
RE: Consume https web service with userid and password.



I don't think the Nonce is an encrypted password. Nonces are usually used as part of a "conversation" to hold a value that helps ensure only that conversation (the login) is valid and when ended, it is no longer valid.

The wiki on cryptographic_nonce has a diagram that shows how it usually works and the description of it is pretty good (but it might take reading it more than once). 
http://en.wikipedia.org/wiki/Cryptographic_nonce

That said, I am surprised you could just fill in the Nonce and get it to work.

The authentication documents that describe the general process that web service is using are here:
http://docs.oasis-open.org/wss/2004/01/

From a quick read in the security one, implementations are flexible and open to interpretation.
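
Added example, not part of the original messages and not HTTPAPI code: a Python sketch of how the Nonce and Created values quoted in this thread relate to the password under the WS-Security UsernameToken profile. With the #PasswordText type used in the request, the password travels as-is and the nonce is independent of it; only the #PasswordDigest type mixes the nonce in, as Base64(SHA-1(nonce + created + password)). The ReplayGuard class and its five-minute window are hypothetical, showing what a server that enforces nonce uniqueness would do; the thread does not say whether this service does.

```python
import base64
import hashlib
from datetime import datetime, timedelta, timezone

# Values copied from the SOAP request quoted in this thread.
THREAD_NONCE = "ABCDEV9FfuqzOjbjBr1Q/w=="
THREAD_CREATED = "2014-04-11T20:24:12.980Z"

def decode_b64(value):
    """Strictly decode a Base64Binary value."""
    return base64.b64decode(value, validate=True)

def parse_created(created):
    """Parse a wsu:Created timestamp of the form used in the thread (UTC, 'Z')."""
    ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%S.%fZ")
    return ts.replace(tzinfo=timezone.utc)

def password_digest(nonce_b64, created, password):
    """#PasswordDigest value: Base64(SHA-1(nonce + created + password))."""
    raw = decode_b64(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

class ReplayGuard:
    """Hypothetical server-side check: reject stale tokens and reused nonces."""
    def __init__(self, max_age=timedelta(minutes=5)):
        self.max_age = max_age
        self.seen = {}  # nonce bytes -> Created time

    def check(self, nonce_b64, created, now):
        ts = parse_created(created)
        if abs(now - ts) > self.max_age:
            return "stale"
        # Nonces older than the window can be forgotten: "stale" rejects them anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_age}
        nonce = decode_b64(nonce_b64)
        if nonce in self.seen:
            return "replay"
        self.seen[nonce] = ts
        return "ok"

if __name__ == "__main__":
    print(len(decode_b64(THREAD_NONCE)), "bytes in the decoded nonce")
    guard = ReplayGuard()
    now = parse_created("2014-04-11T20:24:13.000Z")
    print(guard.check(THREAD_NONCE, THREAD_CREATED, now))  # first use
    print(guard.check(THREAD_NONCE, THREAD_CREATED, now))  # same token resent
    print(password_digest(THREAD_NONCE, THREAD_CREATED, "fakepasswordhere"))
```

A server that skips the uniqueness check will accept the same hard-coded Nonce and Created values on every call, so the token then offers no replay protection beyond what the HTTPS transport gives.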

-----Original Message-----
From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx [mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of John Rusling
Sent: Thursday, April 17, 2014 2:45 PM
To: HTTPAPI and FTPAPI Projects
Subject: RE: Consume https web service with userid and password.

Thanks Chris,

Can you tell me if this gibberish 'ABCDEV9FfuqzOjbjBr1Q/w=='

+ '<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/'
 +   'oasis-200401-wss-soap-message-security-1.0#Base64Binary">'      
 + 'ABCDEV9FfuqzOjbjBr1Q/w==</wsse:Nonce>'                            

piece is some sort of encrypted version of the password 'fakepasswordhere'.

i.e., the below?

+ '<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/'     
 +   'oasis-200401-wss-username-token-profile-1.0#PasswordText">'     
 +     'fakepasswordhere</wsse:Password>'

John


-----Original Message-----
From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx [mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Hayden, Chris
Sent: Thursday, April 17, 2014 2:29 PM
To: HTTPAPI and FTPAPI Projects
Subject: RE: Consume https web service with userid and password.

Just a suggestion:

Create a service program that contains all of the underlying HTTP logic.

Create another RPG program that will execute the service program procedure.

For the userid and password, I created a configuration file that contains the userid and password.

Send me an email at chayden@xxxxxxxxxxxx and I will send you an example





-----Original Message-----
From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx [mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of John Rusling
Sent: Thursday, April 17, 2014 3:14 PM
To: ftpapi@xxxxxxxxxxxxxxxxxxxxxx
Subject: Consume https web service with userid and password.

I am consuming a web service.  I first consumed it using SoapUI, then took the soap request that it built, and plugged it into an rpg program.

Then I used the httpapi to get the results, sample of the call below.

rc = http_url_post(Url                                    
                  :%addr(Soap) + 2 :len                   
                  :'/johnr/aaJBRCustomReport1Result.xml');
                  
It is an https url and via some mechanism in the soap header, the user id and password are fed to the request/web service.

The soap request is below.

Basically, I've just exhausted everything that didn't work until I got it to work, so, I don't really know what I'm doing. (what else is new)

Can someone explain what kind of security/authentication this is and/or what's going on?
Is there something 'built in' to the httpapi to automagically implement this?

Any guidance, suggestions or explanations are much appreciated.

Thanks,

John


Soap = '<?xml version="1.0" encoding="UTF-8"?>'                       
                                                                      
 + '<soapenv:Envelope xmlns:soapenv="'                                
 + 'http://schemas.xmlsoap.org/soap/envelope/" '
 + 'xmlns:jbr="urn:com.workday.report/JBR_Custom_Report1">'           
                                                                      
 + '<soapenv:Header>'                                                 
 + '<wsse:Security soapenv:mustUnderstand="1" '                       
 + 'xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/'              
 +   'oasis-200401-wss-wssecurity-secext-1.0.xsd" '                   
 + 'xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/'               
 +   'oasis-200401-wss-wssecurity-utility-1.0.xsd">'                  
 + '<wsse:UsernameToken wsu:Id="UsernameToken-2">'                    
 + '<wsse:Username>'                                                  
   + 'fakeuseridhere'                                   
 + '</wsse:Username>'                                                 
 + '<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/'     
 +   'oasis-200401-wss-username-token-profile-1.0#PasswordText">'     
 +     'fakepasswordhere</wsse:Password>'                              
 + '<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/'
 +   'oasis-200401-wss-soap-message-security-1.0#Base64Binary">'      
 + 'ABCDEV9FfuqzOjbjBr1Q/w==</wsse:Nonce>'                            
 + '<wsu:Created>2014-04-11T20:24:12.980Z</wsu:Created>'              
 + '</wsse:UsernameToken></wsse:Security>'                            
 + '</soapenv:Header>'                                                
                                                                     
 + '<soapenv:Body>'                                                   
 +       '<jbr:Execute_Report>'                                       
 +          '<!--Optional:-->'                                        
 +          '<jbr:Report_Parameters>'                                 
 +             '<!--Optional:-->'                                     
 +             '<jbr:Start_Date>2011-01-01</jbr:Start_Date>'          
 +             '<!--Optional:-->'                                     
 +             '<jbr:End_Date>2011-12-31</jbr:End_Date>'              
 +          '</jbr:Report_Parameters>'                                
 +          '<!--Optional:-->'                                        
 +       '</jbr:Execute_Report>'                                      
 +    '</soapenv:Body>'                                               
 + '</soapenv:Envelope>';                                              
-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------