Exposing SOAP service (requiring authentication)

I have created a simple SOAP web service which is working quite well, but I'm struggling to determine how to set up a userID and Password as part of the exposed web service.

For example, I'm trying to create an API that another internal application can call to get case status. That application should have an ID and password that is provided with the SOAP envelope for authentication purposes.  I'm not having much luck figuring this part of the equation out, and the exposing SOAP web service documentation doesn't have any instructions for this use case.

Any pointers on how to configure this?

Hello Josh,

Have you reviewed this page, https://success.outsystems.com/Documentation/11/Extensibility_and_Integration/SOAP/Consuming_SOAP_Web_Services/Configure_Web_Service_Authentication ?

If that doesn't help, can you give a little more information on your use case so I can assist?  For example, do you need to authenticate against an LDAP backend, are you using purely basic authentication vs WS-Security, etc.?

Thank you

I looked at that page, but it seemed to be all about consuming SOAP rather than exposing a web service. To be honest I need a very simple authentication. We won't be using LDAP, our current web service that is being replaced actually just has a hard coded ID/Password in the logic that the remote application passes in with the envelope. I could do that again, or create an account in OutSystems that the remote app would pass the ID/Password for as well.

Oops, sorry about that. If all you are doing is basic authorization, I would then recommend using the Authorization header. For basic auth, you join your username and password with a colon, then base64 encode it. From an implementation standpoint, you can add a validate action into your service, for example:

Then, you can implement a ValidateAuthentication to check the values passed in.  Here is an example using RFC 7617 basic auth:

Of course, you could modify the validation if you prefer a different method.

Would that solve your problem?

Example attached.

To add, if you are looking to use WS-Security where authorization is passed as part of the Envelope, OutSystems does not have support for this out of the box.  You could write an extension to support it though.
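The Basic authentication check described above, sketched in Python as an added example (it is not the attachment from the post, and not OutSystems code). The function names and the sample credentials are hypothetical; the parsing follows RFC 7617, where only the first colon separates user-id from password.

```python
import base64
import hmac


def parse_basic_authorization(header_value):
    """Return (user_id, password) from an Authorization header value, or None."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    # The scheme name is case-insensitive; anything but Basic is not ours to handle.
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    # Split on the first colon only: the password itself may contain colons.
    user_id, sep, password = decoded.partition(":")
    if not sep or not user_id:
        return None
    return user_id, password


def validate_authentication(header_value, expected_user, expected_password):
    """True only when both values match; comparisons are constant-time."""
    creds = parse_basic_authorization(header_value)
    if creds is None:
        return False
    user_ok = hmac.compare_digest(creds[0].encode(), expected_user.encode())
    pass_ok = hmac.compare_digest(creds[1].encode(), expected_password.encode())
    return user_ok and pass_ok


def build_basic_header(user_id, password):
    """Client side: join with a colon, then base64 encode (as the post describes)."""
    raw = f"{user_id}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


# Constructed sample credentials, for illustration only.
SAMPLE_HEADER = build_basic_header("ivr-svc", "s3cr:et")
```

Base64 is an encoding, not encryption, so the header protects the credential only when the service is exposed over HTTPS.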

Thanks!   I think this will work for me.  So I will just add the clear text User and Password as SOAP inputs then check them in the logic manually.    

I don't believe I will be able to set up an OutSystems ID for the service though correct, since the passwords are encoded. I'll just compare the hard coded user and PW in the assign step and then set valid/non-valid based on if it matches and go from there.

Hey Josh Herron,

I don't believe I will be able to set up an OutSystems ID for the service though correct, since the passwords are encoded.

Do you mean you wish to authenticate against the OutSystems users, but you cannot compare to the password in the User table?  If so, you can actually use the User_Login action in Users (https://success.outsystems.com/Documentation/11/Reference/OutSystems_APIs/Users_API#User_Login) and provide it with the username and password to validate.


The User_Login function doesn't have a return does it?   How do I tell if the username and PW are accepted?

It will throw a security exception if they are not accepted.

Thanks, I might just go that route. Right now I'm moving forward with a hard coded value but once I get that working I will switch to using the OutSystems account.

After trial and error yesterday and this morning... I think I'm still stuck.    The application that I'm calling this web service with needs to have an envelope structure like this:

It's a Genesys PureConnect IVR and the options to configure the SOAP call are pretty limited. We have to change our passwords every 45 days so if I can use the headers I can store my password in a server parameter and just add it as a variable. (so it's super quick to update the passwords when it's time)


You mentioned that there isn't support for this out of the box... but I assume maybe someone has written a tutorial on how to accomplish this?  I can't imagine I'm the only person that has needed to do it.


<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ivr="url">
   <soapenv:Header>
      <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
         <wsse:UsernameToken>
            <wsse:Username>$(Username)</wsse:Username>
            <wsse:Password>$(Password)</wsse:Password>
         </wsse:UsernameToken>
      </wsse:Security>
   </soapenv:Header>
   <soapenv:Body>
      {More stuff here}
   </soapenv:Body>
</soapenv:Envelope>

Solution

Hey Josh,

I put together an example with an extension that simply reads the Username and Password from the XML document posted to the SOAP request.  Would this meet your needs?  It certainly doesn't support all of WS-Security 1.0, but should at least work for you I think.
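What reading the Username and Password out of the posted envelope involves, sketched in Python as an added example (this is not the extension attached to the post, whose code is not shown in the thread). The function names and sample credentials are hypothetical; the sketch accepts the draft wsse namespace from the envelope above as well as the OASIS WSS 1.0 namespace, and refuses DTDs, which SOAP 1.1 messages must not contain.

```python
import hmac
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
# The draft namespace used by the envelope in this thread, then the OASIS WSS 1.0 one.
WSSE_NAMESPACES = (
    "http://schemas.xmlsoap.org/ws/2002/04/secext",
    "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
)

def extract_username_token(raw_body):
    """Return (username, password) from the SOAP header, or None if missing/malformed."""
    try:
        text = raw_body.decode("utf-8-sig")
        # Refusing any DTD keeps entity-expansion payloads away from the parser.
        if "<!DOCTYPE" in text:
            return None
        root = ET.fromstring(text)
    except (UnicodeDecodeError, ET.ParseError):
        return None
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        return None
    for ns in WSSE_NAMESPACES:
        token = root.find(f"{{{SOAP_ENV}}}Header/{{{ns}}}Security/{{{ns}}}UsernameToken")
        if token is not None:
            username = token.findtext(f"{{{ns}}}Username")
            password = token.findtext(f"{{{ns}}}Password")
            return (username, password) if username and password else None
    return None

def is_authorized(raw_body, expected_user, expected_password):
    """Reject unless both header values match; comparisons are constant-time."""
    creds = extract_username_token(raw_body)
    if creds is None:
        return False
    user_ok = hmac.compare_digest(creds[0].encode(), expected_user.encode())
    pass_ok = hmac.compare_digest(creds[1].encode(), expected_password.encode())
    return user_ok and pass_ok

# Constructed sample request with the thread's envelope shape and made-up credentials.
SAMPLE = b"""<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
<wsse:UsernameToken><wsse:Username>ivr-svc</wsse:Username><wsse:Password>Constructed-Pw-1</wsse:Password></wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>"""
```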

Craig St.Jean wrote:

Hey Josh,

I put together an example with an extension that simply reads the Username and Password from the XML document posted to the SOAP request.  Would this meet your needs?  It certainly doesn't support all of WS-Security 1.0, but should at least work for you I think.


I appreciate the extension... I just tried to open it but our security blocked the verification in Integration Studio.   So now I'm waiting for our desktop team to add an exception so it can run.   I'll respond as soon as I get a chance to actually look at it.  :)

Works perfectly!   Now I just have to build out the authentication logic and I'm all set.   Very much appreciated.

Glad it helped!