Changes for page Securing your SOAP Webservice

Last modified by Danniar Firdausy on 2024/09/05 14:24

From 40.1 to 39.1 From 44.1 to 43.1

From version 43.1

edited by Carlijn Kokkeler
on 2024/08/21 16:29

Change comment: There is no comment for this version

To version 40.1

edited by Erik Bakker
on 2023/01/23 08:28

Change comment: There is no comment for this version

Raw
Rendered

Summary

Page properties (2 modified, 0 added, 0 removed)

Details

Page properties

Author

@@ -1,1 +1,1 @@
--XWiki.CarlijnKokkeler
++XWiki.ebakker

Content

@@ -64,10 +64,8 @@
  ==== 3.1.2 Check value against list ====
--Now that we placed the value the client has entered in the apiKey SOAP header on our message we can check whether the value exists in a list of predefined valid values. To do add two headers to the standard header enricher component in your flow. The first one ensures that the apiKey is removed from the header (to prevent the API key from being publicly seen by others). The second one searches for the client name that corresponds with the apiKey and returns the name of the client in the header. This search action is done with the help of a SpEL expression, more on that later on. In this case the SpEL expression we use is set up as follows:
++Now that we placed the value the client has entered in the apiKey SOAP header on our message we can check whether the value exists in a list of predefined valid values. To do add two headers to the standard header enricher component in your flow. The first one ensures that the apiKey is removed from the header (to prevent the API key from being publicly seen by others). The second one searches for the client name that corresponds with the apiKey and returns the name of the client in the header. This search action is done with the help of a SpEL expression, more on that later on. In this case the SpEL expression we use is set up as follows: headers['spwbsrv_apiKey'] != null and {${authentication.api-keys}}.contains(headers.spwbsrv_apiKey) ? {${authentication.tenant-ids}}[{${authentication.api-keys}}.indexOf(headers.spwbsrv_apiKey)] : null
--{{code}}headers['spwbsrv_apiKey'] != null and {${authentication.api-keys}}.contains(headers.spwbsrv_apiKey) ? {${authentication.tenant-ids}}[{${authentication.api-keys}}.indexOf(headers.spwbsrv_apiKey)] : null{{/code}}
--
  With this SpEL expression, we check whether there is an API key and whether that apiKey can be found in a predefined list. If so we search for the corresponding name based on the index of where a certain apiKey is within the list. If not the header is not created. Combining this logic in one component should look similar to the following.
  [[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--check-headers.png]]
@@ -84,8 +84,13 @@
  With all this done we have successfully secured our SOAP web service according to the best practices.
--== 4. Key takeaways ==
++== 4. Assignment ==
++Secure a SOAP web service to confirm the outlined approach above. Focus on the apiKey part.
++This assignment can be completed with the help of the (Academy) project that you have created/used in the previous assignment.
++
++== 5. Key takeaways ==
++
  * Crucial parts in the configuration are:
      ** Operation Name
      ** SOAP Webservice Namespace
@@ -94,20 +94,12 @@
  * Hosting your SOAP web service in the eMagiz cloud results in standard HTTPS
  * Use a combination of client certificate + API key for authentication
--== 5. Suggested Additional Readings ==
++== 6. Suggested Additional Readings ==
--* [[Novice (Menu)>>doc:Main.eMagiz Academy.Microlearnings.Novice.WebHome||target="blank"]]
--** [[SOAP Web service Connectivity (Navigation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.WebHome||target="blank"]]
--*** [[Configure your SOAP web service (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.novice-soap-webservice-connectivity-configure-your-soap-webservice-gen3||target="blank"]]
--*** [[Validate Incoming Messages (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.novice-soap-webservice-connectivity-validate-incoming-messages-gen3.WebHome||target="blank"]]
--*** [[Endpoint Check (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.novice-soap-webservice-connectivity-endpoint-check-gen3.WebHome||target="blank"]]
--*** [[SOAP Headers (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.novice-soap-webservice-connectivity-soap-headers||target="blank"]]
--*** [[Calling a SOAP Web service (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.novice-soap-webservice-connectivity-calling-a-soap-webservice||target="blank"]]
--*** [[Authorization - Calling a SOAP Webservice (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.novice-soap-webservice-connectivity-authorization-calling-a-soap-webservice||target="blank"]]
--* [[Intermediate (Menu)>>doc:Main.eMagiz Academy.Microlearnings.Intermediate Level.WebHome||target="blank"]]
--** [[SOAP Web service Connectivity (Navigation)>>doc:Main.eMagiz Academy.Microlearnings.Intermediate Level.SOAP Web service Connectivity.WebHome||target="blank"]]
--* [[Expert (Menu)>>doc:Main.eMagiz Academy.Microlearnings.Expert Level.WebHome||target="blank"]]
--** [[Webservice Security (Menu)>>doc:Main.eMagiz Academy.Microlearnings.Expert Level.Webservice Security.WebHome||target="blank"]]
++If you are interested in this topic and want more information on it please read the help text provided by eMagiz.
++== 7. Silent demonstration video ==
++{{video attachment="novice-soap-webservice-connectivity-securing-your-soap-webservice.mp4" reference="Main.Videos.Microlearning.WebHome"/}}
++
  )))((({{toc/}}))){{/container}}{{/container}}