Neuron ESB User Network

The Service Bus for the Connected Business

Configuring REST binding Service Endpoint with Digest Authentication

Good afternoon!

I was successful at setting a basic HTTP authentication connection for a service endpoint (using REST as binding) and would like to configure the endpoint to use Digest Authentication. 

When I do that there is an additional authentication header included that the server accepts listed as opaque to which I've given it a specific value for the connection to go through.  How do I configure the service endpoint aside from setting the Security Model to HTTPDigest and having the client credentials set up in the security? Would I need to create a custom header via a business process?

Please let me know what would be the most efficient way to go about it. Thank you in advance!

Views: 503

Reply to This

Replies to This Discussion

All you should need to do is:

1. Create the credential in the Security section of Neuron ESB Explorer

2. Create a Service Endpoint

3. Select HttpDigest as the security model

4. Enable the Service Connector, set the subscriber ID and URL, and select the credential from the Client Credentials dropdown list.

Neuron will automatically add the appropriate Http Header for this.  Are you seeing an error?  Can you send that?

Joe

Hey Joe,

Thanks for helping me with this. I had done all the steps you mentioned but somehow, yes, I get the following error:

My understanding is that it requires an authentication value for opaque within the header: (which is set to $modded! on the listener channel with proper matching username and password). 

Maybe I don't understand what you need.  Do you have an example of a raw request that works with the service?  Actually, it would be helpful if you could send one that works and one from Neuron.  You can use Fiddler to capture both.

Joe

Hey Joe,

I'm currently using Insomnia for direct raw request that works with the service. The service is on a server and is configured with Digest Authentication type for HTTP Authentication. It has both auth and auth-int QOP Modes selected.  Both MD5 and MD5-sess algorithms settings.

Opaque value = $modded!

Username and Password match with the raw request. 

I've uploaded a doc that captures both the fhir listener and the raw request from insomnia.

Let me know if you need more details. 

Attachments:

Hey Joe,

I think the basic issue we are experiencing is with trying to set a non-Windows Domain username/password credentials for the Digest Authentication.  I noticed when working on the service endpoint that it only allows you to select a Windows Domain credential under Client Credentials.  

I also noticed that in the proxy settings there is a custom credentials option.  I set the Digest Authentication credentials there, but I'm not sure if there are additional steps to take for this to work.

Hi Joe,

We're still having an issue getting the digest-auth working for this service connector. Here's the working exchange when we send from 3rd party Insomnia tool (captured in Fiddler).

***server response to initial request***

HTTP/1.1 401 Unauthorized
Date: Tue, 11 Jul 2017 22:33:14 GMT
WWW-Authenticate: Digest qop="auth-int,auth", opaque="ac27f35a-4d39-4677-a5f1-5ef51878369e", domain="/fhir/Patient/", realm="My Realm", nonce="QUUyUKEKo76CtggY+5ze4YP7kGRPK/SV", algorithm="MD5,MD5-sess"
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 294
Server: Jetty(9.2.14.v20151106)

***return client request***

POST http://localhost:89/fhir/Patient/ HTTP/1.1
Host: localhost:89
Authorization: Digest username="admin",realm="My Realm",nonce="QUUyUKEKo76CtggY+5ze4YP7kGRPK/SV",uri="/fhir/Patient/",cnonce="5232edfc4157263cf3b31f358c41757d",nc=00000001,algorithm=MD5-sess,response="99c9c7463ef69be62df5f1604051687f",qop="auth",opaque="ac27f35a-4d39-4677-a5f1-5ef51878369e"
User-Agent: insomnia/5.5.2
Accept: */*
Accept-Encoding: deflate, gzip
Connection: Keep-Alive
Content-Type: application/xml
Content-Length: 12981

When Neuron tries to send I see the similar initial server response, but i do not see a follow up return request from Neuron. But I'm just looking at the event logs though - I've not been able to proxy Neuron to Fiddler properly to see the traffic directly (I've tried setting a custom proxy in the service connector, but no luck - if you have any ideas?

Our settings for the service connector Security tab are:

Security Model: HttpDigest

Server Identity Type: None

It may be that we are not setting the client credentials properly though. We are not using a Windows credential, we're using a Username/Password, however it doesn't appear that Non-Windows credentials appear in the drop-down in the Service Connector tab, so we are setting it in the Proxy Setting tab where it does appear. Is this correct?

Thanks.
Marc

Is the service you are calling on the local machine?  If that's the case, then for Fiddler to work, the custom proxy address must be 127.0.0.1, and the service connector URL must be the machine name and not localhost.

You won't see the challenge/response exchange as that is handled by WCF under the covers.

Have you tried calling this service with a WCF client?  What does the binding look like?

Thanks Joe.

Yes, everything is running local. I was able to get the proxy working for Fiddler to see the neuron traffic. I can see Neuron sending out a 2nd request in response to the Unauthorized 401 response from the service, but the return request looks identical to the original, no Authorization property is added to the header.

here's the exchange:

outbound request from Neuron:

PUT http://a2it201106:89/fhir/Patient/fs138 HTTP/1.1
Accept: application/xml+fhir
Accept-Encoding: deflate, gzip
User-Agent: insomnia/5.5.2
Content-Type: application/xml+fhir
Prefer: return=representation
If-Match: W/"id338"
Host: a2it201106:89
Content-Length: 14539
Expect: 100-continue
Connection: Close

service response:

HTTP/1.1 401 Unauthorized
Date: Wed, 12 Jul 2017 16:21:15 GMT
WWW-Authenticate: Digest qop="auth-int,auth", opaque="5db89e70-f70d-465d-a311-b5649f9b1db1", domain="/fhir/Patient/fs138", realm="My Realm", nonce="vKqqXcgM8T1wxFpAec1Xuf3EXK411wl+", algorithm="MD5,MD5-sess"
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 299
Connection: close
Server: Jetty(9.2.14.v20151106)

2nd outbound request from Neuron

PUT http://a2it201106:89/fhir/Patient/fs138 HTTP/1.1
Accept: application/xml+fhir
Accept-Encoding: deflate, gzip
User-Agent: insomnia/5.5.2
Content-Type: application/xml+fhir
Prefer: return=representation
If-Match: W/"id339"
Host: a2it201106:89
Content-Length: 14539
Expect: 100-continue
Connection: Close

We haven't been able to test with WCF, and the MS WCFTestClient tool doesn't work with connecting to RESTful services unfortunately.. 

appreciate any ideas you may have.

FYI, HttpBasic authentication is working fine with the service.

thanks.

Marc

Marc,

I have been able to verify Neuron can call a REST Service using digest authentication when the target service is also WCF.  The initial challenge response is different:;

HTTP/1.1 401 Unauthorized
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Digest qop="auth",algorithm=MD5-sess,nonce="+Upgraded+v1c247b269c4eb19e23251585aa5a9f7dda645eb6b94fcd201e5fe963ad9af4d7149b4f98806c6fd6b28f6c0a13f7a14b4dafc19a7ef0c7299",charset=utf-8,realm="Digest"
Date: Fri, 14 Jul 2017 11:29:13 GMT

My guess is there may be a WCF-Java interop issue here.  Could you please see if you can successfully call this REST service with a WCF client?

Thanks,

Joe

RSS

Neuron ESB Product Support Forums and Communities

Latest Activity

Anupama Nair posted a discussion

Marketo Adapter Invalid Token

Hi,We are using the Marketo adapter to push account updates to Marketo. It works well for some time then starts failing with Invalid Token unless restarted. Is there a configuration that can be done so it can auto refresh the token when required?Thanks!See More
Nov 6, 2023
Sayantini Basak posted a discussion

Maximum payload size(REST API) for requests interfacing to NeuronESB

I am new to Neuron ESB and in our current scenario,We need to process batch transactions comprising of ~1000 records and send them to Neuron ESB for further processing. I would like to understand what is the maximum size of payload that can be transferred using REST interface to Neuron ESB.See More
Jul 22, 2022
Profile IconRobert E Dunie and Sayantini Basak joined Neuron ESB User Network
Apr 28, 2022
Profile IconDayanand, Frederic C, Steffen Greve-Oksfeldt and 1 more joined Neuron ESB User Network
Mar 16, 2022
Profile IconCam Vong and Mitja Luznar joined Neuron ESB User Network
Jan 27, 2022
Profile IconWill Hitzges, Chad Parsons, michael larsen and 4 more joined Neuron ESB User Network
Jun 11, 2021
Anupama Nair posted a discussion

ODBC stored proc polling with temporary tables

We have set up an ODBC adapter to poll a stored proc.We found that if the stored proc has a temporary table defined the rows returned are always 0.Any idea why this would be and what we can do to get around it?See More
Dec 14, 2020
Prasanth Kharade is now a member of Neuron ESB User Network
Dec 30, 2019

Badge

Loading…

© 2024   Created by Neuron Admin.   Powered by

Badges  |  Report an Issue  |  Terms of Service