Using 2 different AnnotationActionEndpointMapping - spring-ws

I´m using Spring WS 2.2.0 with WS-Security (wss4j) and WS-Addressing.
I want to publish two web services, one with username-password authentication and soap body encryption/decryption (request and response) and the other just with username-password authentication.
How should I configure Wss4jSecurityInterceptor at AnnotationActionEndpointMapping?
I would like to configure two AnnotationActionEndpointMapping with different Wss4jSecurityInterceptor's so there would be two different EndpointInvocationChain, one with encryption and the other without it. But you can´t specify two different AnnotationActionEndpointMapping because it fails when registering endpoints at AbstractActionEndpointMapping.registerEndpoint().
Or should I extend AnnotationActionEndpointMapping, redefining registerEndpoint() so I can specify whether to register or not.

Related

Getting 'unauthorized_client' with Power Platform Custom Connector using OAuth2

I am trying to build a Custom Connector in the Power Platform to connect to the BMC Helix (formerly Remedy) system to create work orders and such. I am using OAuth2 and was given a callback URL, auth URL, token URL, client ID and client secret.
I went to create a connector from scratch. I populated the fields, but I wasn't sure what to put for the 'Refresh URL', so I used the token URL there too.
I am trying to accomplish testing this connector and my successful test would be to get a JWT from doing a POST to the /api/jwt/login endpoint of BMC Helix. It should return a JWT which I can use to make subsequent calls.
Upon testing this, I go to create a connection, but a window opens (which I believe should be a prompt for authentication), but instead it contains an error saying 'unauthorized_client' coming back from the BMC Helix system at the /rsso/oauth2/authorize endpoint. It also contains a property within the URL of redirect_uri = https://global.consent.azure-apim.net/redirect.
Is there something on the Helix side I need to further configure? Not sure why I am getting this....
It sounds like you need TWO METHODS in your connector. A POST to call the token server, a GET (or another POST) to call the API (using the token received from Call 1).
One approach I've successfully used in the past is:
Use Postman to get your token server call working with OAUTH
Then use Postman to get your subsequent API calls working with the token appended
Save both requests to a single Postman collection
Export the Postman collection (as a V1 (deprecated) if I recall correctly)
Import this collection into PowerApps Custom Connector (create new/import from Postman Collection)
You'll have to massage it a bit after import, but it will give you a good headstart and you're starting from a known-good place (working Postman calls)
Good luck!

ReactiveBase headers

I'm experimenting with ReactiveSearch and so far have tried the DataSearch and ResultList components. I'm looking over the required component to look at all the props and I see this
<ReactiveBase
app="appname"
credentials="abcdef123:abcdef12-ab12-ab12-ab12-abcdef123456"
headers={{
secret: 'reactivesearch-is-awesome'
}}
>
<Component1 .. />
<Component2 .. />
</ReactiveBase>
If the app is already secured using Appbaseio and the credentials gives my React app access to my ES cluster hosted there... what exactly could headers be used for? At first I thought username and password but you wouldn't do that.
What would be some of the scenarios where I SHOULD/COULD use the headers prop?
The headers are added to each request sent to the url. Normally you wouldn't need these. But in production you might want to add a layer of proxy server between your elasticsearch cluster and the client side ReactiveSearch code, this is where headers can be helpful.
You could add authentication in the flow. For example, you could restrict the elasticsearch calls to authenticated users by sending an access token via the headers prop and then verifying it at the proxy server (example of proxy server).
You could also implement some custom logic by adding custom headers and a logic to handle them at the proxy server.

Adding custom headers using AmqpProxyFactoryBean + AmqpInvokerServiceExporter

I have two separate services communicating using AmqpProxyFactoryBean (the "client") and AmqpInvokerServiceExporter (the "server"). Now, I'd like to include some custom headers on every request made through the AMQP proxy and be able to access them on the "server". Is there any easy way I can achieve this?
Since AmqpClientInterceptor uses AmqpTemplate to send and receive AMQP messages, you can provide for that RabbitTemplate any custom MessageConverter. And populate any additional headers from your toMessage() implementation.
However I'm not sure that you will be able to access to those custom header on the server side. We end up there just with RemoteInvocation.invoke().
So, seems for me you finally come up to the solution with an additional RPC param.
From other side that custom header may be useful for other AQMP routing scenarios when you can route that RPC message not only to the RPC queue.
Consider using Spring Integration AMQP Gateways instead of remoting over rabbitmq; that way you have complete control over the headers passed back and forth.
If you don't want to use Spring Integration, you can use the RabbitTemplate sendAndReceive methods on the client and either the receiveAndSend or a listener container on the server.
Again, this gives you full control over the headers.

Spring-WS payload based endpoint mapping unsuccessful in case of WS-Security Encryption

When using PayloadRootAnnotationMethodEndpointMapping together with WS-Security Encryption, I get this error: [EndpointNotFound] No endpoint mapping found for [SaajSoapMessage {http://www.w3.org/2001/04/xmlenc#}EncryptedData]
Spring WS wants first finding the right Endpoint, and only later decrypts the SOAP body. This is obviously not the right thing to do.
Please dont tell me that the SoapActionAnnotationMethodEndpointMapping is the solution. Is not there a better way? I would not like routing based on SOAP Action or WS-A Action.
Unfortunately, using the SoapActionAnnotationMethodEndpointMapping or AnnotationActionEndpointMapping are the only provided mappings you can use. In Spring-WS, the EndpointMapping is queried before any of the interceptors are invoked - including the security interceptor, and such you have to find a mapping that does not depend on the encrypted message payload.
That said, since EndpointMapping is an interface, you can also write your own, and include any kind of routing logic you can think of. Extending from AbstractAnnotationMethodEndpointMapping is a good start for this approach. When your mapping is done, just wire it up in the application context and it should be detected automatically by Spring-WS's MessageDispatcher.

Parse.com REST API authentication

Parse.com's REST API docs (https://www.parse.com/docs/rest) say: Authentication is done via HTTP headers. The X-Parse-Application-Id header identifies which application you are accessing, and the X-Parse-REST-API-Key header authenticates the endpoint. In the examples with curl that follow, the headers are stored in shell variables APPLICATION_ID and REST_API_KEY, so to follow along in the terminal, export these variables.
I am building a Sencha Touch app as a native app on iOS and Android using Phonegap, and I was wondering whether it is secure to expose these keys to the client while making the REST calls?
Also, can someone explain to me how does security work in this scenario? Help is much appreciated! Thanks!
Without phonegap , in a proguard , post processed android apk , the string values of the 2 headers you mention are exposed client-side . not a big issue. TLS covers the http header values during network leg and far more important for app security, you have Full ACL at the DB row level(parse/mongo) contingent on permissions of 'current user()'. So with no access to logon, some outsider doesn't have any more than obfuscated string value to an app-level access token.
. One odd thing is that with parse the lease time on the client-side token value foapi key is permanent rather than say a month.
Parse REST security is robust n well executed.
Can't speak to what PG framework offers in obfuscate/minify/uglify area but you should check that.

Resources