tag:blogger.com,1999:blog-5122101482600825069.post6049833848093393082..comments2019-09-19T02:45:25.177-07:00Comments on ConsiderTheAnt: Using WS Security for SOAP Requests in ColdFusionAnthony Israel-Davishttp://www.blogger.com/profile/01726702236067369761noreply@blogger.comBlogger42125tag:blogger.com,1999:blog-5122101482600825069.post-42278364429764289592012-12-14T08:41:37.699-08:002012-12-14T08:41:37.699-08:00not sure where the getMsgHeader(), get MsgUsername...not sure where the getMsgHeader(), get MsgUsername() . . .comming from?cvunoreply@blogger.comtag:blogger.com,1999:blog-5122101482600825069.post-2006996579661227892012-12-08T13:02:54.460-08:002012-12-08T13:02:54.460-08:00uhm, I am confused. Can someone help me through t...uhm, I am confused. Can someone help me through the whole coding proccess? how to consume web service in SSL, SOAP that required certificate authentication as binary token. As I see Steve Smith is heading in that direction but I am so sure how to fit his codes in <cfhttp . . . Please help.cvunoreply@blogger.comtag:blogger.com,1999:blog-5122101482600825069.post-13250242343946697762012-08-23T11:57:41.273-07:002012-08-23T11:57:41.273-07:00This comment has been removed by the author.milohttps://www.blogger.com/profile/10762754345007942668noreply@blogger.comtag:blogger.com,1999:blog-5122101482600825069.post-39863494504769934392012-08-23T11:53:29.950-07:002012-08-23T11:53:29.950-07:00This comment has been removed by the author.milohttps://www.blogger.com/profile/10762754345007942668noreply@blogger.comtag:blogger.com,1999:blog-5122101482600825069.post-14098266968013946402012-08-23T10:41:38.340-07:002012-08-23T10:41:38.340-07:00This comment has been removed by the author.milohttps://www.blogger.com/profile/10762754345007942668noreply@blogger.comtag:blogger.com,1999:blog-5122101482600825069.post-76969238550152597832012-08-07T11:28:44.081-07:002012-08-07T11:28:44.081-07:00Paul,
I've got my hands quite full now, so I ...Paul,<br /><br />I've got my hands quite full now, so I am not available for hourly work. It is possible to construct WS-Security headers manually, so that could be an option. It's a not as elegant, but it can be done. I'm pegged out at work right now, but there are other options out there. Also, I *think* CF10 may actually have the necessary libraries built in since it uses AXIS 2, but I haven't had a chance to download and play with it (mostly force.com and middleware development at the moment)Anthony Israel-Davishttps://www.blogger.com/profile/01726702236067369761noreply@blogger.comtag:blogger.com,1999:blog-5122101482600825069.post-14585061113927474382012-08-06T17:27:41.788-07:002012-08-06T17:27:41.788-07:00Hey again Anthony. If you are available for hourly...Hey again Anthony. If you are available for hourly work, please let me know. We've consumed too much time and need this issue sorted ASAP. paulbaylis1@yahoo.com. Many thanks!Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-5122101482600825069.post-17657003843347211442012-08-06T03:27:58.485-07:002012-08-06T03:27:58.485-07:00Hi Anthony,
Yeah, I got that one sorted in the en...Hi Anthony,<br /><br />Yeah, I got that one sorted in the end.<br />A new issue though. Not sure I can explain it briefly. I've posted it on StackOverflow though at http://stackoverflow.com/questions/11822301/coldfusion-java-the-build-method-was-not-found <br /><br />You may have hit this issue before or have some insight.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-5122101482600825069.post-838102115634889662012-08-05T20:33:13.159-07:002012-08-05T20:33:13.159-07:00Paul,
Glad you are finding it useful! It sounds l...Paul,<br /><br />Glad you are finding it useful! It sounds like the Jar file isn't in your classpath - if it is in your classpath, you may need to restart coldfusion for it to be recognized. <br /><br />If you are able to instantiate org.apache.ws.security, then you can dump that out and see if something is missing. Also check capitalization and syntax in case a space or some other mischievous character got in there.<br /><br />Hope that helps!Anthony Israel-Davishttps://www.blogger.com/profile/01726702236067369761noreply@blogger.comtag:blogger.com,1999:blog-5122101482600825069.post-57544871290935476842012-08-05T14:54:10.945-07:002012-08-05T14:54:10.945-07:00Hey Anthony, love your work.
I'm getting an er...Hey Anthony, love your work.<br />I'm getting an error - "Object Instantiation Exception.<br />Class not found: org.apache.ws.security.WSConstants". Any idea what the problem could be?Paul Baylishttp://www.china-buy.comnoreply@blogger.comtag:blogger.com,1999:blog-5122101482600825069.post-30818437244733396242012-05-25T22:11:13.603-07:002012-05-25T22:11:13.603-07:00Chris,
I this looks an awful lot like a classpat...Chris, <br /><br />I this looks an awful lot like a classpath issue to me. Perhaps the jar needs to be packaged with the WAR or there is something in the WAR config that needs a pointer? I haven't worked with portlets, so I don't have any experience in that regard, so I'm just guessing. <br /><br />I would probably try to see if the ws.security object can be found - my guess is no - but if it can dump that out and see what you get. <br /><br />I don't think this a bug issue with the jars, although it's quite likely newer versions are out (pretty sure XMLSec is updated), so you could pull those to see if those work better. <br /><br />You may also want to check out Mark Mandel's Java Loader (http://javaloader.riaforge.org/) that may help as well.<br /><br />This is probably all moot with CF10 as it uses Axis2 and likely has better integration with these libraries (and Java Loader built in IIRC). I haven't had a chance to play with it yet and it's not really a solution for you, but it's worth tucking away for later. <br /><br />If you do find a solution, let us know, I'm curious to know what the issue is and I'm sure you'll help someone else out there with the same problem!Anthony Israel-Davishttps://www.blogger.com/profile/01726702236067369761noreply@blogger.comtag:blogger.com,1999:blog-5122101482600825069.post-12939853722758106332012-05-25T13:20:00.273-07:002012-05-25T13:20:00.273-07:00Anthony,
Thanks for your tips and providing this ...Anthony,<br /><br />Thanks for your tips and providing this forum for discussion. We've used your (and others) efforts here to try and get WS pulling into a CF9 Portlet. As portal native, cfusion.war doesn't spin up it's own JVM, we're getting an "Object Instantiation Exception.<br />Class not found: org.apache.ws.security.WSConstants." it's as if CF, deployed as a .war, is not finding the xmlsec and wss4j jars (webapps\cfusion\WEB-INF\cfusion\lib\wss4j-1.5.8.jar and xmlsec-1.4.2jar) in the class path. The CF admin DOES indicate that they are there in server settings. We're stumped. We've put them in every lib dir we can find, tried adding them to the java class path outside cfusion.war. The statements that are calling the classes are in our WSAuthenticator.cfc<br /><br /> <br /> <br /> // Create Java Objects from xmlsec and wss4j<br /> variables.WSConstantsObj = CreateObject("Java","org.apache.ws.security.WSConstants");<br /> variables.messageClass = CreateObject("Java","org.apache.ws.security.message.WSSecUsernameToken");<br /> variables.secHeaderClass = CreateObject("Java","org.apache.ws.security.message.WSSecHeader");<br /> variables.TSBuilder = CreateObject("Java","org.apache.ws.security.message.WSSecTimestamp");<br /> return this;<br /> <br /> <br /><br />Am I read above correctly, there's a bug in xmlsec or wss4j?Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-5122101482600825069.post-36704376260319500542012-03-20T17:22:36.263-07:002012-03-20T17:22:36.263-07:00Thanks K.J.! This is really excellent stuff. I app...Thanks K.J.! This is really excellent stuff. I appreciate your contribution - I'm sure it will be invaluable to others doing integration work.Anthony Israel-Davishttps://www.blogger.com/profile/01726702236067369761noreply@blogger.comtag:blogger.com,1999:blog-5122101482600825069.post-79919995862191513812012-03-20T12:51:20.963-07:002012-03-20T12:51:20.963-07:00@Steve and Anthony
I finally got this working aft...@Steve and Anthony<br /><br />I finally got this working after several days and figured I'd share my results. Early on, I abandoned the notion of getting this working in CF, and pushed it all to a custom Java class that just takes strings from CF as arguments.<br /><br />I used Axis2 with Rampart, following their normal instructions, I created a stub and got my web service working from a standalone file. I setup the constructor to create a static ConfigurationContext with my endpoint. I then created a call() function that creates a new Axis2 stub and actually performs the sendReceive() and returns the result to CF as a string.<br /><br />Here is where I hit issues. This would work perfectly once, then randomly after that. I kept getting an "Object not instantiated" error. I was able to track it down to a bug in an older version of xml-security which is even included in the most up to date version of wss4j.<br /><br />You will need to download the latest wss4j source and the latest xml-security libraries. Update the xml-security libraries in wss4j and compile. I had to remove an "init();" line from one of the wss4j source files because the newer xml-security no longer requires (or even has) that function.<br /><br />Now you should be able to copy in all of your Axis2 and rampart libraries into the CF classpath and be good to go.K.J.https://www.blogger.com/profile/03145006164461340539noreply@blogger.comtag:blogger.com,1999:blog-5122101482600825069.post-47991799740644448372012-02-16T09:17:05.494-08:002012-02-16T09:17:05.494-08:00Hi Steve, did you or anybody else managed it to in...Hi Steve, did you or anybody else managed it to integrate the certificate in the cfc? Because of my minor java knowledge i don't know where and how to integrate your source code. Any help would be great!Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-5122101482600825069.post-57842840080650171932011-09-28T06:07:31.072-07:002011-09-28T06:07:31.072-07:00Thanks for the link. That looks like it could solv...Thanks for the link. That looks like it could solve my problem. I've been pulled into some other work for the moment, but I'll give it a try when I can.Steve Smithhttps://www.blogger.com/profile/01421859886080134059noreply@blogger.comtag:blogger.com,1999:blog-5122101482600825069.post-317246828028196932011-09-26T08:47:38.610-07:002011-09-26T08:47:38.610-07:00Hey so I found the following code which uses java ...Hey so I found the following code which uses java to sign a soap message. Still digging into it but if you go by the COMMENTED OUT code in the main method you'll see all the calls required. (It's a test to send an encrpyted soap message to amazon).<br /><br />http://code.google.com/p/androidzon/source/browse/AmazonClientTest/src/it/marco/axis2/amazon/TestWSS4J.java?r=71indrajit chowdhuryhttp://www.powerstores.comnoreply@blogger.comtag:blogger.com,1999:blog-5122101482600825069.post-54497359102697525722011-09-22T11:27:40.405-07:002011-09-22T11:27:40.405-07:00Steve,
I'm looking forward to seeing your ans...Steve,<br /><br />I'm looking forward to seeing your answer (I'm sure you'll get it!) I wish I had time to dive in and help more. <br /><br />I'll want to add that code in to the helper object at GitHub once you've got it, so feel free to fork it and put in a pull request. If I am able to find some time, I'll dig in as well.Anthony Israel-Davishttps://www.blogger.com/profile/01726702236067369761noreply@blogger.comtag:blogger.com,1999:blog-5122101482600825069.post-37014604141316845042011-09-22T11:22:41.043-07:002011-09-22T11:22:41.043-07:00I'm still struggling with getting it in place....I'm still struggling with getting it in place. If I crack it I'll be sure to post here.Steve Smithhttps://www.blogger.com/profile/01421859886080134059noreply@blogger.comtag:blogger.com,1999:blog-5122101482600825069.post-66957949272253519742011-09-22T10:44:15.657-07:002011-09-22T10:44:15.657-07:00Hi Steve,
I have to sign a soap envelope with a ...Hi Steve,<br /><br /> I have to sign a soap envelope with a binary security token as well and would love to skip some hair pulling. Did you ever get this working? If so would you be kind enough to share some of that code to sign the message.<br /><br />Thanks.....Indrajit Chowdhuryhttp://www.powerstores.innoreply@blogger.comtag:blogger.com,1999:blog-5122101482600825069.post-27426329362461654122011-09-21T16:30:44.109-07:002011-09-21T16:30:44.109-07:00@Steve - It sounds like you're making pretty g...@Steve - It sounds like you're making pretty good progress! Without digging into the crypto library, I'm not sure what is missing, but what I usually do in situations like that is start looking at the JavaDoc. <br /><br />A quick check, looks like it may be the private key needed to sign the the certificate. Let me know if this gets you moving in the right direction:<br /><br />http://massapi.com/class/javax/xml/crypto/dsig/dom/DOMSignContext.java.htmlAnthony Israel-Davishttps://www.blogger.com/profile/01726702236067369761noreply@blogger.comtag:blogger.com,1999:blog-5122101482600825069.post-61562239206979292122011-09-21T14:41:31.102-07:002011-09-21T14:41:31.102-07:00So far so good. I can get your results doing the f...So far so good. I can get your results doing the following:<br /><br />===============<br />holder.newdoc = holder.msgUser.build(holder.env.GetOwnerDocument(),holder.msgHead);<br />===============<br /><br />The problem comes when I try to include the certificate and the security token. When I try this:<br />===============<br />holder.msgSig.build(holder.env.GetOwnerDocument(),holder.cryptoX509,holder.msgHead);<br />===============<br />I am getting an exception thrown that traces back to "Caused by: java.lang.NullPointerException: signingKey cannot be null at javax.xml.crypto.dsig.dom.DOMSignContext"<br /><br />Any ideas on what I need to do to get that signingKey in place?Steve Smithhttps://www.blogger.com/profile/01421859886080134059noreply@blogger.comtag:blogger.com,1999:blog-5122101482600825069.post-59021892627870154242011-09-21T14:41:26.024-07:002011-09-21T14:41:26.024-07:00So I've been working on it today and I've ...So I've been working on it today and I've kind of hit a wall, and I'm hoping you can point me in the right direction. First I should mention that I've upgraded to wwwj4 1.6.2 and xmlsec 1.4.5. Here is my code based on yours.<br />===============<br />var holder = StructNew();<br />holder.msgHead = getMsgHeader(); //org.apache.ws.security.message.WSSecHeader<br />holder.msgUser = getMsgUsername(); //org.apache.ws.security.message.WSSecUsernameToken<br />holder.msgSig = getMsgSignature(); //org.apache.ws.security.message.WSSecSignature<br />holder.msgX509Token = getMsgX509Token(); //org.apache.ws.security.message.token.X509Security<br />holder.cryptoX509 = getCryptoX509(); //org.apache.ws.security.components.crypto.CertificateStore<br />holder.WSConstants = getWSConstants(); //org.apache.ws.security.WSConstants<br />holder.soapEnv = arguments.soapEnvelope;<br />holder.env = holder.soapEnv.getDocumentElement(); <br />holder.certInput = CreateObject("java","java.io.FileInputStream").init("path_to_cert_file");<br />holder.certFactory = CreateObject("java","java.security.cert.CertificateFactory").getInstance("X.509");<br />holder.cert = holder.certFactory.generateCertificate(holder.certInput);<br />holder.certArr = [holder.cert];<br />holder.cryptoX509.init(holder.certArr);<br />holder.certInput.close();<br />holder.msgSig.setKeyIdentifierType(holder.WSConstants.ISSUER_SERIAL);<br />holder.msgSig.setX509Certificate(holder.cert);<br /><br />// Set Password type to TEXT (default is DIGEST)<br />holder.msgUser.setPasswordType(holder.WSConstants.PASSWORD_TEXT);<br />holder.msgUser.setUserInfo(arguments.username,arguments.password);<br />// Add the Nonce and Created elements<br />holder.msgUser.addNonce();<br />holder.msgUser.addCreated();<br />holder.msgHead.insertSecurityHeader(holder.env.GetOwnerDocument());<br />===============Steve Smithhttps://www.blogger.com/profile/01421859886080134059noreply@blogger.comtag:blogger.com,1999:blog-5122101482600825069.post-73604358247412136892011-09-19T14:48:55.083-07:002011-09-19T14:48:55.083-07:00Thanks I'll give it a try and let you know how...Thanks I'll give it a try and let you know how it goes.Steve Smithhttps://www.blogger.com/profile/01421859886080134059noreply@blogger.comtag:blogger.com,1999:blog-5122101482600825069.post-12879281285600598052011-09-19T14:37:41.406-07:002011-09-19T14:37:41.406-07:00@Steve - aha. It looks very much like this will he...@Steve - aha. It looks very much like this will help you out: http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/message/package-summary.html<br /><br />The WSSecSignature has an appendBSTElementToHeader() method that seems to be what you want.<br /><br />I'm guess something like binToken = msg = CreateObject("Java","org.apache.ws.security.message.WSSecSignature");<br /><br />binToken.appendBSTElementToHeader(WSSecHeader secHeader) // WSSSecHeader is also in the message object.<br /><br />You'll need to compose your own x509 but if you have that, you should be able to create the header and add the BST to your SOAP packet.Anthony Israel-Davishttps://www.blogger.com/profile/01726702236067369761noreply@blogger.com