Skip to Content
Last modified by Danniar Firdausy on 2024/09/05 14:24
From version 44.1
edited by Carlijn Kokkeler
on 2024/08/21 16:30
Change comment: There is no comment for this version
To version 38.1
edited by Erik Bakker
on 2022/06/12 09:38
Change comment: There is no comment for this version

Summary

Details

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.CarlijnKokkeler
1 +XWiki.ebakker
Content
... ... @@ -3,6 +3,9 @@
3 3  
4 4  Should you have any questions, please contact academy@emagiz.com.
5 5  
6 +* Last update: June 10th, 2021
7 +* Required reading time: 7 minutes
8 +
6 6  == 1. Prerequisites ==
7 7  * Basic knowledge of the eMagiz platform
8 8  
... ... @@ -18,7 +18,7 @@
18 18  * Authentication
19 19  
20 20  Of these four points, we will zoom in on the authentication part of our SOAP Webservice in this microlearning.
21 -
24 +
22 22  == 3. Securing your SOAP Webservice ==
23 23  
24 24  When setting up a point at which your customers can talk to you eMagiz offers various methods of creating such a point. One of those options is by hosting a SOAP Webservice in eMagiz that handles XML messages asynchronously or synchronously. In this microlearning, we will zoom in on the part that security plays on a client level when hosting a SOAP web service.
... ... @@ -29,7 +29,7 @@
29 29  * Validation
30 30  * Authentication
31 31  
32 -Of these four points, we will zoom in on the authentication part of our SOAP Webservice in this microlearning. When hosting your SOAP web service in the eMagiz Cloud the endpoint will be HTTPS secured on default. If you want to mimic the same result for an on-premise environment you should define the valid SSL settings, as explained in this [[Q&A>>https://my.emagiz.com/p/question/172825635700357186||target="blank"]].
35 +Of these four points, we will zoom in on the authentication part of our SOAP Webservice in this microlearning. When hosting your SOAP web service in the eMagiz Cloud the endpoint will be HTTPS secured on default. If you want to mimic the same result for an on-premise environment you should define the valid SSL settings (https://my.emagiz.com/p/question/172825635700357186).
33 33  
34 34  Apart from that aspect of security, we should also consider how clients that call the SOAP Web service will authenticate themselves upon entry. Within eMagiz, we advise a two-step approach. Each client that wants to call your SOAP Webservice should:
35 35  
... ... @@ -64,10 +64,8 @@
64 64  
65 65  ==== 3.1.2 Check value against list ====
66 66  
67 -Now that we placed the value the client has entered in the apiKey SOAP header on our message we can check whether the value exists in a list of predefined valid values. To do add two headers to the standard header enricher component in your flow. The first one ensures that the apiKey is removed from the header (to prevent the API key from being publicly seen by others). The second one searches for the client name that corresponds with the apiKey and returns the name of the client in the header. This search action is done with the help of a SpEL expression, more on that later on. In this case the SpEL expression we use is set up as follows:
70 +Now that we placed the value the client has entered in the apiKey SOAP header on our message we can check whether the value exists in a list of predefined valid values. To do add two headers to the standard header enricher component in your flow. The first one ensures that the apiKey is removed from the header (to prevent the API key from being publicly seen by others). The second one searches for the client name that corresponds with the apiKey and returns the name of the client in the header. This search action is done with the help of a SpEL expression, more on that later on. In this case the SpEL expression we use is set up as follows: headers['spwbsrv_apiKey'] != null and {${authentication.api-keys}}.contains(headers.spwbsrv_apiKey) ? {${authentication.tenant-ids}}[{${authentication.api-keys}}.indexOf(headers.spwbsrv_apiKey)] : null
68 68  
69 -{{code}}headers['spwbsrv_apiKey'] != null and {${authentication.api-keys}}.contains(headers.spwbsrv_apiKey) ? {${authentication.tenant-ids}}[{${authentication.api-keys}}.indexOf(headers.spwbsrv_apiKey)] : null{{/code}}
70 -
71 71  With this SpEL expression, we check whether there is an API key and whether that apiKey can be found in a predefined list. If so we search for the corresponding name based on the index of where a certain apiKey is within the list. If not the header is not created. Combining this logic in one component should look similar to the following.
72 72  
73 73  [[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--check-headers.png]]
... ... @@ -84,8 +84,13 @@
84 84  
85 85  With all this done we have successfully secured our SOAP web service according to the best practices.
86 86  
87 -== 4. Key takeaways ==
88 +== 4. Assignment ==
88 88  
90 +Secure a SOAP web service to confirm the outlined approach above. Focus on the apiKey part.
91 +This assignment can be completed with the help of the (Academy) project that you have created/used in the previous assignment.
92 +
93 +== 5. Key takeaways ==
94 +
89 89  * Crucial parts in the configuration are:
90 90   ** Operation Name
91 91   ** SOAP Webservice Namespace
... ... @@ -94,20 +94,12 @@
94 94  * Hosting your SOAP web service in the eMagiz cloud results in standard HTTPS
95 95  * Use a combination of client certificate + API key for authentication
96 96  
97 -== 5. Suggested Additional Readings ==
103 +== 6. Suggested Additional Readings ==
98 98  
99 -* [[Novice (Menu)>>doc:Main.eMagiz Academy.Microlearnings.Novice.WebHome||target="blank"]]
100 -** [[SOAP Web service Connectivity (Navigation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.WebHome||target="blank"]]
101 -*** [[Configure your SOAP web service (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.novice-soap-webservice-connectivity-configure-your-soap-webservice-gen3.WebHome||target="blank"]]
102 -*** [[Validate Incoming Messages (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.novice-soap-webservice-connectivity-validate-incoming-messages-gen3.WebHome||target="blank"]]
103 -*** [[Endpoint Check (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.novice-soap-webservice-connectivity-endpoint-check-gen3.WebHome||target="blank"]]
104 -*** [[SOAP Headers (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.novice-soap-webservice-connectivity-soap-headers||target="blank"]]
105 -*** [[Calling a SOAP Web service (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.novice-soap-webservice-connectivity-calling-a-soap-webservice||target="blank"]]
106 -*** [[Authorization - Calling a SOAP Webservice (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.novice-soap-webservice-connectivity-authorization-calling-a-soap-webservice||target="blank"]]
107 -* [[Intermediate (Menu)>>doc:Main.eMagiz Academy.Microlearnings.Intermediate Level.WebHome||target="blank"]]
108 -** [[SOAP Web service Connectivity (Navigation)>>doc:Main.eMagiz Academy.Microlearnings.Intermediate Level.SOAP Web service Connectivity.WebHome||target="blank"]]
109 -* [[Expert (Menu)>>doc:Main.eMagiz Academy.Microlearnings.Expert Level.WebHome||target="blank"]]
110 -** [[Webservice Security (Menu)>>doc:Main.eMagiz Academy.Microlearnings.Expert Level.Webservice Security.WebHome||target="blank"]]
105 +If you are interested in this topic and want more information on it please read the help text provided by eMagiz.
111 111  
107 +== 7. Silent demonstration video ==
112 112  
109 +{{video attachment="novice-soap-webservice-connectivity-securing-your-soap-webservice.mp4" reference="Main.Videos.Microlearning.WebHome"/}}
110 +
113 113  )))((({{toc/}}))){{/container}}{{/container}}