Comments (13)
I just realized another simpler way to solve it without changing much!
We could simply define a default Authenticator implementation that gets the user:password part of the URL if it exists and then returns it.
I have even just written a Rhino script that, if executed once, will fix the issue until the server is restarted. It can be put, for example, in the deploy script of any channel or in the global deploy script.
The following works, but the username and password parsing has to be done better to comply with RFC 1738 ("any ":", "@", or "/" must be encoded").
var url_userinfo_authenticator = new java.net.Authenticator({
  getPasswordAuthentication: function() {
    var userInfo = null;
    try {
      // getRequestingURL() is the URL the JDK is fetching (here the WSDL URL), so the
      // user:password part it carries can be handed back as the credentials for it.
      var url = this.getRequestingURL();
      if (url != null) {
        userInfo = url.getUserInfo();
      }
    } catch (e) {
      // Mirth's script logger; a plain e.printStackTrace() is not available on Rhino error objects.
      logger.error('url_userinfo_authenticator: ' + e);
    }
    if (userInfo != null) {
      // Split on the FIRST ':' only, so a ':' inside the password is not lost.
      // Percent-encoded characters (RFC 1738 requires ':' '@' '/' in user and password to be
      // encoded) are still not decoded here.
      var colon = userInfo.indexOf(':');
      if (colon >= 0) {
        var username = userInfo.substring(0, colon);
        var password = userInfo.substring(colon + 1);
        return new java.net.PasswordAuthentication(username, new java.lang.String(password).toCharArray());
      }
    }
    return null;
  }
});
// Registers the authenticator JVM-wide; it stays in effect until the server is restarted.
java.net.Authenticator.setDefault(url_userinfo_authenticator);
from connect.
I think that I have found the problem. In this commit prior to version 4.5.0, the existing SoapUI library that handled WSDL requests (com.eviware.soapui.impl.wsdl.support.wsdl.WsdlLoader) was replaced by the Java native javax.wsdl.xml.WSDLReader one.
The root of the problem seems to be that Mirth Connect is placing the Basic auth credentials from the connector form directly in the URL. This worked with the SoapUI library, but I think that it is forbidden on purpose in the native Java implementation at some level. In fact it makes sense, since for example I have just found a URL with credentials in the console of my server instance. This could cause passwords to be leaked for some.
I can think of a few ways to solve this bug, in no particular order:
- Rolling back to the previous library. I don't believe it is an option, as I suppose that if they have migrated to the native Java package it is for a reason.
- Setting a default java.net.Authenticator. For me this is the best and the intended way of using this library, and it even supports more authentication methods. Sadly, it is not very straightforward, as we are not able to pass the credentials directly. The only way I found to do it seems to be to define it for the entire application. My idea is to define a single Authenticator for the Mirth Connect instance with access to an in-memory user/password pair for every URL that is being requested. By identifying the requested URL using the getRequestingURL() method, we could return the right authentication credentials for each URL. Maybe just after returning a pair of credentials once, they might be automatically deleted.
- Passing a WSDLLocator object. Instead of passing a String, the library supports receiving an object that implements the WSDL download part, offering an InputSource with the XML. Here seems to be an implementation from an abandoned Apache project.
- Using another library to handle this. This would probably require an adaptation in order to process other generated objects.
- Downloading the WSDL and processing it entirely. It has the advantage of not depending on a dedicated library. Probably the hardest of all and the most prone to errors.
@jonbartels netcat or similar will not work, since at least the Mirth Connect versions prior to 4.5.0 used the HTTP authentication framework, so they wait for the server to ask back for the password if needed (the client is expecting a 401 error code along with a WWW-Authenticate header before sending the password). A simple way to reproduce this bug could be to create another channel with an HTTP listener and with Basic authentication.
Also, the bug doesn't have to do with the server receiving credentials in another format, as Basic authentication credentials are always sent and received in the same way.
The user:password URL syntax part is totally interpreted by the client to know which credentials it has to use with the server, without asking the user or obtaining them in any other way.
I also suggest a simple way to workaround this issue. It is to create another channel with an HTTP listener and an HTTP sender that acts as a proxy for the other channel, requesting the WSDL for it using the appropriate credentials. After using it, it could simply be disabled or removed.
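The single per-URL Authenticator proposed in the comment above, written out as an added example in plain Java (it is not Mirth Connect code and was not posted in the thread). Credentials are registered against a URL with the userinfo stripped, returned once when the JDK relays the server's 401 challenge and then dropped, as the comment suggests; for callers that still put user:password into the URL it falls back to parsing the userinfo with the percent-decoding the Rhino script in the first comment admits it lacks; and redact() shows the only form in which such a URL should reach a log line, which is the leak the comment describes. The class name, the soap.example.test host and the credentials are invented for the example.

```java
import java.io.ByteArrayOutputStream;
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * JVM-wide Authenticator that answers the server's 401 challenge from an in-memory
 * registry keyed by the URL being fetched, so credentials never have to sit inside the
 * URL string (where they end up in logs and consoles). Each entry is handed out once.
 */
public final class OneShotUrlAuthenticator extends Authenticator {

    private final Map<String, PasswordAuthentication> pending = new ConcurrentHashMap<>();

    /** Register credentials for the next challenge received while fetching {@code url}. */
    public void register(URL url, String user, char[] password) {
        pending.put(key(url), new PasswordAuthentication(user, password.clone()));
    }

    /** Hand out and forget the credentials registered for {@code url}; null if none. */
    PasswordAuthentication consume(URL url) {
        return url == null ? null : pending.remove(key(url));
    }

    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        if (getRequestorType() != RequestorType.SERVER) {
            return null; // answer the origin server (401) only, never a proxy (407)
        }
        URL requested = getRequestingURL();
        PasswordAuthentication pa = consume(requested);
        // Fallback for callers that still embed user:password in the URL itself.
        return pa != null ? pa : fromUserInfo(requested);
    }

    /** Registry key: scheme, host, effective port and path+query, with any userinfo stripped. */
    static String key(URL url) {
        int port = url.getPort() == -1 ? url.getDefaultPort() : url.getPort();
        return url.getProtocol() + "://" + url.getHost().toLowerCase() + ":" + port + url.getFile();
    }

    /** Parse "user:password" from the userinfo: split on the FIRST ':' only and percent-decode
     *  both parts, since RFC 1738 requires ':' '@' '/' inside them to be encoded. */
    static PasswordAuthentication fromUserInfo(URL url) {
        String info = url == null ? null : url.getUserInfo();
        if (info == null) {
            return null;
        }
        int colon = info.indexOf(':');
        String user = colon < 0 ? info : info.substring(0, colon);
        String pass = colon < 0 ? "" : info.substring(colon + 1);
        return new PasswordAuthentication(pctDecode(user), pctDecode(pass).toCharArray());
    }

    /** Percent-decoding over the raw bytes. URLDecoder is wrong here: it also turns '+' into a space. */
    static String pctDecode(String s) {
        byte[] in = s.getBytes(StandardCharsets.UTF_8);
        ByteArrayOutputStream out = new ByteArrayOutputStream(in.length);
        for (int i = 0; i < in.length; i++) {
            if (in[i] == '%' && i + 2 < in.length) {
                out.write(Integer.parseInt(new String(in, i + 1, 2, StandardCharsets.US_ASCII), 16));
                i += 2;
            } else {
                out.write(in[i]);
            }
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    /** The only form of such a URL that should ever reach a log line. */
    static String redact(URL url) {
        String info = url.getUserInfo();
        if (info == null) {
            return url.toString();
        }
        String hostPort = url.getAuthority().substring(info.length() + 1);
        return url.getProtocol() + "://***@" + hostPort + url.getFile();
    }

    public static void main(String[] args) throws Exception {
        OneShotUrlAuthenticator auth = new OneShotUrlAuthenticator();
        Authenticator.setDefault(auth); // process-wide, as proposed in the thread

        // Hypothetical WSDL endpoint and credentials; register immediately before the fetch.
        URL wsdl = new URL("https://soap.example.test/service?wsdl");
        auth.register(wsdl, "svc-user", "s3cret".toCharArray());
        // The JDK's first 401 for that URL gets the entry; a second challenge gets nothing.
        PasswordAuthentication first = auth.consume(wsdl);
        System.out.println(first.getUserName() + " : " + new String(first.getPassword()));
        System.out.println("second lookup: " + auth.consume(wsdl));

        // Fallback path: credentials embedded in the URL, encoded the way RFC 1738 demands.
        URL embedded = new URL("https://svc-user:p%40ss%3Aw%2Frd@soap.example.test/service?wsdl");
        PasswordAuthentication fromUrl = fromUserInfo(embedded);
        System.out.println(fromUrl.getUserName() + " : " + new String(fromUrl.getPassword()));
        System.out.println("log-safe form: " + redact(embedded));
    }
}
```

Two caveats for anyone wiring this into a server. Authenticator.setDefault is process-wide and is consulted only by the JDK's own HttpURLConnection stack; a client library that brings its own connection code (Apache HttpClient, whose User-Agent appears in the echo-server capture below, keeps credentials in its own CredentialsProvider) never calls it. Registering right before the fetch and consuming on first use shrinks the window in which other code in the same JVM could trigger the callback and receive the credentials, but it does not close it.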
Actually tried this - and it does not send authorization.
# npx http-echo-server
[server] event: listening (port: 3000)
[server] event: connection (socket#1)
[socket#1] event: resume
[socket#1] event: readable
[socket#1] event: end
[socket#1] event: prefinish
[socket#1] event: finish
[socket#1] event: close
[server] event: connection (socket#2)
[socket#2] event: resume
[socket#2] event: data
--> GET / HTTP/1.1
--> Host: localhost:3000
--> Connection: Keep-Alive
--> User-Agent: Apache-HttpClient/4.5.13 (Java/17.0.10)
--> Accept-Encoding: gzip,deflate
-->
-->
[socket#2] event: prefinish
[socket#2] event: finish
[socket#2] event: readable
[socket#2] event: end
[socket#2] event: close
Hi @javandre
Thanks for posting this Bug.
"and the Java9+ entries in the vmoptions file are included"
I think you need additional Java9 entries for the WebService sender to work.
This is still a bug in MC, since the suggested options should support the software that NextGen publishes. I think a workaround would be to add this to your VM options file:
--add-opens=java.base/java.util.concurrent=ALL-UNNAMED
Hi @jonbartels
We tried this today without success.
@hanspeterbrun read the latest error message. It is still a modules error but it is a DIFFERENT module.
You need additional opens entries.
Hi @jonbartels
Thanks for your comments. We added this java.io entry, too. After this we got no more errors in mirth.log, but a HTTP 401 error as response. I think that no username/password was transmitted with the request, because the destination could not read the input textfields.
Are you using hardcoded credentials or mapped values? "Test Connection" usually does not work with mapped values.
Can you change the URL to a server you control and see what it sends? You should see the appropriate authn headers. The request won't work but you should be able to see what Mirth is transmitting.
I'm a little bit confused, I think we are talking about the button "Get Operations" (not "Test Connection")...
Yes, I'm using hardcoded credentials and I'm sure they are correct (tested with SoapUI).
Unfortunately I don't have a SOAP server under my control at the moment. I'll try to check this later and then comment here.
You don't need a soap server.
e.g. if you have node installed:
npx http-echo-server
// starts a dumb HTTP listener on port 3000 and echoes requests to the console
Workaround of course is just to grab the WSDL and host it anywhere you can in fact access.
@pacmano1 seems to have reproduced the issue.
@javandre you should edit your bug report to focus ONLY on the WSDL auth issue. The opens issues were unrelated.
The relevant code that generates the auth error is:
This generates the credentials in the URL:
This generates the credentials in the format https://user:pass@domain/.... This condition is not visible in @pacmano1's test case. It also seems plausible that this format is not accepted by many servers. @pacmano1 you might need to re-try your test case with nc or a different tool to see if the credentials are being transmitted correctly.
@javandre what authentication mechanism is the SOAP server expecting you to use for the WSDL? HTTP Basic? OAuth? Something else?
Using a browser or curl, can you retrieve the WSDL with the https://user:pass@domain/.... format?
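The WSDLLocator alternative from @javandre's list of fixes above, as an added example (not Mirth Connect code, not posted in the thread) that also avoids the https://user:pass@domain/... form this comment is asking about: the locator downloads the WSDL and its imports itself and sends the Basic credentials in an Authorization header, so the reader never sees a URL carrying credentials and nothing with a password in it gets logged. It assumes the wsdl4j implementation of javax.wsdl (the javax.wsdl.xml.WSDLReader API named in the thread) is on the classpath; the class and method names are the example's own.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.UncheckedIOException;
import java.net.HttpURLConnection;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import javax.wsdl.Definition;
import javax.wsdl.factory.WSDLFactory;
import javax.wsdl.xml.WSDLLocator;
import javax.wsdl.xml.WSDLReader;
import org.xml.sax.InputSource;

/** WSDLLocator that fetches the WSDL and its imports itself, sending HTTP Basic credentials in
 *  the Authorization header; the URL handed to the reader never carries user:password. */
public final class BasicAuthWsdlLocator implements WSDLLocator {

    private final URI base;
    private final String authorization;
    private final List<InputStream> open = new ArrayList<>();
    private String latestImportUri;

    public BasicAuthWsdlLocator(String wsdlUrl, String user, char[] password) {
        this.base = URI.create(wsdlUrl);
        this.authorization = basic(user, password);
    }

    /** RFC 7617 Basic credentials: "Basic " + base64("user:password"). */
    static String basic(String user, char[] password) {
        byte[] token = (user + ":" + new String(password)).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(token);
    }

    /** True only when both URIs share scheme, host and effective port. */
    static boolean sameOrigin(URI a, URI b) {
        return a.getScheme().equalsIgnoreCase(b.getScheme())
                && a.getHost() != null && a.getHost().equalsIgnoreCase(b.getHost())
                && portOf(a) == portOf(b);
    }

    private static int portOf(URI u) {
        return u.getPort() != -1 ? u.getPort() : ("https".equalsIgnoreCase(u.getScheme()) ? 443 : 80);
    }

    @Override public InputSource getBaseInputSource() { return fetch(base); }

    @Override public String getBaseURI() { return base.toString(); }

    @Override
    public InputSource getImportInputSource(String parentLocation, String importLocation) {
        // An import is relative to the document that declares it, not to the base WSDL.
        URI resolved = URI.create(parentLocation).resolve(importLocation);
        latestImportUri = resolved.toString();
        return fetch(resolved);
    }

    @Override public String getLatestImportURI() { return latestImportUri; }

    @Override
    public void close() {
        for (InputStream in : open) { try { in.close(); } catch (IOException ignored) { } }
        open.clear();
    }

    private InputSource fetch(URI uri) {
        try {
            HttpURLConnection conn = (HttpURLConnection) uri.toURL().openConnection();
            conn.setInstanceFollowRedirects(false); // a redirect elsewhere must not carry our header
            // Credentials go only to the origin we were configured for; an import that points at a
            // third-party host is fetched anonymously instead of handing that host the password.
            if (sameOrigin(base, uri)) {
                conn.setRequestProperty("Authorization", authorization);
            }
            if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) {
                throw new IOException("HTTP " + conn.getResponseCode() + " while fetching " + uri);
            }
            InputStream in = conn.getInputStream();
            open.add(in);
            InputSource source = new InputSource(in);
            source.setSystemId(uri.toString()); // becomes parentLocation for nested imports
            return source;
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    /** Drop-in for reader.readWSDL(urlWithCredentials). */
    public static Definition read(String wsdlUrl, String user, char[] password) throws Exception {
        WSDLReader reader = WSDLFactory.newInstance().newWSDLReader();
        BasicAuthWsdlLocator locator = new BasicAuthWsdlLocator(wsdlUrl, user, password);
        try {
            return reader.readWSDL(locator);
        } finally {
            locator.close();
        }
    }
}
```

read(url, user, password) replaces a call to reader.readWSDL(urlWithCredentials). Two restrictions are deliberate: credentials are sent only to the scheme, host and port of the configured WSDL, so an import pointing at another host is fetched anonymously rather than leaking the password there, and redirects are not followed for the same reason. Sending Basic credentials preemptively instead of waiting for the 401 challenge is only acceptable over HTTPS.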