I am connecting to an external soap endpoint using Apache CXF. I am going through a proxy server (using credentials) before I hit the https/SSL external endpoint. The team that supports the external web service is saying that they do not see my basic authentication header. I logged the header and payload from my workstation before just before it leaves my workstation. I can see both the basic authentication and the proxy authentication headers.
My question is really twofold:
1. At what point is the SSL message from my computer actually encrypted?
2. Is it possible for something in the network to be dropping the Basic authorization header?
3. What additional troubleshooting steps can I take?
I found the issue, my proxy server was dropping any header with the word Basic in it.
Thanks,
Brian
Related
I have an internal REST API (running as a Windows service on a specific port number) that needs to be setup for external access. It only supports/requires NTLM (Windows) authentication and doesn't accept another authentication method. However, the client only supports Basic authentication.
Is there a way to set-up a (Windows-based) reverse proxy server, that is able to accept "Basic authenticated" requests and can pass them through using NTLM authentication instead? So, basically what I'm looking for, is a way to change the authentication method from Basic (client) to NTLM (server).
A simple IIS url rewrite won't solve this matter, of course. I thought I had found a solution here, however, I guess this will only work if both client and server authenticate via NTLM (and thus only acts as a "passthrough" solution), which is not what I'm looking for.
Does anyone know a way of solving this?
I want to call a third party web service from TIBCO BW6.X via SOAP over HTTPS by using basic authentication.
I can do it with SOAPUI just by adding authorization as a HTTP header with the key (like Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1) and it works fine. But using BW, I have to create an SSL resource with certifcates to use HTTPS.
My question is : Can I connect to a web service using HTTPS URL without SSL/certificates? If yes, then how? else, why can I do it with SOAPUI?
Thanks.
The answer depends on the soap client you are using. Basically you need just ignore the certificate validation as far as i interpret your question.
Example for php:
Disable certificate verification in PHP SoapClient
I have an IIS 7.5 on Windows Server 2008 R2. It has the Basic, Anonymous and Windows Authentication modes enabled. I have hosted a restful WCF service in it.
I make an http request with Authorization header from my client within the LAN/VPN, all goes well. On the service side I could see that the OperationContext.Current.IncomingMessageHeaders contains the Authorization header with the right value.
When I attempt to do the same from outside the LAN/VPN, (I used a different Internet connection and also a public proxy), the OperationContext.Current.IncomingMessageHeaders seems to have missing Authorization header.
I am unsure as to what exactly removes the header. I suspect a misconfigured IIS. Any clues?
If you want your service to always do windows authentication as the question seems to suggest, remove disable all other auth modes in IIS, requests from LAN are passing probably because people requesting it are from the same domain, in an internet (putting this simply) will go for the least required auth mode, which in this case would be anonymous.
I have a server with SSL certificate and would like to implement a WCF service with username authentication. Can anyone point me to a simple current example?
I find lots that use the 509 certificate and I don't understand why that additional piece would be needed. I don't think I want to give the certificate I have for the SSL to the client either.
I think to use SSL is just setting up the web.config appropriately with wshttpbinding and using https: in the uri that calls the service.
In this case I will have only one or two users (applications at the client actually) that need to use the service so I don't see the overhead for building a database for the store for lots of login credentials or anything like that. I've read you can pass the credentials in the request header. I hope I can just have the service itself check them without tons of overhead.
I'm really struggling to get how a simple authenticate can work for a service but I know I need something in addition to the service being SSL encrypted.
Edit: Hummm having read more I get the impression that using https binding for the message circumvents any notion of username credentials without something mysterious with certificates going on. I hope I haven't wasted money on the ssl certificate for the server at this point.
Can the IP of the requestor be used to allow the service for a known client only?
If you only need a couple of users, then use the inbuilt Windows authentication - create Windows user accounts, put the right security option in your binding config and you're done. If you're using SOAP from a non-windows client you'll have to perform some tricks to make it communicate properly (typically we found using NTLM authentication from PHP client required the use of curl rather than the PHP SOAP client library, but I understand that if you use AD accounts this becomes much easier).
WCF docs have a full description of auth options for you.
First of all sorry for my English, its not my native language. I will try to describe my problem as much as I can.
I searched for a long time on the Internet for a solution where I can create a wcf service that can respond to requests of my clients with username and password required but without creating a certificate, using https or anything else that require a special configuration on the machine where my windows service will be installed.
Here is my point: I want to deploy an application to a lot of my customers. This application will have mobile devices and a server which will give some information to mobile device with the help of wcf. Each customer will have a server and many devices. I don't want that anyone on the web can have access to these information and for this reason, I must implement an authentication procedure with username and password for each request but I don't want to be forced to install a certificate, activate some https port on each machine when I sell a new copy of my application.
I've read that with wcf 4.0, there is a built-in system that can encrypt data and for this reason, I don't want the overhead of implementing anything else if possible.
My question is: Is that possible to have a secure solution considering my requirements and if yes, how can I do that?
If I really must create a certificate and use IIS, https or any other secure solution, it is possible to automate these things in a package that will be installed in a single click wizard into each server machine of my customers?
Thank you in advance for your time.
By default WCF doesnt allow transport of username credentials over http and hence have to use certificates to secure your transport layer. But if you are sure that you are fine with sending username credentials over the http channel then you can have a look at ClearUsernameBinding which gives you the flexibility of sending username credentials over http channel (consider the fact that someone can intercept your transport channel to get access to the credentials)
Also if you want to use certificates that have to be installed you can achieve that writing some code in c# and include that as part of your installation from your package. You can also configure everything from an msi like creating a virtual directory, deploying the application,etc..
what you are probably looking for is one of the wcf bindings that has message level security. You can put the user name and password into this message and not worry about them going across an http wire unencrypted(ie custom authentication). The defaults for WCF send user name and password as part of the http request in the header this is why it wants https.