Skip to Content
Last modified by Danniar Firdausy on 2024/09/05 14:24
From version 45.1
edited by Carlijn Kokkeler
on 2024/08/23 14:20
Change comment: There is no comment for this version
To version 37.1
edited by Erik Bakker
on 2022/06/12 09:37
Change comment: There is no comment for this version

Summary

Details

Page properties
Title
... ... @@ -1,1 +1,1 @@
1 -Securing your SOAP Webservice
1 +SOAP Headers
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.CarlijnKokkeler
1 +XWiki.ebakker
Content
... ... @@ -1,113 +1,69 @@
1 1  {{container}}{{container layoutStyle="columns"}}(((
2 -In this microlearning, we’ll focus on securing your SOAP web service within eMagiz. Proper authentication is crucial to ensure that only authorized clients can access your service. We’ll cover the essentials of setting up authentication, including API key verification. By the end of this session, you'll understand how to configure your SOAP web service to handle client authentication securely. Let’s dive into how you can effectively set up and manage these security features.
2 +When communicating via SOAP web service calls it can happen that an exchange of data needs to happen between the message headers on your message and the SOAP headers. In this microlearning, we will learn about this exchange in both directions. SOAP Headers are headers within a SOAP Envelope that can be used to communicate metadata or authentication information between parties.
3 3  
4 4  Should you have any questions, please contact academy@emagiz.com.
5 5  
6 +* Last update: June 10th, 2021
7 +* Required reading time: 5 minutes
8 +
6 6  == 1. Prerequisites ==
7 7  * Basic knowledge of the eMagiz platform
8 8  
9 9  == 2. Key concepts ==
10 -This microlearning centers around configuring your SOAP web service.
13 +This microlearning centers around SOAP Headers.
11 11  
12 -By configuring, we mean: Designing and determining the characteristics of the SOAP web service
15 +By SOAP Headers, we mean: headers within a SOAP Envelope that can be used to communicate metadata or authentication information between parties
13 13  
14 -Crucial parts in the configuration are:
15 -* Operation Name
16 -* SOAP Webservice Namespace
17 -* Validation
18 -* Authentication
17 +You can exchange data from:
18 +* SOAP Header to Message Header
19 +* Message Header to SOAP Header
19 19  
20 -Of these four points, we will zoom in on the authentication part of our SOAP Webservice in this microlearning.
21 +In both cases ensure that the correct information is exchanged.
22 +
23 +== 3. SOAP Headers ==
21 21  
22 -== 3. Securing your SOAP Webservice ==
25 +When communicating via SOAP web service calls it can happen that an exchange of data needs to happen between the message headers on your message and the SOAP headers. In this microlearning, we will learn about this exchange in both directions. SOAP Headers are headers within a SOAP Envelope that can be used to communicate metadata or authentication information between parties.
23 23  
24 -When setting up a point at which your customers can talk to you eMagiz offers various methods of creating such a point. One of those options is by hosting a SOAP Webservice in eMagiz that handles XML messages asynchronously or synchronously. In this microlearning, we will zoom in on the part that security plays on a client level when hosting a SOAP web service.
27 +You can exchange data from:
28 +* SOAP Header to Message Header
29 +* Message Header to SOAP Header
25 25  
26 -Crucial parts in the configuration are:
27 -* Operation Name
28 -* SOAP Webservice Namespace
29 -* Validation
30 -* Authentication
31 +In both cases ensure that the correct information is exchanged.
31 31  
32 -Of these four points, we will zoom in on the authentication part of our SOAP Webservice in this microlearning. When hosting your SOAP web service in the eMagiz Cloud the endpoint will be HTTPS secured on default. If you want to mimic the same result for an on-premise environment you should define the valid SSL settings, as explained in this [[Q&A>>https://my.emagiz.com/p/question/172825635700357186||target="blank"]].
33 +In a previous microlearning, we already discussed one aspect of this. As you probably recall from our microlearning on [Securing your SOAP Webservice](novice-soap-web service-connectivity-securing-your-soap-webservice.md) we needed to exchange data between the SOAP header that our client was sending and a message header on the message so we could check whether or not the client was authorized to call the operation.
33 33  
34 -Apart from that aspect of security, we should also consider how clients that call the SOAP Web service will authenticate themselves upon entry. Within eMagiz, we advise a two-step approach. Each client that wants to call your SOAP Webservice should:
35 +In that microlearning, we also discussed the component that we need for this. The 'complex SOAP header mapper'.
35 35  
36 -* Send along a client certificate
37 -* Send along an API key in a SOAP Header that references to the word apiKey (i.e. apiKey)
37 +[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-soap-headers--complex-soap-header-mapper.png]]
38 38  
39 -To verify both parts some configuration is needed. The first aspect, checking for a valid client certificate is done on cloud level. For more information on how to exactly configure this please take a look at the microlearning [Securing a hosted web service with certificates in the eMagiz Cloud](intermediate-securing-your-data-traffic-securing-a-hosted-webservice-with-certificates-in-the-emagiz-cloud.md).
39 +As you can see you can map from and to message headers with regards to the SOAP Headers. As we already discussed the first scenario in an earlier microlearning I will for now continue with the other scenario. This scenario is mainly needed when eMagiz calls a SOAP web service that is hosted by an external party. Since we would normally do this in an exit (gate/flow) let us open such an exit in eMagiz and enter "Start Editing" mode.
40 40  
41 -In this microlearning, we will focus on the second part of the configuration.
41 +The first step we need to take is to ensure that the information that we need to send to the SOAP web service in question (in this a unique reference number) is available in a message header. This can be done by verifying in all steps that preceded before the message entered the exit whether or not this piece of information was already added to a message header. In this case, we assume that this is the case since we want to focus on the 'complex SOAP header mapper' component and its relation to the web services outbound gateway. To correctly exchange data from a message header to a SOAP header we need to define a valid SpEL expression. See the help text of the component for a suggestion of what a valid SpEL expression is. The key part in this is knowing how the external party wants to receive the header(s) and how you (or one of your colleagues) has named the message header. When you have those two information elements you can write the correct expression. The result should be something as follows:
42 42  
43 -=== 3.1 API Key verification ===
43 +[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-soap-headers--mapping-from-message-header.png]]
44 44  
45 -To verify whether the client has sent a valid API Key we need to change the configuration within the entry flow in the Create phase of eMagiz. The configuration consists of three steps:
45 +Once you are satisfied you can press Save and link the support object to the web service outbound gateway.
46 46  
47 -* Get value from SOAP Header
48 -* Check value against a list
49 -* Respond based on results
47 +With this information, you can place SOAP Headers on message headers and vice versa every time you need it.
50 50  
51 -==== 3.1.1 Get value from SOAP Header ====
49 +== 4. Assignment ==
52 52  
53 -Let us move to the entry flow by going to the Create phase of eMagiz, opening the correct flow, and entering "Start Editing" mode. After you have done so we need to add a support object to the flow. The support we need is called 'Complex SOAP header mapper'. In this component, we need the bottom section.
51 +Call an external web service and send along some SOAP Headers.
52 +This assignment can be completed with the help of the (Academy) project that you have created/used in the previous assignment.
54 54  
55 -[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--complex-soap-header-mapper.png]]
54 +== 5. Key takeaways ==
56 56  
57 -Here we define a new header by entering a name and a valid XPath expression.
56 +* You can exchange data from:
57 + ** SOAP Header to Message Header
58 + ** Message Header to SOAP Header
59 +* You need the SOAP structure and the message header name to make it work
58 58  
59 -[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--complex-soap-header-mapper-config.png]]
61 +== 6. Suggested Additional Readings ==
60 60  
61 -When you are satisfied you can press Save twice to store the support object. After we have configured the support object we need to link it to our web service inbound gateway. To do so open the component, navigate to the advanced tab and select the Header mapper you have just created.
63 +If you are interested in this topic and want more information on it please read the help text provided by eMagiz.
62 62  
63 -[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--link-complex-soap-header-mapper.png]]
65 +== 7. Silent demonstration video ==
64 64  
65 -==== 3.1.2 Check value against list ====
67 +{{video attachment="novice-soap-webservice-connectivity-soap-headers.mp4" reference="Main.Videos.Microlearning.WebHome"/}}
66 66  
67 -Now that we placed the value the client has entered in the apiKey SOAP header on our message we can check whether the value exists in a list of predefined valid values. To do add two headers to the standard header enricher component in your flow. The first one ensures that the apiKey is removed from the header (to prevent the API key from being publicly seen by others). The second one searches for the client name that corresponds with the apiKey and returns the name of the client in the header. This search action is done with the help of a SpEL expression, more on that later on. In this case the SpEL expression we use is set up as follows:
68 -
69 -{{code}}headers['spwbsrv_apiKey'] != null and {${authentication.api-keys}}.contains(headers.spwbsrv_apiKey) ? {${authentication.tenant-ids}}[{${authentication.api-keys}}.indexOf(headers.spwbsrv_apiKey)] : null{{/code}}
70 -
71 -With this SpEL expression, we check whether there is an API key and whether that apiKey can be found in a predefined list. If so we search for the corresponding name based on the index of where a certain apiKey is within the list. If not the header is not created. Combining this logic in one component should look similar to the following.
72 -
73 -[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--check-headers.png]]
74 -
75 -==== 3.1.3 Respond based on results ====
76 -
77 -After we have searched for the API key in the list and we have defined the client that is sending the information (or not) we can respond to the client whether or not the client is authorized to call our SOAP web service. To execute this check we first need a standard filter component. In this component, we will check whether the spwbsrv_client header we have just created is not null.
78 -
79 -[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--standard-filter.png]]
80 -
81 -If it is indeed not null we can pass the empty message back to the client telling the client that the message was delivered successfully. If the header is null we need to tell the client that he/she is unauthorized to call the operation. To do so we need to add a component called 'custom error message activator'. In this component, we define the message we want to give back to the client in case of an error. In this case, we simply give back 'Unauthorized'.
82 -
83 -[[image:Main.Images.Microlearning.WebHome@novice-soap-webservice-connectivity-securing-your-soap-webservice--custom-error-message.png]]
84 -
85 -With all this done we have successfully secured our SOAP web service according to the best practices.
86 -
87 -== 4. Key takeaways ==
88 -
89 -* Crucial parts in the configuration are:
90 - ** Operation Name
91 - ** SOAP Webservice Namespace
92 - ** Validation
93 - ** Authentication
94 -* Hosting your SOAP web service in the eMagiz cloud results in standard HTTPS
95 -* Use a combination of client certificate + API key for authentication
96 -
97 -== 5. Suggested Additional Readings ==
98 -
99 -* [[Novice (Menu)>>doc:Main.eMagiz Academy.Microlearnings.Novice.WebHome||target="blank"]]
100 -** [[SOAP Web service Connectivity (Navigation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.WebHome||target="blank"]]
101 -*** [[Configure your SOAP web service (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.novice-soap-webservice-connectivity-configure-your-soap-webservice-gen3.WebHome||target="blank"]]
102 -*** [[Validate Incoming Messages (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.novice-soap-webservice-connectivity-validate-incoming-messages-gen3.WebHome||target="blank"]]
103 -*** [[Endpoint Check (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.novice-soap-webservice-connectivity-endpoint-check-gen3.WebHome||target="blank"]]
104 -*** [[SOAP Headers (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.novice-soap-webservice-connectivity-soap-headers||target="blank"]]
105 -*** [[Calling a SOAP Web service (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.novice-soap-webservice-connectivity-calling-a-soap-webservice||target="blank"]]
106 -*** [[Authorization - Calling a SOAP Webservice (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.SOAP Web service Connectivity.novice-soap-webservice-connectivity-authorization-calling-a-soap-webservice||target="blank"]]
107 -* [[Intermediate (Menu)>>doc:Main.eMagiz Academy.Microlearnings.Intermediate Level.WebHome||target="blank"]]
108 -** [[SOAP Web service Connectivity (Navigation)>>doc:Main.eMagiz Academy.Microlearnings.Intermediate Level.SOAP Web service Connectivity.WebHome||target="blank"]]
109 -* [[Expert (Menu)>>doc:Main.eMagiz Academy.Microlearnings.Expert Level.WebHome||target="blank"]]
110 -** [[Webservice Security (Menu)>>doc:Main.eMagiz Academy.Microlearnings.Expert Level.Webservice Security.WebHome||target="blank"]]
111 -
112 -
113 113  )))((({{toc/}}))){{/container}}{{/container}}