Skip to content

Secure a Proxy Service

This sample demonstrates how to use WS-Security signing and encryption with proxy services through a WS policy.

In this example, the proxy service expects to receive a signed and encrypted message as specified by the security policy. To understand the format of the policy file, have a look at the Apache Rampart and Axis2 documentation. The enableSec element specifies that Apache Rampart should be engaged on this proxy service. Hence, if Rampart rejects any request message that does not conform to the specified policy, that message will never reach the inSequence for processing. Since the proxy service is forwarding the received request to the simple stock quote service that does not use WS-Security, you are instructing the Micro Integrator to remove the wsse:Security header from the outgoing message.

Synapse configuration

Following is a sample proxy service configuration that we can use to implement this scenario. See the instructions on how to build and run this example.

<proxy name="StockQuoteProxy" startOnLoad="true" transports="http https" xmlns="http://ws.apache.org/ns/synapse">
    <target>
        <inSequence>
            <header name="wsse:Security" action="remove"
                xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
            <call>
                <endpoint key="SimpleStockQuoteService"/>
            </call>
            <respond />
        </inSequence>
    </target>
    <publishWSDL uri="file:/path/to/sample_proxy_1.wsdl"/>
    <policy key="sec_policy"/>
    <enableSec/>
</proxy>
<localEntry xmlns="http://ws.apache.org/ns/synapse" key="sec_policy" src="file:/path/to/policy1.xml"/>
<endpoint name="SimpleStockQuoteService" xmlns="http://ws.apache.org/ns/synapse">
    <address uri="http://localhost:9000/services/SimpleStockQuoteService"/>
</endpoint>

Build and run

The wsdl file sample_proxy_1.wsdl can be downloaded from sample_proxy_1.wsdl. The wsdl URI needs to be updated with the path to the sample_proxy_1.wsdl file.

The security policy file policy1.xml can be downloaded from policy1.xml. The security policy file URI needs to be updated with the path to the policy1.xml file. This sample security policy file validates username token and admin role is allowed to invoke the service.

Create the artifacts:

  1. Launch Visual Studio Code with the Micro Integrator for VS Code extension (MI for VS Code) installed.

    Info

    Follow the Install Micro Integrator for VS Code documentation for a complete installation guide.

  2. Create an integration project.

  3. Create the proxy service, security policy, and endpoint with the configurations provided above.
  4. Deploy the artifacts in your Micro Integrator.

Set up the back-end service:

  1. Download the back-end service.
  2. Extract the downloaded zip file.
  3. Open a terminal, navigate to the axis2Server/bin/ directory inside the extracted folder.
  4. Execute the following command to start the axis2server with the SimpleStockQuote back-end service:

    sh axis2server.sh
    
    axis2server.bat
    

Be sure to configure a user store for the Micro Integrator and add the required users and roles.

Set up the SOAP client:

  1. Download and install SoapUI to run this SOAP service.

  2. Create a new SOAP project in SoapUI using following wsdl file:

    https://localhost:8253/services/StockQuoteProxy?wsdl
    
  3. Use the getQuote operation.

  4. Set Authorization in the SoapUI request. You will need this to call a secure service.

Send a simple request to invoke the service:

POST https://localhost:8253/services/StockQuoteProxy.StockQuoteProxyHttpSoap11Endpoint HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "urn:getQuote"
Content-Length: 492
Host: localhost:8253
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Authorization: Basic YWRtaW46YWRtaW4=

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://services.samples" xmlns:xsd="http://services.samples/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getQuote xmlns:ser="http://services.samples" xmlns:xsd="http://services.samples/xsd">
         <ser:request>
            <xsd:symbol>IBM</xsd:symbol>
         </ser:request>
      </ser:getQuote>
   </soapenv:Body>
</soapenv:Envelope>

You will receive the following response:

HTTP/1.1 200 OK
server: ballerina
content-encoding: gzip
content-type: application/xml
Content-Type: application/xml; charset=UTF-8
Date: Thu, 31 Oct 2019 04:44:45 GMT
Transfer-Encoding: chunked
Connection: Keep-Alive

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ax21="http://services.samples/xsd" xmlns:ns="http://services.samples">
    <soapenv:Body>
        <ns:getQuoteResponse>
                <ax21:change>-2.86843917118114</ax21:change>
                <ax21:earnings>-8.540305401672558</ax21:earnings>
                <ax21:high>-176.67958828498735</ax21:high>
                <ax21:last>177.66987465262923</ax21:last>
                <ax21:low>-176.30898912339075</ax21:low>
                <ax21:marketCap>5.649557998178506E7</ax21:marketCap>
                <ax21:name>IBM Company</ax21:name>
                <ax21:open>185.62740369461244</ax21:open>
                <ax21:peRatio>24.341353665128693</ax21:peRatio>
                <ax21:percentageChange>-1.4930577008849097</ax21:percentageChange>
                <ax21:prevClose>192.11844053187397</ax21:prevClose>
                <ax21:symbol>IBM</ax21:symbol>
                <ax21:volume>7791</ax21:volume>
        </ns:getQuoteResponse>
    </soapenv:Body>
</soapenv:Envelope>

By analyzing the debug log output or the TCPMon output, you will see that the request received by the proxy service is signed and encrypted.

You can look up the WSDL of the proxy service by requesting the http://localhost:8290/services/StockQuoteProxy?wsdl URL. This confirms the security policy attachment to the supplied base WSDL.

When sending the message to the backend service, you can verify that the security headers were removed, the response received does not use WS-Security, and that the response being forwarded back to the client is signed and encrypted as expected by the client.