[Dev] Connecting to GreenMail IMAP Server over SSL

2017-11-14 Thread Thishani Lucas
Hi All,

These days I work on replacing the Gmail server with GreenMail [1] server
in the EI mail-to transport tests. I configured the GreenMail server with
POP3 and IMAP protocols. My requirement is to connect to the IMAP server
using an SSL connection.

Previously with Gmail server, we could connect by setting the
'mail.imap.socketFactory.class' to 'javax.net.ssl.SSLSocketFactory'. This
worked fine because Gmail server is by default SSL-enabled. But in my case
this is throwing an error because my server is not accepting SSL
connections. I tried enabling SSL in my server but to do so, I had to
change the protocol to IMAPS which again throws some other SSL certificates
error.

Is there any other way to enable SSL in the GreenMail server so that I can
use the above property at the transport listener and connect to the server?

[1] http://www.icegreen.com/greenmail

Appreciate your response.

Thank you.

-- 
Regards,

*Thishani Lucas*
*Software Engineer*
*WSO2 Lanka (Private) Limited**: http://wso2.com *
*lean.enterprise.middle-ware*

*Tel: +94 77 2556931 *

*LinkedIn: https://www.linkedin.com/in/thishani-lucas/
*


___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Exception while invoking proxy service in ESB 5.0.0

2017-11-14 Thread Dilusha Alphonso
Hi

As it is mentioned already, I have set this property only for POST method.
I haven't tested it for the GET method as it was working fine without this
property.

Thanks
Dilusha

On Wed, Nov 15, 2017 at 11:31 AM, Chanika Geeganage 
wrote:

> If you set OUT_ONLY property to true then the response is not sent back to
> the client, since a callback is not registered. That's why the response is
> dropped. Therefore, you can't set OUT_ONLY for GET requests.
>
> On Tue, Nov 14, 2017 at 10:38 AM, Buddhimala Ranasinghe <
> buddhim...@wso2.com> wrote:
>
>> Hi Dilusha,
>>
>> I encountered the same problem and tried out the solution as given. But
>> now, when I invoke the proxy with GET method using SOAPUI, I don't see the
>> response in SOAPUI. But when I checked the wirelogs, the response is sent
>> from BE to the proxy and from proxy, it gets dropped. Have you too noticed
>> this behaviour? If so, how did you overcome this problem?
>>
>> Regards,
>> Buddhimala
>>
>> On Mon, Nov 13, 2017 at 3:21 PM, Dilusha Alphonso 
>> wrote:
>>
>>> Thank you for your solution. It works fine.
>>>
>>> Thanks
>>> Dilusha
>>>
>>> On Mon, Nov 13, 2017 at 3:03 PM, Saneth Dharmakeerthi 
>>> wrote:
>>>
 Hi Dilusha,

 Your  calling method is In only

 wsdl:operation name="postMediData">
 
 
 


 If the WSDL is defined the service endpoint as an IN-ONLY operation,
 then you should call that service in the same manner. For that; we can use
 the below property before calling that particular service.

 **



 Thanks and Best Regards,

 Saneth Dharmakeerthi
 *Associate Technical Lead*
 WSO2, Inc.
 Mobile: +94772325511 <+94%2077%20232%205511>

 

 On Mon, Nov 13, 2017 at 12:52 PM, Dilusha Alphonso 
 wrote:

> 1.I invoke the proxy service in ESB 5.0.0.
>
> 2.I attached a wire log of the proxy service.
>
> [2017-11-13 12:48:06,483] DEBUG - wire HTTPS-Listener I/O dispatcher-1
> >> "POST /services/Durdans HTTP/1.1[\r][\n]"
> [2017-11-13 12:48:06,484] DEBUG - wire HTTPS-Listener I/O dispatcher-1
> >> "Accept-Encoding: gzip,deflate[\r][\n]"
> [2017-11-13 12:48:06,484] DEBUG - wire HTTPS-Listener I/O dispatcher-1
> >> "Content-Type: text/xml;charset=UTF-8[\r][\n]"
> [2017-11-13 12:48:06,484] DEBUG - wire HTTPS-Listener I/O dispatcher-1
> >> "SOAPAction: "urn:postMediData"[\r][\n]"
> [2017-11-13 12:48:06,484] DEBUG - wire HTTPS-Listener I/O dispatcher-1
> >> "Content-Length: 2149[\r][\n]"
> [2017-11-13 12:48:06,484] DEBUG - wire HTTPS-Listener I/O dispatcher-1
> >> "Host: dilusha-ThinkPad-X1-Carbon-5th:8243[\r][\n]"
> [2017-11-13 12:48:06,484] DEBUG - wire HTTPS-Listener I/O dispatcher-1
> >> "Connection: Keep-Alive[\r][\n]"
> [2017-11-13 12:48:06,484] DEBUG - wire HTTPS-Listener I/O dispatcher-1
> >> "User-Agent: Apache-HttpClient/4.1.1 (java 1.5)[\r][\n]"
> [2017-11-13 12:48:06,484] DEBUG - wire HTTPS-Listener I/O dispatcher-1
> >> "[\r][\n]"
> [2017-11-13 12:48:06,484] DEBUG - headers http-incoming-4 >> POST
> /services/Durdans HTTP/1.1
> [2017-11-13 12:48:06,484] DEBUG - headers http-incoming-4 >>
> Accept-Encoding: gzip,deflate
> [2017-11-13 12:48:06,484] DEBUG - headers http-incoming-4 >>
> Content-Type: text/xml;charset=UTF-8
> [2017-11-13 12:48:06,484] DEBUG - headers http-incoming-4 >>
> SOAPAction: "urn:postMediData"
> [2017-11-13 12:48:06,484] DEBUG - headers http-incoming-4 >>
> Content-Length: 2149
> [2017-11-13 12:48:06,484] DEBUG - headers http-incoming-4 >> Host:
> dilusha-ThinkPad-X1-Carbon-5th:8243
> [2017-11-13 12:48:06,484] DEBUG - headers http-incoming-4 >>
> Connection: Keep-Alive
> [2017-11-13 12:48:06,485] DEBUG - headers http-incoming-4 >>
> User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
> [2017-11-13 12:48:06,487] DEBUG - wire HTTPS-Listener I/O dispatcher-1
> >> "http://schemas.
> xmlsoap.org/soap/envelope/" xmlns:ser="http://service.samp
> le.durdans.com" xmlns:xsd="http://dto.service.sample.durdans.com/xsd
> ">[\n]"

Re: [Dev] Exception while invoking proxy service in ESB 5.0.0

2017-11-14 Thread Chanika Geeganage
If you set OUT_ONLY property to true then the response is not sent back to
the client, since a callback is not registered. That's why the response is
dropped. Therefore, you can't set OUT_ONLY for GET requests.

On Tue, Nov 14, 2017 at 10:38 AM, Buddhimala Ranasinghe  wrote:

> Hi Dilusha,
>
> I encountered the same problem and tried out the solution as given. But
> now, when I invoke the proxy with GET method using SOAPUI, I don't see the
> response in SOAPUI. But when I checked the wirelogs, the response is sent
> from BE to the proxy and from proxy, it gets dropped. Have you too noticed
> this behaviour? If so, how did you overcome this problem?
>
> Regards,
> Buddhimala
>
> On Mon, Nov 13, 2017 at 3:21 PM, Dilusha Alphonso 
> wrote:
>
>> Thank you for your solution. It works fine.
>>
>> Thanks
>> Dilusha
>>
>> On Mon, Nov 13, 2017 at 3:03 PM, Saneth Dharmakeerthi 
>> wrote:
>>
>>> Hi Dilusha,
>>>
>>> Your  calling method is In only
>>>
>>> wsdl:operation name="postMediData">
>>> 
>>> 
>>> 
>>>
>>>
>>> If the WSDL is defined the service endpoint as an IN-ONLY operation,
>>> then you should call that service in the same manner. For that; we can use
>>> the below property before calling that particular service.
>>>
>>> **
>>>
>>>
>>>
>>> Thanks and Best Regards,
>>>
>>> Saneth Dharmakeerthi
>>> *Associate Technical Lead*
>>> WSO2, Inc.
>>> Mobile: +94772325511 <+94%2077%20232%205511>
>>>
>>> 
>>>
>>> On Mon, Nov 13, 2017 at 12:52 PM, Dilusha Alphonso 
>>> wrote:
>>>
 1.I invoke the proxy service in ESB 5.0.0.

 2.I attached a wire log of the proxy service.

 [2017-11-13 12:48:06,483] DEBUG - wire HTTPS-Listener I/O dispatcher-1
 >> "POST /services/Durdans HTTP/1.1[\r][\n]"
 [2017-11-13 12:48:06,484] DEBUG - wire HTTPS-Listener I/O dispatcher-1
 >> "Accept-Encoding: gzip,deflate[\r][\n]"
 [2017-11-13 12:48:06,484] DEBUG - wire HTTPS-Listener I/O dispatcher-1
 >> "Content-Type: text/xml;charset=UTF-8[\r][\n]"
 [2017-11-13 12:48:06,484] DEBUG - wire HTTPS-Listener I/O dispatcher-1
 >> "SOAPAction: "urn:postMediData"[\r][\n]"
 [2017-11-13 12:48:06,484] DEBUG - wire HTTPS-Listener I/O dispatcher-1
 >> "Content-Length: 2149[\r][\n]"
 [2017-11-13 12:48:06,484] DEBUG - wire HTTPS-Listener I/O dispatcher-1
 >> "Host: dilusha-ThinkPad-X1-Carbon-5th:8243[\r][\n]"
 [2017-11-13 12:48:06,484] DEBUG - wire HTTPS-Listener I/O dispatcher-1
 >> "Connection: Keep-Alive[\r][\n]"
 [2017-11-13 12:48:06,484] DEBUG - wire HTTPS-Listener I/O dispatcher-1
 >> "User-Agent: Apache-HttpClient/4.1.1 (java 1.5)[\r][\n]"
 [2017-11-13 12:48:06,484] DEBUG - wire HTTPS-Listener I/O dispatcher-1
 >> "[\r][\n]"
 [2017-11-13 12:48:06,484] DEBUG - headers http-incoming-4 >> POST
 /services/Durdans HTTP/1.1
 [2017-11-13 12:48:06,484] DEBUG - headers http-incoming-4 >>
 Accept-Encoding: gzip,deflate
 [2017-11-13 12:48:06,484] DEBUG - headers http-incoming-4 >>
 Content-Type: text/xml;charset=UTF-8
 [2017-11-13 12:48:06,484] DEBUG - headers http-incoming-4 >>
 SOAPAction: "urn:postMediData"
 [2017-11-13 12:48:06,484] DEBUG - headers http-incoming-4 >>
 Content-Length: 2149
 [2017-11-13 12:48:06,484] DEBUG - headers http-incoming-4 >> Host:
 dilusha-ThinkPad-X1-Carbon-5th:8243
 [2017-11-13 12:48:06,484] DEBUG - headers http-incoming-4 >>
 Connection: Keep-Alive
 [2017-11-13 12:48:06,485] DEBUG - headers http-incoming-4 >>
 User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
 [2017-11-13 12:48:06,487] DEBUG - wire HTTPS-Listener I/O dispatcher-1
 >> "http://schemas.
 xmlsoap.org/soap/envelope/" xmlns:ser="http://service.samp
 le.durdans.com" xmlns:xsd="http://dto.service.sample.durdans.com/xsd
 ">[\n]"

Re: [Dev] [IS] [OAuth] Validating and renewing an access token with one call.

2017-11-14 Thread Farasath Ahamed
Farasath Ahamed
Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619 




On Wed, Nov 15, 2017 at 10:56 AM, Thilina Madumal 
wrote:

>
>
> On Wed, Nov 15, 2017 at 9:42 AM, Farasath Ahamed 
> wrote:
>
>>
>>
>>
>> On Wed, Nov 15, 2017 at 9:03 AM, Thilina Madumal 
>> wrote:
>>
>>> Hi Farazath,
>>>
>>> Thanks for the reply. Please see the inline comments.
>>>
>>> On Tue, Nov 14, 2017 at 11:10 PM, Farasath Ahamed 
>>> wrote:
>>>


 On Tuesday, November 14, 2017, Thilina Madumal 
 wrote:

> Hi Devs,
>
> I'm working on implementing an SPA that uses OAuth access-token in
> securing resource access.
> In the documentation [1] I found that to validate the access token
> that I already have obtained, the introspection endpoint can be used.
>
> My question is, is there a way where I can send both the access token
> and the refresh token, then IS will validate the access token, and if the
> access token is expired IS will issue a new access token for the given
> refresh token.
>
> I understand that the above use-case can be achieved by 2 requests to
> the IS. But I'm curious to know whether there is a way to achieve this
> by a single request.
>

 Introspection Endpoint is basically an endpoint used to validate and
 gather metadata about the access token.

 Usually this will be used by a resource server to validate an access
 token presented by an oauth client. Resource server will introspect the
 token to get metadata and authorize access.

 Meanwhile, a refresh token flow is between the oauth client and
 authorization server.

 So the requirement you have presented does not fit into the
 introspection call/endpoint. ie. Introspection and token refresh in one
 call simply because there are two completely different flows.

>>>
>>> In end-user perspective this would be a nice to have feature unless it
>>> is not a spec violation.
>>> On the other hand it does not need to be the introspection endpoint, it
>>> can be some custom endpoint where it takes the access-token and
>>> refresh-token and has the following behavior;
>>>
>>>- if the access-token is still valid return the same access-token
>>>and refresh-token.
>>>- if access-token is expired exchange the refresh-token for a new
>>>access-token, and return the new access-token and a new refresh-token.
>>>
>>> Okay in that case we can go for a custom grant type. Grant type will
>> accept an access token and a refresh token and have the behaviour you have
>> described. Anyways if the requirement is to make sure we have an active
>> token all the time why not simply refresh the token :)
>>
>
> Is it a recommended approach? I mean refreshing the access-token
> frequently. Just asking for the curiosity :)
>

There are two options,

1. OAuth client keeps track of the expiry and does a refresh when the token
is about to expire.
2. OAuth client has a retry mechanism when the resource server returns
an error when an expired token is used.

>
>
>
>>
>>
>>
>>> Anyhow need to consider the practicality of the use-case furthermore.
>>>
>>>

 In your use case why does the SPA have to do the introspection call?
 Shouldn't it be the resource server consumed by SPA that needs to do the
 introspection call.

>>>
>>> In this particular use-case the IS is the resource server. The SPA is a
>>> fully browser based application.
>>> To verify the authenticity of the user the SPA uses the access-token it
>>> obtained, that's why the SPA needs to call the introspection endpoint.
>>>
>>
>> From what you have explained. To me IS is the authorization server. SPA
>> is the OAuth2/OIDC client. Since the SPA will receive the id_token which is
>> signed by IS. We should use that to verify the authenticity of the user.
>> Moreover user details in an introspection call is optional so we can't
>> rely on it to authenticate the user whereas id_token is tailored for user
>> authentication and guaranteed to contain the identifier of the user as
>> 'sub' claim.
>>
>
> Yep we can use the id_token (expiry timestamp that is specified
> in the id_token) to verify the authenticity.
> My only concern here is what if manual revocation of the access_token took
> place. The SPA will not know it until the expiry-time specified in the
> id_token.
>

How about doing the id_token call always?
I mean send the id_token request to the IS whenever user does an
authenticate request. If the user is authenticated already you will get the
id_token if not user will be prompted to authenticate (A small challenge
here is the consent. That is skippable too). If the token is not valid user
will be prompted to 

Re: [Dev] Observing Missing Timestamp exception when doing creation via rest client

2017-11-14 Thread Piriya Sivalingam
Hi all,

I am also facing the same error. The only difference is I am using a Proxy
service in ESB 5.0.0 whereas Thivya mentioned it for API.

Can you please suggest how to overcome this issue?

Thanks,
Piriya

On Wed, Nov 15, 2017 at 10:35 AM, Thivya Mahenthirarasa 
wrote:

> Hi Mushtaq/Irham,
>
> I have enabled the wire logs,
>
> The request which comes to ESB is as follows, which could able to produce
> the actual creation in the backend.
>
> 
> http://schemas.xmlsoap.org/soap/envelope/
> ">
>
>   http://ws.apache.org/ns/synapse; />
>
>
>
>   http://service.sample.central.com;>
>  
> http://dto.service.
> sample.central.com/xsd">
>?
>?
>?
> 
> http://dto.service.
> sample.central.com/xsd">
>?
>?
> 
> http://dto.service.
> sample.central.com/xsd">
>?
>?
>?
> 
> http://dto.service.
> sample.central.com/xsd">
>?
>?
>?
> 
> http://dto.service.
> sample.central.com/xsd">?
> http://dto.service.
> sample.central.com/xsd">105665
> http://dto.service.
> sample.central.com/xsd">
>?
>?
>?
> 
>  
>   
>
> 
>
>
>
> The request which goes from the ESB is as follows, due to which Backend is
> producing the mentioned timestamp error.
>
> 
> http://schemas.xmlsoap.org/soap/envelope/
> ">
>
>   http://ws.apache.org/ns/synapse; />
>  *  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
> "
> />*
>
>
>
>   http://service.sample.central.com;>
>  
> http://dto.service.
> sample.central.com/xsd">
>?
>?
>?
> 
> http://dto.service.
> sample.central.com/xsd">
>?
>?
> 
> http://dto.service.
> sample.central.com/xsd">
>?
>?
>?
> 
> http://dto.service.
> sample.central.com/xsd">
>?
>?
>?
> 
> http://dto.service.
> sample.central.com/xsd">?
> http://dto.service.
> sample.central.com/xsd">105665
> http://dto.service.
> sample.central.com/xsd">
>?
>?
>?
> 
>  
>   
>
> 
>
> The response is as follows.
>
> 
> http://schemas.xmlsoap.org/soap/envelope/
> ">
>
>   http://docs.oasis-
> open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> soapenv:mustUnderstand="1">
>  http://docs.oasis-
> open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="Timestamp-5318">
> 2017-11-15T04:45:28.638Z
> 2017-11-15T04:50:28.638Z
>  
>   
>
>
>   http://docs.oasis-
> open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>  wsse:InvalidSecurity
>  Missing Timestamp
>  
>   
>
> 
>
> What is the root cause for *wsse:Security* got added in the Soap Header.
> And how can I overcome this issue.
>
> Thank you for the responses.
>
> Regards,
> Thivya
>
>
>
>
>
> On Wed, Nov 15, 2017 at 5:54 AM, Mushthaq Rumy  wrote:
>
>> Hi Thivya,
>>
>> As Irham has suggested better to enable wire logs and check.
>> Furthermore, seems like it is checking for a time stamp in the header tag.
>>
>> Thanks & Regards,
>> Mushthaq
>>
>> On Wed, Nov 15, 2017 at 5:21 AM, Irham Iqbal  wrote:
>>
>>> Hi Thuvya,
>>>
>>> You can enable the wire log and check the response headers and status
>>> code to narrow down this. follow the blog[1] to know about wire logs.
>>>
>>> [1] http://mytecheye.blogspot.com/2013/09/wso2-esb-all-about
>>> -wire-logs.html
>>>
>>> Thanks,
>>> Iqbal
>>>
>>> On Tue, Nov 14, 2017 at 8:10 PM, Thivya Mahenthirarasa 
>>> wrote:
>>>
 Hi Dev,

 When I invoke POST method to create resource in a legacy (SOAP) backend.
 (Back end is secured) in my API of a WUM updated ESB500 pack from a rest
 client, I'm observing exception as follows from the Backend soap service.
 The Other Methods (DELETE/GET) are working fine.


 wsse:InvalidSecurity
  Missing Timestamp


 The resource of the API

 
   
  >>> type="STRING"/>
  >>> type="STRING"/>
  >>> value="urn:postCMedi"/>
  
 
http://schemas.
 xmlsoap.org/soap/envelope/">
   
  
 

Re: [Dev] [IS] [OAuth] Validating and renewing an access token with one call.

2017-11-14 Thread Thilina Madumal
On Wed, Nov 15, 2017 at 9:42 AM, Farasath Ahamed  wrote:

>
>
>
> On Wed, Nov 15, 2017 at 9:03 AM, Thilina Madumal 
> wrote:
>
>> Hi Farazath,
>>
>> Thanks for the reply. Please see the inline comments.
>>
>> On Tue, Nov 14, 2017 at 11:10 PM, Farasath Ahamed 
>> wrote:
>>
>>>
>>>
>>> On Tuesday, November 14, 2017, Thilina Madumal 
>>> wrote:
>>>
 Hi Devs,

 I'm working on implementing an SPA that uses OAuth access-token in
 securing resource access.
 In the documentation [1] I found that to validate the access token that
 I already have obtained, the introspection endpoint can be used.

 My question is, is there a way where I can send both the access token
 and the refresh token, then IS will validate the access token, and if the
 access token is expired IS will issue a new access token for the given
 refresh token.

 I understand that the above use-case can be achieved by 2 requests to
 the IS. But I'm curious to know whether there is a way to achieve this
 by a single request.

>>>
>>> Introspection Endpoint is basically an endpoint used to validate and
>>> gather metadata about the access token.
>>>
>>> Usually this will be used by a resource server to validate an access
>>> token presented by an oauth client. Resource server will introspect the
>>> token to get metadata and authorize access.
>>>
>>> Meanwhile, a refresh token flow is between the oauth client and
>>> authorization server.
>>>
>>> So the requirement you have presented does not fit into the
>>> introspection call/endpoint. ie. Introspection and token refresh in one
>>> call simply because there are two completely different flows.
>>>
>>
>> In end-user perspective this would be a nice to have feature unless it is
>> not a spec violation.
>> On the other hand it does not need to be the introspection endpoint, it can
>> be some custom endpoint where it takes the access-token and refresh-token
>> and has the following behavior;
>>
>>- if the access-token is still valid return the same access-token
>>and refresh-token.
>>- if access-token is expired exchange the refresh-token for a new
>>access-token, and return the new access-token and a new refresh-token.
>>
>> Okay in that case we can go for a custom grant type. Grant type will
> accept an access token and a refresh token and have the behaviour you have
> described. Anyways if the requirement is to make sure we have an active
> token all the time why not simply refresh the token :)
>

Is it a recommended approach? I mean refreshing the access-token
frequently. Just asking for the curiosity :)


>
>
>
>> Anyhow need to consider the practicality of the use-case furthermore.
>>
>>
>>>
>>> In your use case why does the SPA have to do the introspection call?
>>> Shouldn't it be the resource server consumed by SPA that needs to do the
>>> introspection call.
>>>
>>
>> In this particular use-case the IS is the resource server. The SPA is a
>> fully browser based application.
>> To verify the authenticity of the user the SPA uses the access-token it
>> obtained, that's why the SPA needs to call the introspection endpoint.
>>
>
> From what you have explained. To me IS is the authorization server. SPA is
> the OAuth2/OIDC client. Since the SPA will receive the id_token which is
> signed by IS. We should use that to verify the authenticity of the user.
> Moreover user details in an introspection call is optional so we can't
> rely on it to authenticate the user whereas id_token is tailored for user
> authentication and guaranteed to contain the identifier of the user as
> 'sub' claim.
>

Yep we can use the id_token (expiry timestamp that is specified in
the id_token) to verify the authenticity.
My only concern here is what if manual revocation of the access_token took
place. The SPA will not know it until the expiry-time specified in the
id_token.


>
>>
>>
>>>
>>> If the resource server throws an error due to an invalid access token
>>> then the SPA can do the refresh call and get a new token.
>>>

 [1] https://docs.wso2.com/display/IS530/Invoke+the+OAuth+Int
 rospection+Endpoint

 Best,
 Thilina
 --
 *Thilina Madumal*
 *Software Engineer | **WSO2*
 Email: thilina...@wso2.com
 Mobile: *+ <+94%2077%20767%201807>94 774553167*
 Web:  http://wso2.com

 


>>>
>>> --
>>> Farasath Ahamed
>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>> Mobile: +94777603866
>>> Blog: blog.farazath.com
>>> Twitter: @farazath619 
>>> 
>>>
>>>
>>>
>>>
>>
>>
>> --
>> *Thilina Madumal*
>> *Software Engineer | **WSO2*
>> Email: thilina...@wso2.com
>> Mobile: *+ <+94%2077%20767%201807>94 774553167*
>> Web:  http://wso2.com
>>
>> 

Re: [Dev] Observing Missing Timestamp exception when doing creation via rest client

2017-11-14 Thread Thivya Mahenthirarasa
Hi Mushtaq/Irham,

I have enabled the wire logs,

The request which comes to ESB is as follows, which could able to produce
the actual creation in the backend.


http://schemas.xmlsoap.org/soap/envelope/;>
   
  http://ws.apache.org/ns/synapse; />
   
   
  http://service.sample.central.com;>
 
http://dto.service.sample.central.com/xsd;>
   ?
   ?
   ?

http://dto.service.sample.central.com/xsd;>
   ?
   ?

http://dto.service.sample.central.com/xsd;>
   ?
   ?
   ?

http://dto.service.sample.central.com/xsd;>
   ?
   ?
   ?

http://dto.service.sample.central.com/xsd;>?
http://dto.service.sample.central.com/xsd;>105665
http://dto.service.sample.central.com/xsd;>
   ?
   ?
   ?

 
  
   




The request which goes from the ESB is as follows, due to which Backend is
producing the mentioned timestamp error.


http://schemas.xmlsoap.org/soap/envelope/;>
   
  http://ws.apache.org/ns/synapse; />
 * http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
"
/>*
   
   
  http://service.sample.central.com;>
 
http://dto.service.sample.central.com/xsd;>
   ?
   ?
   ?

http://dto.service.sample.central.com/xsd;>
   ?
   ?

http://dto.service.sample.central.com/xsd;>
   ?
   ?
   ?

http://dto.service.sample.central.com/xsd;>
   ?
   ?
   ?

http://dto.service.sample.central.com/xsd;>?
http://dto.service.sample.central.com/xsd;>105665
http://dto.service.sample.central.com/xsd;>
   ?
   ?
   ?

 
  
   


The response is as follows.


http://schemas.xmlsoap.org/soap/envelope/;>
   
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd;
soapenv:mustUnderstand="1">
 http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd;
wsu:Id="Timestamp-5318">
2017-11-15T04:45:28.638Z
2017-11-15T04:50:28.638Z
 
  
   
   
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
">
 wsse:InvalidSecurity
 Missing Timestamp
 
  
   


What is the root cause for *wsse:Security* got added in the Soap Header.
And how can I overcome this issue.

Thank you for the responses.

Regards,
Thivya





On Wed, Nov 15, 2017 at 5:54 AM, Mushthaq Rumy  wrote:

> Hi Thivya,
>
> As Irham has suggested better to enable wire logs and check. Furthermore,
> seems like it is checking for a time stamp in the header tag.
>
> Thanks & Regards,
> Mushthaq
>
> On Wed, Nov 15, 2017 at 5:21 AM, Irham Iqbal  wrote:
>
>> Hi Thuvya,
>>
>> You can enable the wire log and check the response headers and status
>> code to narrow down this. follow the blog[1] to know about wire logs.
>>
>> [1] http://mytecheye.blogspot.com/2013/09/wso2-esb-all-about
>> -wire-logs.html
>>
>> Thanks,
>> Iqbal
>>
>> On Tue, Nov 14, 2017 at 8:10 PM, Thivya Mahenthirarasa 
>> wrote:
>>
>>> Hi Dev,
>>>
>>> When I invoke POST method to create resource in a legacy (SOAP) backend.
>>> (Back end is secured) in my API of a WUM updated ESB500 pack from a rest
>>> client, I'm observing exception as follows from the Backend soap service.
>>> The Other Methods (DELETE/GET) are working fine.
>>>
>>>
>>> wsse:InvalidSecurity
>>>  Missing Timestamp
>>>
>>>
>>> The resource of the API
>>>
>>> 
>>>   
>>>  >> type="STRING"/>
>>>  >> type="STRING"/>
>>>  >> value="urn:postCMedi"/>
>>>  
>>> 
>>>http://schemas.
>>> xmlsoap.org/soap/envelope/">
>>>   
>>>  
>>>   
>>>   
>>>  http://service.samp
>>> le.central.com">
>>> 
>>>http://dto.service.
>>> sample.central.com/xsd">
>>>   ?
>>>   ?
>>>   ?
>>>
>>>http://dto.service.
>>> sample.central.com/xsd">
>>>   ?
>>>   ?
>>>
>>>http://dto.service.sample.central.com/xsd;>
>>>   ?
>>> 

Re: [Dev] [C5] Supporting transports in server mode

2017-11-14 Thread Shafreen Anfar
Hi All,

It was decided to make transports just a library and let the interested
parties convert it into something OSGI compatible.

[adding Sameera]

On Wed, Nov 15, 2017 at 9:41 AM, Niranjan Karunanandham 
wrote:

> [adding Danesh]
>
> On Tue, Nov 14, 2017 at 4:53 PM, Niranjan Karunanandham  > wrote:
>
>> [Adding Azeez]
>> Hi all,
>>
>> In previous transport, as I remember we had a transport manager which was
>> used for OSGi mode. Has this been removed? IMO we need to have both support
>> for standalone and OSGi mode in carbon transports.
>>
>> Regards,
>> Nira
>>
>> On Tue, Nov 14, 2017 at 4:13 PM, Asanka Abeyweera 
>> wrote:
>>
>>> Hi all,
>>>
>>> It seems the carbon transports feature is no longer supported from the
>>> kernel version 5.2.0 onwards. The class CarbonTransport is no longer there
>>> in the kernel repo.
>>>
>>> 1. What is our approach to managing transports (start,
>>> stop, beginMaintenance, endMaintenance) in server mode?
>>> 2. If someone wants to write a transport for C5 will it be similar to
>>> writing a general component? Is there a guideline or a document that I can
>>> follow when writing transports for C5 server mode.
>>>
>>> I also created a PR [1] removing the docs related to carbon transports
>>> from the kernel.
>>>
>>> [1] https://github.com/wso2/carbon-kernel/pull/1609
>>>
>>> --
>>> Asanka Abeyweera
>>> Associate Technical Lead
>>> WSO2 Inc.
>>>
>>> Phone: +94 712228648 <+94%2071%20222%208648>
>>> Blog: a5anka.github.io
>>>
>>> 
>>>
>>
>>
>>
>> --
>>
>>
>> *Niranjan Karunanandham*
>> Associate Technical Lead - WSO2 Inc.
>> WSO2 Inc.: http://www.wso2.com
>>
>>
>
>
> --
>
>
> *Niranjan Karunanandham*
> Associate Technical Lead - WSO2 Inc.
> WSO2 Inc.: http://www.wso2.com
>
>


-- 
Regards,
*Shafreen*
Software Engineer
WSO2 Inc
Mobile : 077-556-395-1


Re: [Dev] [IS] [OAuth] Validating and renewing an access token with one call.

2017-11-14 Thread Farasath Ahamed
On Wed, Nov 15, 2017 at 9:03 AM, Thilina Madumal 
wrote:

> Hi Farazath,
>
> Thanks for the reply. Please see the inline comments.
>
> On Tue, Nov 14, 2017 at 11:10 PM, Farasath Ahamed 
> wrote:
>
>>
>>
>> On Tuesday, November 14, 2017, Thilina Madumal 
>> wrote:
>>
>>> Hi Devs,
>>>
>>> I'm working on implementing an SPA that uses OAuth access-token in securing
>>> resource access.
>>> In the documentation [1] I found that to validate the access token that
>>> I already have obtained, the introspection endpoint can be used.
>>>
>>> My question is, is there a way where I can send both the access token
>>> and the refresh token, then IS will validate the access token, and if the
>>> access token is expired IS will issue a new access token for the given
>>> refresh token.
>>>
>>> I understand that the above use-case can be achieved by 2 requests to
>>> the IS. But I'm curious to know whether there is a way to achieve this
>>> by a single request.
>>>
>>
>> Introspection Endpoint is basically an endpoint used to validate and
>> gather metadata about the access token.
>>
>> Usually this will be used by a resource server to validate an access
>> token presented by an oauth client. Resource server will introspect the
>> token to get metadata and authorize access.
>>
>> Meanwhile, a refresh token flow is between the oauth client and
>> authorization server.
>>
>> So the requirement you have presented does not fit into the introspection
>> call/endpoint. ie. Introspection and token refresh in one call simply
>> because there are two completely different flows.
>>
>
> In end-user perspective this would be a nice to have feature unless it is
> not a spec violation.
> On the other hand it does not need to be the introspection endpoint, it can
> be some custom endpoint where it takes the access-token and refresh-token
> and has the following behavior;
>
>- if the access-token is still valid return the same access-token and
>refresh-token.
>- if access-token is expired exchange the refresh-token for a new
>access-token, and return the new access-token and a new refresh-token.
>
> Okay in that case we can go for a custom grant type. Grant type will
accept an access token and a refresh token and have the behaviour you have
described. Anyways if the requirement is to make sure we have an active
token all the time why not simply refresh the token :)



> Anyhow need to consider the practicality of the use-case furthermore.
>
>
>>
>> In your use case why does the SPA have to do the introspection call?
>> Shouldn't it be the resource server consumed by SPA that needs to do the
>> introspection call?
>>
>
> In this particular use-case the IS is the resource server. The SPA is a
> fully browser based application.
> To verify the authenticity of the user the SPA uses the access-token it
> obtained, that's why the SPA needs to call the introspection endpoint.
>

From what you have explained, to me IS is the authorization server. SPA is
the OAuth2/OIDC client. Since the SPA will receive the id_token, which is
signed by IS, we should use that to verify the authenticity of the user.
Moreover, user details in an introspection call are optional, so we can't
rely on it to authenticate the user, whereas id_token is tailored for user
authentication and guaranteed to contain the identifier of the user as
'sub' claim.

>
>
>
>>
>> If the resource server throws an error due to an invalid access token
>> then the SPA can do the refresh call and get a new token.
>>
>>>
>>> [1] https://docs.wso2.com/display/IS530/Invoke+the+OAuth+Int
>>> rospection+Endpoint
>>>
>>> Best,
>>> Thilina
>>> --
>>> *Thilina Madumal*
>>> *Software Engineer | **WSO2*
>>> Email: thilina...@wso2.com
>>> Mobile: *+ <+94%2077%20767%201807>94 774553167*
>>> Web:  http://wso2.com
>>>
>>> 
>>>
>>>
>>
>> --
>> Farasath Ahamed
>> Software Engineer, WSO2 Inc.; http://wso2.com
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619 
>> 
>>
>>
>>
>>
>
>
> --
> *Thilina Madumal*
> *Software Engineer | **WSO2*
> Email: thilina...@wso2.com
> Mobile: *+ <+94%2077%20767%201807>94 774553167*
> Web:  http://wso2.com
>
> 
>
>
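The check recommended in the reply above (authenticate the user from the signed id_token and its 'sub' claim instead of from an introspection response), as an added example that is not part of the original thread or WSO2 code. The issuer URL, client id, key pairs and claim values are constructed for the demonstration, and nonce checking is not covered.

```javascript
const { generateKeyPairSync, createSign, createVerify } = require('node:crypto');

const b64url = (input) => Buffer.from(input).toString('base64url');
const fromB64url = (text) => Buffer.from(text, 'base64url');

// Test-only issuer: stands in for the authorization server signing an id_token.
function signIdToken(claims, privateKey) {
  const header = { alg: 'RS256', typ: 'JWT' };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const signature = createSign('RSA-SHA256').update(signingInput).sign(privateKey);
  return `${signingInput}.${b64url(signature)}`;
}

// Client-side validation: signature first, then issuer, audience, expiry, sub.
function verifyIdToken(idToken, { publicKey, issuer, clientId, nowSeconds }) {
  const parts = String(idToken).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header;
  let claims;
  try {
    header = JSON.parse(fromB64url(parts[0]).toString('utf8'));
    claims = JSON.parse(fromB64url(parts[1]).toString('utf8'));
  } catch (err) {
    return { ok: false, reason: 'malformed' };
  }
  if (!header || !claims) return { ok: false, reason: 'malformed' };

  // Pin the algorithm the client expects; never let the token choose it.
  if (header.alg !== 'RS256') return { ok: false, reason: 'unexpected_alg' };

  const signatureValid = createVerify('RSA-SHA256')
    .update(`${parts[0]}.${parts[1]}`)
    .verify(publicKey, fromB64url(parts[2]));
  if (!signatureValid) return { ok: false, reason: 'bad_signature' };

  if (claims.iss !== issuer) return { ok: false, reason: 'wrong_issuer' };
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!audiences.includes(clientId)) return { ok: false, reason: 'wrong_audience' };
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    return { ok: false, reason: 'expired' };
  }
  if (typeof claims.sub !== 'string' || claims.sub === '') {
    return { ok: false, reason: 'missing_sub' };
  }
  return { ok: true, sub: claims.sub };
}

// Runs the validator over one genuine token and five constructed bad ones.
function runIdTokenChecks() {
  const issuerKeys = generateKeyPairSync('rsa', { modulusLength: 2048 });
  const otherKeys = generateKeyPairSync('rsa', { modulusLength: 2048 });
  const claims = {
    iss: 'https://is.example.test/oauth2/token', // constructed issuer
    aud: 'spa-client',                           // constructed client id
    sub: 'alice',
    iat: 0,
    exp: 1000,
  };
  const expected = {
    publicKey: issuerKeys.publicKey,
    issuer: claims.iss,
    clientId: 'spa-client',
    nowSeconds: 500,
  };

  const genuine = signIdToken(claims, issuerKeys.privateKey);
  const [head, , sig] = genuine.split('.');
  const tampered = `${head}.${b64url(JSON.stringify({ ...claims, sub: 'admin' }))}.${sig}`;
  const wrongKey = signIdToken(claims, otherKeys.privateKey);
  const unsigned = `${b64url(JSON.stringify({ alg: 'none' }))}.${b64url(JSON.stringify(claims))}.`;
  const otherAudience = signIdToken({ ...claims, aud: 'other-client' }, issuerKeys.privateKey);

  return {
    genuine: verifyIdToken(genuine, expected),
    tampered: verifyIdToken(tampered, expected),
    wrongKey: verifyIdToken(wrongKey, expected),
    unsigned: verifyIdToken(unsigned, expected),
    otherAudience: verifyIdToken(otherAudience, expected),
    expired: verifyIdToken(genuine, { ...expected, nowSeconds: 2000 }),
  };
}
```

In a deployment the public key comes from the authorization server's published signing certificate or JWKS, not from a key generated next to the verifier.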


Re: [Dev] [C5] Supporting transports in server mode

2017-11-14 Thread Niranjan Karunanandham
[adding Danesh]

On Tue, Nov 14, 2017 at 4:53 PM, Niranjan Karunanandham 
wrote:

> [Adding Azeez]
> Hi all,
>
> In the previous transport, as I remember, we had a transport manager which was
> used for OSGi mode. Has this been removed? IMO we need to have support
> for both standalone and OSGi mode in carbon transports.
>
> Regards,
> Nira
>
> On Tue, Nov 14, 2017 at 4:13 PM, Asanka Abeyweera 
> wrote:
>
>> Hi all,
>>
>> It seems the carbon transports feature is no longer supported from the
>> kernel version 5.2.0 onwards. The class CarbonTransport is no longer there
>> in the kernel repo.
>>
>> 1. What is our approach to managing transports (start,
>> stop, beginMaintenance, endMaintenance) in server mode?
>> 2. If someone wants to write a transport for C5 will it be similar to
>> writing a general component? Is there a guideline or a document that I can
>> follow when writing transports for C5 server mode.
>>
>> I also created a PR [1] removing the docs related to carbon transports
>> from the kernel.
>>
>> [1] https://github.com/wso2/carbon-kernel/pull/1609
>>
>> --
>> Asanka Abeyweera
>> Associate Technical Lead
>> WSO2 Inc.
>>
>> Phone: +94 712228648 <+94%2071%20222%208648>
>> Blog: a5anka.github.io
>>
>> 
>>
>
>
>
> --
>
>
> *Niranjan Karunanandham*
> Associate Technical Lead - WSO2 Inc.
> WSO2 Inc.: http://www.wso2.com
>
>


-- 


*Niranjan Karunanandham*
Associate Technical Lead - WSO2 Inc.
WSO2 Inc.: http://www.wso2.com


Re: [Dev] [IS] [OAuth] Validating and renewing an access token with one call.

2017-11-14 Thread Thilina Madumal
On Wed, Nov 15, 2017 at 9:03 AM, Thilina Madumal 
wrote:

> Hi Farazath,
>
> Thanks for the reply. Please see the inline comments.
>
> On Tue, Nov 14, 2017 at 11:10 PM, Farasath Ahamed 
> wrote:
>
>>
>>
>> On Tuesday, November 14, 2017, Thilina Madumal 
>> wrote:
>>
>>> Hi Devs,
>>>
>>> I'm working on implementing an SPA that uses OAuth access-token in securing
>>> resource access.
>>> In the documentation [1] I found that to validate the access token that
>>> I already have obtained, the introspection endpoint can be used.
>>>
>>> My question is, is there a way where I can send both the access token
>>> and the refresh token, then IS will validate the access token, and if the
>>> access token is expired IS will issue a new access token for the given
>>> refresh token.
>>>
>>> I understand that the above use-case can be achieved by 2 requests to
>>> the IS. But I'm curious to know whether there is a way to achieve this
>>> by a single request.
>>>
>>
>> Introspection Endpoint is basically an endpoint used to validate
>> and gather metadata about the access token.
>>
>> Usually this will be used by a resource server to validate an access
>> token presented by an oauth client. Resource server will introspect the
>> token to get metadata and authorize access.
>>
>> Meanwhile, a refresh token flow is between the oauth client and
>> authorization server.
>>
>> So the requirement you have presented does not fit into the introspection
>> call/endpoint. i.e. Introspection and token refresh in one call simply
>> because there are two completely different flows.
>>
>
> From an end-user perspective this would be a nice-to-have feature unless it is
> not a spec violation.
> On the other hand, it does not need to be the introspection endpoint; it can
> be some custom endpoint where it takes the access-token and refresh-token
> and has the following behavior:
>
>    - if the access-token is still valid, return the same access-token and
>    refresh-token.
>    - if the access-token is expired, exchange the refresh-token for a new
>    access-token, and return the new access-token and a new refresh-token.
>
> Anyhow need to consider the practicality of the use-case furthermore.
>
>
>>
>> In your use case why does the SPA have to do the introspection call?
>> Shouldn't it be the resource server consumed by SPA that needs to do the
>> introspection call?
>>
>
> In this particular use-case the IS is the resource server. The SPA is a
> fully browser based application.
> To verify the authenticity of the user the SPA uses the access-token it
> obtained, that's why the SPA needs to call the introspection endpoint.
>

Not the SPA; it is the oauth-client that does the introspection call on
behalf of the SPA.


>
>
>>
>> If the resource server throws an error due to an invalid access token
>> then the SPA can do the refresh call and get a new token.
>>
>>>
>>> [1] https://docs.wso2.com/display/IS530/Invoke+the+OAuth+Int
>>> rospection+Endpoint
>>>
>>> Best,
>>> Thilina
>>> --
>>> *Thilina Madumal*
>>> *Software Engineer | **WSO2*
>>> Email: thilina...@wso2.com
>>> Mobile: *+ <+94%2077%20767%201807>94 774553167*
>>> Web:  http://wso2.com
>>>
>>> 
>>>
>>>
>>
>> --
>> Farasath Ahamed
>> Software Engineer, WSO2 Inc.; http://wso2.com
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619 
>> 
>>
>>
>>
>>
>
>
> --
> *Thilina Madumal*
> *Software Engineer | **WSO2*
> Email: thilina...@wso2.com
> Mobile: *+ <+94%2077%20767%201807>94 774553167*
> Web:  http://wso2.com
>
> 
>
>


-- 
*Thilina Madumal*
*Software Engineer | **WSO2*
Email: thilina...@wso2.com
Mobile: *+ <+94%2077%20767%201807>94 774553167*
Web:  http://wso2.com




Re: [Dev] [IS] [OAuth] Validating and renewing an access token with one call.

2017-11-14 Thread Thilina Madumal
Hi Farazath,

Thanks for the reply. Please see the inline comments.

On Tue, Nov 14, 2017 at 11:10 PM, Farasath Ahamed 
wrote:

>
>
> On Tuesday, November 14, 2017, Thilina Madumal 
> wrote:
>
>> Hi Devs,
>>
>> I'm working on implementing an SPA that uses OAuth access-token in securing
>> resource access.
>> In the documentation [1] I found that to validate the access token that I
>> already have obtained, the introspection endpoint can be used.
>>
>> My question is, is there a way where I can send both the access token
>> and the refresh token, then IS will validate the access token, and if the
>> access token is expired IS will issue a new access token for the given
>> refresh token.
>>
>> I understand that the above use-case can be achieved by 2 requests to the
>> IS. But I'm curious to know whether there is a way to achieve this by a
>> single request.
>>
>
> Introspection Endpoint is basically an endpoint used to validate
> and gather metadata about the access token.
>
> Usually this will be used by a resource server to validate an access token
> presented by an oauth client. Resource server will introspect the token to
> get metadata and authorize access.
>
> Meanwhile, a refresh token flow is between the oauth client and
> authorization server.
>
> So the requirement you have presented does not fit into the introspection
> call/endpoint. i.e. Introspection and token refresh in one call simply
> because there are two completely different flows.
>

From an end-user perspective this would be a nice-to-have feature unless it is
not a spec violation.
On the other hand, it does not need to be the introspection endpoint; it can
be some custom endpoint where it takes the access-token and refresh-token
and has the following behavior:

   - if the access-token is still valid, return the same access-token and
   refresh-token.
   - if the access-token is expired, exchange the refresh-token for a new
   access-token, and return the new access-token and a new refresh-token.

Anyhow, need to consider the practicality of the use-case further.


>
> In your use case why does the SPA have to do the introspection call?
> Shouldn't it be the resource server consumed by SPA that needs to do the
> introspection call?
>

In this particular use-case the IS is the resource server. The SPA is a
fully browser based application.
To verify the authenticity of the user the SPA uses the access-token it
obtained, that's why the SPA needs to call the introspection endpoint.


>
> If the resource server throws an error due to an invalid access token then
> the SPA can do the refresh call and get a new token.
>
>>
>> [1] https://docs.wso2.com/display/IS530/Invoke+the+OAuth+
>> Introspection+Endpoint
>>
>> Best,
>> Thilina
>> --
>> *Thilina Madumal*
>> *Software Engineer | **WSO2*
>> Email: thilina...@wso2.com
>> Mobile: *+ <+94%2077%20767%201807>94 774553167*
>> Web:  http://wso2.com
>>
>> 
>>
>>
>
> --
> Farasath Ahamed
> Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 
> 
>
>
>
>


-- 
*Thilina Madumal*
*Software Engineer | **WSO2*
Email: thilina...@wso2.com
Mobile: *+ <+94%2077%20767%201807>94 774553167*
Web:  http://wso2.com




Re: [Dev] Observing Missing Timestamp exception when doing creation via rest client

2017-11-14 Thread Mushthaq Rumy
Hi Thivya,

As Irham has suggested, it is better to enable wire logs and check. Furthermore,
it seems like it is checking for a timestamp in the header tag.

Thanks & Regards,
Mushthaq

On Wed, Nov 15, 2017 at 5:21 AM, Irham Iqbal  wrote:

> Hi Thivya,
>
> You can enable the wire log and check the response headers and status code
> to narrow this down. Follow the blog [1] to know about wire logs.
>
> [1] http://mytecheye.blogspot.com/2013/09/wso2-esb-all-
> about-wire-logs.html
>
> Thanks,
> Iqbal
>
> On Tue, Nov 14, 2017 at 8:10 PM, Thivya Mahenthirarasa 
> wrote:
>
>> Hi Dev,
>>
>> When I invoke the POST method to create a resource in a legacy (SOAP) backend
>> (the back end is secured) in my API of a WUM-updated ESB500 pack from a REST
>> client, I'm observing an exception as follows from the backend SOAP service.
>> The other methods (DELETE/GET) are working fine.
>>
>>
>> wsse:InvalidSecurity
>>  Missing Timestamp
>>
>>
>> The resource of the API
>>
>> 
>>   
>>  > type="STRING"/>
>>  > type="STRING"/>
>>  > value="urn:postCMedi"/>
>>  
>> 
>>http://schemas.
>> xmlsoap.org/soap/envelope/">
>>   
>>  
>>   
>>   
>>  http://service.samp
>> le.central.com">
>> 
>>http://dto.service.
>> sample.central.com/xsd">
>>   ?
>>   ?
>>   ?
>>
>>http://dto.service.
>> sample.central.com/xsd">
>>   ?
>>   ?
>>
>>http://dto.service.sample.central.com/xsd;>
>>   ?
>>   ?
>>   ?
>>
>>http://dto.service.sample.central.com/xsd;>
>>   ?
>>   ?
>>   ?
>>
>>http://dto.service.sample.central.com/xsd;>?
>>http://dto.service.
>> sample.central.com/xsd">105665
>>http://dto.service.
>> sample.central.com/xsd">
>>   ?
>>   ?
>>   ?
>>
>> 
>>  
>>   
>>
>> 
>> 
>>  
>>  
>>  
>>  
>> 
>>https://192.168.55.160:94
>> 43/services/CentralPatientService" format="soap11"/>
>> 
>>  
>>   
>>   
>>  
>>  > scope="axis2" type="STRING"/>
>>  
>>   
>>
>>
>> WSDL location
>>
>> http://192.168.55.160:9763/services/CentralPatientService?wsdl
>> 
>>
>> Could you please help to resolve this?
>>
>>
>>
>> --
>>
>> *Thivya Mahenthirarasa*
>>
>> *Software Engineer -Support Team | WSO2*
>>
>>
>> *Email: thi...@wso2.com *
>>
>> *Mobile: +94766461966 <+94%2076%20646%201966> *
>> *Web: http://wso2.com *
>>
>>
>>
>
>
> --
> Irham Iqbal
> Software Engineer
> WSO2
> phone: +94 777888452
> 
>
>
>
>


-- 
Mushthaq Rumy
*Software Engineer*
Mobile : +94 (0) 779 492140 <%2B94%20%280%29%20773%20451194>
Email : musht...@wso2.com
WSO2, Inc.; http://wso2.com/
lean . enterprise . middleware.




Re: [Dev] Observing Missing Timestamp exception when doing creation via rest client

2017-11-14 Thread Irham Iqbal
Hi Thivya,

You can enable the wire log and check the response headers and status code
to narrow this down. Follow the blog [1] to know about wire logs.

[1] http://mytecheye.blogspot.com/2013/09/wso2-esb-all-about-wire-logs.html

Thanks,
Iqbal

On Tue, Nov 14, 2017 at 8:10 PM, Thivya Mahenthirarasa 
wrote:

> Hi Dev,
>
> When I invoke the POST method to create a resource in a legacy (SOAP) backend
> (the back end is secured) in my API of a WUM-updated ESB500 pack from a REST
> client, I'm observing an exception as follows from the backend SOAP service.
> The other methods (DELETE/GET) are working fine.
>
>
> wsse:InvalidSecurity
>  Missing Timestamp
>
>
> The resource of the API
>
> 
>   
>   type="STRING"/>
>   type="STRING"/>
>   value="urn:postCMedi"/>
>  
> 
>http://schemas.
> xmlsoap.org/soap/envelope/">
>   
>  
>   
>   
>  http://service.
> sample.central.com">
> 
>http://dto.service.
> sample.central.com/xsd">
>   ?
>   ?
>   ?
>
>http://dto.service.
> sample.central.com/xsd">
>   ?
>   ?
>
>http://dto.service.sample.central.com/xsd;>
>   ?
>   ?
>   ?
>
>http://dto.service.sample.central.com/xsd;>
>   ?
>   ?
>   ?
>
>http://dto.service.sample.central.com/xsd;>?
>http://dto.service.
> sample.central.com/xsd">105665
>http://dto.service.
> sample.central.com/xsd">
>   ?
>   ?
>   ?
>
> 
>  
>   
>
> 
> 
>  
>  
>  
>  
> 
>https://192.168.55.160:9443/services/
> CentralPatientService" format="soap11"/>
> 
>  
>   
>   
>  
>   scope="axis2" type="STRING"/>
>  
>   
>
>
> WSDL location
>
> http://192.168.55.160:9763/services/CentralPatientService?wsdl
> 
>
> Could you please help to resolve this?
>
>
>
> --
>
> *Thivya Mahenthirarasa*
>
> *Software Engineer -Support Team | WSO2*
>
>
> *Email: thi...@wso2.com *
>
> *Mobile: +94766461966 <+94%2076%20646%201966> *
> *Web: http://wso2.com *
>
>
>


-- 
Irham Iqbal
Software Engineer
WSO2
phone: +94 777888452



Re: [Dev] [IS] [OAuth] Validating and renewing an access token with one call.

2017-11-14 Thread Farasath Ahamed
On Tuesday, November 14, 2017, Thilina Madumal  wrote:

> Hi Devs,
>
> I'm working on implementing an SPA that uses OAuth access-token in securing
> resource access.
> In the documentation [1] I found that to validate the access token that I
> already have obtained, the introspection endpoint can be used.
>
> My question is, is there a way where I can send both the access token and
> the refresh token, then IS will validate the access token, and if the
> access token is expired IS will issue a new access token for the given
> refresh token.
>
> I understand that the above use-case can be achieved by 2 requests to the
> IS. But I'm curious to know whether there is a way to achieve this by a
> single request.
>

Introspection Endpoint is basically an endpoint used to validate and
gather metadata about the access token.

Usually this will be used by a resource server to validate an access token
presented by an oauth client. Resource server will introspect the token to
get metadata and authorize access.

Meanwhile, a refresh token flow is between the oauth client and
authorization server.

So the requirement you have presented does not fit into the introspection
call/endpoint. i.e. Introspection and token refresh in one call simply
because there are two completely different flows.

In your use case why does the SPA have to do the introspection call?
Shouldn't it be the resource server consumed by SPA that needs to do the
introspection call?

If the resource server throws an error due to an invalid access token then
the SPA can do the refresh call and get a new token.

>
> [1] https://docs.wso2.com/display/IS530/Invoke+the+
> OAuth+Introspection+Endpoint
>
> Best,
> Thilina
> --
> *Thilina Madumal*
> *Software Engineer | **WSO2*
> Email: thilina...@wso2.com
> 
> Mobile: *+ <+94%2077%20767%201807>94 774553167*
> Web:  http://wso2.com
>
> 
>
>

-- 
Farasath Ahamed
Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619 
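
The flow this reply describes (the resource server introspects the presented token, and the OAuth client calls the refresh grant only after an invalid-token error), as an added example that is not part of the original thread or WSO2 code. The three roles are modelled in-process; the token values, the 300-second lifetime, the "read" scope and single-use refresh tokens are assumptions.

```javascript
// Authorization server role (the role IS plays). `clock` is a shared fake
// clock in seconds so that expiry is deterministic.
function createAuthServer(clock) {
  const accessTokens = new Map();   // token -> { sub, scope, exp }
  const refreshTokens = new Map();  // token -> { sub, scope }
  const ACCESS_TTL = 300;           // assumed lifetime
  let serial = 0;

  function issue(sub, scope) {
    serial += 1;
    const access_token = `at-${serial}`;
    const refresh_token = `rt-${serial}`;
    accessTokens.set(access_token, { sub, scope, exp: clock.now + ACCESS_TTL });
    refreshTokens.set(refresh_token, { sub, scope });
    return { access_token, refresh_token, expires_in: ACCESS_TTL };
  }

  return {
    issue,
    // Token endpoint, grant_type=refresh_token: called by the OAuth client.
    refresh(refreshToken) {
      const grant = refreshTokens.get(refreshToken);
      if (!grant) return { error: 'invalid_grant' };
      refreshTokens.delete(refreshToken); // assumption: refresh tokens are single use
      return issue(grant.sub, grant.scope);
    },
    // Introspection endpoint: called by the resource server, not the client.
    introspect(token) {
      const meta = accessTokens.get(token);
      if (!meta || meta.exp <= clock.now) return { active: false };
      return { active: true, scope: meta.scope, exp: meta.exp };
    },
    revokeAllRefreshTokens() { refreshTokens.clear(); },
  };
}

// Resource server role: validates every bearer token by introspection.
function createResourceServer(authServer) {
  return {
    handle(request) {
      const header = (request.headers && request.headers.Authorization) || '';
      const token = header.startsWith('Bearer ') ? header.slice('Bearer '.length) : '';
      const meta = authServer.introspect(token);
      if (!meta.active) return { status: 401, error: 'invalid_token' };
      if (!meta.scope.split(' ').includes('read')) {
        return { status: 403, error: 'insufficient_scope' };
      }
      return { status: 200, body: 'protected data' };
    },
  };
}

// OAuth client role: uses the access token as-is, refreshes only on 401.
function createClient(authServer, resourceServer, initialTokens) {
  let tokens = initialTokens;
  let refreshCalls = 0;
  const callApi = () =>
    resourceServer.handle({ headers: { Authorization: `Bearer ${tokens.access_token}` } });

  return {
    stats: () => ({ refreshCalls, accessToken: tokens.access_token }),
    getResource() {
      const first = callApi();
      if (first.status !== 401) return first;   // 200, or 403 which a refresh cannot fix
      refreshCalls += 1;
      const renewed = authServer.refresh(tokens.refresh_token);
      if (renewed.error) return { status: 401, error: 'login_required' };
      tokens = renewed;
      return callApi();                         // retry exactly once
    },
  };
}

function runScenario() {
  const clock = { now: 0 };
  const authz = createAuthServer(clock);
  const api = createResourceServer(authz);
  const first = authz.issue('alice', 'read');
  const client = createClient(authz, api, first);

  const fresh = client.getResource();             // valid token: a single request
  const refreshesWhileValid = client.stats().refreshCalls;

  clock.now += 301;                               // access token expires
  const afterExpiry = client.getResource();       // 401, refresh, retry
  const rotated = client.stats();

  const replay = authz.refresh(first.refresh_token); // old refresh token no longer works

  authz.revokeAllRefreshTokens();
  clock.now += 301;
  const afterRevocation = client.getResource();   // refresh fails: user must log in again

  return { fresh, refreshesWhileValid, afterExpiry, rotated, replay, afterRevocation };
}
```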



Re: [Dev] Issues with API Monetization in WSO2 APIM 2.1.0

2017-11-14 Thread Rukshan Premathunga
Hi Jorge,

We have updated the billing engine for AM 2.1.0. Please get the latest
billing engine/workflow extension from here [1] and do the test again.

> Another question, my scenario works when the user exists inside the billing
> DB, but when the user does not exist I get redirected to the billing
> system, I can register my user and I get redirected again to the apim store,
> but I don't see the completed method called asynchronous


Can you raise a git issue? We will check and do the needful.


[1] https://github.com/ruks/wso2-am-billing-engine/releases/tag/am-2.1.0

Thanks and Regards

On Tue, Nov 14, 2017 at 8:47 PM, Jorge  wrote:

> Hi Rukshan, thanks for the answer.
>
> I tried before with that repo and it worked fine with this maven dependency:
> <dependency>
> <groupId>org.wso2.carbon.apimgt</groupId>
> <artifactId>org.wso2.carbon.apimgt.impl</artifactId>
> <version>6.0.4</version>
> </dependency>
>
> Still, problem 2 remains with the jaggery files:
> In jaggery I see this call:
> result = store.resumeWorkflow(workflowReference, status, description);
>
> but in org.wso2.carbon.apimgt.hostobjects jar I have this method:
>   public static NativeObject jsFunction_resumeWorkflow(Context cx,
> Scriptable thisObj, Object[] args, Function funObj)
> throws ScriptException, WorkflowException
>
>
>
>
> Another question, my scenario works when the user exists inside the billing
> DB, but when the user does not exist I get redirected to the billing
> system, I can register my user and I get redirected again to the apim
> store, but I don't see the completed method called asynchronous
>
>
> Regards,
> Jorge
>
> 2017-11-13 22:08 GMT-05:00 Rukshan Premathunga :
>
>> Hi Jorge,
>>
>> Were you able to check with branch [1] and AM 2.1.0? Or did you experience
>> this issue when you did so? Initially branch [1] was released after being
>> tested with AM 2.0.0. If you faced any issues with AM 2.1.0, can you please
>> attach the logs? Will check this further for AM 2.1.0.
>>
>> [1] https://github.com/chamilaadhi/wso2-am-billing-engine/tree/am-2.0
>>
>> Thanks and Regards
>>
>> On Tue, Nov 14, 2017 at 1:00 AM, Jorge  wrote:
>>
>>> Hi all.
>>>
>>> Recently I followed this guide [1] to enable API monetization in WSO2
>>> APIM 2.1.0, with several errors.
>>>
>>> 1. The code with the workflow and the billing engine points to [2]
>>> with version 1.10. This code uses this maven dependency [3], with an issue
>>> related to the org.wso2.carbon.apimgt.impl_6.1.66.jar inside WSO2
>>> APIM 2.1.0. I found a more updated version in [4].
>>>
>>> In version 5.0.3 you create apiMgtDAO  object with this line:
>>>
>>> ApiMgtDAO apiMgtDAO = new ApiMgtDAO();
>>>
>>> In version 6.1.66 with this another line:
>>>
>>> ApiMgtDAO apiMgtDAO = ApiMgtDAO.getInstance();
>>>
>>> 2. Inside the jaggery api store webapp I found an issue with the module
>>> workflow in the function resumeWorkflow. Inside this function it tries to
>>> call this java method:
>>>
>>> result = store.resumeWorkflow(workflowReference, status, description);
>>>
>>> but inside the org.wso2.carbon.apimgt.hostobjects_6.1.66 jar file the
>>> method gets called with the following parameters:
>>>
>>> public static void jsFunction_loadRegistryOfTenant(Context cx,
>>> Scriptable thisObj, Object[] args, Function funObj)
>>>
>>> In any case, inside this file: /site/blocks/workflow/workflow
>>> -listener/ajax/workflow-listener.jag I cannot get a response from this
>>> invocation:
>>>
>>> result = mod.resumeWorkflow(workflowReference, status, description);
>>>
>>> Always = empty so:
>>>
>>> if (result.error) = false
>>>
>>> response.status = result.statusCode; // with errors..
>>>
>>> Any help or idea?
>>>
>>>
>>>
>>> Regards,
>>>Jorge.
>>>
>>>
>>> References:
>>> [1] https://docs.wso2.com/display/AM210/Enabling+Monetization+of+APIs
>>>
>>> [2] https://docs.wso2.com/download/attachments/76743427/wso2-am-
>>> billing-engine-am-1.10.zip?version=1=150962
>>> 5739000=v2
>>>
>>> [3] <dependency>
>>> <groupId>org.wso2.carbon.apimgt</groupId>
>>> <artifactId>org.wso2.carbon.apimgt.impl</artifactId>
>>> <version>5.0.3</version>
>>> </dependency>
>>>
>>> [4] https://github.com/chamilaadhi/wso2-am-billing-engine
>>>
>>>
>>>
>>>
>>>
>>
>>
>> --
>> Rukshan Chathuranga.
>> Software Engineer.
>> WSO2, Inc.
>> +94711822074 <+94%2071%20182%202074>
>>
>
>


-- 
Rukshan Chathuranga.
Software Engineer.
WSO2, Inc.
+94711822074


Re: [Dev] [IS] Looking for a ClientCertificateBasedAuthentication sample code for accessing REST APIs

2017-11-14 Thread Thilina Madumal
Hi Gayan,

Thanks for the reply. Please see the inline comment.

On Tue, Nov 14, 2017 at 8:40 PM, Gayan Gunawardana  wrote:

>
>
> On Tue, Nov 14, 2017 at 2:48 PM, Thilina Madumal 
> wrote:
>
>> Hi Devs,
>>
>> Recently I have started implementing an oauth2-proxy client for Single
>> Page Applications to be used as the proxy for securing resource access
>> using OAuth2.
>>
>> During that, I wanted to validate the access token. In the documentation,
>> I found that it can be achieved using introspection endpoint [1]. There the
>> given curl commands use Basic Authorization to access the introspection
>> endpoint.
>>
>> As I research further I found [2] where it describes 3 methods on
>> authenticating and authorizing to REST-APIs in IS.
>> IMO it would be more convenient if there were a link between these [1]
>> and [2]. WDYT?
>>
> Not only introspection this is common to any REST API exposed by Identity
> Server.
> +1 for having a link to [2].
>
>>
>> Highly appreciate if someone could point me a sample implementation
>> where ClientCertificateBasedAuthentication is used for authentication
>> and authorization for IS REST APIs.
>>
> If this is about client side implementation you can try it from some tool
> like SOAPUI.
>
I'm implementing a client (an oauth-proxy for SPAs) application. There I
want to access the introspection REST API to validate the access tokens I
obtain on behalf of the SPAs.

>
>> Also in the documentation giving a sample implementations for all the
>> default methods described in [2] would be helpful for both the end-users
>> and the community.
>>
>
>> [1] https://docs.wso2.com/display/IS530/Invoke+the+OAuth+
>> Introspection+Endpoint
>> [2] https://docs.wso2.com/display/IS530/Authenticating+and+
>> Authorizing+REST+APIs
>>
>> Best,
>> Thilina
>> --
>> *Thilina Madumal*
>> *Software Engineer | **WSO2*
>> Email: thilina...@wso2.com
>> Mobile: *+ <+94%2077%20767%201807>94 774553167*
>> Web:  http://wso2.com
>>
>> 
>>
>>
>
>
> --
> Gayan Gunawardana
> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
> Email: ga...@wso2.com
> Mobile: +94 (71) 8020933
>


Best,
Thilina
-- 
*Thilina Madumal*
*Software Engineer | **WSO2*
Email: thilina...@wso2.com
Mobile: *+ <+94%2077%20767%201807>94 774553167*
Web:  http://wso2.com




Re: [Dev] Issues with API Monetization in WSO2 APIM 2.1.0

2017-11-14 Thread Jorge
Hi Rukshan, thanks for the answer.

I tried before with that repo and it worked fine with this maven dependency:
<dependency>
<groupId>org.wso2.carbon.apimgt</groupId>
<artifactId>org.wso2.carbon.apimgt.impl</artifactId>
<version>6.0.4</version>
</dependency>

Still, problem 2 remains with the jaggery files:
In jaggery I see this call:
result = store.resumeWorkflow(workflowReference, status, description);

but in org.wso2.carbon.apimgt.hostobjects jar I have this method:
  public static NativeObject jsFunction_resumeWorkflow(Context cx,
Scriptable thisObj, Object[] args, Function funObj)
throws ScriptException, WorkflowException




Another question, my scenario works when the user exists inside the billing
DB, but when the user does not exist I get redirected to the billing
system, I can register my user and I get redirected again to the apim
store, but I don't see the completed method called asynchronous


Regards,
Jorge

2017-11-13 22:08 GMT-05:00 Rukshan Premathunga :

> Hi Jorge,
>
> Were you able to check with branch [1] and AM 2.1.0? Or did you experience this
> issue when you did so? Initially branch [1] was released after being tested
> with AM 2.0.0. If you faced any issues with AM 2.1.0, can you please attach the
> logs? Will check this further for AM 2.1.0.
>
> [1] https://github.com/chamilaadhi/wso2-am-billing-engine/tree/am-2.0
>
> Thanks and Regards
>
> On Tue, Nov 14, 2017 at 1:00 AM, Jorge  wrote:
>
>> Hi all.
>>
>> Recently I followed this guide [1] to enable API monetization in WSO2
>> APIM 2.1.0, with several errors.
>>
>> 1. The code with the workflow and the billing engine points to [2] with
>> version 1.10. This code uses this maven dependency [3], with an issue related
>> to the org.wso2.carbon.apimgt.impl_6.1.66.jar inside WSO2 APIM 2.1.0.
>> I found a more updated version in [4].
>>
>> In version 5.0.3 you create apiMgtDAO  object with this line:
>>
>> ApiMgtDAO apiMgtDAO = new ApiMgtDAO();
>>
>> In version 6.1.66 with this another line:
>>
>> ApiMgtDAO apiMgtDAO = ApiMgtDAO.getInstance();
>>
>> 2. Inside the jaggery api store webapp I found an issue with the module
>> workflow in the function resumeWorkflow. Inside this function it tries to
>> call this java method:
>>
>> result = store.resumeWorkflow(workflowReference, status, description);
>>
>> but inside the org.wso2.carbon.apimgt.hostobjects_6.1.66 jar file the
>> method gets called with the following parameters:
>>
>> public static void jsFunction_loadRegistryOfTenant(Context cx,
>> Scriptable thisObj, Object[] args, Function funObj)
>>
>> In any case, inside this file: /site/blocks/workflow/workflow
>> -listener/ajax/workflow-listener.jag I cannot get a response from this
>> invocation:
>>
>> result = mod.resumeWorkflow(workflowReference, status, description);
>>
>> Always = empty so:
>>
>> if (result.error) = false
>>
>> response.status = result.statusCode; // with errors..
>>
>> Any help or idea?
>>
>>
>>
>> Regards,
>>Jorge.
>>
>>
>> References:
>> [1] https://docs.wso2.com/display/AM210/Enabling+Monetization+of+APIs
>>
>> [2] https://docs.wso2.com/download/attachments/76743427/wso2-am-
>> billing-engine-am-1.10.zip?version=1=150
>> 9625739000=v2
>>
>> [3] <dependency>
>> <groupId>org.wso2.carbon.apimgt</groupId>
>> <artifactId>org.wso2.carbon.apimgt.impl</artifactId>
>> <version>5.0.3</version>
>> </dependency>
>>
>> [4] https://github.com/chamilaadhi/wso2-am-billing-engine
>>
>>
>>
>>
>>
>
>
> --
> Rukshan Chathuranga.
> Software Engineer.
> WSO2, Inc.
> +94711822074
>


Re: [Dev] [APIM with IS as the KM] throwing org.apache.axis2.AxisFault: Mapping qname not fond for the package: java.util when invoking API

2017-11-14 Thread Rajith Roshan
Hi Nuwan,

This was patched in apim 2.0.0 for implicit grant type (Ideally the fix
should be in apim 2.1.0). What is the grant type you are using?
This is not the intended behavior. Scope is an optional parameter, you
don't have to send the scope in the request.

Thanks!
Rajith

On Tue, Nov 14, 2017 at 5:50 PM, Chamin Dias  wrote:

> Hi,
>
> There was a similar case for the "Mapping qname not fond for the package"
> error, but that seems to be fixed in APIM 2.1.0. Also, please see [1].
>
> [1] https://wso2.org/jira/browse/APIMANAGER-5369
>
> Thanks.
>
> On Tue, Nov 14, 2017 at 4:33 PM, Nuwan Silva  wrote:
>
>> Hi Team,
>>
>> I have a setup with APIM 2.1.0 with IS 5.3.0 as the KM and I see the
>> following error when invoking an API. While looking for a solution I found
>> that sending the scope with the token generation request resolves this.
>>
>> Is this the intended behavior? We can request for a token without the
>> scope and that token fails. As per [1] the scope is optional.
>>
>> [1] https://docs.wso2.com/display/AM210/Password+Grant
>>
>> TID: [-1234] [] [2017-11-14 06:57:16,695] ERROR
>> {org.apache.axis2.rpc.receivers.RPCMessageReceiver} -
>> org.apache.axis2.AxisFault: Mapping qname not fond for the package:
>> java.util
>> java.lang.RuntimeException: org.apache.axis2.AxisFault: Mapping qname not
>> fond for the package: java.util
>> at org.apache.axis2.databinding.utils.BeanUtil.getPropertyQname
>> List(BeanUtil.java:276)
>> at org.apache.axis2.databinding.utils.BeanUtil.getPullParser(Be
>> anUtil.java:72)
>> at org.apache.axis2.databinding.utils.reader.ADBXMLStreamReader
>> Impl.processProperties(ADBXMLStreamReaderImpl.java:994)
>> at org.apache.axis2.databinding.utils.reader.ADBXMLStreamReader
>> Impl.next(ADBXMLStreamReaderImpl.java:850)
>> at org.apache.axis2.util.StreamWrapper.next(StreamWrapper.java:71)
>> at org.apache.axiom.om.impl.builder.StAXOMBuilder.parserNext(St
>> AXOMBuilder.java:681)
>> at org.apache.axiom.om.impl.builder.StAXOMBuilder.next(StAXOMBu
>> ilder.java:214)
>> at org.apache.axiom.om.impl.llom.OMSerializableImpl.build(OMSer
>> ializableImpl.java:78)
>> at org.apache.axiom.om.impl.llom.OMElementImpl.build(OMElementI
>> mpl.java:722)
>> at org.apache.axiom.om.impl.llom.OMElementImpl.detach(OMElement
>> Impl.java:700)
>> at org.apache.axiom.om.impl.llom.OMNodeImpl.setParent(OMNodeImp
>> l.java:105)
>> at org.apache.axiom.om.impl.llom.OMElementImpl.addChild(OMEleme
>> ntImpl.java:296)
>> at org.apache.axiom.om.impl.llom.OMElementImpl.addChild(OMEleme
>> ntImpl.java:212)
>> at org.apache.axis2.rpc.receivers.RPCUtil.processResponse(RPCUt
>> il.java:105)
>> at org.apache.axis2.rpc.receivers.RPCUtil.processResponseAsDocL
>> itWrapped(RPCUtil.java:456)
>> at org.apache.axis2.rpc.receivers.RPCMessageReceiver.invokeBusi
>> nessLogic(RPCMessageReceiver.java:153)
>> at org.apache.axis2.receivers.AbstractInOutMessageReceiver.invo
>> keBusinessLogic(AbstractInOutMessageReceiver.java:40)
>> at org.apache.axis2.receivers.AbstractMessageReceiver.receive(A
>> bstractMessageReceiver.java:110)
>> at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
>> at org.apache.axis2.transport.http.HTTPTransportUtils.processHT
>> TPPostRequest(HTTPTransportUtils.java:173)
>> at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServl
>> et.java:146)
>> at org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonS
>> ervlet.java:231)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>> at org.eclipse.equinox.http.servlet.internal.ServletRegistratio
>> n.service(ServletRegistration.java:61)
>> at org.eclipse.equinox.http.servlet.internal.ProxyServlet.proce
>> ssAlias(ProxyServlet.java:128)
>> at org.eclipse.equinox.http.servlet.internal.ProxyServlet.servi
>> ce(ProxyServlet.java:68)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>> at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service
>> (DelegationServlet.java:68)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
>> lter(ApplicationFilterChain.java:303)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
>> licationFilterChain.java:208)
>> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilte
>> r.java:52)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
>> lter(ApplicationFilterChain.java:241)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
>> licationFilterChain.java:208)
>> at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilte
>> r(HttpHeaderSecurityFilter.java:120)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
>> lter(ApplicationFilterChain.java:241)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
>> 

Re: [Dev] [IS] Looking for a ClientCertificateBasedAuthentication sample code for accessing REST APIs

2017-11-14 Thread Gayan Gunawardana
On Tue, Nov 14, 2017 at 2:48 PM, Thilina Madumal 
wrote:

> Hi Devs,
>
> Recently I have started implementing an oauth2-proxy client for Single
> Page Applications to be used as the proxy for securing resource access
> using OAuth2.
>
> During that, I wanted to validate the access token. In the documentation,
> I found that it can be achieved using introspection endpoint [1]. There the
> given curl commands use Basic Authorization to access the introspection
> endpoint.
>
> As I research further I found [2] where it describes 3 methods on
> authenticating and authorizing to REST-APIs in IS.
> IMO it would be more convenient if there were a link between these [1] and
> [2]. WDYT?
>
Not only introspection; this is common to any REST API exposed by Identity
Server.
+1 for having a link to [2].

>
> Highly appreciate if someone could point me a sample implementation where
> ClientCertificateBasedAuthentication is used for authentication and
> authorization for IS REST APIs.
>
If this is about client side implementation you can try it from some tool
like SOAPUI.

>
> Also, giving sample implementations in the documentation for all the
> default methods described in [2] would be helpful for both the end-users
> and the community.
>

> [1] https://docs.wso2.com/display/IS530/Invoke+the+OAuth+Introspection+Endpoint
> [2] https://docs.wso2.com/display/IS530/Authenticating+and+Authorizing+REST+APIs
>
> Best,
> Thilina
> --
> *Thilina Madumal*
> *Software Engineer | **WSO2*
> Email: thilina...@wso2.com
> Mobile: *+94 774553167*
> Web:  http://wso2.com
>
> 
>
>


-- 
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933


[Dev] [IS] Looking for a ClientCertificateBasedAuthentication sample code for accessing REST APIs

2017-11-14 Thread Thilina Madumal
Hi Devs,

Recently I have started implementing an oauth2-proxy client for Single Page
Applications to be used as the proxy for securing resource access using
OAuth2.

During that, I wanted to validate the access token. In the documentation, I
found that it can be achieved using introspection endpoint [1]. There the
given curl commands use Basic Authorization to access the introspection
endpoint.

As I research further I found [2] where it describes 3 methods on
authenticating and authorizing to REST-APIs in IS.
IMO it would be more convenient if there were a link between these [1] and
[2]. WDYT?

Highly appreciate if someone could point me a sample implementation
where ClientCertificateBasedAuthentication is used for authentication and
authorization for IS REST APIs.

Also, giving sample implementations in the documentation for all the
default methods described in [2] would be helpful for both the end-users
and the community.

[1]
https://docs.wso2.com/display/IS530/Invoke+the+OAuth+Introspection+Endpoint
[2]
https://docs.wso2.com/display/IS530/Authenticating+and+Authorizing+REST+APIs

Best,
Thilina
-- 
*Thilina Madumal*
*Software Engineer | **WSO2*
Email: thilina...@wso2.com
Mobile: *+94 774553167*
Web:  http://wso2.com
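
The client side of the request asked about above, as an added example that is not WSO2 or list-member code: a Python client that presents an X.509 client certificate over TLS and posts a token to an RFC 7662 introspection endpoint. The host name, the `/oauth2/introspect` path and the PEM file names are assumptions; any extra headers or server-side configuration that the handler described in [2] requires are not shown.

```python
import json
import ssl
import urllib.parse
import urllib.request

# Assumed value, not taken from the thread: adjust to the real deployment.
INTROSPECT_PATH = "/oauth2/introspect"


def build_mtls_context(ca_file=None, client_cert=None, client_key=None):
    """TLS context that verifies the server and, if given, presents a client cert.

    ca_file:     PEM bundle that signs the server certificate (None = system store)
    client_cert: PEM file holding the client certificate chain
    client_key:  PEM file holding the private key (None if it is inside client_cert)
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context already enables CERT_REQUIRED and hostname checking.
    # For a server with a private CA, add that CA to ca_file rather than
    # switching verification off.
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def build_introspection_request(base_url, token, path=INTROSPECT_PATH):
    """POST request carrying the token as a form parameter (RFC 7662, section 2.1)."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("client-certificate authentication needs an https:// URL")
    body = urllib.parse.urlencode({"token": token}).encode("ascii")
    req = urllib.request.Request(base_url.rstrip("/") + path, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Accept", "application/json")
    return req


def introspect(base_url, token, ctx, timeout=10):
    """Send the request over the mutually authenticated connection."""
    req = build_introspection_request(base_url, token)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def token_is_active(introspection):
    """Only a literal boolean true counts; a missing or string value is a reject."""
    return introspection.get("active") is True


if __name__ == "__main__":
    # Constructed file names and host; replace with real ones before running.
    ctx = build_mtls_context("is-ca.pem", "proxy-client.pem", "proxy-client.key")
    result = introspect("https://is.example.test:9443", "<access token>", ctx)
    print("active" if token_is_active(result) else "rejected")
```
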




[Dev] Observing Missing Timestamp exception when doing creation via rest client

2017-11-14 Thread Thivya Mahenthirarasa
Hi Dev,

When I invoke the POST method to create a resource in a legacy (SOAP) backend
(the backend is secured) in my API of a WUM-updated ESB500 pack from a REST
client, I'm observing the following exception from the backend SOAP service.
The other methods (DELETE/GET) are working fine.


wsse:InvalidSecurity
 Missing Timestamp


The resource of the API


  
 
 
 
 

   http://schemas.xmlsoap.org/soap/envelope/;>
  
 
  
  
 http://service.sample.central.com;>

   http://dto.service.sample.central.com/xsd;>
  ?
  ?
  ?
   
   http://dto.service.sample.central.com/xsd;>
  ?
  ?
   
   http://dto.service.sample.central.com/xsd;>
  ?
  ?
  ?
   
   http://dto.service.sample.central.com/xsd;>
  ?
  ?
  ?
   
   http://dto.service.sample.central.com/xsd;>?
   http://dto.service.sample.central.com/xsd;>105665
   http://dto.service.sample.central.com/xsd;>
  ?
  ?
  ?
   

 
  
   


 
 
 
 

   https://192.168.55.160:9443/services/CentralPatientService;
format="soap11"/>

 
  
  
 
 
 
  
   

WSDL location

http://192.168.55.160:9763/services/CentralPatientService?wsdl


Could you please help to resolve this?



-- 

*Thivya Mahenthirarasa*

*Software Engineer -Support Team | WSO2*


*Email: thi...@wso2.com *

*Mobile: +94766461966 *
*Web: http://wso2.com *
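
A way to check an outgoing request for the element the fault names, as an added example that is not from the thread or from WSO2: given a SOAP 1.1 envelope captured on its way to the backend, it reports whether the `wsse:Security` header carries a `wsu:Timestamp` and whether that timestamp is still fresh. The sample envelopes, the function names and the five-minute skew are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
XSD_UTC = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample: an envelope with a body and no security header at all.
BODY_ONLY = """<soapenv:Envelope xmlns:soapenv="%s">
  <soapenv:Body><placeholder/></soapenv:Body>
</soapenv:Envelope>""" % NS["soap"]

# Constructed sample: a security header that carries a token but no Timestamp.
USERNAME_TOKEN_ONLY = """<soapenv:Envelope xmlns:soapenv="%s" xmlns:wsse="%s">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1">
      <wsse:UsernameToken><wsse:Username>constructed-user</wsse:Username></wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body><placeholder/></soapenv:Body>
</soapenv:Envelope>""" % (NS["soap"], NS["wsse"])


def parse_xsd_datetime(text):
    """Parse an xsd:dateTime such as 2017-11-14T06:57:16Z into an aware datetime."""
    value = text.strip()
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def check_timestamp(envelope_xml, now, max_skew=timedelta(minutes=5)):
    """Classify the envelope by the state of its wsu:Timestamp.

    Meant for captures of your own traffic; for XML from an untrusted source
    parse with a hardened parser such as defusedxml instead.
    """
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        return "missing-security-header"
    stamp = security.find("wsu:Timestamp", NS)
    if stamp is None:
        return "missing-timestamp"
    created = stamp.findtext("wsu:Created", default="", namespaces=NS)
    expires = stamp.findtext("wsu:Expires", default="", namespaces=NS)
    if not created.strip():
        return "missing-created"
    if parse_xsd_datetime(created) - now > max_skew:
        return "created-in-future"  # sender clock ahead of the receiver
    if expires.strip() and parse_xsd_datetime(expires) <= now:
        return "expired"  # stale or replayed message
    return "ok"


def add_timestamp(envelope_xml, created, ttl_seconds=300):
    """Return the envelope with a Timestamp as first child of wsse:Security.

    Shows the shape the receiver looks for. In a deployment the component that
    applies the security policy emits it, before any signature is computed.
    """
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        raise ValueError("no wsse:Security header to extend")
    stamp = ET.Element("{%s}Timestamp" % NS["wsu"])
    ET.SubElement(stamp, "{%s}Created" % NS["wsu"]).text = created.strftime(XSD_UTC)
    expires = created + timedelta(seconds=ttl_seconds)
    ET.SubElement(stamp, "{%s}Expires" % NS["wsu"]).text = expires.strftime(XSD_UTC)
    security.insert(0, stamp)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    now = datetime(2017, 11, 14, 7, 0, 0, tzinfo=timezone.utc)
    print("body only ->", check_timestamp(BODY_ONLY, now))
    print("token only ->", check_timestamp(USERNAME_TOKEN_ONLY, now))
    print("stamped ->", check_timestamp(add_timestamp(USERNAME_TOKEN_ONLY, now), now))
```
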


Re: [Dev] EI 6.0.0 and HL7 transport activation

2017-11-14 Thread Vinod Kavinda
Hi Thomas,
The issue you are experiencing is happening since we are referring to the same
plugins directory (jars location for wso2 products) in all the profiles in
WSO2 EI as you already identified. Even though these profiles are shipped
together, they are not running in the same runtime. So what you can do is
keep separate distributions for each profile. Then install the HL7 features
only for the dist you are using for the ESB.

One more suggestion for you, since you are still in the initial development
phase, please upgrade to WSO2 EI 6.1.1. Since 6.0 is the initial version of
the new structure, we have fixed a lot of issues in the later versions.

Regards,
Vinod

On Tue, Nov 14, 2017 at 5:54 PM, Thomas LEGRAND <
thomas.legr...@versusmind.eu> wrote:

> Hello!
>
> I come back concerning this problem to give you some extra information
> (and to point out other problems :))
>
> First, my ESB is configured to be able to process convert automatically
> the content of the files with the content-type application/edi-hl7. To do
> so, I uncommented in the file the axis2.xml:
>
>class="org.wso2.carbon.business.messaging.hl7.
> message.HL7MessageFormatter"/>
>
> Since I deployed manually the previously mentioned libraries by dropping
> them in the dropins directory, I noticed that other problems occur:
>
> - When I start the BPS, an OpenJPA error happens because of the dropped
> openjpa-all_2.2.2.wso2v1 in dropins. Meaning that, if I remove it, the
> following stacktrace does not appear and the BPS starts nicely:
>
> TID: [-1234] [] [2017-11-14 13:17:50,750]  INFO {org.wso2.carbon.humantask.
> core.HumanTaskSchedulerInitializer} -  Starting HumanTasks Scheduler
> {org.wso2.carbon.humantask.core.HumanT
> askSchedulerInitializer}
> TID: [-1234] [] [2017-11-14 13:17:51,523] ERROR {org.wso2.carbon.humantask.
> core.scheduler.SimpleScheduler} -  Error retrieving node list. {
> org.wso2.carbon.humantask.core.scheduler.Si
> mpleScheduler}
> 
> org.apache.openjpa.persistence.ArgumentException: An error occurred while
> parsing the query filter "SELECT DISTINCT t.nodeId
>  FROM org.wso2.carbon.humantask.core.dao.jpa.openjpa.model.HumanTaskJob t
> WHERE t.nodeId IS NOT NULL". Error message: The name
> "org.wso2.carbon.humantask.core.dao.jpa.openjpa.model.H
> umanTaskJob" is not a recognized entity or identifier. Perhaps you meant
> HumanTaskJob, which is a close match. Known entity names: [Task,
> PresentationDescription, Message, ProcessIns
> tanceDAOImpl, CorrelatorDAOImpl, ScopeDAOImpl, MexProperty, Attachment,
> ProcessDAOImpl, PresentationSubject, AttachmentDAOImpl,
> ActivityRecoveryDAOImpl, TaskVersion, MessageExchangeD
> AOImpl, MessageDAOImpl, XmlDataProperty, Comment, HumanTaskJob,
> PresentationParameter, OrganizationalEntity, Deadline, MessageRouteDAOImpl,
> PresentationName, FaultDAOImpl, GenericHum
> anRole, PresentationElement, PartnerLinkDAOImpl, CorrelationSetDAOImpl,
> Event, EventDAOImpl, DeploymentUnit, XmlDataDAOImpl, CorrSetProperty]
>
>
> - When I start the BPS or the Broker, I have a stacktrace concerning the
> hl7 messaging component. This is not blocking but that is not clean
> either. This is caused by the presence of the 
> org.wso2.carbon.business.messaging.hl7.*.jar
> files:
>
> TID: [-1234] [] [2017-11-14 12:08:30,078] ERROR {org.wso2.carbon.utils.
> deployment.Axis2ServiceRegistry} -  Error while adding services from
> bundle : org.wso2.carbon.business.messagin
> g.hl7.store-4.6.6 {org.wso2.carbon.utils.deployment.Axis2ServiceRegistry}
> java.lang.NoClassDefFoundError: org/wso2/carbon/mediation/initializer/
> AbstractServiceBusAdmin
> at java.lang.ClassLoader.defineClass1(Native Method)
> at java.lang.ClassLoader.defineClass(ClassLoader.java:763)
> blablabla
> Caused by: java.lang.ClassNotFoundException: org.wso2.carbon.mediation.
> initializer.AbstractServiceBusAdmin cannot be found by
> org.wso2.carbon.business.messaging.hl7.store_4.6.6
> at org.eclipse.osgi.internal.loader.BundleLoader.
> findClassInternal(BundleLoader.java:501)
> at org.eclipse.osgi.internal.loader.BundleLoader.findClass(
> BundleLoader.java:421)
> at org.eclipse.osgi.internal.loader.BundleLoader.findClass(
> BundleLoader.java:412)
> at org.eclipse.osgi.internal.baseadaptor.
> DefaultClassLoader.loadClass(DefaultClassLoader.java:107)
> at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
> ... 66 more
>
> As a workaround for my first blocking problem, I just removed the openjpa
> file from the dropins directory. That seems to work but since I just need
> to process files, I doubt that will work if I need to use the ESB to
> persist some HL7 messages in a database using the ESB-integrated-way.
>
> Regards,
>
> Thomas
>
>
> 2017-11-10 9:38 GMT+01:00 Thomas LEGRAND :
>
>> Hello again!
>>
>> Finally, I made a diff of the directory via the command comp > where there aren't the feature libs> > libs> (I am on 

Re: [Dev] EI 6.0.0 and HL7 transport activation

2017-11-14 Thread Thomas LEGRAND
Hello!

I come back concerning this problem to give you some extra information
(and to point out other problems :))

First, my ESB is configured to be able to process convert automatically the
content of the files with the content-type application/edi-hl7. To do so, I
uncommented in the file the axis2.xml:

 

Since I deployed manually the previously mentioned libraries by dropping
them in the dropins directory, I noticed that other problems occur:

- When I start the BPS, an OpenJPA error happens because of the dropped
openjpa-all_2.2.2.wso2v1 in dropins. Meaning that, if I remove it, the
following stacktrace does not appear and the BPS starts nicely:

TID: [-1234] [] [2017-11-14 13:17:50,750]  INFO
{org.wso2.carbon.humantask.core.HumanTaskSchedulerInitializer} -  Starting
HumanTasks Scheduler {org.wso2.carbon.humantask.core.HumanT
askSchedulerInitializer}
TID: [-1234] [] [2017-11-14 13:17:51,523] ERROR
{org.wso2.carbon.humantask.core.scheduler.SimpleScheduler} -  Error
retrieving node list. {org.wso2.carbon.humantask.core.scheduler.Si
mpleScheduler}

org.apache.openjpa.persistence.ArgumentException: An error occurred while
parsing the query filter "SELECT DISTINCT t.nodeId
 FROM org.wso2.carbon.humantask.core.dao.jpa.openjpa.model.HumanTaskJob t
WHERE t.nodeId IS NOT NULL". Error message: The name
"org.wso2.carbon.humantask.core.dao.jpa.openjpa.model.H
umanTaskJob" is not a recognized entity or identifier. Perhaps you meant
HumanTaskJob, which is a close match. Known entity names: [Task,
PresentationDescription, Message, ProcessIns
tanceDAOImpl, CorrelatorDAOImpl, ScopeDAOImpl, MexProperty, Attachment,
ProcessDAOImpl, PresentationSubject, AttachmentDAOImpl,
ActivityRecoveryDAOImpl, TaskVersion, MessageExchangeD
AOImpl, MessageDAOImpl, XmlDataProperty, Comment, HumanTaskJob,
PresentationParameter, OrganizationalEntity, Deadline, MessageRouteDAOImpl,
PresentationName, FaultDAOImpl, GenericHum
anRole, PresentationElement, PartnerLinkDAOImpl, CorrelationSetDAOImpl,
Event, EventDAOImpl, DeploymentUnit, XmlDataDAOImpl, CorrSetProperty]


- When I start the BPS or the Broker, I have a stacktrace concerning the
hl7 messaging component. This is not blocking but that is not clean
either. This is caused by the presence of the
org.wso2.carbon.business.messaging.hl7.*.jar files:

TID: [-1234] [] [2017-11-14 12:08:30,078] ERROR
{org.wso2.carbon.utils.deployment.Axis2ServiceRegistry} -  Error while
adding services from bundle : org.wso2.carbon.business.messagin
g.hl7.store-4.6.6 {org.wso2.carbon.utils.deployment.Axis2ServiceRegistry}
java.lang.NoClassDefFoundError:
org/wso2/carbon/mediation/initializer/AbstractServiceBusAdmin
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:763)
blablabla
Caused by: java.lang.ClassNotFoundException:
org.wso2.carbon.mediation.initializer.AbstractServiceBusAdmin cannot be
found by org.wso2.carbon.business.messaging.hl7.store_4.6.6
at
org.eclipse.osgi.internal.loader.BundleLoader.findClassInternal(BundleLoader.java:501)
at
org.eclipse.osgi.internal.loader.BundleLoader.findClass(BundleLoader.java:421)
at
org.eclipse.osgi.internal.loader.BundleLoader.findClass(BundleLoader.java:412)
at
org.eclipse.osgi.internal.baseadaptor.DefaultClassLoader.loadClass(DefaultClassLoader.java:107)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
... 66 more

As a workaround for my first blocking problem, I just removed the openjpa file
from the dropins directory. That seems to work but since I just need to
process files, I doubt that will work if I need to use the ESB to persist
some HL7 messages in a database using the ESB-integrated-way.

Regards,

Thomas


2017-11-10 9:38 GMT+01:00 Thomas LEGRAND :

> Hello again!
>
> Finally, I made a diff of the directory via the command comp  where there aren't the feature libs>  libs> (I am on Windows). So, something like that:
>
> C:\Users\t.legrand>comp D:\ProjetESB\wso2ei-6.0.0-bis\wso2\components\plugins
>> D:\ProjetESB\wso2ei-6.0.0\wso2\components\plugins /A > test.log
>> Comparer d’autres fichiers (O/N) ? n
>>
>
> This generated a file where I could see some messages like
>
> Comparaison de D:\ProjetESB\wso2ei-6.0.0-bis\
>> wso2\components\plugins\axis2-transport-mqtt_2.0.0.wso2v1.jar et
>> D:\ProjetESB\wso2ei-6.0.0\wso2\components\plugins\axis2-
>> transport-mqtt_2.0.0.wso2v1.jar...
>> Comparaison des fichiers OK
>>
> Comparaison de D:\ProjetESB\wso2ei-6.0.0-bis\wso2\components\plugins\org.
>> wso2.carbon.business.messaging.hl7.common_4.6.6.jar et
>> D:\ProjetESB\wso2ei-6.0.0\wso2\components\pluginsorg.
>> wso2.carbon.business.messaging.hl7.common_4.6.6.jar...
>>
> Impossible de trouver/ouvrir le fichier: D:\ProjetESB\wso2ei-6.0.0\
>> wso2\components\plugins\org.wso2.carbon.business.
>> messaging.hl7.common_4.6.6.jar
>>
>
> So, in the end, the installed libraries were:
>
> - openjpa-all_2.2.2.wso2v1
> - 

Re: [Dev] [APIM with IS as the KM] throwing org.apache.axis2.AxisFault: Mapping qname not fond for the package: java.util when invoking API

2017-11-14 Thread Chamin Dias
Hi,

There was a similar case for the "Mapping qname not fond for the package"
error, but that seems to be fixed in APIM 2.1.0. Also, please see [1].

[1] https://wso2.org/jira/browse/APIMANAGER-5369

Thanks.

On Tue, Nov 14, 2017 at 4:33 PM, Nuwan Silva  wrote:

> Hi Team,
>
> I have a setup with APIM 2.1.0 with IS 5.3.0 as the KM and I see the
> following error when invoking an API. While looking for a solution I found
> that sending the scope with the token generation request resolves this.
>
> Is this the intended behavior? We can request for a token without the
> scope and that token fails. As per [1] the scope is optional.
>
> [1] https://docs.wso2.com/display/AM210/Password+Grant
>
> TID: [-1234] [] [2017-11-14 06:57:16,695] ERROR
> {org.apache.axis2.rpc.receivers.RPCMessageReceiver} -
> org.apache.axis2.AxisFault: Mapping qname not fond for the package:
> java.util
> java.lang.RuntimeException: org.apache.axis2.AxisFault: Mapping qname not
> fond for the package: java.util
> at org.apache.axis2.databinding.utils.BeanUtil.getPropertyQname
> List(BeanUtil.java:276)
> at org.apache.axis2.databinding.utils.BeanUtil.getPullParser(Be
> anUtil.java:72)
> at org.apache.axis2.databinding.utils.reader.ADBXMLStreamReader
> Impl.processProperties(ADBXMLStreamReaderImpl.java:994)
> at org.apache.axis2.databinding.utils.reader.ADBXMLStreamReader
> Impl.next(ADBXMLStreamReaderImpl.java:850)
> at org.apache.axis2.util.StreamWrapper.next(StreamWrapper.java:71)
> at org.apache.axiom.om.impl.builder.StAXOMBuilder.parserNext(
> StAXOMBuilder.java:681)
> at org.apache.axiom.om.impl.builder.StAXOMBuilder.next(StAXOMBu
> ilder.java:214)
> at org.apache.axiom.om.impl.llom.OMSerializableImpl.build(OMSer
> ializableImpl.java:78)
> at org.apache.axiom.om.impl.llom.OMElementImpl.build(OMElementI
> mpl.java:722)
> at org.apache.axiom.om.impl.llom.OMElementImpl.detach(OMElement
> Impl.java:700)
> at org.apache.axiom.om.impl.llom.OMNodeImpl.setParent(OMNodeImp
> l.java:105)
> at org.apache.axiom.om.impl.llom.OMElementImpl.addChild(OMEleme
> ntImpl.java:296)
> at org.apache.axiom.om.impl.llom.OMElementImpl.addChild(OMEleme
> ntImpl.java:212)
> at org.apache.axis2.rpc.receivers.RPCUtil.processResponse(
> RPCUtil.java:105)
> at org.apache.axis2.rpc.receivers.RPCUtil.processResponseAsDocL
> itWrapped(RPCUtil.java:456)
> at org.apache.axis2.rpc.receivers.RPCMessageReceiver.invokeBusi
> nessLogic(RPCMessageReceiver.java:153)
> at org.apache.axis2.receivers.AbstractInOutMessageReceiver.invo
> keBusinessLogic(AbstractInOutMessageReceiver.java:40)
> at org.apache.axis2.receivers.AbstractMessageReceiver.receive(A
> bstractMessageReceiver.java:110)
> at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
> at org.apache.axis2.transport.http.HTTPTransportUtils.processHT
> TPPostRequest(HTTPTransportUtils.java:173)
> at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServl
> et.java:146)
> at org.wso2.carbon.core.transports.CarbonServlet.doPost(
> CarbonServlet.java:231)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
> at org.eclipse.equinox.http.servlet.internal.ServletRegistratio
> n.service(ServletRegistration.java:61)
> at org.eclipse.equinox.http.servlet.internal.ProxyServlet.proce
> ssAlias(ProxyServlet.java:128)
> at org.eclipse.equinox.http.servlet.internal.ProxyServlet.servi
> ce(ProxyServlet.java:68)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
> at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service
> (DelegationServlet.java:68)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
> lter(ApplicationFilterChain.java:303)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
> licationFilterChain.java:208)
> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilte
> r.java:52)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
> lter(ApplicationFilterChain.java:241)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
> licationFilterChain.java:208)
> at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilte
> r(HttpHeaderSecurityFilter.java:120)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
> lter(ApplicationFilterChain.java:241)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
> licationFilterChain.java:208)
> at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilte
> r(CharacterSetFilter.java:61)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
> lter(ApplicationFilterChain.java:241)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
> licationFilterChain.java:208)
> at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilte
> r(HttpHeaderSecurityFilter.java:120)
> at 

[Dev] 'Input too long' error occurred while executing Siddhi.bat file

2017-11-14 Thread Raveen Rathnayake
Hi all,

Currently I am in the process of developing an SDK for Siddhi. In this SDK I
am packing all the Siddhi Extensions with it. All the jars (*all together
279*) related to these extensions are located in the *{siddhi.home}/lib*
folder. Executable files (*siddhi.sh* and *siddhi.bat*) are located in the
*{siddhi.home}/bin* folder. In the *siddhi.bat* file I am adding all the
jar files in the *{siddhi.home}/lib* folder to the *classpath*. When I
tried to execute the *siddhi.bat* file I am getting an error saying "*The
input line is too long*." After googling about the error, I found that this
error was caused because in Windows a single command has a limit of ~250
characters. Since this 250 limit is exceeded by the classpath setting command,
I got the error (when adding all the names of jars inside the lib, the 250
limit is exceeded). I have tried a few methods to overcome this issue, but
failed. I have attached the *siddhi.bat* file herewith.

It will be great if any of you can suggest a solution for this.

Thank you.
-- 
Raveen Savinda Rathnayake,
Software Engineering Intern,
WSO2 Inc.

*lean. enterprise. middleware  *
Web: www.WSO2.com Mobile : +94771144549  Blog : https://blog.raveen.me




@echo off

REM ---
REM   Copyright (c) 2017, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
REM
REM   Licensed under the Apache License, Version 2.0 (the "License");
REM   you may not use this file except in compliance with the License.
REM   You may obtain a copy of the License at
REM
REM   http://www.apache.org/licenses/LICENSE-2.0
REM
REM   Unless required by applicable law or agreed to in writing, software
REM   distributed under the License is distributed on an "AS IS" BASIS,
REM   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
REM   See the License for the specific language governing permissions and
REM   limitations under the License.

rem ---
rem Main Script for Siddhi SDK
rem
rem Environment Variable Prerequisites
rem
rem   SIDDHI_HOME  Home of SIDDHI installation. If not set I will  try
rem   to figure it out.
rem
rem   JAVA_HOME   Must point at your Java Development Kit installation.
rem
rem   JAVA_OPTS   (Optional) Java runtime options used when the commands
rem   is executed.
rem ---

rem - if JAVA_HOME is not set we're not happy --

:checkJava

if "%JAVA_HOME%" == "" goto noJavaHome
if not exist "%JAVA_HOME%\bin\java.exe" goto noJavaHome
goto checkServer

:noJavaHome
echo "You must set the JAVA_HOME variable before running Siddhi."
goto end

rem - set SIDDHI_HOME 
:checkServer
rem %~sdp0 is expanded pathname of the current script under NT with spaces in the path removed
set SIDDHI_HOME=%~sdp0..
SET curDrive=%cd:~0,1%
SET siddhiDrive=%SIDDHI_HOME:~0,1%
if not "%curDrive%" == "%siddhiDrive%" %siddhiDrive%:

goto updateClasspath

:noServerHome
echo SIDDHI_HOME is set incorrectly or Siddhi could not be located. Please set SIDDHI_HOME.
goto end

rem - update classpath -
:updateClasspath

setlocal EnableDelayedExpansion
set SIDDHI_CLASSPATH=
FOR %%C in ("%SIDDHI_HOME%\lib\*.jar") DO set SIDDHI_CLASSPATH=!SIDDHI_CLASSPATH!;"%SIDDHI_HOME%\lib\%%~nC%%~xC"

set SIDDHI_HOME="%JAVA_HOME%\lib\tools.jar";%SIDDHI_CLASSPATH%;

FOR %%D in ("%SIDDHI_HOME%\lib\*.jar") DO set SIDDHI_CLASSPATH=!SIDDHI_CLASSPATH!;"%SIDDHI_HOME%\lib\%%~nD%%~xD"

rem - Process the input command ---

rem Slurp the command line arguments. This loop allows for an unlimited number
rem of arguments (up to the command line limit, anyway).

:setupArgs
if ""%1""=="""" goto doneStart

if ""%1""==""debug""    goto commandDebug
if ""%1""==""-debug""   goto commandDebug
if ""%1""==""--debug""  goto commandDebug

shift
goto setupArgs


rem - commandDebug -
:commandDebug
shift
set DEBUG_PORT=%1
if "%DEBUG_PORT%"=="" goto noDebugPort
if not "%JAVA_OPTS%"=="" echo Warning !!!. User specified JAVA_OPTS will be ignored, once you give the --debug option.
set JAVA_OPTS=-Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=%DEBUG_PORT%
echo Please start the remote debugging client to continue...
goto runServer

:noDebugPort
echo Please specify the debug port after the --debug option
goto end

:doneStart
if "%OS%"=="Windows_NT" @setlocal
if "%OS%"=="WINNT" @setlocal
goto runServer


rem - Execute The Requested Command 

:runServer

set CMD=%*

rem -- Add jars to classpath 

set 

Re: [Dev] [C5] Supporting transports in server mode

2017-11-14 Thread Niranjan Karunanandham
[Adding Azeez]
Hi all,

In the previous transport, as I remember, we had a transport manager which was
used for OSGi mode. Has this been removed? IMO we need to have support for
both standalone and OSGi mode in carbon transports.

Regards,
Nira

On Tue, Nov 14, 2017 at 4:13 PM, Asanka Abeyweera  wrote:

> Hi all,
>
> It seems the carbon transports feature is no longer supported from the
> kernel version 5.2.0 onwards. The class CarbonTransport is no longer there
> in the kernel repo.
>
> 1. What is our approach to managing transports (start,
> stop, beginMaintenance, endMaintenance) in server mode?
> 2. If someone wants to write a transport for C5 will it be similar to
> writing a general component? Is there a guideline or a document that I can
> follow when writing transports for C5 server mode.
>
> I also created a PR [1] removing the docs related to carbon transports
> from the kernel.
>
> [1] https://github.com/wso2/carbon-kernel/pull/1609
>
> --
> Asanka Abeyweera
> Associate Technical Lead
> WSO2 Inc.
>
> Phone: +94 712228648
> Blog: a5anka.github.io
>
> 
>



-- 


*Niranjan Karunanandham*
Associate Technical Lead - WSO2 Inc.
WSO2 Inc.: http://www.wso2.com


[Dev] [APIM with IS as the KM] throwing org.apache.axis2.AxisFault: Mapping qname not fond for the package: java.util when invoking API

2017-11-14 Thread Nuwan Silva
Hi Team,

I have a setup with APIM 2.1.0 with IS 5.3.0 as the KM and I see the
following error when invoking an API. While looking for a solution I found
that sending the scope with the token generation request resolves this.

Is this the intended behavior? We can request for a token without the scope
and that token fails. As per [1] the scope is optional.

[1] https://docs.wso2.com/display/AM210/Password+Grant

TID: [-1234] [] [2017-11-14 06:57:16,695] ERROR
{org.apache.axis2.rpc.receivers.RPCMessageReceiver} -
org.apache.axis2.AxisFault: Mapping qname not fond for the package:
java.util
java.lang.RuntimeException: org.apache.axis2.AxisFault: Mapping qname not
fond for the package: java.util
at
org.apache.axis2.databinding.utils.BeanUtil.getPropertyQnameList(BeanUtil.java:276)
at
org.apache.axis2.databinding.utils.BeanUtil.getPullParser(BeanUtil.java:72)
at
org.apache.axis2.databinding.utils.reader.ADBXMLStreamReaderImpl.processProperties(ADBXMLStreamReaderImpl.java:994)
at
org.apache.axis2.databinding.utils.reader.ADBXMLStreamReaderImpl.next(ADBXMLStreamReaderImpl.java:850)
at org.apache.axis2.util.StreamWrapper.next(StreamWrapper.java:71)
at
org.apache.axiom.om.impl.builder.StAXOMBuilder.parserNext(StAXOMBuilder.java:681)
at
org.apache.axiom.om.impl.builder.StAXOMBuilder.next(StAXOMBuilder.java:214)
at
org.apache.axiom.om.impl.llom.OMSerializableImpl.build(OMSerializableImpl.java:78)
at
org.apache.axiom.om.impl.llom.OMElementImpl.build(OMElementImpl.java:722)
at
org.apache.axiom.om.impl.llom.OMElementImpl.detach(OMElementImpl.java:700)
at
org.apache.axiom.om.impl.llom.OMNodeImpl.setParent(OMNodeImpl.java:105)
at
org.apache.axiom.om.impl.llom.OMElementImpl.addChild(OMElementImpl.java:296)
at
org.apache.axiom.om.impl.llom.OMElementImpl.addChild(OMElementImpl.java:212)
at
org.apache.axis2.rpc.receivers.RPCUtil.processResponse(RPCUtil.java:105)
at
org.apache.axis2.rpc.receivers.RPCUtil.processResponseAsDocLitWrapped(RPCUtil.java:456)
at
org.apache.axis2.rpc.receivers.RPCMessageReceiver.invokeBusinessLogic(RPCMessageReceiver.java:153)
at
org.apache.axis2.receivers.AbstractInOutMessageReceiver.invokeBusinessLogic(AbstractInOutMessageReceiver.java:40)
at
org.apache.axis2.receivers.AbstractMessageReceiver.receive(AbstractMessageReceiver.java:110)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
at
org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:173)
at
org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
at
org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:231)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:68)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:120)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:120)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at

[Dev] [C5] Supporting transports in server mode

2017-11-14 Thread Asanka Abeyweera
Hi all,

It seems the carbon transports feature is no longer supported from the
kernel version 5.2.0 onwards. The class CarbonTransport is no longer there
in the kernel repo.

1. What is our approach to managing transports (start,
stop, beginMaintenance, endMaintenance) in server mode?
2. If someone wants to write a transport for C5, will it be similar to
writing a general component? Is there a guideline or a document that I can
follow when writing transports for C5 server mode?

I also created a PR [1] removing the docs related to carbon transports from
the kernel.

[1] https://github.com/wso2/carbon-kernel/pull/1609

-- 
Asanka Abeyweera
Associate Technical Lead
WSO2 Inc.

Phone: +94 712228648
Blog: a5anka.github.io




Re: [Dev] Clarification on Identity federation between service providers and identity providers with incompatible identity federation protocols

2017-11-14 Thread Ushani Balasooriya
Hi Tharindu,

Found your blog [1] for salesforce configuration. I think this should go
into the docs.

[1]
http://www.securityinternal.com/2017/09/using-salesforce-as-identity-provider.html

Thanks,

On Tue, Nov 14, 2017 at 1:34 PM, Ushani Balasooriya  wrote:

> Hi Tharindu/Godwin,
>
> Can you please guide me to a doc where I can find configuring WSO2 IS as
> an IDP using SAML? I found this [1] doc.
> Is it the correct doc? If not, I would appreciate it if you could point
> me to the relevant doc. (IS or Salesforce)
>
> [1] https://docs.wso2.com/display/IS530/Configuring+SAML2+Single-Sign-On+Across+Different+WSO2+Products
>
>
> Thanks,
>
> On Tue, Nov 14, 2017 at 11:59 AM, Ushani Balasooriya 
> wrote:
>
>> Thanks a lot Tharindu and Godwin for the clarification and examples. I
>> will try one of those.
>>
>>
>>
>> On Tue, Nov 14, 2017 at 11:56 AM, Tharindu Edirisinghe <
>> tharin...@wso2.com> wrote:
>>
>>> Hi Ushani,
>>>
>>> I think these are the correct ways to do this. I don't think you need to
>>> do any config for resident IDP.
>>>
>>> *Use Case 1 *
>>>
>>> travelocity sample --> IS (the protocol is SAML)
>>> IS --> External IDP (any external IDP that supports OpenIDConnect/OAuth)
>>> - You can use Facebook federated authenticator here (or another IS)
>>>
>>>
>>>
>>> *Use Case 2*
>>> playground sample --> IS (the protocol is OAuth)
>>> IS --> External IDP (any external IDP that supports SAML) - You can use
>>> salesforce for this (or another IS)
>>>
>>> Thanks,
>>> TharinduE
>>>
>>>
>>> On Tue, Nov 14, 2017 at 11:45 AM, Ushani Balasooriya 
>>> wrote:
>>>
>>>> Hi IAM Team,
>>>>
>>>> I am trying to implement a sample using travelocity web app which can
>>>> be configured for identity federation between sp and IDP with incompatible
>>>> Identity federation protocols.
>>>>
>>>> My Pattern is "*Identity federation between service providers and
>>>> identity providers with incompatible identity federation protocols*"
>>>> as mentioned in Solution 11 of this blog post [1].
>>>>
>>>> In order to try this I need to find out the correct and valid use cases.
>>>>
>>>> Use Case 1 - Configure travelocity web app as a SP which uses SAML and
>>>> WSO2 IS resident IDP which uses Oauth. - This is Valid obviously and
>>>> currently I have configured it as explained in our documents.
>>>>
>>>>
>>>> My question is on Use Case 2.
>>>>
>>>> *Use case 2* - Configure a service provider which uses Oauth and IDP
>>>> which uses SAML.
>>>>
>>>> I feel above use case is not valid.
>>>>
>>>> Please correct me if I am wrong. If the use case 2 is valid, please
>>>> explain it to me with a valid scenario which uses Oauth as SP and SAML as IDP.
>>>>
>>>> If the above use case2 is not valid, can you please let me know what
>>>> are the possible and valid use cases which are relevant for the pattern
>>>> mentioned in the blog considering the different protocols such as SAML,
>>>> Oauth, Passive STS.
>>>>
>>>> [1] https://medium.facilelogin.com/thirty-solution-patterns-with-the-wso2-identity-server-16f9fd0c0389
>>>>
>>>> Appreciate your response.
>>>>
>>>> Thanks,
>>>> --
>>>> *Ushani Balasooriya*
>>>> Associate Technical Lead - EE;
>>>> WSO2 Inc; http://www.wso2.com/.
>>>> Mobile; +94772636796


>>>
>>>
>>> --
>>>
>>> Tharindu Edirisinghe
>>> Senior Software Engineer | WSO2 Inc
>>> Platform Security Team
>>> Blog : http://tharindue.blogspot.com
>>> mobile : +94 775181586
>>>
>>
>>
>>
>> --
>> *Ushani Balasooriya*
>> Associate Technical Lead - EE;
>> WSO2 Inc; http://www.wso2.com/.
>> Mobile; +94772636796
>>
>>
>
>
> --
> *Ushani Balasooriya*
> Associate Technical Lead - EE;
> WSO2 Inc; http://www.wso2.com/.
> Mobile; +94772636796
>
>


-- 
*Ushani Balasooriya*
Associate Technical Lead - EE;
WSO2 Inc; http://www.wso2.com/.
Mobile; +94772636796


Re: [Dev] [DEV] Using a Proxy or an API is the best practice for a secured legacy(SOAP) back end service.

2017-11-14 Thread Thivya Mahenthirarasa
Hi Abimaran,

Thank you for the explanations.

Regards,
Thivya

On Tue, Nov 14, 2017 at 11:34 AM, Abimaran Kugathasan 
wrote:

> Hi Thivya,
>
> Normally, API refers to REST APIs, while a proxy service can be used with
> any type of backend services like HTTP, WSDL, [1]. Since you have a WSDL
> service as the backend, better to use WSDL Based Proxy, otherwise you have
> to convert REST to SOAP before sending to the backend.
>
> Also, for REST API, we can use OAuth header which is handled through auth
> handler, and for proxies based on WSDL, it's better to use WS-Security. But,
> you can use auth handler too.
>
> [1]: https://docs.wso2.com/display/ESB500/WSO2+ESB+Endpoints
>
> On Mon, Nov 13, 2017 at 5:52 PM, Thivya Mahenthirarasa 
> wrote:
>
>> Hi All,
>>
>> I am working on the scenario which is having CRUD operations where I have
>> to create a service in ESB 5.0.0 using a WSDL of a SOAP backend service.
>>
>> I have tried this scenario with both Proxy and API in ESB. Also, I need
>> to secure the ESB service too.
>>
>> I have configured the WS-Security policy[1] to secure the Proxy service,
>> but I wasn't able to secure the API with a WS-Security policy, so I have
>> used a custom Auth Handler[2] to secure the API.
>>
>> 1. Which do you think is the best practice for accessing a SOAP backend
>> WSDL service: a Proxy or an API?
>> 2. Is a custom auth handler or a WS-Security policy the best way to
>> handle security?
>>
>>
>> Could you please advise on this? Your ideas are much appreciated.
>>
>>
>>
>> [1] https://docs.wso2.com/display/ESB500/Securing+APIs#SecuringAPIs-BasicAuthUsingaBasicAuthhandler
>> [2] https://docs.wso2.com/display/ESB500/Applying+Security+to+a+Proxy+Servicev
>>
>>
>>
>>
>> --
>>
>> *Thivya Mahenthirarasa*
>>
>> *Software Engineer -Support Team | WSO2*
>>
>>
>> *Email: thi...@wso2.com *
>>
>> *Mobile: +94766461966 *
>> *Web: http://wso2.com *
>>
>>
>>
>
>
> --
> Thanks
> Abimaran Kugathasan
> Senior Software Engineer - API Technologies
>
> Email : abima...@wso2.com
> Mobile : +94 773922820
>
>
>


-- 

*Thivya Mahenthirarasa*

*Software Engineer -Support Team | WSO2*


*Email: thi...@wso2.com *

*Mobile: +94766461966 *
*Web: http://wso2.com *


Re: [Dev] Clarification on Identity federation between service providers and identity providers with incompatible identity federation protocols

2017-11-14 Thread Ushani Balasooriya
Hi Tharindu/Godwin,

Can you please guide me to a doc where I can find configuring WSO2 IS as an
IDP using SAML? I found this [1] doc.
Is it the correct doc? If not, I would appreciate it if you could point me
to the relevant doc. (IS or Salesforce)

[1]
https://docs.wso2.com/display/IS530/Configuring+SAML2+Single-Sign-On+Across+Different+WSO2+Products


Thanks,

On Tue, Nov 14, 2017 at 11:59 AM, Ushani Balasooriya 
wrote:

> Thanks a lot Tharindu and Godwin for the clarification and examples. I
> will try one of those.
>
>
>
> On Tue, Nov 14, 2017 at 11:56 AM, Tharindu Edirisinghe wrote:
>
>> Hi Ushani,
>>
>> I think these are the correct ways to do this. I don't think you need to
>> do any config for resident IDP.
>>
>> *Use Case 1 *
>>
>> travelocity sample --> IS (the protocol is SAML)
>> IS --> External IDP (any external IDP that supports OpenIDConnect/OAuth)
>> - You can use Facebook federated authenticator here (or another IS)
>>
>>
>>
>> *Use Case 2*
>> playground sample --> IS (the protocol is OAuth)
>> IS --> External IDP (any external IDP that supports SAML) - You can use
>> salesforce for this (or another IS)
>>
>> Thanks,
>> TharinduE
>>
>>
>> On Tue, Nov 14, 2017 at 11:45 AM, Ushani Balasooriya 
>> wrote:
>>
>>> Hi IAM Team,
>>>
>>> I am trying to implement a sample using travelocity web app which can be
>>> configured for identity federation between sp and IDP with incompatible
>>> Identity federation protocols.
>>>
>>> My Pattern is "*Identity federation between service providers and
>>> identity providers with incompatible identity federation protocols*" as
>>> mentioned in Solution 11 of this blog post [1].
>>>
>>> In order to try this I need to find out the correct and valid use cases.
>>>
>>> Use Case 1 - Configure travelocity web app as a SP which uses SAML and
>>> WSO2 IS resident IDP which uses Oauth. - This is Valid obviously and
>>> currently I have configured it as explained in our documents.
>>>
>>>
>>> My question is on Use Case 2.
>>>
>>> *Use case 2* - Configure a service provider which uses Oauth and IDP
>>> which uses SAML.
>>>
>>> I feel above use case is not valid.
>>>
>>> Please correct me if I am wrong. If the use case 2 is valid, please
>>> explain it to me with a valid scenario which uses Oauth as SP and SAML as IDP.
>>>
>>> If the above use case2 is not valid, can you please let me know what are
>>> the possible and valid use cases which are relevant for the pattern
>>> mentioned in the blog considering the different protocols such as SAML,
>>> Oauth, Passive STS.
>>>
>>> [1] https://medium.facilelogin.com/thirty-solution-patterns-with-the-wso2-identity-server-16f9fd0c0389
>>>
>>> Appreciate your response.
>>>
>>> Thanks,
>>> --
>>> *Ushani Balasooriya*
>>> Associate Technical Lead - EE;
>>> WSO2 Inc; http://www.wso2.com/.
>>> Mobile; +94772636796
>>>
>>>
>>
>>
>> --
>>
>> Tharindu Edirisinghe
>> Senior Software Engineer | WSO2 Inc
>> Platform Security Team
>> Blog : http://tharindue.blogspot.com
>> mobile : +94 775181586
>>
>
>
>
> --
> *Ushani Balasooriya*
> Associate Technical Lead - EE;
> WSO2 Inc; http://www.wso2.com/.
> Mobile; +94772636796
>
>


-- 
*Ushani Balasooriya*
Associate Technical Lead - EE;
WSO2 Inc; http://www.wso2.com/.
Mobile; +94772636796