configuration.
--[[image:Main.Images.Microlearning.WebHome@novice-file-based-connectivity-processing-a-file-per-line--item-reader-type-options.png]]
++=== 3.1 API Key verification ===
--Based on your choice the exact configuration will differ.
++To verify whether the client has sent a valid API Key we need to change the configuration within the entry flow in the Create phase of eMagiz. The configuration consists of three steps:
--==== 3.1.1 Stax Event Item Reader ====
++* Get value from SOAP Header
++* Check value against a list
++* Respond based on results
--For the Stax event item reader, you need to define the name of the element on which you want to split the XML and define whether you want to throw an error in case no such element exists in the input file (By (de)selecting the option Strict). The default setting of eMagiz is advisable for this option.
++==== 3.1.1 Get value from SOAP Header ====
--[[image:Main.Images.Microlearning.WebHome@novice-file-based-connectivity-processing-a-file-per-line--stax-event-item-reader-config.png]]
++Let us move to the entry flow by going to the Create phase of eMagiz, opening the correct flow, and entering "Start Editing" mode. After you have done so we need to add a support object to the flow. The support we need is called 'Complex SOAP header mapper'. In this component, we need the bottom section.
--==== 3.1.2 Flat File Item Reader ====
++[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--complex-soap-header-mapper.png]]
--For the Flat File item reader, there are some more choices and configurations to be made. There are three options you can choose from:
--- Pass through line mapper
--- Default line mapper
--- Pattern matching composite line mapper
++Here we define a new header by entering a name and a valid XPath expression.
--Each of these options has some advantages and disadvantages. Adhering to the best practices of eMagiz (i.e. no transformation in the entry) the best option would be to use the pass-through line mapper. As the name suggests this option does nothing except give a string back to the flow on a per line basis. However, choosing this option means that the actual transformation from that string to XML needs to happen later in the process (most likely in the onramp) with the help of a flat-file to XML transformer (more on that component in a later course).
++[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--complex-soap-header-mapper-config.png]]
--The other two options transform the input line into an XML output. So you win one step in the process. However, no standard eMagiz error handling is advisable when you start transforming data within the entry. So in case, something goes wrong to analyze the error will become more difficult. Furthermore, another potential disadvantage is that when one line fails the processing of the rest of the file also halts.
++When you are satisfied you can press Save twice to store the support object. After we have configured the support object we need to link it to our web service inbound gateway. To do so open the component, navigate to the advanced tab and select the Header mapper you have just created.
--For the remainder of this microlearning, we will assume that the option pass through line mapper is chosen.
++[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--link-complex-soap-header-mapper.png]]
--[[image:Main.Images.Microlearning.WebHome@novice-file-based-connectivity-processing-a-file-per-line--flat-file-item-reader-passthrough.png]]
++==== 3.1.2 Check value against list ====
--As you can see on the Basic level we are done. However, it is always good to check out the settings on the Advanced tab, especially in this case, to see if there are additional configuration options that could benefit us. The setting of most interest, in this case, is the Lines to Skip setting (default setting is 0). With this setting, you can define whether or not you want to process the header line(s) that exists within your input file. The remainder of the settings is (in most cases) good the way eMagiz has set them up.
++Now that we placed the value the client has entered in the apiKey SOAP header on our message we can check whether the value exists in a list of predefined valid values. To do add two headers to the standard header enricher component in your flow. The first one ensures that the apiKey is removed from the header (to prevent the API key from being publicly seen by others). The second one searches for the client name that corresponds with the apiKey and returns the name of the client in the header. This search action is done with the help of a SpEL expression, more on that later on. In this case the SpEL expression we use is set up as follows:
--[[image:Main.Images.Microlearning.WebHome@novice-file-based-connectivity-processing-a-file-per-line--flat-file-item-reader-passthrough-advanced.png]]
++{{code}}headers['spwbsrv_apiKey'] != null and {${authentication.api-keys}}.contains(headers.spwbsrv_apiKey) ? {${authentication.tenant-ids}}[{${authentication.api-keys}}.indexOf(headers.spwbsrv_apiKey)] : null{{/code}}
--=== 3.2 Poller ===
++With this SpEL expression, we check whether there is an API key and whether that apiKey can be found in a predefined list. If so we search for the corresponding name based on the index of where a certain apiKey is within the list. If not the header is not created. Combining this logic in one component should look similar to the following.
--Now that we have selected and configured the item reader type it becomes time to fill in the last part of the configuration, the poller. For polling eMagiz offers three options:
++[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--check-headers.png]]
--- Fixed Delay Trigger
--- Fixed Rate Trigger
--- Cron Trigger
++==== 3.1.3 Respond based on results ====
--Of these options, the cron trigger is used most frequently in eMagiz. The reason being is that you can define this option via a property that you can alter without having to alter the flow version in Create.
++After we have searched for the API key in the list and we have defined the client that is sending the information (or not) we can respond to the client whether or not the client is authorized to call our SOAP web service. To execute this check we first need a standard filter component. In this component, we will check whether the spwbsrv_client header we have just created is not null.
--[[image:Main.Images.Microlearning.WebHome@novice-file-based-connectivity-processing-a-file-per-line--poller-config.png]]
++[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--standard-filter.png]]
--After finishing all these configuration steps we can press Save to save our work and ensure that we can process the input file on a per-line basis.
++If it is indeed not null we can pass the empty message back to the client telling the client that the message was delivered successfully. If the header is null we need to tell the client that he/she is unauthorized to call the operation. To do so we need to add a component called 'custom error message activator'. In this component, we define the message we want to give back to the client in case of an error. In this case, we simply give back 'Unauthorized'.
--== 4. Assignment ==
++[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--custom-error-message.png]]
--Configure an entry in which you define the component and configuration needed to process a file on a per-line basis.
--This assignment can be completed with the help of the (Academy) project that you have created/used in the previous assignment.
++With all this done we have successfully secured our SOAP web service according to the best practices.
--== 5. Key takeaways ==
++== 4. Key takeaways ==
--* Easy way of reading a file line by line and sending it to eMagiz (Low on memory)
--* Ability to process each line based on distinctive logic that is relevant on line level
--* Can be used for flat file as well as XML input files
--* Try to avoid complex transformations within the entry
++* Crucial parts in the configuration are:
++    ** Operation Name
++    ** SOAP Webservice Namespace
++    ** Validation
++    ** Authentication
++* Hosting your SOAP web service in the eMagiz cloud results in standard HTTPS
++* Use a combination of client certificate + API key for authentication
--== 6. Suggested Additional Readings ==
++== 5. Suggested Additional Readings ==
--There are no suggested additional readings on this topic
++* [[Novice (Menu)>>doc:Main.eMagiz Academy.Microlearnings.Novice.WebHome||target="blank"]]
++** [[SOAP Web service Connectivity (Navigation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.WebHome||target="blank"]]
++*** [[Configure your SOAP web service (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.novice-soap-webservice-connectivity-configure-your-soap-webservice-gen3.WebHome||target="blank"]]
++*** [[Validate Incoming Messages (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.novice-soap-webservice-connectivity-validate-incoming-messages-gen3.WebHome||target="blank"]]
++*** [[Endpoint Check (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.novice-soap-webservice-connectivity-endpoint-check-gen3.WebHome||target="blank"]]
++*** [[SOAP Headers (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.novice-soap-webservice-connectivity-soap-headers||target="blank"]]
++*** [[Calling a SOAP Web service (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.novice-soap-webservice-connectivity-calling-a-soap-webservice||target="blank"]]
++*** [[Authorization - Calling a SOAP Webservice (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.novice-soap-webservice-connectivity-authorization-calling-a-soap-webservice||target="blank"]]
++* [[Intermediate (Menu)>>doc:Main.eMagiz Academy.Microlearnings.Intermediate Level.WebHome||target="blank"]]
++** [[SOAP Web service Connectivity (Navigation)>>doc:Main.eMagiz Academy.Microlearnings.Intermediate Level.SOAP Web service Connectivity.WebHome||target="blank"]]
++* [[Expert (Menu)>>doc:Main.eMagiz Academy.Microlearnings.Expert Level.WebHome||target="blank"]]
++** [[Webservice Security (Menu)>>doc:Main.eMagiz Academy.Microlearnings.Expert Level.Webservice Security.WebHome||target="blank"]]
++* [[SOAP Web service (Search Result)>>url:https://docs.emagiz.com/bin/view/Main/Search?sort=score&sortOrder=desc&highlight=true&facet=true&r=1&f_space_facet=0%2FMain.&f_type=DOCUMENT&f_locale=en&f_locale=&f_locale=en&text=%22soap+web+service%22||target="blank"]]
--== 7. Silent demonstration video ==
--This video demonstrates how you could have handled the assignment and gives you some context on what you have just learned.
--
--{{video attachment="novice-file-based-connectivity-processing-a-file-per-line.mp4" reference="Main.Videos.Microlearning.WebHome"/}}
--
  )))((({{toc/}}))){{/container}}{{/container}}