Don't reveal SwaggerHub APIKey in requests from SwaggerHub Integration for Confluence
Could you please consider proxying any authenticated calls from the Confluence page to the SwaggerHub API back through the domain that you presumably serve the widget content from (https://confluence-plugin.swaggerhub.com)? I'm not sure what constraints exist with the Confluence plugin model, but hopefully this would allow you to manage all sensitive state (ApiKey storage) externally in a location we already trust, and form the appropriate authenticated requests to the SwaggerHub API from there. As things stand right now, the SwaggerHub API requests are observable using browser dev tools as the Confluence page renders. These requests include the chosen SwaggerHub ApiKey in the authorization header. This is a security concern for us as we have external parties and partners who we grant visibility to areas of our Confluence tenant so they can view documentation which includes api specifications. Once the ApiKey is compromised, the holder has far more than the readonly-access to specific API specifications that we intended. There are probably other ways to address this, but the proxy approach seemed the most pragmatic to me. We've worked around this issue in the past with other Confluence swagger plugins by only using exported specifications that are attached to the page. However, you are in a good position to allow the convenient referencing of the api specifications in their natural home in SwaggerHub, while keeping the communication paths secure.341Views0likes0CommentsRelated to log4j and Bitbar
Hi, as recently has been revealed such a big vulnerability like log4j I wanted to ask if is Bitbar affected somehow. With the recent updates over version 2.15.0 not being a full solution as a second vulnerability has been detected, I wanted to know if this has any impact or already a patch fixing it over Bitbar. https://www.zdnet.com/article/second-log4j-vulnerability-found-apache-log4j-2-16-0-released/Solved1.2KViews0likes1CommentAvoid exfiltering OAuth Credentials in Git Repository
Hi, I am using ReadyAPI to test an OAuth2.0 secured API. I am using a Composite project with Git integration and I do not see how could I make use of Auth Manager without exfiltering my OAuth credentials into Git in plaintext, as part of the settings.xml file, within con:oAuth2ProfileContainer and con:oAuth20AuthEntry I tried using client-id and client-secret as encrypted properties, but as soon as the groovy script sets them in the profile, they appear in clear text in the settings.xml file.Solved1.1KViews1like3CommentsSSL Certificate verification missing
Hi Community, I've been trying to get SoapUI 5.5. (OpenSource) to verify and reject my self-signed ssl server certificate for security reasons (self-signed, not trusted), just like other clients do. Where can I switch the behavior between test and live environment? I need the verification enabled. In my case soapui just accepts the connection and does not even notify about any security issues. I have searched the database but didn't find much information. Thanks in advance.3.6KViews0likes10CommentsMissing a receive token call in the generated client
Hello, I have the following part for securityDefinition in my swagger 2.0 API definition: securityDefinitions: petstore_auth: type: "oauth2" tokenUrl: "http://petstore.swagger.io/oauth/dialog" flow: "password" scopes: write:pets: "modify pets in your account" read:pets: "read your pets" With this API definition I generate a C# API Client with the online Swagger Editor Tool. The generated client code does not include an API call to receive the token from the given Url "http://petstore.swagger.io/oauth/dialog". What am I missing here? Thanks in advance, DavidNo Community Help with SAML 2 Config Posts. Can some provide an example of SAML(XML) 2 in SoapUI?
I'm having difficulty configuring SAML authentication using SoapUI Pro and I've read many similar posts in Open Source community; however, they go unanswered. For example, "Could some give a sample example of SAML(XML) in SoapUI WS configuration" and "Enveloped Signature for SAML (XML) WSS Entry". SmartBear's page doesn't provide an example SAML(XML) Assertion. Collaborator has a page that goes into some depth to help the customer, but not SoapUI OS or Pro. We use ForgeRock's OpenAM to setup SAML and I think I’ve gleaned as much as I can from it. For instance, XML Canonicalization algorithm, XML digest algorithm, XML signature algorithm, ID Token Signing Algorithms supported, ID Token Encryption Algorithms supported, Circle of Trust, etc.; however, there’s no 1-for-1 match between what OpenAM provides that SoapUI Pro asks for. I've asked our DevOps/Integration teams for a SAML(XML) Assertion, but they haven't been able to accommodate, yet. Could someone give a sample example of SAML(XML) in SoapUI WS configuration? Regards,Solved4KViews0likes6CommentsSOAPUI not signing/ security header empty
Hi, Ive been stressed out by this item. Ive followed through the following guide:soapui keystore + security guide, double checked everything (keystore status = OK) and created the corresponding "Outgoing WS-Security Configurations". Added Signature and Timestamp, both items fully configured. Later I added, to my Request, a Basic Auth (pre-emptive auth: Use global preference) and pointed "Outgoing WSS" to my created configuration. The service that I need to connect with is stating: "An error occurred when verifying security for the message." I do believe that the reason behind all of this is because Im not seeing a security or signature token anywhere (or they are empty). I even tried creating a Mock Service, in order to review the exact message that Im sending and its as follows (extracted from raw): <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wcf="http://wcf.dian.colombia"> <soap:Header xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"/><wsa:Action>http://wcf.dian.colombia/IWcfDianCustomerServices/GetStatus</wsa:Action></soap:Header> <soap:Body> <wcf:GetStatus> <wcf:trackId>1d1</wcf:trackId> </wcf:GetStatus> </soap:Body> </soap:Envelope> As stated, this is almost empty. I reviewed other cases on site and they tended to go into two directions: * Incorrect or missing configuration: Im pretty sure Ive followed through every required step, I even checked multiple guides on this item. * Invalid JKS store: I tried with multiple certificates, even created one following a guide from smartbear for this purpose (right now, Im unsure which) and, as stated, all of them show Status = OK. Im terrible frustrated by this, which I do require for work, so if anyone could point me out on the correct direction... Ill really appreciate it. Thanks!4KViews0likes1CommentSecuring the default page of OpenAPI documentation
Dear community, I am trying to generate OpenAPI documentation for my existing .net core Web API's. The Web API's are protected by AAD B2C (by OAuth 2.0 spec). But when implementing the open API documentation, the default documentation page popping up without any credential verififcaiton. Since my requirement is to make the default page that lists the titles and documentation as well need an authentication before displaying that page. I was thinking to have separate authorization filter for documentation path, but how to configure the handshaking part of OAuth is looking grey to me. Could someone help me on this? Regards, Shanmugam