[SalesForce] Constructing SOAP Security Header for wsse:UserToken

I'm trying to callout from Apex to an Address Validation webservice that requires a SOAP <Security> header to be set. But I can't seem to get it right.

From the WSDL:

<s0:Policy s1:Id="derm.service.common.esb.wspolicy.UNT.1">
        <wssp:Identity xmlns:wssp="http://www.bea.com/wls90/security/policy">
            <wssp:SupportedTokens>
                <wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wssusername-token-profile-1.0#UsernameToken">
                <wssp:UsePassword Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-usernametoken-profile-1.0#PasswordText" />
                </wssp:SecurityToken>
            </wssp:SupportedTokens>
        </wssp:Identity>
    </s0:Policy>

Full WSDL: http://pastebin.com/Z5VswYNF

From the documentation linked from the WSDL (http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf) I retrieved this example:

<wsse:Security>
   <wsse:UsernameToken>
   <wsse:Username>REDACTED_PLAINTEXT_USERNAME</wsse:Username>
   <wsse:Password>REDACTED_PLAINTEXT_PASSWORD</wsse:Password>
   </wsse:UsernameToken>
</wsse:Security>

Replacing the values with the Username / Password I've been supplied and firing off the sample request from the documentation doesn't work.

Sample request with Security header:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soap="information.qld.gov.au/service/Addressing/ValidationService/2/soap">
<soapenv:Header>
    <wsse:Security>
       <wsse:UsernameToken>
       <wsse:Username>REDACTED_PLAINTEXT_USERNAME</wsse:Username>
       <wsse:Password>REDACTED_PLAINTEXT_PASSWORD</wsse:Password>
       </wsse:UsernameToken>
    </wsse:Security>
</soapenv:Header>
<soapenv:Body>
<soap:ParseValidAddress>
<soap:addressString>867 Main Street Woolloongabba Queensland</soap:addressString>
<soap:postcodeOption>Include</soap:postcodeOption>
<soap:meshblockOption>Exclude</soap:meshblockOption>
</soap:ParseValidAddress>
</soapenv:Body>
</soapenv:Envelope>

I've also tried the following from elsewhere on stackexchange:

  <wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:SOAP-ENV="SOAP-ENV">
     <wsse:UsernameToken wsu:Id="UsernameToken-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:Username>oneview</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">oneview123</wsse:Password>
     </wsse:UsernameToken>
  </wsse:Security>

Everything I try gets a generic error message

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
   <soap:Body>
      <soap:Fault>
         <faultcode>soap:Client</faultcode>
         <faultstring>The requested operation was rejected. Please consult with your administrator.Your support ID is: REDACTED_SUPPORT_ID</faultstring>
         <detail/>
      </soap:Fault>
   </soap:Body>
</soap:Envelope>

What am I doing wrong?

Best Answer

Finally got to the bottom of this... The <wsse:Nonce> and <wsu:Created> elements were required. The following header included in the requests worked.

I use the same Nonce on each request. The Created date can be generated in Apex using

String requestTimeStamp = datetime.now().formatGMT('yyyy-MM-dd\'T\'HH:mm:ss.SSS\'Z\'');

The complete <Header> element:

<soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:UsernameToken wsu:Id="UsernameToken-2E66C7C5CE47F74A5314575223194135">
            <wsse:Username>REDACTED_PLAINTEXT_USERNAME</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">REDACTED_PLAINTEXT_PASSWORD</wsse:Password>
            <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">0S0T0SfUpdJ7A1Wom+g1hg==</wsse:Nonce>
            <wsu:Created> + requestTimeStamp + </wsu:Created>
        </wsse:UsernameToken>
    </wsse:Security>
   </soapenv:Header>

In addition http headers on the request were set to:

req.setEndpoint('https://information.qld.gov.au/service/land/property/ValidationService/2/soap');

req.setHeader('Content-Type', 'text/xml;charset=UTF-8');
req.setHeader('SOAPAction', '"information.qld.gov.au/service/Addressing/ValidationService/2/soap/IValidationServiceEnhanced/ValidateLotPlan"');
req.setHeader('Content-Length', String.valueOf(requestXML.length()));

Related Solutions

[SalesForce] How to put information into SOAP envelope header

You can generate SOAP headers for use with WebServiceCallout.invoke using a member and a corresponding string with the _hns suffix.

For reference, Wsdl2Apex processes this around Line 86 of the BindingClass.java file.

You will need to create an inner class to contain the header data.

Here is an example from the UPS XAV Service WSDL. The code was generated using the FuseIT SFDC Explorer Wsdl2Apex function (Disclosure, this is my current employer).

// Generated by FuseIT WSDL2Apex (http://www.fuseit.com/Solutions/SFDC-Explorer/Help-WSDL-Parser.aspx)
// Methods Included: ProcessXAV
// Primary Port Class Name: XAVPort 
public class wwwUpsComWsdlXoltwsXavV10 {
    public class XAVPort {
        public String endpoint_x = 'https://wwwcie.ups.com/webservices/XAV';
        public Map<String,String> inputHttpHeaders_x;
        public Map<String,String> outputHttpHeaders_x;
        public String clientCertName_x;
        public String clientCert_x;
        public String clientCertPasswd_x;
        public Integer timeout_x;

        // Setting this member will populate the <env:Header/> element 
        public wwwUpsComXmlschemaXoltwsUpssV10.UPSSecurity_element UPSSecurity;
        private String UPSSecurity_hns = 'UPSSecurity=http://www.ups.com/XMLSchema/XOLTWS/UPSS/v1.0';

        private String[] ns_map_type_info = new String[]{'http://www.ups.com/XMLSchema/XOLTWS/UPSS/v1.0','wwwUpsComXmlschemaXoltwsUpssV10','http://www.ups.com/XMLSchema/XOLTWS/Common/v1.0','wwwUpsComXmlschemaXoltwsCommonV10','http://www.ups.com/XMLSchema/XOLTWS/Error/v1.1','wwwUpsComXmlschemaXoltwsErrorV11','http://www.ups.com/XMLSchema/XOLTWS/xav/v1.0','wwwUpsComXmlschemaXoltwsXavV10'};

        public wwwUpsComXmlschemaXoltwsXavV10.XAVResponse_element ProcessXAV(wwwUpsComXmlschemaXoltwsCommonV10.RequestType Request,String RegionalRequestIndicator,String MaximumCandidateListSize,wwwUpsComXmlschemaXoltwsXavV10.AddressKeyFormatType AddressKeyFormat) {
            // ...
        }
    }
}

public class wwwUpsComXmlschemaXoltwsUpssV10 {
    public class UPSSecurity_element {
        public wwwUpsComXmlschemaXoltwsUpssV10.UPSSecurity_UsernameToken_element UsernameToken;
        public wwwUpsComXmlschemaXoltwsUpssV10.UPSSecurity_ServiceAccessToken_element ServiceAccessToken;
        private String[] UsernameToken_type_info = new String[]{'UsernameToken','http://www.ups.com/XMLSchema/XOLTWS/UPSS/v1.0','','1','1','false'};
        private String[] ServiceAccessToken_type_info = new String[]{'ServiceAccessToken','http://www.ups.com/XMLSchema/XOLTWS/UPSS/v1.0','','1','1','false'};
        private String[] apex_schema_type_info = new String[]{'http://www.ups.com/XMLSchema/XOLTWS/UPSS/v1.0','true','false'};
        private String[] field_order_type_info = new String[]{'UsernameToken','ServiceAccessToken'};
    }
    public class UPSSecurity_ServiceAccessToken_element {
        public String AccessLicenseNumber;
        private String[] AccessLicenseNumber_type_info = new String[]{'AccessLicenseNumber','http://www.ups.com/XMLSchema/XOLTWS/UPSS/v1.0','string','1','1','false'};
        private String[] apex_schema_type_info = new String[]{'http://www.ups.com/XMLSchema/XOLTWS/UPSS/v1.0','true','false'};
        private String[] field_order_type_info = new String[]{'AccessLicenseNumber'};
    }
    public class UPSSecurity_UsernameToken_element {
        public String Username;
        public String Password;
        private String[] Username_type_info = new String[]{'Username','http://www.ups.com/XMLSchema/XOLTWS/UPSS/v1.0','string','1','1','false'};
        private String[] Password_type_info = new String[]{'Password','http://www.ups.com/XMLSchema/XOLTWS/UPSS/v1.0','string','1','1','false'};
        private String[] apex_schema_type_info = new String[]{'http://www.ups.com/XMLSchema/XOLTWS/UPSS/v1.0','true','false'};
        private String[] field_order_type_info = new String[]{'Username','Password'};
    }
}

If you do want to go down the HttpRequest path as Keith commented, the FuseIT SFDC Explorer tool can also generate code using the HttpRequest. I cover this in my Dreamforce 2014 presentation.

[SalesForce] Authenticate using OAuth to connect from external System to Salesforce

Have you read this: https://developer.salesforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com - best article on oAuth out there IMHO.

It discusses all available options. If not listed there then it will not be possible.

Now, if you do not have a way in the external system to have a user authenticate, you could build a visual force page for a user to authenticate and then grab the token. You could then provide the access and refresh token to the external system.

You would need to create a connected app and provide those details to the external system as well...

Doing this will allow the user to be able to revoke the token as needed and negate the need for the external system to store a password. Of course this assumes that the external system has properly implemented oAuth

Best Answer

Related Solutions

[SalesForce] How to put information into SOAP envelope header

[SalesForce] Authenticate using OAuth to connect from external System to Salesforce

Related Topic