[Soap-Python] WSSE security

Iuri iurisilvio at gmail.com
Mon Apr 27 21:25:24 CEST 2015


The signature is not shown in the suds.client logging. I created a small
log plugin to print the request/response.

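from suds.plugin import MessagePlugin

class LogPlugin(MessagePlugin):
    # Print the outgoing envelope as left by the plugins listed before this one
    def sending(self, context):
        print(str(context.envelope))

    # Print the raw server reply
    def received(self, context):
        print(str(context.reply))

# add the LogPlugin after the WssePlugin
client = Client(url, plugins=[WssePlugin(certificate), LogPlugin()])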

This plugin will print the signed request (if it is really signed). I don't
remember exactly what was happening, but in some cases the WssePlugin
failed silently. No signature and no error. Maybe it is your case.

Check if your PEM certificate is loading correctly:

from OpenSSL import crypto
# key_file: path to your PEM file; load_certificate raises crypto.Error if it cannot be parsed
print(crypto.load_certificate(crypto.FILETYPE_PEM, open(key_file).read()))

The verify_envelope[1] is used when you receive the server response.

[1]
https://github.com/mvantellingen/py-soap-wsse/blob/ffd25323cd05ac85d36411f67270d9801935c9e0/src/soap_wsse/suds_plugin.py

I don't know what scenario the soap_wsse author considered, but the plugin
expects the response signed with the same key. I fixed it with a little hack:

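class OutboundWssePlugin(WssePlugin):
    # Override received() so verify_envelope is never called on the reply:
    # requests are still signed, but response signatures are NOT checked.
    def received(self, context):
        pass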

# use OutboundWssePlugin instead of the original WssePlugin here
client = Client(url, plugins=[OutboundWssePlugin(certificate), LogPlugin()])

Now, the plugin will not expect a signed answer.

On Mon, Apr 27, 2015 at 4:02 PM, Paul Tomblin <ptomblin at xcski.com> wrote:

> This looks really promising, but when I try it with my self-signed
> certificate, I get the following error:
>
> DEBUG:suds.client:sending to (
> https://xxx.service-now.com/u_cart_request.do?SOAP)
> message:
> <?xml version="1.0" encoding="UTF-8"?>
> <SOAP-ENV:Envelope xmlns:wsse="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:ns0="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="
> http://www.service-now.com/u_cart_request" xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENV="
> http://schemas.xmlsoap.org/soap/envelope/">
>    <SOAP-ENV:Header>
>       <wsse:Security mustUnderstand="true">
>          <wsse:UsernameToken>
>             <wsse:Username>aaaa</wsse:Username>
>             <wsse:Password>bbbb</wsse:Password>
>          </wsse:UsernameToken>
>          <wsu:Timestamp>
>             <wsu:Created>2015-04-27T18:55:22.714722+00:00</wsu:Created>
>             <wsu:Expires>2015-04-27T18:56:52.714722+00:00</wsu:Expires>
>          </wsu:Timestamp>
>       </wsse:Security>
>    </SOAP-ENV:Header>
>    <ns0:Body>
>       <ns1:insert>
>          <u_cart_number>12345</u_cart_number>
>          <u_servicenow_ritm_number>RMT12345</u_servicenow_ritm_number>
>       </ns1:insert>
>    </ns0:Body>
> </SOAP-ENV:Envelope>
> DEBUG:suds.client:headers = {'SOAPAction': '"
> http://www.service-now.com/u_cart_request/insert"', 'Content-Type':
> 'text/xml; charset=utf-8'}
> DEBUG:suds.client:HTTP failed - 500 - Internal Server Error:
> <SOAP-ENV:Envelope xmlns:SOAP-ENV="
> http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>wsse:FailedAuthentication</faultcode><faultstring>The
> security token could not be authenticated or
> authorized</faultstring><detail>WSSecurity login
> failed</detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
> ERROR:suds.plugin:No signature node found
> Traceback (most recent call last):
>   File "/usr/local/lib/python2.7/dist-packages/suds/plugin.py", line 254,
> in __call__
>     method(ctx)
>   File "/usr/local/lib/python2.7/dist-packages/soap_wsse/suds_plugin.py",
> line 20, in received
>     valid = verify_envelope(context.reply, self.cert_filename)
>   File "/usr/local/lib/python2.7/dist-packages/soap_wsse/signing.py", line
> 130, in verify_envelope
>     raise CertificationError("No signature node found")
> CertificationError: No signature node found
> ERROR:suds.client:<suds.sax.document.Document instance at 0x7f4c8b4a45f0>
> e = Server raised fault: 'The security token could not be authenticated or
> authorized'
>
>
> I don't see the BinarySecurityToken in the outgoing XML in the first debug
> message. Shouldn't it be there? The "No signature node found" message seems
> to be related to incoming not outgoing messages, so I'm confused why it's
> happening.
>
>
>
> On Mon, Apr 27, 2015 at 1:13 PM, Iuri <iurisilvio at gmail.com> wrote:
>
>> I'm using suds-jurko [1] with soap_wsse [2] for this. It is simple. I
>> never tried pysimplesoap.
>>
>> from soap_wsse.suds_plugin import WssePlugin
>> from suds.client import Client
>> from suds.wsse import Security, UsernameToken, Timestamp
>>
>> url = "http://example.com/service?WSDL"
>> username = "test"
>> password = "p@ssw0rd!"
>> certificate = "/your/cert.pem"
>>
>> s = Security()
>> s.tokens.extend([UsernameToken(username, password), Timestamp()])
>>
>> client = Client(url, plugins=[WssePlugin(certificate)])
>> client.set_options(wsse=s)
>>
>> [1] https://pypi.python.org/pypi/suds-jurko
>> [2] https://pypi.python.org/pypi/soap_wsse
>>
>> Cheers!
>>
>>
>> On Mon, Apr 27, 2015 at 12:06 PM, Paul Tomblin <ptomblin at xcski.com>
>> wrote:
>>
>>> I need to talk to a web service that requires wsse:BinarySecurityToken,
>>> ds:Security, wsse:UsernameToken and wsu:Timestamp headers. I see that the
>>> latest version of pysimplesoap on python.org has some sort of plugin
>>> architecture and a wsse.py for at least some of these headers, but I don't
>>> see any documentation on how to use them. The Google Code page doesn't have
>>> the wsse.py file, and so obviously nothing in their Wiki.
>>>
>>> Can somebody point me to documentation or examples?
>>>
>>>
>>> --
>>> http://www.linkedin.com/in/paultomblin
>>> http://careers.stackoverflow.com/ptomblin
>
>
> --
> http://www.linkedin.com/in/paultomblin
> http://careers.stackoverflow.com/ptomblin
>
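
The silent-failure case discussed in this thread (a request that goes out with no signature and no error) can be caught on the client before sending. The following is an added example, not code from the posts or from soap_wsse: a structural check only, with no cryptographic verification. The function name, the sample envelopes and the assumption that the signer references the Body by wsu:Id are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signing_problems(envelope_xml):
    """Return reasons the envelope does not look signed; [] means it does."""
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        return ["no wsse:Security header"]
    problems = []
    if security.find("wsse:BinarySecurityToken", NS) is None:
        problems.append("no wsse:BinarySecurityToken")
    signature = security.find("ds:Signature", NS)
    if signature is None:
        return problems + ["no ds:Signature"]
    # Assumption: signed parts are referenced by wsu:Id, e.g. URI="#id-body".
    signed_ids = {ref.get("URI", "").lstrip("#")
                  for ref in signature.iterfind("ds:SignedInfo/ds:Reference", NS)}
    body = root.find("soap:Body", NS)
    body_id = None if body is None else body.get("{%s}Id" % NS["wsu"])
    if not body_id or body_id not in signed_ids:
        problems.append("ds:Signature does not reference the SOAP Body")
    return problems

# Constructed sample envelopes (not captured traffic).
_TEMPLATE = (
    '<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" '
    'xmlns:wsu="{wsu}" xmlns:ds="{ds}"><soap:Header><wsse:Security>'
    '{security}</wsse:Security></soap:Header>'
    '<soap:Body{body_attr}><insert/></soap:Body></soap:Envelope>')
UNSIGNED = _TEMPLATE.format(
    security="<wsse:UsernameToken><wsse:Username>aaaa</wsse:Username>"
             "</wsse:UsernameToken>", body_attr="", **NS)
SIGNED = _TEMPLATE.format(
    security="<wsse:BinarySecurityToken>CONSTRUCTED</wsse:BinarySecurityToken>"
             '<ds:Signature><ds:SignedInfo><ds:Reference URI="#id-body"/>'
             "</ds:SignedInfo></ds:Signature>",
    body_attr=' wsu:Id="id-body"', **NS)
```

Called with context.envelope from a MessagePlugin.sending() hook listed after WssePlugin, a non-empty result is the point at which to raise instead of sending the request.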