security and request/response format in RESTFUL web services
Hi, All,

I am trying to use axis2/c to develop a web service client that will consume RESTFUL web services. I have the following questions:

(1) What security mechanisms are supported for consuming restful web services? BASIC authentication (both plainText and Digest)? HTTPS/SSL? and anything else? I assume WS-security does not apply here, right?

(2) I also wonder what the format of the request and response has to be for consuming RESTFUL web services? Do they have to be in XML format (including html)? Or can they be just anything, like a plaintext string or even empty? It seems to me that at least in HTTP GET, all you need is a URL that points to the resource; you really don't need anything in the payload.

(3) I am wondering if AXIS2/c can deal with a request with no payload, and in the case of a plainText string in the request and response, what the payload is going to look like. The examples I read from the axis2/c distribution all suggest that an XML format (there are XML tags) is assumed for the payload. Is this assumption correct?

Thanks!
Vivian
RE: HTTPS/SSL through proxy server does not work!
Hi guys,

I am wondering if anyone can give me some help on this. I debugged the axis2/c library and it seems that all went well, but when it tried to get the status_code from the response I am getting 403. The following two lines are from http_sender.c:

===
    status_code = axis2_http_client_send (sender->client, env, request, ssl_pp, msg_ctx);
    status_code = axis2_http_client_recieve_header (sender->client, env, AXIS2_TRUE);
===

From the first line, the status_code is 1, but from the second line, it is 403. The http status code 403 usually means that the connection/communication is established, but the server refused to respond for some reason. So I am suspecting if the server cert I created has some problem. But the confusing thing is, using this same server cert but without the proxy server involved, I am fine communicating with the same server through https. It's only when https works together with the proxy that I have the problem.

By the way, I obtained the server cert by using the following command as in the axis2/c manuals:

    openssl s_client -connect serverHost:serverPort

This command only works if NO proxy is involved, otherwise it will fail.

Any suggestions? Thanks much in advance.

Vivian

> Hi All,
>
> I am using axis2/c in my web service client application. I have tested https/ssl through a proxy server and found that it does not work. I have tested the following scenario in my application:
>
> in case of no proxy:
>   job calling http web service: ok
>   job calling https web service: ok
>
> in case of proxy:
>   job calling http web service: ok if <parameter name="PROXY" proxy_host="xyzsrv" proxy_port="8080" proxy_username="" proxy_password="" locked="true"/> is added to the http sender in the axis2.xml
>   job calling https web service: not ok. I tried adding the proxy parameter in http sender, or https sender, or both. No luck.
>
> I browsed through the jira bug repository and noticed that jira issue 1312 (https://issues.apache.org/jira/browse/AXIS2C-1312) has a similar concern (not sure if this is exactly the same issue because my proxy does not need me to pass a username/password).
>
> Thanks!
> Vivian
Re: have to remove patented algorithms (IDEA, MDC2 and RC5) in OpenSSL, will this affect SSL and ws-security?
Yes, I did some debugging, but this seems to be a bug in the axis2/c library. Or maybe I need to do something like call some APIs so that the status will be set and so users can get the status? My question is this: does a user need to specifically do something in order for get_http_status_code to work? If yes, what needs to be done? There doesn't seem to be any info in the documentation.

Thanks!
Vivian

From: Rajika Kumarasiri rajika.kumaras...@gmail.com
To: Apache AXIS C Developers List axis-c-dev@ws.apache.org
Sent: Wednesday, July 15, 2009 7:37:50 PM
Subject: Re: how to get the http status code

Maybe some debugging will help?

Rajika

On Thu, Jul 16, 2009 at 5:45 AM, Vivian Wang vivianwan...@yahoo.com wrote:

> Hi There,
>
> I am using axis2/c to make web service client call, like this:
>
>     axiom_node_t * node = axis2_svc_client_send_receive(_wsf_service_client, _env, payload);
>
> After this, I am trying to use the following API to get the http status code:
>
>     AXIS2_EXTERN int AXIS2_CALL axis2_svc_client_get_http_status_code(axis2_svc_client_t * svc_client, const axutil_env_t * env);
>
> I am expecting 408 for time out, 200 for success. However, I am always getting 0. How do I get the proper status code?
>
> Thanks!
> Vivian
how to get the http status code
Hi There,

I am using axis2/c to make web service client call, like this:

    axiom_node_t * node = axis2_svc_client_send_receive(_wsf_service_client, _env, payload);

After this, I am trying to use the following API to get the http status code:

    AXIS2_EXTERN int AXIS2_CALL axis2_svc_client_get_http_status_code(axis2_svc_client_t * svc_client, const axutil_env_t * env);

I am expecting 408 for time out, 200 for success. However, I am always getting 0. How do I get the proper status code?

Thanks!
Vivian
Help -- Need to figure out what has changed in source code
Hi All,

I am using axis2/c 1.5+ (checked out from trunk roughly one and a half months before the 1.6 release) for a ws client. I built my application first using 1.3. I notice that one piece of my code for freeing resources works fine in 1.3, crashes in 1.5+ and is now working again in 1.6. I need to figure out what caused the crash in 1.5+ and what change made it work again in 1.6, as I am not ready yet to upgrade fully to 1.6. Please help me if you can. Thanks in advance!

Here is the code:

    //freeing resources
    //axiom_output_t* om_output
    if (om_output)
    {
        axiom_output_free(om_output, env);
        om_output = NULL;
    }
    // axis2_svc_client_t* wsf_service_client
    if (wsf_service_client)
    {
        axis2_svc_client_free(wsf_service_client, env);
        wsf_service_client = NULL;
    }
    //axiom_stax_builder_t* om_builder
    if(om_builder)
    {
        axiom_stax_builder_free(om_builder, env);
        om_builder = NULL;
    }
    //axutil_env_t* env
    if (env)
    {
        axutil_env_free((axutil_env_t *) env);
        env = NULL;
    }

I am using axiom_output_t* to serialize the ws reply node (together with xml_write), and using axiom_stax_builder_t* to create the request payload.

Thanks again!
Vivian
WS-Policy support
Hi All,

I am working on using axis2/c to build a web service client. I have a few questions regarding WS-policy support in axis2/c. From the manual on the axis2/c web site, it seems that the WS-policy support is built into axis2/c. I would like to know the following:

(1) Are there any documents regarding how to use WS-policy in axis2/c?

(2) Are there any examples regarding how to use WS-policy in axis2/c?

(3) I have a customer presenting me with a WSDL that contains some policy definitions which are then referenced in operation/binding definitions. Suppose I can parse the WSDL and extract all the policy information; at runtime, how do I use axis2/c to set the related policy in an operation/binding when I create a web service client (using axis2/c)? Any APIs?

The aforementioned WSDL (shortened to contain only related info) is pasted at the end of the message.

Thanks much in advance!
Vivian

===
wsdl:definitions wsp:UsingPolicy wsdl:required=true/ wsp:Policywsu:Id=BN_BN_BatchByIDQueryResponse_Binding wsp:ExactlyOne... /wsp:ExactlyOne /wsp:Policy wsp:Policywsu:Id=IF_IF_BatchByIDQueryResponse_In /wsdl:definitions xyzAdmin:CentralAdministration xmlns:xyzAdmin=http://www.xyz.com/webas/1000/soap/features101/wsp:Optional=true/ /wsp:Policy - wsp:Policywsu:Id=OP_IF_OP_BatchByIDQueryResponse_In xyzcomhnd:enableCommitxmlns:xyzcomhnd=http://www.xyz.com/NW05/soap/features/commit/;false/xyzcomhnd:enableCommit xyzblock:enableBlockingxmlns:xyzblock=http://www.xyz.com/NW05/soap/features/blocking/;true/xyzblock:enableBlocking /wsp:Policy wsdl:types . /wsdl:types ...
wsdl:portTypename=BatchByIDQueryResponse_In wsp:Policy wsp:PolicyReference URI=#IF_IF_BatchByIDQueryResponse_In/ /wsp:Policy wsdl:operationname=BatchByIDQueryResponse_In wsp:Policy wsp:PolicyReference URI=#OP_IF_OP_BatchByIDQueryResponse_In/ /wsp:Policy wsdl:input message=tns:BatchByIDQuery_sync/ wsdl:output message=tns:BatchByIDResponse_sync/ wsdl:fault name=StandardMessageFaultmessage=tns:StandardMessageFault/ /wsdl:operation /wsdl:portType wsdl:bindingname=BatchByIDQueryResponse_Bindingtype=tns:BatchByIDQueryResponse_In wsp:Policy wsp:PolicyReference URI=#BN_BN_BatchByIDQueryResponse_Binding/ /wsp:Policy soap:binding transport=http://schemas.xmlsoap.org/soap/httpstyle=document/ wsdl:operationname=BatchByIDQueryResponse_In soap:operation soapAction=style=document/ wsdl:input soap:body use=literal/ /wsdl:input wsdl:output soap:body use=literal/ /wsdl:output wsdl:faultname=StandardMessageFault soap:fault name=StandardMessageFaultuse=literal/ /wsdl:fault /wsdl:operation /wsdl:binding ..
rampart/c usage get-started questions
Hi There,

I am starting to use rampart/c for ws-security purposes together with axis2/c in a web service client application. I have the following get-me-started questions:

(1) As a web service client, all the security configurations can be done in a policy file, there is no need to programmatically set the security parameters in my source code, all I need to do is to set the policy file location when I create the web service client. Is this right? I am asking this because when I browsed the rampart/c sample source code, I noticed that in some samples like saml_echo, you created a saml assertion and set it into client config, like this:

    assertion = create_saml_assertion(env);
    saml = rampart_saml_token_create(env, assertion, RAMPART_ST_CONFIR_TYPE_SENDER_VOUCHES);
    rampart_saml_token_set_token_type(saml, env, RP_PROPERTY_SIGNED_SUPPORTING_TOKEN);
    rampart_config_add_saml_token(client_config, env, saml);

Can this be done in the policy configuration file so I don't have to do this in my source code?

(2) And vice versa, can all the ws-security parameters be configured programmatically without using a policy file? I think for some applications, this will be more flexible.

(3) When I (the web service client) subscribe to several services from different service providers, can I have multiple policy files with one for each service? And similarly, if one service contains several operations, can I have more than one policy file with one for each operation?

(4) With regard to the ws-security username and password token, there is a parameter called password type, which can be Text or Digest. My question is this: If I choose to specify passwordType as Digest, can the actual password I set be in plainText? I mean in this case will rampart/c convert it into Digest format for me before sending? If I need to provide the Digest format, what algorithm should I use or what tool is available to me?

Thanks in advance for answering my newbie questions.

Vivian
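For question (4), the digest that the OASIS UsernameToken Profile 1.0 defines for passwordType Digest is Base64(SHA-1(nonce + created + password)). The script below is an added example, not code from this thread or from rampart/c; the function names, user name and password are constructed for illustration, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not rampart/c code): WS-Security UsernameToken PasswordDigest.
# Password_Digest = Base64( SHA-1( nonce + created + password ) )
# "nonce" here means the raw bytes, not the Base64 text carried in the message.

# wsse_digest NONCE_B64 CREATED PASSWORD -> prints the Base64 digest
wsse_digest() {
    {
        printf '%s' "$1" | openssl base64 -d -A   # decode nonce to raw bytes
        printf '%s%s' "$2" "$3"                   # append created + password
    } | openssl dgst -sha1 -binary | openssl base64 -A
}

# wsse_token USER PASSWORD -> prints a UsernameToken with a fresh nonce
wsse_token() {
    nonce=$(openssl rand -base64 16)              # 16 random bytes, Base64 text
    created=$(date -u +%Y-%m-%dT%H:%M:%SZ)        # UTC timestamp
    digest=$(wsse_digest "$nonce" "$created" "$2")
    profile="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
    cat <<EOF
<wsse:UsernameToken>
  <wsse:Username>$1</wsse:Username>
  <wsse:Password Type="${profile}#PasswordDigest">$digest</wsse:Password>
  <wsse:Nonce>$nonce</wsse:Nonce>
  <wsu:Created>$created</wsu:Created>
</wsse:UsernameToken>
EOF
}

# wsse_verify NONCE_B64 CREATED RECEIVED_DIGEST KNOWN_PASSWORD
# Receiver side: recompute the digest from the password it holds for the
# user and compare; exit status 0 means the digests match.
wsse_verify() {
    [ "$(wsse_digest "$1" "$2" "$4")" = "$3" ]
}

# Constructed credentials, for illustration only.
wsse_token alice 'constructed-password'
```

Because the receiver recomputes the digest, it has to hold the same cleartext password, and it should reject a nonce it has already seen or a Created value that is too old.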
Re: encountering problem when upgrading Axis2/c from 1.3 to 1.5 - this seems to be a critical bug
This seems to be a critical bug, can we get it fixed as soon as possible? I am sure I will need this very shortly.

Thanks!
V.

From: Gelle, Sreenivasulu sreenivasulu.ge...@sap.com
To: Apache AXIS C Developers List axis-c-dev@ws.apache.org; axis-c-u...@ws.apache.org
Sent: Wednesday, February 4, 2009 3:30:09 PM
Subject: RE: [LIKELY JUNK]RE: [LIKELY JUNK]encountering problem when upgrading Axis2/c from 1.3 to 1.5

From: Gelle, Sreenivasulu [mailto:sreenivasulu.ge...@sap.com]
Sent: Wednesday, February 04, 2009 2:33 PM
To: Apache AXIS C Developers List
Subject: [LIKELY JUNK]RE: [LIKELY JUNK]encountering problem when upgrading Axis2/c from 1.3 to 1.5

Hi All,

Now I narrowed down the problem. The fact that the response I got has left out the root node is because axis2/c does not send over the query string properly (in a different way?) in the http request; the web server (built using AXIS-J 1.4, a bit old I know) actually gets a different request and sends back a different response accordingly.

Here is my situation. The client sends the request to the following end point:

    http://host:8080/products/servlet/webservices?ver=2.0

When I use axis2/c 1.3, it seems that all the information is sent over so that the server side can get the query string ver=2.0 using the following call:

    String queryString = request.getQueryString();

in which request is an HttpServletRequest. But in Axis2/c 1.5, I got a null value for the queryString. Is this a known issue, or is the query parameter sent over differently and I should use a different method to get it?

Thanks!
Srini

From: Gelle, Sreenivasulu [mailto:sreenivasulu.ge...@sap.com]
Sent: Tuesday, February 03, 2009 5:11 PM
To: Apache AXIS C Developers List
Cc: Yuin, Maria
Subject: [LIKELY JUNK]encountering problem when upgrading Axis2/c from 1.3 to 1.5

Hi All,

I am encountering a serious problem upgrading axis2/c from 1.3 to 1.5. Basically, I noticed that in 1.5 the response always leaves out the root node in the soap message. I have the following simplified code snippet:

===
    axiom_node_t * responseNode = axis2_svc_client_send_receive(_wsf_service_client, _env, payload);
    xml_writer = axiom_xml_writer_create_for_memory(_env, NULL, AXIS2_TRUE, 0, AXIS2_XML_PARSER_TYPE_BUFFER);
    om_output = axiom_output_create(_env, xml_writer);
    //add xsi namespace definition, this seems to be a bug in axiom.
    axiom_namespace_t* ns_xsi = axiom_namespace_create(_env, "http://www.w3.org/2001/XMLSchema-instance", "xsi");
    axiom_element_t* node_ele = (axiom_element_t*) axiom_node_get_data_element(responseNode, _env);
    axiom_element_declare_namespace_assume_param_ownership(node_ele, _env, ns_xsi);
    axiom_node_serialize_sub_tree(node, _env, om_output);
    xmlreply = (axis2_char_t*)axiom_xml_writer_get_xml(xml_writer, _env);
===

In Axis2/c 1.3, I used to have a response (xmlreply) like this:

    <localtypes:pingVersion xmlns:localtypes="http://www.xxx.com/yyy/ServerXXX.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><version>Product version 12.2.0.0</version></localtypes:pingVersion>

But in 1.5, I ONLY got the following:

    <version>Product version 12.2.0.0</version>

That is, the root node <localtypes:pingVersion> is somehow missing. Is there anything I am missing, or has the interface changed and I need to call a different method to serialize?

Thanks much!
Srini
does rampart/c depend on algorithms IDEA, MDC2 and RC5 in openSSL
Hi All,

I am using axis2/c to build a web service client application, for which I plan to use rampart/c to provide ws-security support. I understand that rampart/c uses openSSL to do cryptography-related stuff. My question is, to support WS-security, does rampart/c require algorithms IDEA, MDC2 and RC5? My employer requires me to drop these algorithms from openSSL (so I need to build openSSL myself).

Your response is very much appreciated!

Vivian
apache module compilation error
Hi, All,

I am trying to compile the apache axis2/c module, but I am getting the following error (Cannot open include file: 'httpd.h'):

===
apache2_out_transport_info.c
apache2_stream.c
apache2_worker.c
mod_axis2.c
..\..\src\core\transport\http\server\apache2\mod_axis2.c(19) : fatal error C1083 : Cannot open include file: 'httpd.h': No such file or directory
===

I installed Apache Server 2.2, and set the path correctly in the configure file, but the httpd.h is nowhere to be found. I searched all the files in the Apache server folder as well as axis2/c. I downloaded apache server from the following site: http://httpd.apache.org/download.cgi, using the following version (installer):

    Win32 Binary including OpenSSL 0.9.8i (MSI Installer): apache_2.2.10-win32-x86-openssl-0.9.8i.msi

My question is: where should I expect to see the header file httpd.h?

Thanks!
Vivian
Re: What are the configurable ws-security parameters for incoming
The reference https://wso2.org/library/2702 really helps me a lot to understand the configurations. I've got another question though: given one configuration file, how can I configure several connections to different web servers for a single client? Can I have multiple configuration files and one for each connection? I imagine the configuration can be very different between connections to different servers.

Thanks again!
Vivian

> On Wed, 2008-11-05 at 10:30 -0800, Vivian Wang wrote:
> > Thanks! But my question is really this: In WS-Policy, what parameters need to be or can be configured for incoming message (the response message from a client point of view)? I don't see much document in rampart/c site. From a user point of view, I would like to see something like soapUI in which the configurable parameters for WS-security are very clear. Is there anything like that in rampart/c in a configuration file?
>
> https://wso2.org/library/2702
Re: What are the configurable ws-security parameters for incoming message
Thanks! But my question is really this: In WS-Policy, what parameters need to be or can be configured for incoming message (the response message from a client point of view)? I don't see much document in rampart/c site. From a user point of view, I would like to see something like soapUI in which the configurable parameters for WS-security are very clear. Is there anything like that in rampart/c in a configuration file?

Thanks again!
Vivian

--- On Tue, 11/4/08, Samisa Abeysinghe [EMAIL PROTECTED] wrote:

From: Samisa Abeysinghe [EMAIL PROTECTED]
Subject: Re: What are the configurable ws-security parameters for incoming message
To: Apache AXIS C Developers List axis-c-dev@ws.apache.org
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
Date: Tuesday, November 4, 2008, 10:59 PM

> Rampart/C makes use of WS-Policy for configuring how it behaves.
>
> Samisa...
>
> Vivian Wang wrote:
> > Hi,
> >
> > I am trying to use rampart/c along with axis2/c to support WS-security. Just wonder, what are the configurable ws-security parameters for incoming message, especially from a web service client point of view, which means, as a web service client, what can be configured to decrypt/interpret the response message from the web server. I've read through the manuals and also gone through the examples, but still I am afraid I don't have a complete picture about what can be configured. Is there any detailed document for this?
> >
> > I was also looking at soapUI, a free tool for web service testing, which also supports WS-security. In their manual, they have the following statements:
> >
> > Incoming WSS configurations are used to process incoming messages (responses, MockRequest and monitor requests/response) and decrypt/validate their encrypted/signed content. Since the WS-Security headers of an incoming message contain most of the information required to decrypt or validate a message, the only configuration needed by soapUI is which keystores that contain referenced keys and certificates for decryption and signature validation.
> >
> > Is this statement also true to rampart/c? I mean, the only configuration one needs to do is which keystores that contain referenced keys and certificates for decryption and signature validation?
> >
> > Thanks much in advance!
> > Vivian
>
> --
> Samisa Abeysinghe
> Director, Engineering; WSO2 Inc.
> http://www.wso2.com/ - The Open Source SOA Company
What are the configurable ws-security parameters for incoming message
Hi,

I am trying to use rampart/c along with axis2/c to support WS-security. Just wonder, what are the configurable ws-security parameters for incoming message, especially from a web service client point of view, which means, as a web service client, what can be configured to decrypt/interpret the response message from the web server. I've read through the manuals and also gone through the examples, but still I am afraid I don't have a complete picture about what can be configured. Is there any detailed document for this?

I was also looking at soapUI, a free tool for web service testing, which also supports WS-security. In their manual, they have the following statements:

Incoming WSS configurations are used to process incoming messages (responses, MockRequest and monitor requests/response) and decrypt/validate their encrypted/signed content. Since the WS-Security headers of an incoming message contain most of the information required to decrypt or validate a message, the only configuration needed by soapUI is which keystores that contain referenced keys and certificates for decryption and signature validation.

Is this statement also true to rampart/c? I mean, the only configuration one needs to do is which keystores that contain referenced keys and certificates for decryption and signature validation?

Thanks much in advance!
Vivian
Re: a HTTPS/SSL question
Hi Shankar,

So is there an option in axis2/c that I can turn off the certificate validation? I think this is important because from a client point of view, lots of times when I want to access a web service under SSL using https://.. I know that is the site I want to go. And just like you said, browsers will ask you if you want to trust the site and I can say yes or no. It would also be very inconvenient for a client to have to get the certificate from a service provider (they may not give you).

Thanks!
Vivian

--- On Wed, 10/29/08, Uthaiyashankar [EMAIL PROTECTED] wrote:

From: Uthaiyashankar [EMAIL PROTECTED]
Subject: Re: a HTTPS/SSL question
To: Apache AXIS C Developers List axis-c-dev@ws.apache.org
Date: Wednesday, October 29, 2008, 2:32 AM

> Hi,
>
> When you access an https endpoint, the certificate of that endpoint should be validated whether it can be trusted. This validation is based on whether we trust any of the CA's of the certificate. This is the same as what happens in a browser. If you access any https and if the browser can't validate the trust path, it will not allow (or give you a warning) to access the end point. AFAIK, in Axis2/C, we give the certificate chain file to verify this. I think soapUI allows you to access the endpoint without validating the certificate.
>
> Regards,
> Shankar
>
> Vivian Wang wrote:
> > Hi, there,
> >
> > I have a web service client using axis2/c to access a Salesforce.com web site that is protected with SSL (the url starts with https://). I didn't give a certificate chain file path in the configuration file axis2.xml, so the web service client failed. However, if I use soapUI (a free downloaded web service testing tool) to access the same service without giving any SSL related setting (just like accessing a service starting with http://), it all goes fine. What is the difference here? Is there any setting I can do in axis2/c to make it work as soapUI?
> >
> > I noticed another similar thing. When a wsdl parser (from axis-j 1.4) is trying to retrieve an SSL-protected wsdl (I set it up in TOMCAT) using a URL that starts with https:, I have to provide a client keystore (using jsse system.setProperty()), otherwise I will get an error saying something like trustedstore not found, but soapUI was just fine loading the same wsdl.
> >
> > What's really going on? Any help is much appreciated!
> >
> > Vivian
>
> --
> S.Uthaiyashankar
> Software Architect
> WSO2 Inc.
> http://wso2.com/ - The Open Source SOA Company
Re: a HTTPS/SSL question
Hi Dumindu,

So is it hard to provide such an option (turn on/off validation)? I think this limitation really restricts axis2/c's usage under SSL. In my case, I would like to access salesforce web service using a WSDL referred to by the URL:

    https://na2.salesforce.com/services/wsdl/metadata

All I know is this URL, and I don't know the CA certificate and server cert, and I am not sure if they have one. I also have no way to know their server host and port, so I won't be able to get their cert using the openSSL commands listed in the axis2/c manual. Any workarounds?

Thanks!
Vivian

> Hi Vivian,
>
> Please find my comment inline:
>
> On Wed, Oct 29, 2008 at 11:44 PM, Vivian Wang [EMAIL PROTECTED] wrote:
> > So is there an option in axis2/c that I can turn off the certificate validation?
>
> No we don't support that at the moment.
>
> > I think this is important because from a client point of view, lots of times when I want to access a web service under SSL using https://.. I know that is the site I want to go.
>
> Yes web browsers do support that, but in reality you don't know if that truly is the site that you want to access, if you don't have the server's certificate beforehand. (someone can spoof dns and appear themselves as https://foo.com). Yes I have neglected about well known Certificate Authorities for simplicity. If you trust the CA that issued the server cert, all you need is the CA's certificate.
>
> > And just like you said, browsers will ask you if you want to trust the site and I can say yes or no. It would also be very inconvenient for a client to have to get the certificate from a service provide (they may not give you).
>
> Anyway, if it is only for testing, what you can do is to follow the Axis2/C manual and retrieve the server cert from the server. [1] (refer to sec. 13.1.2 Configuration). Well you can do this even if it was not for testing, but it is not recommended to do so.
>
> Thanks,
> Dumindu.
>
> [1] http://ws.apache.org/axis2/c/docs/axis2c_manual.html#ssl_client
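The trust-path check described in the replies above, as an added example that is not part of the thread or of Axis2/C: it builds two throwaway CAs with the openssl command-line tool and shows that a server certificate verifies only against the CA that issued it. All names (demo-ca, other-ca, service.example.test) and function names are constructed, and the openssl tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: "if you trust the CA that issued the server cert, all you
# need is the CA's certificate". Everything is generated in a temp directory.

# make_ca DIR NAME -> DIR/NAME.key and DIR/NAME.pem (self-signed CA)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert DIR CA_NAME HOST -> DIR/HOST.pem, signed by CA_NAME
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -days 1 \
        -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/$3.pem" 2>/dev/null
}

# trusted CA_FILE CERT -> exit 0 only if CERT chains up to CA_FILE
trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo -> prints the verdict for the issuing CA and for an unrelated CA
demo() {
    dir=$(mktemp -d) || return 1
    if ! { make_ca "$dir" demo-ca && make_ca "$dir" other-ca &&
           issue_cert "$dir" demo-ca service.example.test; }; then
        rm -rf "$dir"
        return 1
    fi
    cert="$dir/service.example.test.pem"
    # The client holds only a CA certificate file, never the server's key.
    if trusted "$dir/demo-ca.pem" "$cert"; then r1=accepted; else r1=rejected; fi
    if trusted "$dir/other-ca.pem" "$cert"; then r2=accepted; else r2=rejected; fi
    rm -rf "$dir"
    echo "issuing CA: $r1; unrelated CA: $r2"
}

demo
```

A client that skips this check accepts the certificate in both cases, which is the DNS-spoofing exposure the reply points out.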
a HTTPS/SSL question
Hi, there,

I have a web service client using axis2/c to access a Salesforce.com web site that is protected with SSL (the url starts with https://). I didn't give a certificate chain file path in the configuration file axis2.xml, so the web service client failed. However, if I use soapUI (a free downloaded web service testing tool) to access the same service without giving any SSL related setting (just like accessing a service starting with http://), it all goes fine. What is the difference here? Is there any setting I can do in axis2/c to make it work as soapUI?

I noticed another similar thing. When a wsdl parser (from axis-j 1.4) is trying to retrieve an SSL-protected wsdl (I set it up in TOMCAT) using a URL that starts with https:, I have to provide a client keystore (using jsse system.setProperty()), otherwise I will get an error saying something like trustedstore not found, but soapUI was just fine loading the same wsdl.

What's really going on? Any help is much appreciated!

Vivian