I'm currently evaluating different ESB Products (in fact I'm focusing on Mule right now). The Use Case is to proxy a simple HTTP Service, an OpenGIS Web Mapping Service WMS.
Here is an example of a freely published WMS Service:
it responds with XML Metadata about the Service for a "GetCapabilities" Request (http://www.wms.nrw.de/wms/uebersicht_nrw2?REQUEST=GetCapabilities&VERSION=1.1.1&SERVICE=WMS)
it responds with Image data containing a map for a "GetMap" Request (http://www.wms.nrw.de/wms/uebersicht_nrw2?REQUEST=GetMap&VERSION=1.1.1&SERVICE=WMS&LAYERS=Uebersicht&SRS=EPSG:31466&FORMAT=image/png&BBOX=2538900,5656400,2619500,5777000&WIDTH=200&HEIGHT=200&STYLES=&)
Both return their data as a byte array, which could possibly be the problem I am dealing with.
After I can proxy it through Mule ESB, I want to add security features as follows:
HTTP Basic and Digest Authentication
Authentication via TLS Client certificates
Implementing a XACML Policy Enforcement Point
provide some usage statistics over auditing services and implement some QoS and Throttling on it.
But basically the proxy itself isn't working as I want it to. Here is what I got so far. First I tried to proxy it with a flow to add a security provider on the inbound address, but the request doesn't seem to get through to the outbound address, and the response is empty.
<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns="http://www.mulesoft.org/schema/mule/core" xmlns:http="http://www.mulesoft.org/schema/mule/http" xmlns:doc="http://www.mulesoft.org/schema/mule/documentation" xmlns:spring="http://www.springframework.org/schema/beans" xmlns:mulexml="http://www.mulesoft.org/schema/mule/xml" xmlns:pattern="http://www.mulesoft.org/schema/mule/pattern" xmlns:core="http://www.mulesoft.org/schema/mule/core" xmlns:file="http://www.mulesoft.org/schema/mule/file" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mule-ss="http://www.mulesoft.org/schema/mule/spring-security" xmlns:ss="http://www.springframework.org/schema/security" version="CE-3.2.1" xsi:schemaLocation="...cut...">
<mule-ss:security-manager>
<mule-ss:delegate-security-provider name="memory-provider" delegate-ref="authenticationManager"/>
</mule-ss:security-manager>
<spring:beans>
<ss:authentication-manager alias="authenticationManager">
<ss:authentication-provider>
<ss:user-service id="userService">
<ss:user name="ross" password="ross" authorities="ROLE_ADMIN"/>
<ss:user name="anon" password="anon" authorities="ROLE_ANON"/>
</ss:user-service>
</ss:authentication-provider>
</ss:authentication-manager>
</spring:beans>
<http:connector name="NoSessionConnector">
<service-overrides sessionHandler="org.mule.session.NullSessionHandler" />
</http:connector>
<flow name="wfsFlow1" doc:name="wfsFlow1" processingStrategy="synchronous">
<http:inbound-endpoint exchange-pattern="request-response" host="localhost" port="8081" path="wms" responseTimeout="10000000" doc:name="Geoserver OWS">
<mule-ss:http-security-filter realm="mule-realm"/>
</http:inbound-endpoint>
<http:outbound-endpoint exchange-pattern="request-response" method="GET" address="http://www.wms.nrw.de/wms#[header:INBOUND:http.request]" encoding="UTF-8" disableTransportTransformer="true" responseTimeout="1000000" doc:name="Geoserver OWS"/>
</flow>
</mule>
I think the problem is the response from the WMS Service as byte array. I tried different response transformers to transform from byte array to string or html response, but it didn't work.
I also tried the bridge pattern, but it wasn't providing the parameters with the GET Operation as I expected but by POST, which is not accepted by the underlying WMS Service.
I think my Use Case is pretty simple, but I've been trying to implement it for four weeks now. I did every sample Tutorial these vendors provided, but I wasn't able to set up a simple HTTP Parameter service with any kind of authentication.
Does anybody have any experiences with these products or would be so nice to answer me some specific questions on how to set up a HTTP Proxy with authentication on any of these products?
Many thanks!
David, your requirement is lengthy. Let me clarify some points on the WSO2 ESB so you can get started.
WSO2 ESB supports a variety of transports and content types not just SOAP. You may be most interested in the REST and probably JSON support. Links at here and here may help.
All WSO2 servers can be plugged into an external Directory service. Click here for instructions.
All your requirements can be covered. You can go through the comprehensive samples at this location to get a feel for what the ESB can do. Let me also point you to the articles at here, here, here, here and here that would help you with your requirements.
Hope this helps.
Mule relies on Spring Security when it comes to authenticating and authorizing people.
Configuring Security is the documentation entry point for dealing with security in Mule. You'll find there information on configuring Spring Security, securing components (like your HTTP bridge) and LDAP authentication.
By default Mule serializes its session into an HTTP header when performing outbound requests. This not only can be a security issue if the remote site is not trusted, but it can also lead to Bad Request issues because the serialized session yields a too large HTTP header.
Knowing that when a security context is present, the Mule Session becomes pretty big, this can cause problems. And indeed, using your config, I was receiving bad request errors from my remote test site! So I added the following to ensure Mule doesn't send its requests over HTTP:
<http:connector name="NoSessionConnector">
<service-overrides sessionHandler="org.mule.session.NullSessionHandler" />
</http:connector>
Also I removed disableTransportTransformer="true" from your config because this can cause issues too.
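A check for the session leak this answer describes, as an added example that is not part of the original answer or Mule's own code: it scans a captured outbound request for a Mule session header and reports its size. The header names `X-MULE_SESSION`/`MULE_SESSION`, the base64-encoded Java serialization format and the 8192-byte header limit are assumptions not stated on the page; the sample request is constructed.

```python
import base64

# Assumptions (not from the page): Mule's HTTP transport names the header
# X-MULE_SESSION (MULE_SESSION in older releases) and fills it with a
# base64-encoded Java-serialized session; many servers cap headers near 8 KiB.
SESSION_HEADER_NAMES = {"x-mule_session", "mule_session"}
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
HEADER_LIMIT = 8192


def parse_headers(raw_request):
    """Return the header block and its (name, value) pairs, request line skipped."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return head, headers


def audit_outbound_request(raw_request, limit=HEADER_LIMIT):
    """Report whether a request carries a Mule session header and how big it is."""
    head, headers = parse_headers(raw_request)
    findings = {"session_header": None, "session_bytes": 0,
                "java_serialized": False,
                "header_block_bytes": len(head.encode("latin-1"))}
    for name, value in headers:
        if name.lower() in SESSION_HEADER_NAMES:
            findings["session_header"] = name
            findings["session_bytes"] = len(value)
            try:
                decoded = base64.b64decode(value, validate=True)
            except ValueError:  # not base64: report the header, skip the format check
                decoded = b""
            findings["java_serialized"] = decoded.startswith(JAVA_SERIAL_MAGIC)
    findings["over_limit"] = findings["header_block_bytes"] > limit
    return findings


def build_sample(with_session):
    """Constructed request; the session blob is filler, not a real Mule session."""
    lines = ["GET /wms?REQUEST=GetCapabilities HTTP/1.1", "Host: www.wms.nrw.de"]
    if with_session:
        blob = base64.b64encode(JAVA_SERIAL_MAGIC + b"\x00" * 9000).decode()
        lines.append("X-MULE_SESSION: " + blob)
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    print(audit_outbound_request(build_sample(True)))   # session header present
    print(audit_outbound_request(build_sample(False)))  # clean request
```

Run it against requests captured on the outbound side of the proxy before and after switching the connector to NullSessionHandler.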
Context
See this question: Enable CORS on Azure Service Bus Namespace
Really I want to have a front-end only ReactJS app that talks to the Azure API, and renders bits of the result onto the screen. Then gets input from the users and sends that back to the Azure API. Rinse and repeat.
Unfortunately CORS pretty much rules that out, and you can't[1] override the CORS rules for a ServiceBus Namespace.
So the proposed solution is a thin proxy server, proxying the Azure API, to circumvent CORS.
(Alternative solutions to this question are HIGHLY welcome!)
[1] read: I can't currently see any way to, and nor can my Google Searches.
Question
The user on that other question proposes the relevant web.config file, so now I want to create that proxy server. I don't really want that server doing anything else, I want it to be as transparent as possible.
What is the simplest possible way to set up that server?
I'm kinda hoping that I would be able to do something like:
"Tell Azure that I want a webserver, and paste/upload that web.config text into the Azure Portal"?
If it's relevant, currently my stack has literally nothing other than npm and the JS Create-React-App template's stack. I'm imagining we'll host the site in Azure too.
I got this to work, and it was pretty painless - Azure can JustDoThis.
Documenting the notes I wrote for myself here, for any future lost wanderers :)
As noted in the linked question, the Azure server doesn't (and can't) enable CORS, so we need to circumvent that in some manner. The approach is to create a ReverseProxy server, which accepts the request, forwards it to Azure, receives the response, adds the relevant CORS headers and returns it to the caller.
Followed steps, except skip the "Basic Authentication" step (Steps #3 & #4), from this Microsoft blog: https://blogs.msdn.microsoft.com/mihansen/2018/04/18/reverse-proxy-with-basic-authentication-in-azure-web-app/
Step 1: Create a new Azure Web App
Step 2: Add applicationHost.xdt file (in \Home\site)
Step 2a: Set the contents of the .xdt file using provided template (I think it's literally a web.config file?)
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.webServer>
<proxy xdt:Transform="InsertIfMissing" enabled="true" preserveHostHeader="false" reverseRewriteHostInResponseHeaders="false" />
</system.webServer>
</configuration>
SKIP STEPS 3 & 4 (relate to Authentication which isn't necessary if it's just a redirect.)
Step 5: Update/Modify/Create rewrite rules
Step 2 is achieved through KUDU, which is accessible here:
https://yourazuresitedomain.scm.azurewebsites.net/
Some links about what KUDU is and how to use it:
https://blogs.msdn.microsoft.com/benjaminperkins/2014/03/24/using-kudu-with-windows-azure-web-sites/
https://www.jamessturtevant.com/posts/How-to-add-edit-and-remove-files-in-your-azure-webapp-using-the-kudu-service-dashboard/
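The header-adding step of the reverse proxy described above, as an added example in Python rather than the IIS rewrite rules the answer used (it is not the author's configuration): it answers preflight requests itself and echoes `Access-Control-Allow-Origin` only for allowlisted origins instead of `*`. The origin `https://app.example.com`, the allowed methods and headers and the function names are assumptions.

```python
# Assumed values for illustration; none of them come from the page.
ALLOWED_ORIGINS = {"https://app.example.com"}
ALLOWED_METHODS = "GET, POST, OPTIONS"
ALLOWED_HEADERS = "Authorization, Content-Type"
HOP_BY_HOP = {"connection", "keep-alive", "transfer-encoding", "upgrade",
              "proxy-authenticate", "proxy-authorization", "te", "trailer"}


def cors_headers(origin):
    """CORS headers for one request Origin; empty when the origin is not allowed."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": ALLOWED_METHODS,
            "Access-Control-Allow-Headers": ALLOWED_HEADERS}


def proxy_response(method, request_headers, upstream_status, upstream_headers):
    """Return (status, headers, forwarded) for the reply sent to the browser.

    forwarded is False when the proxy answers without calling the upstream.
    """
    req = {k.lower(): v for k, v in request_headers.items()}
    origin = req.get("origin")
    # A preflight is an OPTIONS request carrying Access-Control-Request-Method.
    if method == "OPTIONS" and "access-control-request-method" in req:
        allowed = cors_headers(origin)
        return (204 if allowed else 403), allowed, False
    # Drop hop-by-hop headers and any CORS headers the upstream set itself.
    headers = {k: v for k, v in upstream_headers.items()
               if k.lower() not in HOP_BY_HOP
               and not k.lower().startswith("access-control-")}
    # The reply differs per Origin, so caches must key on it; keep upstream Vary.
    vary = [v for k, v in headers.items() if k.lower() == "vary"]
    headers = {k: v for k, v in headers.items() if k.lower() != "vary"}
    headers["Vary"] = ", ".join(vary + ["Origin"])
    headers.update(cors_headers(origin))
    return upstream_status, headers, True


if __name__ == "__main__":
    # Constructed upstream reply that tries to set its own wildcard CORS header.
    upstream = {"Content-Type": "application/xml", "Connection": "close",
                "Access-Control-Allow-Origin": "*"}
    print(proxy_response("POST", {"Origin": "https://app.example.com"}, 201, upstream))
    print(proxy_response("POST", {"Origin": "https://other.example"}, 201, upstream))
```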
I am developing a flow (community version) to consume a SOAP Web Service and store the response into a DB. So far I am able to get a result from the Web Service; however, I am not sure how to read a response XML element. I tried to use a variable component with XPATH but it didn't work. Any suggestions?
Assume that you have the below xml response from your web service
<Employee>
<Name>John</Name>
<ID>J234</ID>
</Employee>
Please try the below syntax to fetch XML element
#[xpath3('/Employee/Name')]
Hope this will help you...
We are using WSO2 Carbon 4.2.0 through the WSO2 Application Server (AS) package. In replacing an older, highly customized Carbon installation (provided by a company that no longer supports the product, has abandoned it and refuses to work on it, and left us no details on how/what they modified in Carbon), we have deployed a couple web applications in the webapps container as they were deployed before in the older instance. We have changed our WebContextRoot in the carbon.xml from the default "/" to a sub-URL of ex: "/stuff", as is also detailed in the self-answered SO question here. However the answer given there is not detailed in what the OP actually encountered when he modified his WSO2 instance.
In testing the above configuration we noticed that if a user were to go to a non-existent web address on the server, depending on the format of the URL they are either:
redirected to a blank page;
receive a "500 Internal server error" (I suspect this is the embedded Tomcat?);
get sent to the Carbon login page (which we definitely do not want to happen for security reasons); or
get an XML document stating:
<faultString> The service cannot be found for the endpoint reference (EPR) /stuff/services/nonexistantservicename </faultString>
At least in the case of missing content we wish the user to be sent to a standardized 404 error page, or at the least be sent an HTTP 404 error by the server. For services the XML error is palatable, we can deal with that.
The only option for us right now to circumvent this issue is to place a proxy in front of the WSO2 instance, which would be another layer to manage and tune, and possibly degrade performance. Please know that I am not a programmer but just an admin with DevOps experience. I would not know how to handle this with e.g. a Java solution or re-coding parts of WSO2. Customizing the core product would also hamper future upgrades of WSO2, a scenario we are trying to dig ourselves out of now as detailed above. Is there no internal WSO2 mechanism to handle non-existent content? Can we not redirect any errors to a standard canned response page?
This problem seems to exist on a specific server. All other servers are working ok.
Background: The website is basically Forms Auth but there's an asmx that manually requires Basic Auth.
I have two C# clients.
When invoking using SOAP (asmx client proxy) with basic auth credentials - all is well.
When invoking using WebClient or WebRequest with the same basic auth credentials, I get 401.5.
The folders have "Everyone" set to them.
When setting up IIS trace, I see a very weird behavior. The request arrives with the correct Basic auth header. But further down the trace I see the following:
GENERAL_REQUEST_HEADERS
Headers="Connection: Keep-Alive
Content-Length: 68
Content-Type: application/json
Authorization: Kerberos
Expect: 100-continue
Host: 1.2.3.4
The Kerberos seems very weird. It is as if the request headers changed throughout the process, and perhaps that explains the 401.5.
Again, I would like to stress that on other servers there's no problem with both clients. The only difference I can think of is that the problematic server is a DC. But if that is a problem then why is the SOAP client working well?
Any ideas?
Progress!
After some debugging I noticed that Application_AuthenticateRequest was fired twice for every request. The first time with Basic auth as I expected and the second time with the Kerberos!
After googling I found this:
http://forums.asp.net/t/1868629.aspx?HttpModule+triggered+two+times+for+request+to+URL+without+default+document
Seems like for extensionless urls those events might fire multiple times, depending on the configured Extensionless urls.
Going back to the trace I noticed that in the non-working server the trace shows usage of ExtensionlessUrl-ISAPI-4.0_64bit, and in the working servers no such entry existed. After comparing the two IIS I noticed that the non-working IIS had ExtensionlessUrl-ISAPI-4.0_64bit configured whereas in the working IIS there was ExtensionlessUrlHandler-ISAPI-4.0_64bit (note the "handler"). I compared the dlls involved and the working server had a newer aspnet_isapi.dll. I assume that this is an updated extensionless url handler. I suppose an upgrade to IIS or .NET might install a later version, but for now I tried to remove the ExtensionlessUrl-ISAPI-4.0_xxbit like so:
<remove name="ExtensionlessUrl-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrl-ISAPI-4.0_64bit" />
And it worked! Now there is only a single Application_AuthenticateRequest.
The non-working version that had this in the trace:
OldHandlerName="", NewHandlerName="ExtensionlessUrl-ISAPI-4.0_64bit", NewHandlerModules="IsapiModule", NewHandlerScriptProcessor="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll", NewHandlerType=""
Now changed to:
OldHandlerName="", NewHandlerName="WebServiceHandlerFactory-ISAPI-4.0_64bit", NewHandlerModules="IsapiModule", NewHandlerScriptProcessor="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll", NewHandlerType=""
Hopefully that's the end of it. Additional testing still required.
I would appreciate if someone can write how to upgrade IIS dlls to a later version. Is this an upgrade to .NET or is there a specific KB update that is downloaded with Windows Update?
I'm trying to use Talend Open Studio to sync contacts from a variety of input sources into an Exchange 2007 server.
I know Talend can talk SOAP, and EWS has a WSDL, but having bumped into all sorts of problems trying to marry the two together (since Exchange's WSDL is lacking elements which Talend needs) I don't know if that's the best plan of attack, or if I should be looking at building a more Exchange-specific plugin for Talend using the EWS Java API from MS.
Alternatively, if these are both known to not be possible, I'd appreciate a pointer to an explanation as to why - all the buzzwords seem to line up on each side, after all.
I work at Talend and would be happy to try and help you out a bit, but I myself am not familiar with the Exchange WSDL. I would assume that a SOAP interface from an established vendor like Microsoft is going to be WS-I Basic Profile compatible and should be easily invoked directly just like any regular WS. Would you mind trying the following:
What particular elements are missing from the MS WSDL, or is it trying to use some non-standard feature? CXF is fully JAX-WS compliant, and it is certified WS-I BP compliant, so I have to assume something odd is going on.
post the WSDL from exchange that you are trying to invoke from Talend.
create a proxy client for that WSDL using CXF.
Give it a try and send the error message.
Generate a mock service provider based on that wsdl using CXF and run the CXF mock and try against that with the CXF wsdl client. This will give you added confidence that the client and wsdl have no problems.
you can also try generating a simple test case with just SOAP UI or similar tooling against the Exchange WS.
ps: CXF is apache based open source. It is easy to use and has tight integration with Talend via the ASF suite. But you can also just use it by itself for diagnostic purposes.
Ed
I have been struggling with that too...
You can use tSoap for that purpose.
tWebServiceInput does not work for me with EWS.
tSoap->tLogRow
eg:
tSoap component that resolves a given name is the method ResolveNames()
Value to resolve = Thierry
Set "Need Authentication" with username and password
Set End Point, eg "https://yourserver/EWS/Exchange.asmx"
Set SOAP Action, "http://schemas.microsoft.com/exchange/services/2006/messages/ResolveNames"
SOAP Version 1.1
Set SOAP Message:
... Enter Soap Method enclosed with ".
Joins tSoap to tLogRow
Run the Job. Voila the result...
Starting job xSoap_ResolveNames_LogRow at 13:43 30/05/2012.
[statistics] connecting to socket on port 3682
[statistics] connected
<Header><t:ServerVersionInfo xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" MajorBuildNumber="685" MajorVersion="8" MinorBuildNumber="24" MinorVersion="0" /></Header>|<m:ResolveNamesResponse xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"><m:ResponseMessages><m:ResolveNamesResponseMessage ResponseClass="Success"><m:ResponseCode>NoError</m:ResponseCode><m:ResolutionSet IncludesLastItemInRange="true" TotalItemsInView="1"><t:Resolution><t:Mailbox><t:Name>Thierry TYS. Yen Suin</t:Name><t:EmailAddress>thierry.suin#sc-mauritius.com</t:EmailAddress><t:RoutingType>SMTP</t:RoutingType><t:MailboxType>Mailbox</t:MailboxType></t:Mailbox><t:Contact><t:DisplayName>Thierry Yen Suin</t:DisplayName><t:GivenName>Thierry</t:GivenName><t:EmailAddresses><t:Entry Key="EmailAddress1">SMTP:thierry.suin#sc-mauritius.com</t:Entry></t:EmailAddresses><t:ContactSource>ActiveDirectory</t:ContactSource><t:Surname>Yen Suin</t:Surname></t:Contact></t:Resolution></m:ResolutionSet></m:ResolveNamesResponseMessage></m:ResponseMessages></m:ResolveNamesResponse>|
[statistics] disconnected
Job xSoap_ResolveNames_LogRow ended at 13:43 30/05/2012. [exit code=0]
It should work similarly with a method that creates a contact.
Hope it helps because I haven't found a lot of posts on integrating Talend with Exchange Web Services despite searching for a long time.