在 C++ WWSAPI Web 服务中处理 WS-Security PasswordDigest 模式

Question

I inherited an existing and working web service written in c++ with WWSAPI. I must implement the security mechanism based on WS-Security using passworddigest in the soap header, like this one:

   <soapenv:Header>
  <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
     <wsse:UsernameToken wsu:Id="UsernameToken-5094D0E1418B986BF215754539660332">
        <wsse:Username>test</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">sqPh/Bap7ER6j+n+2iYlI+4Qt9A=</wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">1ROYkV/ZftvGi17KmsvgnQ==</wsse:Nonce>
        <wsu:Created>2019-12-04T10:06:06.032Z</wsu:Created>
     </wsse:UsernameToken>
  </wsse:Security>

I'm neither a web service expert nor a WWSAPI expert, but I understand the basics of a web service. I tried to understand the WWSAPI documentation, but didn't understand where to start to implement this security.

I tested by using the binding WS_STRING_USERNAME_MESSAGE_SECURITY_BINDING_TYPE, for which I can define a password validator callback, which seems to work with a simple user/password scheme. But where/how to define a password digest security mechanism ?

With the API, I was expecting a simple setting to define the basic digest mechanism and a callback to receive the nonce, the date created, the username, and the password, but I don't understand where to start. I don't understand if this needs simple declarations (bindings + properties + callback), or if I need to write some code, for example to manually parse the xml header.

As someone implemented a WWSAAPI web service with WS-Security and how ?

Answer 1

Ok, so, nobody seems to implement web services in pure c++ ? Anyway, I found the answer: this must be done (pratically) by hand. The main points are:

• An authorization callback must be defined in the WS_SERVICE_POINT structure
• The WS-security header must be read and checked in this callback, through the following operations:
• Get the input message (it contains the header and the body) with the WsGetOperationContextProperty function and the parameter WS_OPERATION_CONTEXT_PROPERTY_INPUT_MESSAGE
• Check that the message state is not empty (property WS_MESSAGE_PROPERTY_STATE)
• Get the header buffer (property WS_MESSAGE_PROPERTY_HEADER_BUFFER)
• Create a XML reader (WsCreateReader)
• Initialize this reader with the header buffer (WsSetInputToBuffer)
• Parse the XML to find the WS-Security tags with the function WsGetReaderNode (see the example provided with WWSAPI).
• Call WsMarkHeaderAsUnderstood at the position of the found attribute "mustUnderstand"
• Now that the XML is parsed, you can do whatever you want with the WS-Security tags to verify that they are valid
• Before exiting the authorization callback, you just decide to authorize or not the access, by setting the parameter *authorized to TRUE or FALSE