My requirement is to send a list of broker properties using a Postman header.
Broker properties:
MessageId: abcdef
CorrelationId: qwertyuuhjjdjd
My problem is that I am new to Postman and I am not sure how to send a list of values in a header. In a header we can only add one key and one value, but as per my requirement we have one key with multiple key-value pairs.
How to identify the operation from XML content posted to a WCF service URL?
Suppose the WCF service URL is http://single.mat.nn.com and the client doesn't want to include the operation name in the URL.
The problem is to identify the operation on the basis of the XML content posted.
I am not able to find any solution for this problem. Is it feasible to configure the WCF service so that it can identify the operation method on the basis of the XML content posted to the WCF service URL?
One of the scenarios possible in Extending Dispatchers is:
Custom Operation Dispatching. Users can implement dispatching on something other than action – for example, on the body element, or on a custom message property. This can be done using the IDispatchOperationSelector interface.
Implementing IDispatchOperationSelector will give you access to the incoming message, so you can parse it and decide which method you want to forward the request to.
The SOAP web service dispatches to the corresponding method based on the SOAPAction field in the HTTP request. See the screenshot below.
The operation name of the specific request can be seen in the SOAPAction field and in the method element of the request body. If you want to recognize this value, we can intercept the SOAP message through the following two interfaces and get the value of the field.
https://learn.microsoft.com/en-us/dotnet/framework/wcf/extending/how-to-inspect-or-modify-messages-on-the-client
https://learn.microsoft.com/en-us/dotnet/api/system.servicemodel.dispatcher.idispatchmessageinspector?view=netframework-4.8
These two interfaces can capture the SOAP message during the communication. We can retrieve the field value and modify it.
Feel free to let me know if there is anything I can help with.
I am developing a REST web service, and some of my clients will use my web services. To identify genuine clients I have decided to give each genuine client a unique application token. The client will encode this token and put it in the request header, and I have configured a REST filter in my REST web service to verify the token. I don't want to use HTTPS. My problem is that anyone can take that token from my client site and consume my REST web services. How can I stop this?
Since you don't want to use HTTPS, I assume confidentiality is not an issue here, and that you only want to authorize requests based on who is making them. Instead of passing a plain token, which could get stolen, you should ask your clients to sign their requests. You have a good explanation over here:
Implementing HMAC authentication for REST API with Spring Security
Using HMAC to authenticate Web service requests
websec.io - API Authentication
In short, and taken from Implementing HMAC authentication for REST API with Spring Security:
1. Client and server share a secret access key and a public access key.
2. The client creates a request that contains three fundamental elements: the public key header (in plain text), a date header, and a signature string calculated by hashing some data of the request with the secret access key. This hash usually covers the HTTP method, the URI path, the value of the date header (against replay attacks), all the content of the request (for POST and PUT methods) and the content type.
3. The client sends the request to the server.
4. The server reads the public key header and uses it to retrieve the corresponding private access key.
5. The server uses the private access key to calculate the signature in the same way the client did.
6. The server checks whether the just-calculated signature matches the one sent by the client.
7. (OPTIONAL) To prevent replay attacks, the server checks that the value in the date header is within an acceptable limit (usually between 5 and 15 minutes, to account for clock discrepancy). The value cannot be manipulated by a malicious attacker because the date is used as part of the signature. If someone changes the date header, the server will calculate a different signature from the one calculated by the client, so step 6 will fail.
This logic can be implemented using any programming language. Following is a pseudo-code signature example in Java:
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// clientId is the public client identifier
// secretKey is the key shared between server and client
// requestContent is a string representation of the HTTP request (HTTP verb, body, etc.)
static String signRequest(String clientId, String secretKey, String requestContent) throws Exception {
    // init signing key and mac
    SecretKeySpec signingKey = new SecretKeySpec(secretKey.getBytes(StandardCharsets.UTF_8), "HmacSHA1");
    Mac mac = Mac.getInstance("HmacSHA1");
    mac.init(signingKey);
    // sign the request content
    byte[] rawHmac = mac.doFinal(requestContent.getBytes(StandardCharsets.UTF_8));
    // encode to base64
    String result = Base64.getEncoder().encodeToString(rawHmac);
    // header value: scheme, client id and signature
    return "MyAPI " + clientId + ":" + result;
}

// store in header (request is the outgoing HTTP request object)
request.setHeader("Authorization", signRequest(clientId, secretKey, requestContent));
On the server side, when you receive that request, you extract the clientId and signature from the header, retrieve the secret key corresponding to the clientId received, re-compute the signature (exactly as above) and compare the results. If it matches, the client is authorized; if not, you return an HTTP 403 (or whatever error you want).
There are then no more "secrets" to steal for a potential man in the middle, BUT there are still keys that need to be securely stored on both the clients and the server. Leaking those keys will compromise the whole system.
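Both sides of the scheme above, as an added example that is not part of the original answer: the client signs the method, path, Date header, content type and a hash of the body, and the server re-derives the signature, enforces the date window from step 7 and compares in constant time. The key store, the 5-minute skew, the canonical string layout and the sample request are all constructed assumptions.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed server-side key store: public client id -> shared secret.
KEYS = {"client-123": b"s3cr3t-shared-key"}
CLOCK_SKEW = timedelta(minutes=5)   # assumed acceptable window for the Date header
DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"

def canonical(method, path, date, content_type, body):
    # The data that gets signed; client and server must build it identically.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, date, content_type, body_hash]).encode()

def sign(client_id, secret, method, path, date, content_type, body):
    mac = hmac.new(secret, canonical(method, path, date, content_type, body), hashlib.sha256).digest()
    return f"MyAPI {client_id}:{base64.b64encode(mac).decode()}"

def verify(headers, method, path, body, now):
    """Server side: returns (accepted, reason) for an incoming request."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("MyAPI "):
        return False, "missing scheme"
    client_id = auth[len("MyAPI "):].split(":", 1)[0]
    secret = KEYS.get(client_id)
    if secret is None:
        return False, "unknown client"
    try:
        sent_at = datetime.strptime(headers.get("Date", ""), DATE_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "bad date"
    if abs(now - sent_at) > CLOCK_SKEW:
        return False, "date outside window"
    expected = sign(client_id, secret, method, path, headers["Date"], headers.get("Content-Type", ""), body)
    # Constant-time comparison so the check does not leak timing information about the signature.
    if not hmac.compare_digest(expected, auth):
        return False, "signature mismatch"
    return True, "ok"

def demo():
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    date, body, ctype = now.strftime(DATE_FMT), b'{"order": 42}', "application/json"
    headers = {"Date": date, "Content-Type": ctype,
               "Authorization": sign("client-123", KEYS["client-123"], "POST", "/orders", date, ctype, body)}
    genuine = verify(headers, "POST", "/orders", body, now)[0]
    tampered_body = verify(headers, "POST", "/orders", b'{"order": 1}', now)[0]
    replayed_later = verify(headers, "POST", "/orders", body, now + timedelta(hours=1))[0]
    edited_date = {**headers, "Date": (now + timedelta(minutes=1)).strftime(DATE_FMT)}
    tampered_date = verify(edited_date, "POST", "/orders", body, now)[0]
    return [genuine, tampered_body, replayed_later, tampered_date]
```

The last three checks in demo() show why the body, the Date header and the window all matter: each modification is rejected without any secret ever crossing the wire.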
As the token cannot be securely transmitted on the HTTP layer, one can easily get this token. You can ask the genuine client to encrypt this token by combining it with some logic based on a timestamp, so that every time the token is encrypted using some different algorithm, and on the server side you should follow a similar algorithm to decrypt it. This way, even if someone gets hold of the token, it can't be reused. One way is to club this encryption logic with Google Authenticator. (http://www.techrepublic.com/blog/google-in-the-enterprise/use-google-authenticator-to-securely-login-to-non-google-sites/)
Use a checksum to secure the messages as below.
An MD5 or SHA1 checksum should be used to validate a password without passing the actual password.
The server sends a random string to the client.
The client appends his password to the random string, and returns an MD5/SHA1 sum of the result to the server.
On the server, do the same and compare the MD5/SHA1 sums.
If both MD5/SHA1 sums are identical then the password is good and the message is not changed.
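The challenge-response exchange above, as an added example that is not part of the original answer. It uses SHA-256 in place of the MD5/SHA1 the answer names, and the credential store and sample password are constructed; note that the server must hold the plaintext password for this scheme to work at all.

```python
import hashlib
import hmac
import secrets

# Constructed credential store. The scheme needs the plaintext password on the server,
# which is its main weakness compared with a salted password hash.
PASSWORDS = {"alice": "correct horse battery staple"}

def issue_challenge():
    # Server step: a fresh unpredictable random string for every login attempt.
    return secrets.token_hex(16)

def respond(challenge, password):
    # Client step: hash of (random string || password), sent instead of the password.
    return hashlib.sha256((challenge + password).encode()).hexdigest()

def check(user, challenge, response):
    # Server step: recompute with the stored password and compare in constant time.
    password = PASSWORDS.get(user)
    if password is None:
        return False
    return hmac.compare_digest(respond(challenge, password), response)

def demo():
    c1 = issue_challenge()
    r1 = respond(c1, PASSWORDS["alice"])
    genuine = check("alice", c1, r1)
    # A response captured on the wire is useless against the next, different challenge.
    c2 = issue_challenge()
    replayed = check("alice", c2, r1)
    wrong_password = check("alice", c1, respond(c1, "guess"))
    return genuine, replayed, wrong_password
```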
I was testing the SOAP web service security example below.
http://www.mulesoft.org/documentation/display/current/SOAP+Web+Service+Security+Example
Here, in the SOAP component configuration, the key-value pair is action and UsernameToken Timestamp. In Enabling WS-Security it is mentioned that the key values are constants of the WSHandlerConstants class. But if instead of UsernameToken I use the constant variable USERNAME_TOKEN of the WSHandlerConstants class, I am getting errors.
Can anyone tell me where I can find the possible key values for SOAP security?
http://www.mulesoft.org/documentation/display/current/Enabling+WS-Security
http://people.apache.org/~coheigea/stage/wss4j/1.5.5/site/apidocs/org/apache/ws/security/handler/WSHandlerConstants.html#PW_CALLBACK_CLASS
Below are the constant field values that we can use in the SOAP security configuration.
http://people.apache.org/~coheigea/stage/wss4j/1.5.5/site/apidocs/constant-values.html#org.apache.ws.security.handler.WSHandlerConstants.RECEIVE
How do I retrieve the values of Mule headers like X-MULE_ROOT_MESSAGE_ID and X-MULE_SESSION? When I try to use them from #[message.inboundProperties[X-MULE_ROOT_MESSAGE_ID] I am not able to get values. How do I also get the client IP address from a Mule HTTP inbound endpoint?
These X- headers are extracted and set directly as message properties or a session object.
So you'll find the content of X-MULE_ROOT_MESSAGE_ID by calling getMessageRootId() on the MuleMessage and you'll get the values serialized in X-MULE_SESSION directly in the current MuleSession object.
Read this How to correctly use Mule remote client address property to learn more about the remote IP address.
#[header:INBOUND:MULE_CORRELATION_ID]
You can get it like this.
If you need to retrieve it in Java, you can get all the inbound properties as a map from the message context.
Use Mule expressions to get the Mule session id.
Architecture of project
My WCF exposes 11 endpoints; one of the endpoints is meant for authentication and authorization, and returns the account id of the user. This account id is sent by the client in every method for recognition.
Need
I don't want to send the account id to every method; all I want is a way that can give me the account id automatically if the client is logged in.
Limitations...
1. I can't use membership.
2. I can't use the per-session mode of WCF because it creates a new session for every endpoint.
3. I can't use outgoing headers on the client side.
Is there any custom way to solve this problem?
That looks like a scenario for federated security, but it would conflict with some of your requirements.
You don't need membership.
You don't need per-session services.
You need to somehow pass the token. If you cannot use a custom outgoing SOAP header and configure it in some central place, you will have to pass the token inside the message body, and you will have to configure it as a parameter for each service call.