Send a SOAP request with WSSecurity in NodeJS

Question

I'm trying to request this internal service that the team responsible for it said it needs both an Username + Password AND to be encrypted with a certificate.

I thought of using this module node-soap and I found this in the documentation:

1- https://github.com/vpulim/node-soap#wssecurity

2- https://github.com/vpulim/node-soap#wssecuritycert

It explains how to implement WSSecurity, but one rule overwrites the other. So this code won't work:

var wsSecurity = new soap.WSSecurity('username', 'password', options)
client.setSecurity(wsSecurity);

var wsSecurity = new soap.WSSecurityCert(privateKey, publicKey, password);
client.setSecurity(wsSecurity);

What is the proper way of using both strategies?

I'm a newbie on SOAP, any help would be very appreciated

what I actually need is an implementation on Node of how to do both things, maybe changing this module. — Victor Ferreira, Jun 29 '17 at 15:07
It doesn't make sense much. when you have key, you dont need username and password. — Tuan Anh Tran, Jun 29 '17 at 15:09
I've got the same need to add two types of security (that's just how the service I need to talk to is set up). I wonder @VictorFerreira, did you find a solution? — David Carboni, Jun 12 '20 at 21:13

score 1 · Answer 1 · answered Jul 24 '18 at 08:51

I'm running into the same requirement. I'm building a custom WSSecurityCertSSL security module, it's not that great but may just work. The best thing would be to modify node-soap so that you can stack multiple securities, since some (ie: ssl) deal with just the connection and others with envelope manipulation (ie: WssSecurity).

score 1 · Answer 2 · answered Aug 11 '20 at 12:38

I'm totally against modifying the source of any 3th party dependencies. It usually leads to future problems ( updates, compatibility, unsuspected bugs etc.) Here is my attempt of stacking securities.

import { IHeaders, ISecurity } from "soap";

export class SecurityStack implements ISecurity {
    private stack: ISecurity[];
    public constructor(...security: ISecurity[]) {
        this.stack = security;

        const hasPostProcessMethod = this.stack.some(s => s["postProcess"]);
        const hasToXmlMethod = this.stack.some(s => s["toXML"]);

        if(hasPostProcessMethod && hasToXmlMethod)
            throw new Error("Security with `postProcess` and those with `toXml` methods cannot be used together");

        if(!hasPostProcessMethod)
            this.postProcess = undefined;
    }

    public addOptions(options: any): void {
        this.stack.forEach(security => {
            if(security["addOptions"])
                security.addOptions(options);
        });
    }

    public toXML(): string {
        let result = "";
        this.stack.forEach(security => {
            if(security["toXML"])
                result += security.toXML();
        });
        return result;
    }

    public addHeaders(headers: IHeaders): void {
        this.stack.forEach(security => {
            if(security["addHeaders"])
                security.addHeaders(headers);
        });
    }

    public postProcess?(xml: any, envelopeKey: any): string {
        let result = xml;
        this.stack.forEach(security => {
            if(security["postProcess"])
                result = security.postProcess(xml, envelopeKey);
        });
        return result;
    }
}

And then usage:

const client =  await soap.createClientAsync(wsdl);
const sslSecurity = new soap.ClientSSLSecurity(xxx, xxx);
const wsSecurity = new soap.WSSecurity("xxx","xxx");
const securityStack = new SecurityStack(sslSecurity, wsSecurity);
client.setSecurity(securityStack);

Keep in mind that not every security methods can be combined.

Send a SOAP request with WSSecurity in NodeJS

2 Answers2