Custom HttpRIO with security header [Edit]

hello,

I have created my own Httprio 
  TDMPHTTPRIO = class(THTTPRIO)
  private
    { Déclarations privées }
    Fsecurity: TDMPsecurity;
    FXMLrequest: TXMLDocument;
    FXMLresponse: TXMLDocument;
    fquery: integer;
  protected
    { Déclarations protégées }
    procedure DoBeforeExecute(const MethodName: string; Request: TStream); override;
  public
    { Déclarations publiques }
    function AsXMLString(SoapStream: Tstream): string;
    procedure SetSecurityHeader;
    constructor Create(AOwner: TComponent); override;
    destructor Destroy; override;
  published
    { Déclarations publiées }
    property Security: TDMPsecurity read Fsecurity write Fsecurity;
  end;

with a setsecurity method.

procedure TDMPHTTPRIO.SetSecurityHeader;
var
   Header: Sec_security;
   AOf_Sec_attribute: Array_Of_Sec_attribute;
   AOf_Sec_attributeValue: Array_Of_Sec_attributeValue;
begin
   Header := Sec_security.Create;
   //Header.MustUnderstand := True;

   Header.assertion := Sec_assertion.Create;
   Header.assertion.saml := 'urn:oasis:names:tc:SAML:2.0:assertion';
   Header.assertion.xsi := 'http://www.w3.org/2001/XMLSchema-instance';
   Header.assertion.ID := '59c8ef4e-8069-4a9c-9e27-4c10ddc80e5d';
   Header.assertion.issueInstant := DateTimeToGMTStr(now);
   Header.assertion.version := '2.0';

   Header.assertion.issuer := Sec_issuer.Create;
   Header.assertion.issuer.format := 'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName';
   Header.assertion.issuer.value := 'CN='+Security.NameId+' + SURNAME='+Security.SurName+' + GIVENNAME='+Security.GivenName+', OU='+Security.DisplayName+', O=TEST, C=FR';

   Header.assertion.subject := Sec_subject.Create;
   Header.assertion.subject.nameID := Security.NameId;

   Header.assertion.authnStatement := Sec_authnStatement.Create;
   Header.assertion.authnStatement.AuthnInstant := DateTimeToGMTStr(now);
   Header.assertion.authnStatement.AuthnContext := Sec_AuthnContext.Create;
   Header.assertion.authnStatement.AuthnContext.AuthnContextClassRef := 'urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI';

   Setlength(AOf_Sec_attribute, 12);

   AOf_Sec_attribute[0] := Sec_attribute.Create;
   AOf_Sec_attribute[0].name := 'VIHF_Version';
   Setlength(AOf_Sec_attributeValue, 1);
   AOf_Sec_attributeValue[0] := Sec_attributeValue.Create;
   AOf_Sec_attributeValue[0].Value := '1.0';
   AOf_Sec_attribute[0].attributeValue := AOf_Sec_attributeValue;

  //some code removed from sample

   Header.assertion.attributeStatement := Sec_attributeStatement.Create;
   Header.assertion.attributeStatement.attribute := AOf_Sec_attribute;

   Self.SOAPHeaders.SetOwnsSentHeaders(True);
   Self.SOAPHeaders.Send(Header);
end;

i tryed to override DoBeforeExecute to call my SetSecurityHeader but it did not work

so i have to call SetSecurityHeader myself manually before i execute TDMPHTTPRIO 

is there a way to do it automatically by overriding a THTTPRIO method ?

Thanks

Edited by: Christophe LACH on Sep 29, 2011 3:22 AM
0
Christophe
9/29/2011 10:22:50 AM
embarcadero.delphi.webservices 976 articles. 0 followers. Follow

4 Replies
3114 Views

Similar Articles

[PageSpeed] 38

Hello,

>
> I have created my own Httprio
>  TDMPHTTPRIO = class(THTTPRIO)
>  private
>    { Déclarations privées }
>    Fsecurity: TDMPsecurity;
>    FXMLrequest: TXMLDocument;
>    FXMLresponse: TXMLDocument;
>    fquery: integer;
>  protected
>    { Déclarations protégées }
>    procedure DoBeforeExecute(const MethodName: string; Request: TStream); 
> override;
>  public
>    { Déclarations publiques }
>    function AsXMLString(SoapStream: Tstream): string;
>    procedure SetSecurityHeader;
>    constructor Create(AOwner: TComponent); override;
>    destructor Destroy; override;
>  published
>    { Déclarations publiées }
>    property Security: TDMPsecurity read Fsecurity write Fsecurity;
>  end;
>
> with a setsecurity method.
>
> procedure TDMPHTTPRIO.SetSecurityHeader;
> var
>   Header: Sec_security;
>   AOf_Sec_attribute: Array_Of_Sec_attribute;
>   AOf_Sec_attributeValue: Array_Of_Sec_attributeValue;
> begin
>   Header := Sec_security.Create;
>   //Header.MustUnderstand := True;
>
>   Header.assertion := Sec_assertion.Create;
>   Header.assertion.saml := 'urn:oasis:names:tc:SAML:2.0:assertion';
>   Header.assertion.xsi := 'http://www.w3.org/2001/XMLSchema-instance';
>   Header.assertion.ID := '59c8ef4e-8069-4a9c-9e27-4c10ddc80e5d';
>   Header.assertion.issueInstant := DateTimeToGMTStr(now);
>   Header.assertion.version := '2.0';
>
>   Header.assertion.issuer := Sec_issuer.Create;
>   Header.assertion.issuer.format := 
> 'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName';
>   Header.assertion.issuer.value := 'CN='+Security.NameId+' + 
> SURNAME='+Security.SurName+' + GIVENNAME='+Security.GivenName+', 
> OU='+Security.DisplayName+', O=TEST, C=FR';
>
>   Header.assertion.subject := Sec_subject.Create;
>   Header.assertion.subject.nameID := Security.NameId;
>
>   Header.assertion.authnStatement := Sec_authnStatement.Create;
>   Header.assertion.authnStatement.AuthnInstant := DateTimeToGMTStr(now);
>   Header.assertion.authnStatement.AuthnContext := Sec_AuthnContext.Create;
>   Header.assertion.authnStatement.AuthnContext.AuthnContextClassRef := 
> 'urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI';
>
>   Setlength(AOf_Sec_attribute, 12);
>
>   AOf_Sec_attribute[0] := Sec_attribute.Create;
>   AOf_Sec_attribute[0].name := 'VIHF_Version';
>   Setlength(AOf_Sec_attributeValue, 1);
>   AOf_Sec_attributeValue[0] := Sec_attributeValue.Create;
>   AOf_Sec_attributeValue[0].Value := '1.0';
>   AOf_Sec_attribute[0].attributeValue := AOf_Sec_attributeValue;
>
>  //some code removed from sample
>
>   Header.assertion.attributeStatement := Sec_attributeStatement.Create;
>   Header.assertion.attributeStatement.attribute := AOf_Sec_attribute;
>
>   Self.SOAPHeaders.SetOwnsSentHeaders(True);
>   Self.SOAPHeaders.Send(Header);
> end;
>
> i tryed to override DoBeforeExecute to call my SetSecurityHeader but it 
> did not work
>
> so i have to call SetSecurityHeader myself manually before i execute 
> TDMPHTTPRIO
>
> is there a way to do it automatically by overriding a THTTPRIO method ?
>

DoBeforeExecute is too late to set any headers. It's the call that leads to 
the OnBeforeExecute event: so by then the SOAP runtime has already created 
the request (with any headers that had been set) and the idea is to give 
some access to the raw request stream. It seems that you'd want to override 
a method that's invoked *before* any serialization occurs. That would be 
DoDispatch (http://docwiki.embarcadero.com/VCL/en/Rio.TRIO.DoDispatch) but 
it's not virtual:(.

In the past I've configured/setup headers when I retrieve the RIO. For 
example, this is from an old example that was used to talk to eBay:

{code}
function getEbayInterface(Rio: THTTPRIO; callname: string): 
eBayAPIInterface;
var
  SecurityHdr: RequesterCredentials;              // eBay security header
  Credentials: UserIdPasswordType;                // eBay credentials
begin
   SecurityHdr := RequesterCredentials.Create;
   Credentials := UserIdPasswordType.Create;

   SecurityHdr.eBayAuthToken        := Token;
   SecurityHdr.Credentials          := Credentials;
   SecurityHdr.Credentials.AppId    := AppID;
   SecurityHdr.Credentials.DevId    := DevID;
   SecurityHdr.Credentials.AuthCert := CertID;

   Rio.SOAPHeaders.Send(SecurityHdr);
   Rio.SOAPHeaders.SetOwnsSentHeaders(True);
   Rio.URL := EndPoint;

  Result := Rio as eBayAPIInterface;

//  RIO.Converter.Options := RIO.Converter.Options + [soDontSendEmptyNodes];

  Rio.URL := ENDPOINT + callname  +
            '&siteid=0' +
            '&appid='   + AppID   +
            '&version=' + VERSION +
            '&Routing=new';
end;
{code}

The caller would use the above as follows:

{code}
  service := getEbayInterface(RIO, 'GeteBayOfficialTime');
  req := GeteBayOfficialTimeRequest.Create();
  try
    InitRequest(req);
    res := service.GeteBayOfficialTime(req);
    try
    ...
{code}

Not as elegant as overriding a virtual in the RIO, I'll admit. We could 
probably make DoDispatch virtual for the case you described. If time allows, 
please do open a QC for this: it would be trivial to remedy. Thank you.

Cheers,

Bruneau
0
Jean
9/29/2011 4:51:14 PM
> Not as elegant as overriding a virtual in the RIO, I'll admit. We could 
> probably make DoDispatch virtual for the case you described. If time allows, 

Already using this technique learned from you with google's help.

> please do open a QC for this: it would be trivial to remedy. Thank you.

Done.  http://qc.embarcadero.com/wc/qcmain.aspx?d=99471

but low chances to get attention ... because my current delphi is XE not XE2 ... and XE2 reports will logicaly be priorized.

if you can edit the version to XE2 and set an XE2 build N° ... than maybe ;) 

but i would prefer them to work on http://qc.embarcadero.com/wc/qcmain.aspx?d=95937   ... 
because if we cannot generate usable headers and complete the application for the 31/12/2011 we will loose a contract of 100000€ of public funds :(

sadly support is aware of the wsdlimp problem but reports the fix to 'later when XE2 will be released' without giving us a date and without knowing about our deadline. Now XE2 is released and we wait ... hoping for a solution before end of the year that lets us time to program before the deadline.

Thank you
Cheers
Chris

Edited by: Christophe LACH on Sep 30, 2011 2:58 AM
0
Christophe
9/30/2011 9:59:57 AM
Hello,

>
> Done.  http://qc.embarcadero.com/wc/qcmain.aspx?d=99471
>

Thank you! I'll check in a fix for this.


>
> but i would prefer them to work on 
> http://qc.embarcadero.com/wc/qcmain.aspx?d=95937   ...
>

I'll check on this. The problem here is more XML-schema instead of SOAP 
related. IOW, the WSDL Importer uses the same logic that we use in the XML 
Data Binding... and there have been some issues in that area. I can't 
promise anything but I'll inquire.

Cheers,

Bruneau
0
Jean
10/3/2011 10:13:29 PM
> I'll check on this. The problem here is more XML-schema instead of SOAP 
> related. IOW, the WSDL Importer uses the same logic that we use in the XML 
> Data Binding... and there have been some issues in that area. I can't 
> promise anything but I'll inquire.
> 
> Cheers,
> 
> Bruneau

Thank you.

i managed to create some header with delphi 2010 wsdlimp, by cutting the wsdl in two and writting myself a merge tool for the two .pas results. We started working with this for now ... but i'm not sure the result is complete ... and how compatible with XE2 the 2010 headers are ?

Wsdlimp from delphi XE always failed using huge amounts of memory. (It uses less memory when i replace include keyword by import keyword, but i don't know if it's correct to do this (probably not)). anyway even with less memory usage it still fails.

Cheers
Chris
0
Christophe
10/6/2011 10:05:23 AM
Reply:

Similar Artilces:

Add custom headers to request header TidHttp [Edit]
Suppose I want to either correct existing request headers.. or add a custom non-standard request header if it does not not already exist. At what point can I do that? If I add headers to CustomHeaders, it clears all normal request headers. (Confirmed by using Ethereal/WireShark)... Which is not the desired result in my case :) What is the correct method of adding/correcting custom headers? <Thomas Schulz> wrote in message news:374355@forums.embarcadero.com... > Suppose I want to either correct existing request headers.. Such as? > or add a custom non-standard request hea...

Delphi 2010 webservice consumer pass null strings to webservice [Edit]
Hello, I need to consume a webservice that is developed in java ( thas all that I know ). I have a HTTPRIO componente and have import the webservice file win the WSDL importer. Til here everything is allright but when I run the application all the parameters reach the webservice as null. I have made some webservice and consumers but I never have had problems ( I make the server and the client ) I test to do the same with prism and c++ bilder and it go allright, but I need it to do in delphi Thanks PD: Pleas be patient, my English is not good Edited by: Adrian Zussino on Sep 8, 2010 3...

Webservices Security Error [Edit]
Hello, Please help, the error message I get from delphi, *"cannot process the message because the content type 'text/xml charset"utf-8"' was not expected type 'application/soap+xml; charset=utf-8'"* {code} procedure TForm1.Button1Click(Sender: TObject); var servis:KPSServices; istek:TcKimlikNoIleKisiSorgula; cevap:TcKimlikNoIleKisiSorgulaResponse; Header: Security; SOAPHeaders: ISOAPHeaders; begin HTTPRIO1.HTTPWebNode.GetHTTPReqResp.UserName:='2'; HTTPRIO1.HTTPWebNode.GetHTTPReqResp.Password:='2'; servi...

Assigning custom headers of TIdHTTPResponseInfo [Edit]
I'm using TIdHTTPServer to write a small web server. PHP files are being parsed by the PHP CGI and I send it's result as stream back to the client (through TIdHTTPResponseInfo->ContentStream). The PHP CGI returns self generated headers with it's output - by default: X-Powered-By: PHP/5.3.9 Content-type: text/html Now I have two questions: 1. Can I set the stream's Position attribute to the place after PHP's custom header so TIdHTTPServer send not the entire stream I assigned to TIdHTTPResponseInfo->ContentStream, or do I have to remove that part manually? TIdH...

HTTPRIO and Delphi XE Pro [Edit]
I was intending to delete this post but did not find the "Delete" button Thanks Edited by: Softwarex.ro Administrator on Dec 16, 2011 1:47 PM Deleted question ...

Custom Header in Custom GridView
I am adding a Custom Header to a GridView to be able to add a TextBox for filtering as follows:                GridViewRow gvRow = new GridViewRow(0, -1, DataControlRowType.Header, DataControlRowState.Normal);                TableCell tableCell = new TableHeaderCell();                tableCell.HorizontalAlign = HorizontalAlign.Right;      &n...

How to recover a SOAP Header in a Delphi Win32 WebService?
I'm trying to implement authentication across of SOAP header in my webservice. The WebService is developed in Delphi XE (Win32) and is accessed by application an .NET (C #). I could not find documentation and working examples of a webservice with this type of authentication.The other option would be to create parameters in all functions of the webservice passing the username and password, but would not want to do this. Declared in the interface (INTF) a class of type "TSoapHeader" with the properties you need in this case, username and password! {code} THeader = class(...

XML WebService Custom Authentication with Soap Header
I'm trying the custom soap header authentication in this example: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconsecuringaspnetwebservices.asp I put the two long C# codes in a .cs file and register the module in web.config. It seems to work. When a XML consumer pass a request with username and password in soap header, it actually launch the WebServiceAuthenticationEvent. I can see the user/password passed into public WebServiceAuthenticationEvent(HttpContext context, string user, string password) However, it never reach the Authenticate() and A...

Delphi 2010
Hi With new Delphi 2010 code i can't have a Dbgrid with ColumnClick event and column header Themed. i have see a new option in dbgrid : dgTitleClick :( if i active this property i lost themed blue rettangule when i move mouse over the column header ( it is like a very old dbgrid ) i'm using ThemedDBGrid unit , but don't work more in D2010 ( column header not Themed with OnTitleClick Assigned and dgTitleClick set to True ) How i can active ALL FEATURES of THEMED with OnTitleClick Assigned ? Edited by: Mauro Botta on Oct 13, 2009 11:54 AM upppp...

How to remove the Security header default unit namespace ? [Edit]
i'm generating a security header with the Self.SOAPHeaders.SetOwnsSentHeaders(True); Self.SOAPHeaders.Send(Header); commands but i get a namespace NS3 generated with the name of my delphi unit where the security header Tremotables are located. <soap:Header xmlns:NS3="urn:SOAPsecurity"> i need simply <soap:Header> to you have an idea where the NS3 comes from ? my class registrations are like this implementation const NS_SECEXT = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'; ...

Having problems with the Delphi "Custom Styles" or skins [Edit]
I started a new app in Delphi XE2. I added a TStaticText which was tall enough to show 4 lines of text. Then I added a TLabel. Depending on what the user does, the TLabel can display Yes or *No* where 'No' is bolded and red in color. When I apply any skin at all, the TStaticText no longer word wraps (which is not a property I can set or override). It only shows one line of text and the other three dissapear off to the right. When I apply my skin, the TLabel still allows bolding, but my font color does not work. A skin should only override system colors like clBtnFace. It sh...

SEPA components for Delphi with Source Code (Delphi 5
Hi all, in the european union change next year the Bankingformat to the SEPA Format. All peoples and companies must change the bankingssoftware and the costumer data form acountnummers in the new IBAN and BIC numbers. See: http://www.arma-it.de/shop/artikelueber.php?wgruppeid=211&wgruppe_offen=211 Functions: - generate SEPA XML'S - Calc IBAN - BIC Database (DE,AT and CH) Questions: vertrieb@arma-it.de PS: Bankinssoftware for Develpoers (Germany only) http://www.arma-it.de/shop/artikelueber.php?wgruppeid=212&wgruppe_offen=212 El 26/10/13 21:38, A...

superreview requested: [Bug 356860] Custom columns from message headers : [Attachment 242809] add ability to customize headers we store in the .msf file
David Bienvenu <bienvenu@nventure.com> has asked Scott MacGregor <mscott@mozilla.org> for superreview: Bug 356860: Custom columns from message headers https://bugzilla.mozilla.org/show_bug.cgi?id=356860 Attachment 242809: add ability to customize headers we store in the .msf file https://bugzilla.mozilla.org/attachment.cgi?id=242809&action=edit ------- Additional Comments from David Bienvenu <bienvenu@nventure.com> this allows extensions to set/add to a pref controlling which headers we download and parse, and store in the .msf file, accessible from nsIMsgHdr...

superreview granted: [Bug 356860] Custom columns from message headers : [Attachment 242809] add ability to customize headers we store in the .msf file
Scott MacGregor <mscott@mozilla.org> has granted David Bienvenu <bienvenu@nventure.com>'s request for superreview: Bug 356860: Custom columns from message headers https://bugzilla.mozilla.org/show_bug.cgi?id=356860 Attachment 242809: add ability to customize headers we store in the .msf file https://bugzilla.mozilla.org/attachment.cgi?id=242809&action=edit ------- Additional Comments from Scott MacGregor <mscott@mozilla.org> This can probably get removed: + else + { + } This should be really cool David! ...

Web resources about - Custom HttpRIO with security header [Edit] - embarcadero.delphi.webservices

Krebs on Security
The House Financial Services Committee is slated to hold a hearing this Friday on the impact of cyber heists against small- to mid-sized businesses. ...

Security Middle East - Latest news from the Middle East.
Security Middle East is a news portal for the entire security industry, focussed specifically on latest security news from the Middle East. Security ...

Information Security News, IT Security News & Expert Insights: SecurityWeek.Com
IT Security News and Information Security News, Cyber Security, Network Security, Enterprise Security Threats, Cybercrime News and more. Information ...

Security (finance) - Wikipedia, the free encyclopedia
equity securities, e.g., common stocks ; and, The company or other entity issuing the security is called the issuer . A country's regulatory ...

Foodbank Bunbury thieves ram security guard's car, attempt to run him over
Thieves who carried out a heartless robbery on a Bunbury charity rammed the car of a security guard who tried to stop them and then tried to ...

Dell To Add Off-Host BIOS Verification To Endpoint Security Suite Enterprise
... one of the few companies that does complete end to end solutions for the enterprise. Part of that end to end solution is Dell’s Endpoint Security ...

Why the Internet of Things is a security nightmare
The good guys over at Context Information Security have cracked Motorola’s outdoor security camera just to point out how the Internet of Things ...

Tech-savvy Bay Area ramps up security for Super Bowl 50
More than 50 law enforcement and government agencies are working to keep the big game secure, using new technologies

THIS is the weak link in global security
In an age of terror, its high time that global leaders get this unregulated industry under control, says Ami Daniel.

Poor Wi-Fi security
Yesterday, while waiting for a dentist, I took out my phone, turned on the Wi-Fi and poked around. What I found was depressing. First, let me ...

Resources last updated: 2/4/2016 9:08:31 PM