How do I create a ColdFusion web service client that uses WS-Security?

Question

I've exposed several web services in our product using Java and WS-Security. One of our customers wants to consume the web service using ColdFusion. Does ColdFusion support WS-Security? Can I get around it by writing a Java client and using that in ColdFusion?

(I don't know much about ColdFusion).

Answer 1

I'm assuming you mean you need to pass the security in as part of the SOAP header. Here's a sample on how to connect to a .Net service. Same approach should apply w/ Java, just the url's would be different.

<cfset local.soapHeader = xmlNew()>
<cfset local.soapHeader.TheSoapHeader = xmlElemNew(local.soapHeader, "http://someurl.com/", "TheSoapHeader")>
<cfset local.soapHeader.TheSoapHeader.UserName.XmlText = "foo">
<cfset local.soapHeader.TheSoapHeader.UserName.XmlAttributes["xsi:type"] = "xsd:string">

<cfset local.soapHeader.TheSoapHeader = xmlElemNew(local.soapHeader, "http://webserviceUrl.com/", "TheSoapHeader")>
<cfset local.soapHeader.TheSoapHeader.Password.XmlText = "bar">
<cfset local.soapHeader.TheSoapHeader.Password.XmlAttributes["xsi:type"] = "xsd:string">

<cfset theWebService = createObject("webservice","http://webserviceUrl.com/Webservice.asmx?WSDL")>
<cfset addSOAPRequestHeader(theWebService, "ignoredNameSpace", "ignoredName", local.soapHeader, false)>

<cfset aResponse = theWebService.SomeMethod(arg1)>

Hope this is what you needed.

Answer 2

This is probably more accurate to produce the 'simple' xml soap header. The example above is missing a few lines.

Local['soapHeader'] = xmlNew();
Local['soapHeader']['UsernameToken'] =  xmlElemNew(local.soapHeader, "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "UsernameToken");
Local['soapHeader']['UsernameToken']['username'] =  xmlElemNew(local.soapHeader, "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "username");
Local['soapHeader']['UsernameToken']['username'].XmlText = Arguments.szUserName;
Local['soapHeader']['UsernameToken']['username'].XmlAttributes["xsi:type"] = "xsd:string";
Local['soapHeader']['UsernameToken']['password'] =  xmlElemNew(local.soapHeader, "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "password");
Local['soapHeader']['UsernameToken']['password'].XmlText = Arguments.szPassword;
Local['soapHeader']['UsernameToken']['password'].XmlAttributes["xsi:type"] = "xsd:string";
addSOAPRequestHeader(ws, "ignoredNameSpace", "ignoredName", Local.soapHeader, false);

Answer 3

I've never done any ws-security, and don't know if ColdFusion can consume it or not, but to answer your secondary question:

Can I get around it by writing a java client and using that in coldfusion?

Yes, absolutely. ColdFusion can easily use Java objects and methods.

Answer 4

I'm doing some research on WS-Secuirty and ColdFusion myself for some time and can definitely say that the above example is not an implementation of WS-Security. Even though a username and password are sent in the header, they are sent in plaintext. Utilizing SSL will help, but WS-Security is a lot more work that just applying this code. ColdFusion natively doesn't support WS-Security, but it can easily use Java objects and methods. There's a package from Apache called WSS4J which does provides means of implementing WS-Security in Java. You can write a wrapper and then utilize it in ColdFusion. I persoanlly was able to do so, however, there needs to be a small configuration change on ColdFusion side which I'm having some problems with.

If anyone can help me out on the configuration part, I'd really appreciate it.

Dmitriy