I'm struggling with the following issue.
In my development environment, I'm using a SOAP request with this structure:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:v1="My_endPoint">
<soapenv:Header/>
<soapenv:Body>
...
</soapenv:Body>
</soapenv:Envelope>
And so far I've never faced any issue, because I can reach the address defined in xmlns:soapenv.
My issue is coming out, since we are approching to the deployment in production and in this env I'm not longer able to reach that page (due to policy security the server can't go on the Internet).
My question: since that url contains an xml with the schema definition, is there a way "to store" the xml in locally?
My goal is to copy that xml in a local file, copy it on the production environment and call it while executing the soap request.
Is it possible? or is there another workaround?
Thanks a lot for your support!
Related
I put de url and try load, but happen this error.
I'm sure that it's work, because I can call this url in SOAPUI...
What you report are two different things:
In your first screenshot, there is an error message that your program cannot load the WSDL document, because one of the referenced XML Schema is not accessible.
In SoapUI you demonstrate that the target service is alive.
Please note that SoapUI is very tolerant when parsing the WSDL. Your WSDL might have errors, but when you import the WSDL into SoapUI, SoapUI skips and ignores the errors. You can consume the target service then.
You need to check your WSDL and all referenced XML Schemas and to make sure they are accessible (it can be a network issue or other cause).
Context
See this question: Enable CORS on Azure Service Bus Namespace
Really I want to have a front-end only ReactJS app that talks to the Azure API, and renders bits of the result onto the screen. Then gets input from the users and sends that back to the Azure API. Rinse and repeat.
Unfortunately CORS pretty much rules that out, and you can't[1] override the CORS rules for a ServiceBus Namespace.
So the proposed solution is a thin proxy server, proxying the Azure API, to circumvent CORS.
(Alternative solutions to this question are HIGHLY welcome!)
[1] read: I can't currently see any way to, and nor can my Google Searches.
Question
The user on that other question proposes the relevant web.config file, so now I want to create that proxy server. I don't really want that server doing anything else, I want it to be as transparent as possible.
What is the simplest possible way to set up that server?
I'm kinda hoping that I would be able to do something like:
"Tell Azure that I want a webserver, and paste/upload that web.config text into the Azure Portal"?
If it's relevant, currently my stack has literally nothing other than npm and the JS Create-React-App template's stack. I'm imagining we'll host the site in Azure too.
I got this to work, and it was pretty painless - Azure can JustDoThis.
Documenting the notes I wrote for myself here, for any future lost wanderers :)
As noted in the linked question, the Azure server doesn't (and can't) enable CORS, so we need to circumvent that in some manner. The approach is to create a ReverseProxy server, which accepts the request, forwards it to Azure, receives the response, adds the relevant CORS headers and and returns it to the caller.
Followed steps, except skip the "Basic Authentication" step (Steps #3 & #4), from this Microsoft blog: https://blogs.msdn.microsoft.com/mihansen/2018/04/18/reverse-proxy-with-basic-authentication-in-azure-web-app/
Step 1: Create a new Azure Web App
Step 2: Add applicationHost.xdt file (in \Home\site)
Step 2a: Set the contents of the .xdt file using provided template (I think it's literally a web.config file?
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.webServer>
<proxy xdt:Transform="InsertIfMissing" enabled="true" preserveHostHeader="false" reverseRewriteHostInResponseHeaders="false" />
</system.webServer>
</configuration>
SKIP STEPS 3 & 4 (relate to Authentication which isn't necessary if it's just a redirect.)
Step 5: Update/Modify/Create rewrite rules
Step 2 is achieved through KUDU, which is accessible here:
https://yourazuresitedomain.scm.azurewebsites.net/
Some links about what KUDU is and how to use it:
https://blogs.msdn.microsoft.com/benjaminperkins/2014/03/24/using-kudu-with-windows-azure-web-sites/
https://www.jamessturtevant.com/posts/How-to-add-edit-and-remove-files-in-your-azure-webapp-using-the-kudu-service-dashboard/
since some days ago we are getting an "Access forbidden" error when trying to download any resources uploaded to Google Cloud Storage from some of our servers.
That resources are shared publicly and they are available from all the other locations we've tested.
For example, this is URL https://migoa.storage.googleapis.com/static/r45001/images/cancel.png should be accessible world-wide. We tested it and it's working. But, when trying to download it from one of our servers, instead of the image, we got this XML:
<?xml version='1.0' encoding='UTF-8'?>
<Error><Code>AccessDenied</Code>
<Message>Access denied.</Message>
<Details>We're sorry, but this service is not available in your location</Details>
</Error>
[javi#OK ~]$ lwp-request https://migoa.storage.googleapis.com/static/r45001/images/cancel.png -dS
GET https://migoa.storage.googleapis.com/static/r45001/images/cancel.png --> 200 OK
[javi#notOK ~]$ lwp-request https://migoa.storage.googleapis.com/static/r45001/images/cancel.png -dS
GET https://migoa.storage.googleapis.com/static/r45001/images/cancel.png --> 403 Forbidden
Adding the host "migoa.storage.googleapis.com" to the server hosts file, pointing to another location IP (Google Cloud Storage acts as CDN using the best per-location server), the image is downloaded without problems, so, it seems a problem with the resolved Google server, in our case, this:
dig +short migoa.storage.googleapis.com
storage-ugc.l.googleusercontent.com.
74.125.136.132
In fact, we don't know how many locations can be affected. Also, we've been using GCS from almost 1 year without any problems until now.
Any idea about how to solve this?
Regards,
This problem seems to exist on a specific server. All other servers are working ok.
Background: The website is basically Forms Auth but there's an asmx that manually requires Basic Auth.
I have two C# client.
When invoking using SOAP (asmx client proxy) with basic auth credentials - all is well.
When invoking using WebClient or WebRequest with the same basic auth credentials, I get 401.5.
The folders have "Everyone" set to them.
When setting up iis trace, I see a very weird behavior. The request arrives with the correct Basic auth header. But further down the trace I see the following:
GENERAL_REQUEST_HEADERS
Headers="Connection: Keep-Alive
Content-Length: 68
Content-Type: application/json
Authorization: Kerberos
Expect: 100-continue
Host: 1.2.3.4
The Kerberos seems very weird. It is as if the request headers changed throughout the process, and perhaps that explains the 401.5.
Again, I would like to stress out that on other servers there's no problem with both clients. The only difference I can think of is that the problematic server is a DC. But if that is a problem then why is the SOAP client working well?
Any ideas?
Progress!
After some debugging I noticed that Application_AuthenticateRequest was fired twice for every request. The first time with Basic auth as I expected and the second time with the Kerberos!
After googling I found this:
http://forums.asp.net/t/1868629.aspx?HttpModule+triggered+two+times+for+request+to+URL+without+default+document
Seems like for extensionless urls those events might fire multiple times, depending on the configured Extensionless urls.
Going back to the trace I noticed that in the non-working server the trace shows usage of ExtensionlessUrl-ISAPI-4.0_64bit, and in the working servers no such entry existed. After comparing the two IIS I noticed that the non-working IIS had ExtensionlessUrl-ISAPI-4.0_64bit configured whereas in the working IIS there was ExtensionlessUrl**Handler**-ISAPI-4.0_64bit (note the "handler"). I compared the dlls involved and the working server had a newer aspnet_isapi.dll. I assume that this is an updated extensionless url handler. I suppose an upgrade to IIS or .NET might install a later version, but for now I tried to remove the ExtensionlessUrl-ISAPI-4.0_xxbit like so:
<remove name="ExtensionlessUrl-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrl-ISAPI-4.0_64bit" />
And it worked! Now there is only a single Application_AuthenticateRequest.
The non-working version that had this in the trace:
OldHandlerName="", NewHandlerName="ExtensionlessUrl-ISAPI-4.0_64bit", NewHandlerModules="IsapiModule", NewHandlerScriptProcessor="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll", NewHandlerType=""
Now changed to:
OldHandlerName="", NewHandlerName="WebServiceHandlerFactory-ISAPI-4.0_64bit", NewHandlerModules="IsapiModule", NewHandlerScriptProcessor="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll", NewHandlerType=""
Hopefully that's the end of it. Additional testing still required.
I would appreciate if someone can write how to upgrade IIS dlls to a later version. Is this an upgrade to .NET or is there a specific KB update that is downloaded with Windows Update?
Im currently evaluating different ESB Products (in fact im focuding on mule right now). The Use Case is to proxy a simple HTTP Service, an OpenGIS Web Mapping Service WMS.
Here is an example of an freely published WMS Service:
it responds with XML Metadata about the Service for a "GetCapablities" Request (http://www.wms.nrw.de/wms/uebersicht_nrw2?REQUEST=GetCapabilities&VERSION=1.1.1&SERVICE=WMS)
it responds with Image data containing a map for a "GetMap" Request (http://www.wms.nrw.de/wms/uebersicht_nrw2?REQUEST=GetMap&VERSION=1.1.1&SERVICE=WMS&LAYERS=Uebersicht&SRS=EPSG:31466&FORMAT=image/png&BBOX=2538900,5656400,2619500,5777000&WIDTH=200&HEIGHT=200&STYLES=&)
Both returns its data as a byte array, which could possibly be the problem i am dealing with.
After I can proxy it through Mule ESB, I want to add security features as follows:
HTTP Basic and Digest Authentication
Authentication via TLS Client certificates
Implementing a XACML Policy Enforcement Point
provide some usage statistics over auditing services and implement some QoS and Throttling on it.
But basically the proxy itself isn't working as i want it to. Here is what I got so far. First I tried to proxy it with a flow to add a security provider on the inbound-adress. but the request doesn't seem to get through to the outbound-adress, and the response is empty.
<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns="http://www.mulesoft.org/schema/mule/core" xmlns:http="http://www.mulesoft.org/schema/mule/http" xmlns:doc="http://www.mulesoft.org/schema/mule/documentation" xmlns:spring="http://www.springframework.org/schema/beans" xmlns:mulexml="http://www.mulesoft.org/schema/mule/xml" xmlns:pattern="http://www.mulesoft.org/schema/mule/pattern" xmlns:core="http://www.mulesoft.org/schema/mule/core" xmlns:file="http://www.mulesoft.org/schema/mule/file" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mule-ss="http://www.mulesoft.org/schema/mule/spring-security" xmlns:ss="http://www.springframework.org/schema/security" version="CE-3.2.1" xsi:schemaLocation="...cut..."
<mule-ss:security-manager>
<mule-ss:delegate-security-provider name="memory-provider" delegate-ref="authenticationManager"/>
</mule-ss:security-manager>
<spring:beans>
<ss:authentication-manager alias="authenticationManager">
<ss:authentication-provider>
<ss:user-service id="userService">
<ss:user name="ross" password="ross" authorities="ROLE_ADMIN"/>
<ss:user name="anon" password="anon" authorities="ROLE_ANON"/>
</ss:user-service>
</ss:authentication-provider>
</ss:authentication-manager>
</spring:beans>
<http:connector name="NoSessionConnector">
<service-overrides sessionHandler="org.mule.session.NullSessionHandler" />
</http:connector>
<flow name="wfsFlow1" doc:name="wfsFlow1" processingStrategy="synchronous">
<http:inbound-endpoint exchange-pattern="request-response" host="localhost" port="8081" path="wms" responseTimeout="10000000" doc:name="Geoserver OWS">
<mule-ss:http-security-filter realm="mule-realm"/>
</http:inbound-endpoint>
<http:outbound-endpoint exchange-pattern="request-response" method="GET" address="http://www.wms.nrw.de/wms#[header:INBOUND:http.request]" encoding="UTF-8" disableTransportTransformer="true" responseTimeout="1000000" doc:name="Geoserver OWS"/>
</flow>
</mule>
I think the problem is the response from the WMS Service as byte array. I tried different repsonse transformers to transform from byte array to string or html response, but it didn't work.
I also tried the bridge pattern, but it wasn't providing the parameters with the GET Operation as i expected but by POST, which is not accepted by the underlying WMS Service.
I think my Use Case is pretty simple, but im trying to implement it since four weeks now. I did every sample Tutorial these vendors provided, but i wasn't able to set up a simple HTTP Parameter service with any kind of authentication.
Does anybody have any experiences with these products or would beso nice to answer me some specific questions on how to set up a HTTP Proxy with authentication on any of these products.
Many thanks!
David, your requirement is lengthy. Let me clarify some points on the WSO2 ESB so you can get started.
WSO2 ESB supports a variety of transports and content types not just SOAP. You may be most interested in the REST and probably JSON support. Links at here and here may help.
All WSO2 servers can be plugged into an external Directory service. Click here for instructions.
All your requirements can be covered. You can go through the comprehensive samples at this location to get a feel for what the ESB can do. Let me also point you to the articles at here, here, here, here and here that would help you with your requirements.
Hope this helps.
Mule relies on Spring Security when it comes to authenticate and authorize people.
Configuring Security is the documentation entry point for dealing with security in Mule. You'll find there information on configuring Spring Security, securing components (like your HTTP bridge) and LDAP authentication.
By default Mule serializes its session into an HTTP header when performing outbound requests. This not only can be a security issue if the remote site is not trusted, but it can also lead to Bad Request issues because the serialized session yields a too large HTTP header.
Knowing that when a security context is present, the Mule Session becomes pretty big, this can cause problem. And indeed, using your config, I was receiving bad request errors from my remote test site! So I added the following to ensure Mule doesn't send its requests over HTTP:
<http:connector name="NoSessionConnector">
<service-overrides sessionHandler="org.mule.session.NullSessionHandler" />
</http:connector>
Also I removed disableTransportTransformer="true" from your config because this can cause issues too.