Wednesday, August 3, 2016

Call Username/Password enabled web service in JAVA

In this case, web service is secured with username and password authentication using WS-Security. Following code is used to generated SOAP message header to create security token to call web service.

RetailerAppWS appWS = new RetailerAppWS();
        RetailerAppWSPortType retailerAppWSPortType = appWS.getRetailerAppWSHttpsSoap11Endpoint();
        BindingProvider bindingProvider = (BindingProvider) retailerAppWSPortType;
        @SuppressWarnings("rawtypes")
        List handlerChain = new ArrayList();
        handlerChain.add(new WSSecurityHeaderSOAPHandler("Retailer", "Retailer123"));
        bindingProvider.getBinding().setHandlerChain(handlerChain);

        PayBill payBill = new PayBill();
        payBill.setAmount(1.0);
        payBill.setPin("9834");
        payBill.setReceiver("1234567890");
        payBill.setUser("sujith");

        PayBillResponse pbr = retailerAppWSPortType.payBill(payBill);

In the above code, it is created a WSSecurityHeaderSOAPHandler to manipulate the SOAP message to add security token to SOAP header.

WSSecurityHeaderSOAPHandler is shown below. This code will re-generate the SOAP message.

public class WSSecurityHeaderSOAPHandler implements SOAPHandler {

    private static final String SOAP_ELEMENT_PASSWORD = "Password";
    private static final String SOAP_ELEMENT_NONCE = "Nonce";
    private static final String SOAP_ELEMENT_USERNAME = "Username";
    private static final String SOAP_ELEMENT_Created = "Created";
    private static final String SOAP_ELEMENT_Expires = "Expires";
    private static final String SOAP_ELEMENT_USERNAME_TOKEN = "UsernameToken";
    private static final String SOAP_ELEMENT_Timestamp_TOKEN = "Timestamp";
    private static final String SOAP_ELEMENT_SECURITY = "Security";
    private static final String NAMESPACE_SECURITY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private static final String PREFIX_SECURITY = "wsse";
    private static final String NAMESPACE_WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    private static final String PREFIX_WSU = "wsu";
    private static final String NAMESPACE_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";
    private static final String ATTRIBUTE_TYPE = "Type";
    private static final String NAMESPACE_EncodingType = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
    private static final String ATTRIBUTE_EncodingType = "EncodingType";
    private static final String ATTRIBUTE_MustUnderstand ="mustUnderstand";

    private String usernameText;
    private String passwordText;

    public WSSecurityHeaderSOAPHandler(String usernameText, String passwordText) {
        this.usernameText = usernameText;
        this.passwordText = passwordText;
    }

    public boolean handleMessage(SOAPMessageContext soapMessageContext) {

        Boolean outboundProperty = (Boolean) soapMessageContext.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);

        if (outboundProperty.booleanValue()) {

            try {
                SOAPEnvelope soapEnvelope = soapMessageContext.getMessage().getSOAPPart().getEnvelope();

                SOAPHeader header = soapEnvelope.getHeader();
                if (header == null) {
                    header = soapEnvelope.addHeader();
                }

                SOAPElement soapElementSecurityHeader = header.addChildElement(SOAP_ELEMENT_SECURITY, PREFIX_SECURITY,
                        NAMESPACE_SECURITY);
                soapElementSecurityHeader.addAttribute(soapEnvelope.createName(ATTRIBUTE_MustUnderstand), "1");
                soapElementSecurityHeader.addNamespaceDeclaration(PREFIX_WSU, NAMESPACE_WSU);

                SOAPElement soapElementUsernameToken = soapElementSecurityHeader.addChildElement(SOAP_ELEMENT_USERNAME_TOKEN, PREFIX_SECURITY);
                SOAPElement soapElementUsername = soapElementUsernameToken.addChildElement(SOAP_ELEMENT_USERNAME, PREFIX_SECURITY);
                soapElementUsername.addTextNode(usernameText);

                SOAPElement soapElementPassword = soapElementUsernameToken.addChildElement(SOAP_ELEMENT_PASSWORD, PREFIX_SECURITY);
                soapElementPassword.addAttribute(soapEnvelope.createName(ATTRIBUTE_TYPE), NAMESPACE_TYPE);
                soapElementPassword.addTextNode(passwordText);

                SOAPElement soapElementUserCreated = soapElementUsernameToken.addChildElement(SOAP_ELEMENT_Created, PREFIX_WSU);
                long created = System.currentTimeMillis();

                TimeZone timeZone = TimeZone.getTimeZone("UTC");
                Calendar calendar = Calendar.getInstance(timeZone);
                SimpleDateFormat sdfu
                        = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'", Locale.US);
                sdfu.setTimeZone(timeZone);

                String dateu = sdfu.format(calendar.getTime());
                soapElementUserCreated.addTextNode(dateu);

                SOAPElement soapElementNonce = soapElementUsernameToken.addChildElement(SOAP_ELEMENT_NONCE, PREFIX_SECURITY);
                soapElementNonce.addAttribute(soapEnvelope.createName(ATTRIBUTE_EncodingType), NAMESPACE_EncodingType);
                soapElementNonce.addTextNode(createNonce(created));

                SOAPElement soapElementTimestampToken = soapElementSecurityHeader.addChildElement(SOAP_ELEMENT_Timestamp_TOKEN, PREFIX_WSU);
                SOAPElement soapElementCreated = soapElementTimestampToken.addChildElement(SOAP_ELEMENT_Created, PREFIX_WSU);

                soapElementCreated.addTextNode(dateu);

                calendar.set(Calendar.MINUTE, calendar.get(Calendar.MINUTE) + 2);

                SimpleDateFormat sdf2 = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
                String date2 = sdf2.format(calendar.getTime());
                SOAPElement soapElementExpires = soapElementTimestampToken.addChildElement(SOAP_ELEMENT_Expires, PREFIX_WSU);
                soapElementExpires.addTextNode(date2);

            } catch (Exception e) {
                throw new RuntimeException("Error on wsSecurityHandler: " + e.getMessage());
            }

        }

        return true;
    }

    @Override
    public void close(MessageContext context) {
        // TODO Auto-generated method stub
    }

    @Override
    public boolean handleFault(SOAPMessageContext context) {
        // TODO Auto-generated method stub
        return true;
    }

    @Override
    public Set getHeaders() {

        final QName securityHeader = new QName(
                NAMESPACE_SECURITY, SOAP_ELEMENT_SECURITY, PREFIX_SECURITY);

        final HashSet headers = new HashSet();
        headers.add(securityHeader);
        return headers;
    }

    public String createNonce(long value) throws Exception {
        java.security.SecureRandom random = java.security.SecureRandom.getInstance("SHA1PRNG");
        random.setSeed(value);
        byte[] nonceBytes = new byte[16];
        random.nextBytes(nonceBytes);
        String nonce = new String(org.apache.commons.codec.binary.Base64.encodeBase64(nonceBytes), "UTF-8");
        return nonce;
    }

}

NOTE :- Timestamp must be in UTC format. NONCE value must generated as above.

Call Username/Password enabled web service in JAVA

In this case, web service is secured with username and password authentication using WS-Security. Following code is used to generated SOAP message header to create security token to call web service.

RetailerAppWS appWS = new RetailerAppWS();
        RetailerAppWSPortType retailerAppWSPortType = appWS.getRetailerAppWSHttpsSoap11Endpoint();
        BindingProvider bindingProvider = (BindingProvider) retailerAppWSPortType;
        @SuppressWarnings("rawtypes")
        List handlerChain = new ArrayList();
        handlerChain.add(new WSSecurityHeaderSOAPHandler("Retailer", "Retailer123"));
        bindingProvider.getBinding().setHandlerChain(handlerChain);

        PayBill payBill = new PayBill();
        payBill.setAmount(1.0);
        payBill.setPin("9834");
        payBill.setReceiver("1234567890");
        payBill.setUser("sujith");

        PayBillResponse pbr = retailerAppWSPortType.payBill(payBill);

In the above code, it is created a WSSecurityHeaderSOAPHandler to manipulate the SOAP message to add security token to SOAP header.

WSSecurityHeaderSOAPHandler is shown below. This code will re-generate the SOAP message.

public class WSSecurityHeaderSOAPHandler implements SOAPHandler {

    private static final String SOAP_ELEMENT_PASSWORD = "Password";
    private static final String SOAP_ELEMENT_NONCE = "Nonce";
    private static final String SOAP_ELEMENT_USERNAME = "Username";
    private static final String SOAP_ELEMENT_Created = "Created";
    private static final String SOAP_ELEMENT_Expires = "Expires";
    private static final String SOAP_ELEMENT_USERNAME_TOKEN = "UsernameToken";
    private static final String SOAP_ELEMENT_Timestamp_TOKEN = "Timestamp";
    private static final String SOAP_ELEMENT_SECURITY = "Security";
    private static final String NAMESPACE_SECURITY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private static final String PREFIX_SECURITY = "wsse";
    private static final String NAMESPACE_WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    private static final String PREFIX_WSU = "wsu";
    private static final String NAMESPACE_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";
    private static final String ATTRIBUTE_TYPE = "Type";
    private static final String NAMESPACE_EncodingType = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
    private static final String ATTRIBUTE_EncodingType = "EncodingType";
    private static final String ATTRIBUTE_MustUnderstand ="mustUnderstand";

    private String usernameText;
    private String passwordText;

    public WSSecurityHeaderSOAPHandler(String usernameText, String passwordText) {
        this.usernameText = usernameText;
        this.passwordText = passwordText;
    }

    public boolean handleMessage(SOAPMessageContext soapMessageContext) {

        Boolean outboundProperty = (Boolean) soapMessageContext.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);

        if (outboundProperty.booleanValue()) {

            try {
                SOAPEnvelope soapEnvelope = soapMessageContext.getMessage().getSOAPPart().getEnvelope();

                SOAPHeader header = soapEnvelope.getHeader();
                if (header == null) {
                    header = soapEnvelope.addHeader();
                }

                SOAPElement soapElementSecurityHeader = header.addChildElement(SOAP_ELEMENT_SECURITY, PREFIX_SECURITY,
                        NAMESPACE_SECURITY);
                soapElementSecurityHeader.addAttribute(soapEnvelope.createName(ATTRIBUTE_MustUnderstand), "1");
                soapElementSecurityHeader.addNamespaceDeclaration(PREFIX_WSU, NAMESPACE_WSU);

                SOAPElement soapElementUsernameToken = soapElementSecurityHeader.addChildElement(SOAP_ELEMENT_USERNAME_TOKEN, PREFIX_SECURITY);
                SOAPElement soapElementUsername = soapElementUsernameToken.addChildElement(SOAP_ELEMENT_USERNAME, PREFIX_SECURITY);
                soapElementUsername.addTextNode(usernameText);

                SOAPElement soapElementPassword = soapElementUsernameToken.addChildElement(SOAP_ELEMENT_PASSWORD, PREFIX_SECURITY);
                soapElementPassword.addAttribute(soapEnvelope.createName(ATTRIBUTE_TYPE), NAMESPACE_TYPE);
                soapElementPassword.addTextNode(passwordText);

                SOAPElement soapElementUserCreated = soapElementUsernameToken.addChildElement(SOAP_ELEMENT_Created, PREFIX_WSU);
                long created = System.currentTimeMillis();

                TimeZone timeZone = TimeZone.getTimeZone("UTC");
                Calendar calendar = Calendar.getInstance(timeZone);
                SimpleDateFormat sdfu
                        = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'", Locale.US);
                sdfu.setTimeZone(timeZone);

                String dateu = sdfu.format(calendar.getTime());
                soapElementUserCreated.addTextNode(dateu);

                SOAPElement soapElementNonce = soapElementUsernameToken.addChildElement(SOAP_ELEMENT_NONCE, PREFIX_SECURITY);
                soapElementNonce.addAttribute(soapEnvelope.createName(ATTRIBUTE_EncodingType), NAMESPACE_EncodingType);
                soapElementNonce.addTextNode(createNonce(created));

                SOAPElement soapElementTimestampToken = soapElementSecurityHeader.addChildElement(SOAP_ELEMENT_Timestamp_TOKEN, PREFIX_WSU);
                SOAPElement soapElementCreated = soapElementTimestampToken.addChildElement(SOAP_ELEMENT_Created, PREFIX_WSU);

                soapElementCreated.addTextNode(dateu);

                calendar.set(Calendar.MINUTE, calendar.get(Calendar.MINUTE) + 2);

                SimpleDateFormat sdf2 = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
                String date2 = sdf2.format(calendar.getTime());
                SOAPElement soapElementExpires = soapElementTimestampToken.addChildElement(SOAP_ELEMENT_Expires, PREFIX_WSU);
                soapElementExpires.addTextNode(date2);

            } catch (Exception e) {
                throw new RuntimeException("Error on wsSecurityHandler: " + e.getMessage());
            }

        }

        return true;
    }

    @Override
    public void close(MessageContext context) {
        // TODO Auto-generated method stub
    }

    @Override
    public boolean handleFault(SOAPMessageContext context) {
        // TODO Auto-generated method stub
        return true;
    }

    @Override
    public Set getHeaders() {

        final QName securityHeader = new QName(
                NAMESPACE_SECURITY, SOAP_ELEMENT_SECURITY, PREFIX_SECURITY);

        final HashSet headers = new HashSet();
        headers.add(securityHeader);
        return headers;
    }

    public String createNonce(long value) throws Exception {
        java.security.SecureRandom random = java.security.SecureRandom.getInstance("SHA1PRNG");
        random.setSeed(value);
        byte[] nonceBytes = new byte[16];
        random.nextBytes(nonceBytes);
        String nonce = new String(org.apache.commons.codec.binary.Base64.encodeBase64(nonceBytes), "UTF-8");
        return nonce;
    }

}

NOTE :- Timestamp must be in UTC format. NONCE value must generated as above.

Monday, July 25, 2016

HTTP Request/ Response capture in JAVA

Following properties can be used to enable console output of http requests and responses in JAVA. 

System.setProperty("com.sun.xml.ws.transport.http.client.HttpTransportPipe.dump",
"true");
    
System.setProperty("com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.dump",
"true");
    
System.setProperty("com.sun.xml.ws.transport.http.HttpAdapter.dump",
"true");
    
System.setProperty("com.sun.xml.internal.ws.transport.http.HttpAdapter.dump",

"true");

Friday, July 15, 2016

OAuth2.0 client Token creation, Resource access, Refresh token

OAuth2.0 is used to authenticate and authorize resource access in web. Following code snip can be used to generate access tokens, access protected resources and refresh resources.

Libraries
httpcore-4.2.4.jar
httpclient-4.2.5.jar

1. Generate access tokens

        String url = "authorization/token issuer URL";

        DefaultHttpClient client = new DefaultHttpClient();
        HttpPost post = new HttpPost(url);

        // add header
        post.setHeader("User-Agent", USER_AGENT);
        post.setHeader("Content-Type", "application/x-www-form-urlencoded");
        post.setHeader("Cache-Control", "no-cache");

        List urlParameters = new ArrayList();
        urlParameters.add(new BasicNameValuePair("username", "username1"));
        urlParameters.add(new BasicNameValuePair("client_secret", "CQTYxzOUMCGGRt_MmKDKsWcFxrga"));
        urlParameters.add(new BasicNameValuePair("grant_type", "password"));
        urlParameters.add(new BasicNameValuePair("client_id", "OLBM3wf54GtT_R8HNbLztK63qHMa"));
        urlParameters.add(new BasicNameValuePair("password", "password1"));

        post.setEntity(new UrlEncodedFormEntity(urlParameters));

        HttpResponse response = client.execute(post);
        System.out.println("Response Code : "
                + response.getStatusLine());

        BufferedReader rd = new BufferedReader(
                new InputStreamReader(response.getEntity().getContent()));

        StringBuffer result = new StringBuffer();
        String line = "";
        while ((line = rd.readLine()) != null) {
            result.append(line);
        }
        System.out.println(result);

Above code will generate a "access_token" that can be used to access a protected resource in web.
Sample token is shown below.

{"token_type":"bearer","expires_in":2722,"refresh_token":"be3fe469bf5b62836e85ab73fa7c7935a","access_token":"6beb0a2a54d9wefad9401f6f8cecd1de"}

2. Access protected resource

above generated "access_token" is used here to access the resource.

        String url = "protected resource URI";

        DefaultHttpClient client = new DefaultHttpClient();
        HttpPost post = new HttpPost(url);

        // add header
        post.setHeader("User-Agent", USER_AGENT);
        post.setHeader("Content-Type", "application/json");
        post.setHeader("Accept-Encoding", "UTF-8");
        post.setHeader("Authorization", "Bearer access_token");
        post.setHeader("Cache-Control", "no-cache");

        StringEntity params = new StringEntity("{ \"sessionID\":\"123456789\", \"requestHeader\": { \"requestTime\":\"2016/06/25 08:00:00\", \"userName\": \"Sujith\", \"token\":\"abc123qpd452\" } }");
        post.setEntity(params);

        HttpResponse response = client.execute(post);
        System.out.println("Response Code : "
                + response.getStatusLine());

        BufferedReader rd = new BufferedReader(
                new InputStreamReader(response.getEntity().getContent()));

        StringBuffer result = new StringBuffer();
        String line = "";
        while ((line = rd.readLine()) != null) {
            result.append(line);
        }
        System.out.println(result);

3. Refresh access token

Following code can be used to refresh the "access_token" generated above.

       String url = "authorization/token issuer URL";

        DefaultHttpClient client = new DefaultHttpClient();
        HttpPost post = new HttpPost(url);

        // add header
        post.setHeader("User-Agent", USER_AGENT);
        post.setHeader("Content-Type", "application/x-www-form-urlencoded");
        post.setHeader("Cache-Control", "no-cache");

        List urlParameters = new ArrayList();
        urlParameters.add(new BasicNameValuePair("username", "username1"));
        urlParameters.add(new BasicNameValuePair("client_secret", "CQTYxzOUMCGGRt_MmKDKsWcFxrga"));
        urlParameters.add(new BasicNameValuePair("grant_type", "refresh_token"));
        urlParameters.add(new BasicNameValuePair("client_id", "OLBM3wf54GtT_R8HNbLztK63qHMa"));
        urlParameters.add(new BasicNameValuePair("password", "password1"));
        urlParameters.add(new BasicNameValuePair("refresh_token","617ff4a46cb87eaaea113835d7c7e3"));

        post.setEntity(new UrlEncodedFormEntity(urlParameters));

        HttpResponse response = client.execute(post);
        System.out.println("Response Code : "
                + response.getStatusLine());

        BufferedReader rd = new BufferedReader(
                new InputStreamReader(response.getEntity().getContent()));

        StringBuffer result = new StringBuffer();
        String line = "";
        while ((line = rd.readLine()) != null) {
            result.append(line);
        }

        System.out.println(result);

Tuesday, July 5, 2016

Git ignore HTTPS verification

Following git commands ignore https verification.

git -c http.sslVerify=false clone https://github.com/spring-guides/gs-securing-web.git

In Git shell, type the above command to retrieve "gs-securing-web" web application clone.

Monday, June 13, 2016

Run MongoDB as a service

Following command can be used to run mongo db as service.

mongod.exe --install --dbpath "c:\mongo\data\db" --logpath "c:\mongo\data\log"

You can also set dbpath & logpath in "mongod.cfg" file and run the command as follows.

mongod.exe --install --config "c:\mongo\mongod.cfg"

Sample mongod.cfg

systemLog:
    destination: file
    path: C:\Program Files\MongoDB\Server\3.2\data\log\mongod.log
storage:
    dbPath: C:\Program Files\MongoDB\Server\3.2\data\db

In Windows, you can stop service in services management window. Run/Services

In Linux, ps -ef|grep mongo then kill -9 process_id

Tuesday, June 7, 2016

Trust certificates in JAVA

Following trust manager can be used to ignore validation certificate chains.

TrustManager[] trustAllCerts = new TrustManager[] {
    new X509TrustManager() {
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            return null;
        }
        public void checkClientTrusted(
            java.security.cert.X509Certificate[] certs, String authType) {
            }
        public void checkServerTrusted(
            java.security.cert.X509Certificate[] certs, String authType) {
        }
    }
};

// Install the all-trusting trust manager
try {
    SSLContext sc = SSLContext.getInstance("SSL");
    sc.init(null, trustAllCerts, new java.security.SecureRandom());
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
} catch (GeneralSecurityException e) {

}