How to add wsse:Security to SOAP headers?

[Just]

Hi guys,

I've implemented an ASP.NET 2.0 web service (ASMX), which methods are
supposed to be called from an iPhone application. The service requires
wsse:Security element in the SOAP header with UsernameToken and stuff
(I'm using WSE 3.0).
The guy implementing the iPhone application generates the service
proxy class (or something like that), using WSDL2ObjC, and he claims
that the generated proxy class does not allow to manually add that
header before invoking a web service method, because WSDL2ObjC
generates no code allowing this - because my WSDL does not contain a
requirement of the header.

I've spent a lot of time googling a way to add required information to
my WSDL and yet have nothing. ASMX does not seem to support that,
though I have WSE 3.0 installed.

Simultaneously I hope to find a solution from the other side: I wonder
if it's really impossible to make the code generated by WSDL2ObjC to
add Security stuff to the SOAP header? Or can anyone suggest what
exactly should my WSDL contain in order to make WSDL2ObjC generate
required code?

Thanks!

[Henri Asseily]

So the WSDL doesn't say anything about the wsse:Security element?

What we could do pretty easily is expose a "commonHeaders" dictionary
attribute of the [MYSERVICE]Binding_envelope.
Then what you'd do is at some point early in your code:

WSSEHeader *wsse = [WSSEHeader headerWithId:@"example"];
[wsse setUsername:@"..."];
[wsse setPassword:@"..." forType:@"..."];
[wsse setNonce:@"..." forEncodingType:@"..."];
[wsse setCreated:[NSDate now]];

// assume the service name is "XXX"
XXXBinding_envelope *sharedEnvelope = [XXXBinding_envelope
sharedInstance];
[wsse addToEnvelope:[XXXBinding_envelope sharedInstance]];


This of course necessitates the creation of a WSSEHeader class that
doesn't exist yet.
Also the method addToEnvelope: would use the (yet to be created)
commonHeaders attribute of the envelope to inject itself and be ready
for serialization upon query.

Thoughts?
---
Henri Asseily
henri.tel

[Igor]

It would be great if you could implement such feature! :)
P.S. I'm "the guy implementing the iPhone application".

--
Igor Istochnick

[Igor]

When do you think this feature could be implemented?
It's a pity, but we simply can't wait for a long time :(

On Sep 11, 1:01 pm, Henri Asseily <hasse...@gmail.com> wrote:

[Peter Kananen]

This is an open source project. If you need it, you are the first candidate to implement it!

[Henri Asseily]

Actually if your wsdl properly supports wsse:Security, then the whole
framework should work as-is.
Your wsdl should refer to this xsd: http://schemas.xmlsoap.org/ws/2002/04/secext/secext.xsd
and should state for each operation that uses wsse:Security, that it
takes as input a Security header object.

What is the WSDL you are using?
In effect, your WSDL is broken.

[Igor Istochnick]

An example of WSDL we are using can be found in attachment.

How should we modify it in order to work with WS-Security headers correctly?

--
Igor Istochnick

[Henri Asseily]

I just committed some additional functional changes, the chief one
being support for global attributes (attributes defined at the top
level of a schema, to be referenced).
This was necessary to support wsse:Security if you use the "default"
xsd includes for it.
I've attached a sample wsdl file that references WS-Security headers.
Make sure you:
- reference the wsse xsd
- import the wsse xsd
- add the wsse message header definition
- refer to the wsse message header in your operation input

I've NOT tested it, nor guarantee in any shape or form that it works.
But it parses, and that's all I can give you. I can't spend much more
time on this.

[Igor]

Thank you very much for your help and advices!
I'll definitely test your code tomorrow and report my results.

>  sample_weather.wsdl.zip
> 1KViewDownload

>
>
>
> On Sep 12, 2009, at 11:38 PM, Igor Istochnick wrote:
>
>
>
> > An example of WSDL we are using can be found in attachment.
> > How should we modify it in order to work with WS-Security headers  
> > correctly?
>
> > --
> > Igor Istochnick
>

> > On Sat, Sep 12, 2009 at 6:40 PM, Henri Asseily <hasse...@gmail.com>  

> > <test.wsdl>

[Igor]

I't a pity, but I should say that the case with sample_weather does
not work... Xcode even cannot compilate the generated code... :(
I'll try to implement the solution you suggested in the first reply.

[Henri Asseily]

The WS-Security xsd exposed a number of new use cases that break the
parsing due to either lack of functionality or bugs in the code.
I'll try to fix them. Among them:
- restricted names (ID, etc...)
- enumerations with full names ("wsu:ContextEstablished")

and probably others.

H

[Henri Asseily]

It's because there's a lot of "any" stuff that isn't implemented. The
problem with "any" is that it's basically a free-for-all that you just
can't map to objective-c classes. It's like saying "you can put
anything in there". We could map it to the "id" class, but then you
really don't gain anything.

What you could of course do is grab the WSSE wsdl+xsd and cut them
down to size to only use what you want, including getting rid of all
the garbage "any" stuff.

I tried implementing "any" by allowing every single existing element
in the schema, but then things become unwieldy and pretty horrible. So
I reverted back and fixed some other issues that I found. Now using
the latest svn code in the iphone branch you can generate code that
compiles fine (3 warnings for unused vars) given the following sample
wsdl.