Web service security header with Encryption and decryption - java stack

Web service security header with Encryption and decryption - java stack

I have written a web service and now i want to send the credentials from the client in SOAP header with X509 certificate(encryption) and at the same time service should read those credentials and decrypt. Can someone help me in doing this in Outsystems platform. 
I need this to be on Java stack.
Appreciate your help

Thanks much,
Just getting in to basics, Is it possible to encrypt password in SOAP Header in web reference and decrypt it in the web service on the server side?
Hi Thiru,

You are able to extend support of web services and/or web references by using the extension EnhancedWebReference.

Paulo Garrudo
Hi Paulo,
I was trying to get the EnhancedWebReference code on to eclipse by using Integration Studio, but i dont see any code in it. What ever i see is the classes with methods have no implementation (//TODO : Write implementation for action). So I'm not sure why the code is not seen.
If you can let me know how can i get the access to code, it would be great help. Why this because, i want to understand the internals of web services related things in outsystems. So that i can try out some code to play around and get my work done. 
Any helpful tips from your side for achieving WS security spec implementation would be a great help.

You shouldn't need the code for the EnhancedWebReferences extension in order to accomplish your stated goal here.

All you need to do is accessing the headers which were sent with the requests, and to add headers to your own response. This can be done using the corresponding actions from the EnhancedWebReferences extension. How we add or retrieve those headers is an implementational detail on which you shouldn't rely on. This is because the implementation detail can change in future versions of the OutSystems Platform without any prior notice and that could completely break your code.

I believe that, at this time, it is not possible to declare an OutSystems Platform web service to comply with WS-Security.
Hi Ricardo,
W.r.t code i dont want to use it, I just want to understand how outsystems getting context objects and all in the code, so which may be helpful to me in  writing extension.
The existing API in the extension return the SOAP Header element, and the extraction of data from the header is a custom action need to be written by user.

My requirement is my web service should support the WSSE Specification.
generally, the web service and the web refereces should support the headers defined in WS Security Standard i.e.,
  • Pass authentication tokens between services
  • Encrypt/Decrypt messages or parts of messages
  • Sign messages
  • Timestamp messages
  • Manage public keys using XKMS
Is this possible in outsystems? If yes, what should i do to support all these? Should i write extension? then I suppose the extension code would be the callback handlers for the webservices. How do i tie the handler with the Outsystem webservices. So that the handlers are called and my job is done.

Your help is greatly appreciated. I am blocked here and no clues how to proceed further.

Hi Thirupathi,

Currently It will be very hard to get all those requiments with just header manipulation.
Like Ricardo sugested the EnhancedWebReferences allows you to do some of them, like the Auth and Timestamping, but the rest I'm not sure how.

The implementation is internal and seeing it would not help because it only calls internal methods of the platform runtime that "instruments" those parts when necesary. Does not access the contexts/soap directly.

I did some research and to really implement ws-security in jboss you need to use specific anotations in the service class.
I think that if you really need more than what you can do with the
EnhancedWebReferences, then best way to achieve what you it without much risk it of breaking on the next Platform Version is to implement the service directly in an extension and then from there call a less secure web service in your application (for example that only responds on localhost).

For the webreference I was able to consume it directly in a eSpace (but the policy I tested was not very complicated).
It may be necessary to also import the webreference in an extension if you need to manipulate the properties in code instead of configurations.

I'll send you an email with a working sample of what I did.

Thanks Joao, Please send me the sample implementation, it would be much helpful for me.

gmail.com: thirupathiveerla

waiting for your email :)

Thanks again,
Humm I had already sent.
I'll forward to your official one.
Hi João,

Could you please send me the sample you talked above?

I have a similar, but much simpler need, using WSSec in a webservice. Is this the case of the sample?

Thank you in advance.