Solved

Coldfusion: SOAP Security Header Problem

Posted on 2013-01-09
4
1,434 Views
Last Modified: 2016-02-10
OVERVIEW
I need to make a secure SOAP request with Coldfusion , and I'm having trouble implementing the headers properly so the service can use it.

There are two structure examples I was given

Example 1:
This is a sample soap request:

POST /WebService/EmployerWebServiceV24.asmx HTTP/1.1
Host: stage.e-verify.uscis.gov
Content-Type: text/xml; charset=utf-8
Content-Length: length
SOAPAction: "https://www.vis-dhs.com/EmployerWebService/EmpCpsVerifyConnection"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <EmpCpsVerifyConnection xmlns="https://www.vis-dhs.com/EmployerWebService/" />
  </soap:Body>
</soap:Envelope>

Open in new window


Example 2:
An example SOAP authentication HEADER would look something like:

<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header>
        <wsse:Security soap:mustUnderstand="1">
            <wsse:UsernameToken namespaces>
                <wsse:Username>username</wsse:Username>
                <wsse:Password Type="type info">password</wsse:Password>
                <wsse:Nonce>nonce</wsse:Nonce>
                <wsu:Created>date created</wsu:Created>
            </wsse:UsernameToken>
        <wsse:Security>
    </soap:Header>
    <soap:Body>
        <WebServiceMethodName xmlns="Web Service Namespace" />
    </soap:Body>
</soap:Envelope>

Open in new window


IMPORTANT
I was able to create a successful connection to this web service without including header information.
To use other functions I need a properly working header which works.
This is my code for the successful connection without the headers. (So you can reproduce it)


<cfsavecontent variable="request_xml">
<cfoutput>
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <EmpCpsVerifyConnection xmlns="https://www.vis-dhs.com/EmployerWebService/" />
  </soap:Body>
</soap:Envelope>
</cfoutput>
</cfsavecontent>
<!--- Make Request --->
<cfhttp url="https://stage.e-verify.uscis.gov/WebService/EmployerWebServiceV24.asmx?wsdl" method="post" result="httpResponse">
  <cfhttpparam type="header" name="SOAPAction" value="https://www.vis-dhs.com/EmployerWebService/EmpCpsVerifyConnection" />
  <cfhttpparam type="header" name="accept-encoding" value="no-compression" />
  <cfhttpparam type="body" value="#trim(request_xml)#" />
</cfhttp>
<!--- Show Response --->
<cfdump var="#httpResponse#" label="httpResponse">
<cfdump var="#xmlParse( httpResponse.fileContent )#" label="soapResponse">

Open in new window


PROBLEM

When I insert my header into the request, then it throws me an error saying "code:InvalidSecurityToken"
(Replace cfsavecontent with this)

<!--- Define Nonce --->
<cfscript>
  strNonce = ToBase64(createUUID());
</cfscript>
<cfsavecontent variable="request_xml">
<cfoutput>
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
	<wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
		<wsse:UsernameToken wsu:Id="UsernameToken-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:Username>ARIC1124</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0##PasswordText">myPassword</wsse:Password>
            <wsse:Nonce>#strNonce#</wsse:Nonce> 
            <wsu:Created>#Dateformat(Now(),'yyyy-mm-ddThh:mm:ss')#Z</wsu:Created>
		</wsse:UsernameToken>
	</wsse:Security>
  </soap:Header>
  <soap:Body>
    <EmpCpsVerifyConnection xmlns="https://www.vis-dhs.com/EmployerWebService/" />
  </soap:Body>
</soap:Envelope>
</cfoutput>
</cfsavecontent>

Open in new window


OTHER SOLUTIONS I HAVE TRIED:
I have tried to use createObject + AddSOAPRequestHeader + cfinvoke but nothing seems to work for me

WHAT I AM LOOKING FOR FROM THE EXPERTS:
I want a complete cfm code file which would include my header that works.

*Email address removed by Netminder 15 Jan 2013*
0
Comment
Question by:Totalpackage612
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 

Accepted Solution

by:
Totalpackage612 earned 0 total points
ID: 38782649
I cancelled my membership to this site because this is a complete joke!
I have a working example above, and not one of your "experts" could even bother to copy paste that to check it out. Just admit that your site doesn't even attempt to help people. It's just a money making scheme.
0

Featured Post

[Webinar] How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them. Thursday, July 13, 2017 10:00 A.M. PDT

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I found this questions asking how to do this in many different forums, so I will describe here how to implement a solution using PHP and AJAX. The logical flow for the problem should be: Write an event handler for the first drop down box to get …
Have you tried to learn about Unicode, UTF-8, and multibyte text encoding and all the articles are just too "academic" or too technical? This article aims to make the whole topic easy for just about anyone to understand.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question