[Soap-Python] WSSE security

Paul Tomblin ptomblin at xcski.com
Mon Apr 27 21:38:07 CEST 2015


Thanks, that looks like it's sending the right header.  The server doesn't
like it for some reason, but I'll have to talk to them about it.

Thanks very much for your help, Iuri.

On Mon, Apr 27, 2015 at 3:25 PM, Iuri <iurisilvio at gmail.com> wrote:

> The signature is not shown in the suds.client logging. I created a small
> log plugin to print the request/response.
>
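> from suds.plugin import MessagePlugin
>
> class LogPlugin(MessagePlugin):
>     def sending(self, context):
>         # outgoing envelope, after the plugins listed before this one have run
>         print str(context.envelope)
>
>     def received(self, context):
>         # raw reply from the server
>         print str(context.reply)
>
> # add the LogPlugin after the WssePlugin
> client = Client(url, plugins=[WssePlugin(certificate), LogPlugin()])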
>
> This plugin will print the signed request (if it is really signed). I
> don't remember exactly what was happening, but in some cases the WssePlugin
> failed silently. No signature and no error. Maybe it is your case.
>
> Check if your PEM certificate is loading correctly:
>
> from OpenSSL import crypto
> print crypto.load_certificate(crypto.FILETYPE_PEM, open(key_file).read())
>
> The verify_envelope[1] is used when you receive the server response.
>
> [1]
> https://github.com/mvantellingen/py-soap-wsse/blob/ffd25323cd05ac85d36411f67270d9801935c9e0/src/soap_wsse/suds_plugin.py
>
> I don't know what scenario the soap_wsse author considered, but the plugin
> expects the response signed with the same key. I fixed with a little hack:
>
> class OutboundWssePlugin(WssePlugin):
>     def received(self, context):
>         pass
>
> # use OutboundWssePlugin instead of the original WssePlugin here
> client = Client(url, plugins=[OutboundWssePlugin(certificate), LogPlugin()])
>
> Now, the plugin will not expect a signed answer.
>
> On Mon, Apr 27, 2015 at 4:02 PM, Paul Tomblin <ptomblin at xcski.com> wrote:
>
>> This looks really promising, but when I try it with my self-signed
>> certificate, I get the following error:
>>
>> DEBUG:suds.client:sending to (
>> https://xxx.service-now.com/u_cart_request.do?SOAP)
>> message:
>> <?xml version="1.0" encoding="UTF-8"?>
>> <SOAP-ENV:Envelope xmlns:wsse="
>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>> xmlns:wsu="
>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> xmlns:ns0="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="
>> http://www.service-now.com/u_cart_request" xmlns:xsi="
>> http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENV="
>> http://schemas.xmlsoap.org/soap/envelope/">
>>    <SOAP-ENV:Header>
>>       <wsse:Security mustUnderstand="true">
>>          <wsse:UsernameToken>
>>             <wsse:Username>aaaa</wsse:Username>
>>             <wsse:Password>bbbb</wsse:Password>
>>          </wsse:UsernameToken>
>>          <wsu:Timestamp>
>>             <wsu:Created>2015-04-27T18:55:22.714722+00:00</wsu:Created>
>>             <wsu:Expires>2015-04-27T18:56:52.714722+00:00</wsu:Expires>
>>          </wsu:Timestamp>
>>       </wsse:Security>
>>    </SOAP-ENV:Header>
>>    <ns0:Body>
>>       <ns1:insert>
>>          <u_cart_number>12345</u_cart_number>
>>          <u_servicenow_ritm_number>RMT12345</u_servicenow_ritm_number>
>>       </ns1:insert>
>>    </ns0:Body>
>> </SOAP-ENV:Envelope>
>> DEBUG:suds.client:headers = {'SOAPAction': '"
>> http://www.service-now.com/u_cart_request/insert"', 'Content-Type':
>> 'text/xml; charset=utf-8'}
>> DEBUG:suds.client:HTTP failed - 500 - Internal Server Error:
>> <SOAP-ENV:Envelope xmlns:SOAP-ENV="
>> http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>wsse:FailedAuthentication</faultcode><faultstring>The
>> security token could not be authenticated or
>> authorized</faultstring><detail>WSSecurity login
>> failed</detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
>> ERROR:suds.plugin:No signature node found
>> Traceback (most recent call last):
>>   File "/usr/local/lib/python2.7/dist-packages/suds/plugin.py", line 254,
>> in __call__
>>     method(ctx)
>>   File "/usr/local/lib/python2.7/dist-packages/soap_wsse/suds_plugin.py",
>> line 20, in received
>>     valid = verify_envelope(context.reply, self.cert_filename)
>>   File "/usr/local/lib/python2.7/dist-packages/soap_wsse/signing.py",
>> line 130, in verify_envelope
>>     raise CertificationError("No signature node found")
>> CertificationError: No signature node found
>> ERROR:suds.client:<suds.sax.document.Document instance at 0x7f4c8b4a45f0>
>> e = Server raised fault: 'The security token could not be authenticated
>> or authorized'
>>
>>
>> I don't see the BinarySecurityToken in the outgoing XML in the first
>> debug message. Shouldn't it be there? The "No signature node found" message
>> seems to be related to incoming not outgoing messages, so I'm confused why
>> it's happening.
>>
>>
>>
>> On Mon, Apr 27, 2015 at 1:13 PM, Iuri <iurisilvio at gmail.com> wrote:
>>
>>> I'm using suds-jurko [1] with soap_wsse [2] for this. It is simple. I
>>> never tried pysimplesoap.
>>>
>>> from soap_wsse.suds_plugin import WssePlugin
>>> from suds.client import Client
>>> from suds.wsse import Security, UsernameToken, Timestamp
>>>
>>> url = "http://example.com/service?WSDL"
>>> username = "test"
>>> password = "p@ssw0rd!"
>>> certificate = "/your/cert.pem"
>>>
>>> s = Security()
>>> s.tokens.extend([UsernameToken(username, password), Timestamp()])
>>>
>>> client = Client(url, plugins=[WssePlugin(certificate)])
>>> client.set_options(wsse=s)
>>>
>>> [1] https://pypi.python.org/pypi/suds-jurko
>>> [2] https://pypi.python.org/pypi/soap_wsse
>>>
>>> Cheers!
>>>
>>>
>>> On Mon, Apr 27, 2015 at 12:06 PM, Paul Tomblin <ptomblin at xcski.com>
>>> wrote:
>>>
>>>> I need to talk to a web service that requires wsse:BinarySecurityToken,
>>>> ds:Security, wsse:UsernameToken and wsu:Timestamp headers. I see that the
>>>> latest version of pysimplesoap on python.org has some sort of plugin
>>>> architecture and a wsse.py for at least some of these headers, but I don't
>>>> see any documentation on how to use them. The Google Code page doesn't have
>>>> the wsse.py file, and so obviously nothing in their Wiki.
>>>>
>>>> Can somebody point me to documentation or examples?
>>>>
>>>>
>>>> --
>>>> http://www.linkedin.com/in/paultomblin
>>>> http://careers.stackoverflow.com/ptomblin
>>>>
>>>>
>>>
>>
>>
>> --
>> http://www.linkedin.com/in/paultomblin
>> http://careers.stackoverflow.com/ptomblin
>>
>
>


-- 
http://www.linkedin.com/in/paultomblin
http://careers.stackoverflow.com/ptomblin
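
Added example, not code from the thread or from soap_wsse: Iuri's reply notes that WssePlugin can fail silently, leaving no signature and no error, so this check inspects the outgoing envelope for `wsse:BinarySecurityToken` and `ds:Signature` and raises before an unsigned request is sent. The names `wsse_parts`, `require_signed` and `SignatureGuard` are hypothetical, and the check assumes both elements are direct children of `wsse:Security`.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
REQUIRED = ("BinarySecurityToken", "Signature")


def wsse_parts(envelope):
    """Report which WS-Security elements sit directly under Header/wsse:Security."""
    root = ET.fromstring(envelope)
    sec = root.find("{%s}Header/{%s}Security" % (SOAP, WSSE))
    wanted = {
        "UsernameToken": WSSE, "BinarySecurityToken": WSSE,
        "Timestamp": WSU, "Signature": DS,
    }
    return {name: sec is not None and sec.find("{%s}%s" % (ns, name)) is not None
            for name, ns in wanted.items()}


def require_signed(envelope):
    """Raise instead of letting an unsigned request leave the client."""
    missing = [n for n in REQUIRED if not wsse_parts(envelope)[n]]
    if missing:
        raise ValueError("unsigned envelope, missing: " + ", ".join(missing))


class SignatureGuard(object):
    """Same hook shape as LogPlugin in the thread; with suds, subclass
    suds.plugin.MessagePlugin and list it after WssePlugin (assumption)."""
    def sending(self, context):
        require_signed(context.envelope)


# Constructed sample, abridged from the request in the debug log above.
UNSIGNED = ("""<SOAP-ENV:Envelope xmlns:SOAP-ENV="%s" xmlns:wsse="%s" xmlns:wsu="%s">
 <SOAP-ENV:Header><wsse:Security>
  <wsse:UsernameToken><wsse:Username>aaaa</wsse:Username></wsse:UsernameToken>
  <wsu:Timestamp><wsu:Created>2015-04-27T18:55:22Z</wsu:Created></wsu:Timestamp>
 </wsse:Security></SOAP-ENV:Header><SOAP-ENV:Body/>
</SOAP-ENV:Envelope>""" % (SOAP, WSSE, WSU)).encode("utf-8")
# Constructed: same envelope with empty placeholder token and signature elements.
SIGNED = UNSIGNED.replace(b"</wsse:Security>",
    b'<wsse:BinarySecurityToken/><ds:Signature xmlns:ds="' + DS.encode() + b'"/></wsse:Security>')

if __name__ == "__main__":
    print(wsse_parts(UNSIGNED))
    print(wsse_parts(SIGNED))
```

The guard only confirms that the elements are present; it does not validate the signature itself.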