ColdFusion failed security in invoking a WebSphere web service

Report · Jun 11, 2008

Hello,

I tried to call a web service hosted in a IBM WebSphere server, but could not pass WebSphere's security framework. After some talking with the guys in the WebSphere side, I'm not sure whether this is possible in ColdFusion because they ask for a <wsse:UsernameToken> in the SOAP envelope header. We did some testing, and they confirmed that ColdFusion could talk to the web service, by could not pass security validation. Would someone help me here? Must it be done in Java?

Here is my calling syntax in ColdFusion:

<cfinvoke webservice="https://WebServiceURL?wsdl" method="myMethod" username="myUserName" password="myPassword" returnVariable="ReturnCode">
<cfinvokeargument name="ParaName" value="ParameterValue">
</cfinvoke>

The web service is locked down, so the calling client must issue a SOAP message containing VALID security extensions:

<soapenv:Envelope
xmlns:soapenv=" http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ws=" http://somedomain"
xmlns:wsse=" http://schemas.xmlsoap.org/ws/2002/07/secext">

<soapenv:Header>
<wsse:Security>
<wsse:UsernameToken>
<wsse:Username>myUserName</wsse:Username>
<wsse:Password>myPassword</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
... REMOVED as this depends on your individual SOAP service
</soapenv:Body>
</soapenv:Envelope>

The guys at WebSphere said that my ColdFusion SOAP call probably did not have the envelope security header. IIs there a way to capture the underlying actual SOAP call format? Here is the error msg:

AxisFault
faultCode: { http://schemas.xmlsoap.org/ws/2003/06/secext}FailedAuthentication
faultSubcode:
faultString: WSEC5075E: No security token found which satisfies any one of AuthMethods.
faultActor:
faultNode:
faultDetail:
{ http://xml.apache.org/axis/}stackTrace:WSEC5075E: No security token found which satisfies any one of AuthMethods.
at org.apache.axis.message.SOAPFaultBuilder.createFault(SOAPFaultBuilder.java:221)
at org.apache.axis

Larry

Report · Jun 11, 2008

Hi, try this:

<cfset UserName = "myUsername" />
<cfset Password = "myPassword" />
<cfset NameSpace = " http://schemas.xmlsoap.org/ws/2002/07/secext" />

<cfsavecontent variable="my_xml">
<Security xmlns="#NameSpace#">
<UsernameToken>
<Username>#Username#</Username>
<Password>#Password#</Password>
</UsernameToken>
</Security>
</cfsavecontent>

<cfset xml_obj = xmlparse(my_xml)>

<cfset WS = CreateObject('webservice', ' http://WebServiceUrl?wsdl') />
<cfset AddSOAPRequestHeader(WS, NameSpace, "Security", Security) />

Sam
Adobe Certified Flash and
Advanced ColdFusion Developer

Report · Jun 11, 2008

Hmm, I still got similar error after adding the header. Any more ideas? Here is my code:

<cfset UserName = "#Form.UserName#" />
<cfset Password = "#Form.Password#" />
<cfset NameSpace = " http://schemas.xmlsoap.org/ws/2002/07/secext" />

<cfsavecontent variable="my_xml">
<Security xmlns="#NameSpace#">
<UsernameToken>
<Username>#Username#</Username>
<Password>#Password#</Password>
</UsernameToken>
</Security>
</cfsavecontent>

<cfset xml_obj = xmlparse(my_xml)>
<cfset ws = CreateObject("webservice", "#Form.EndPoint#") />
<cfset AddSOAPRequestHeader(ws, NameSpace, "Security", xml_obj) />
<cfset ReturnCode = ws.getDealer("#Form.ParameterValue1#")>

Here is the error msg:

Error: coldfusion.xml.rpc.ServiceProxy$ServiceInvocationException: Could not perform web service invocation "getDealer".
Description: Could not perform web service invocation "getDealer". Here is the fault returned when invoking the web service operation:

AxisFault
faultCode: { http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
faultSubcode:
faultString: com.ibm.wsspi.wssecurity.SoapSecurityException: The Application Server expected a Security header with the http://schemas.xmlsoap.org/ws/2003/06/secext or http://schemas.xmlsoap.org/ws/2002/07/secext or http://schemas.xmlsoap.org/ws/2002/04/secext namespace, but it was not found.
faultActor:
faultNode:
faultDetail:
{ http://xml.apache.org/axis/}stackTrace:com.ibm.wsspi.wssecurity.SoapSecurityException: The Application Server expected a Security header with the http://schemas.xmlsoap.org/ws/2003/06/secext or http://schemas.xmlsoap.org/ws/2002/07/secext or http://schemas.xmlsoap.org/ws/2002/04/secext namespace, but it was not found.
at org.apache.axis.message.SOAPFaultBuilder.createFault(SOAPFaultBuilder.java:221)
at org.apache.axis.message.SOAPFaultBuilder.endElement(SOAPFaultBuilder.java:128)
at org.apache.axis.encoding.DeserializationContext.endElement(DeserializationConte...

Report · Jun 11, 2008

Hmm. May be modifying the xml this way will do the trick:

<cfsavecontent variable="my_xml">
<UsernameToken xmlns="#NameSpace#">
<Username>#Username#</Username>
<Password>#Password#</Password>
</UsernameToken>
</cfsavecontent>

Sam
Adobe Certified Flash and
Advanced ColdFusion Developer

Report · Jun 11, 2008

I just found this out in CF documentation for AddSOAPRequestHeader(webservice, namespace, name, value [, mustunderstand]):

"If you pass XML in the value parameter, ColdFusion ignores the namespace and name parameters. If you require a namespace, define it within the XML itself."

But after reviewing the SOAP header definition in my initial post, I couldn't figure out how can you add a namespace to the envelope header.

Report · Jun 11, 2008

I tried many combinations of generating the pre-defined SOAP header. None of them worked. All with the same error msg from WebSphere: "The Application Server expected a Security header ...., but it was not found."

Please help!

Report · Jul 08, 2008

so after pulling out most of my remaining hair and reading tons of docs, I finally got this to work. Hopefully this will save someone a LOT of time and aggravation. How to use CF with stupid WSSE security.

Report · Jul 10, 2013

Sadly, byrning's reply ended with just "how to use CF with stupid WSSE security", which leads readers to wonder if he meant to share more. For instance, was that supposed to be a link to a blog entry?

I did some digging, and I found an old google cache of another version of this forum, and it showed that he had included the following code, which somehow never made it into the message here:

<cfset myDate = DateFormat(DateConvert("local2Utc", now()),

"yyyy-mm-ddThh:mm:ssZ")>

<cfset myNonce = createPIN(33)> <!--- this is just a random alpha numeric

string 33 chars long - got the function at cflib.org --->

myObj = createObject("webservice", "http://urltoYourService?wsdl");

headerElement = createObject("java",

"org.apache.axis.message.SOAPHeaderElement");

headerElement.init("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wss

ecurity-secext-1.0.xsd", "wsse:Security");

headerElement.addChildElement("wsse:UsernameToken");

headerElement.getFirstChild().addChildElement("wsse:Username").setValue(myUsern

ame);

mypass = headerElement.getFirstChild().addChildElement("wsse:Password");

mypass.setValue(myPasswordDigest);

mypass.setAttribute("Type", "wsse:PasswordDigest");

headerElement.getFirstChild().addChildElement("wsse:Nonce").setValue(

ToBase64(Hash(myNonce, "SHA")) );

myCreated = headerElement.getFirstChild().addChildElement("wsu:Created");

myCreated.setValue(myDate);

myCreated.setAttribute("xmlns:wsu",

"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-ut....

xsd");

headerElement.setMustUnderstand(1);

headerElement.setActor("");

myObj.setHeader(headerElement);

result = myObj.methodtoCall(param1="yadda", param2="yadda")

</cfscript>

/Charlie (troubleshooter, carehart. org)

Report · Dec 03, 2008

?

ColdFusion failed security in invoking a WebSphere web service

Photos