Web Services changes
There are changes in support of web services in Genero 3.20.
Changes to how GWS handles cookies
- WSHelper.WSServerCookiesType has a new
member (
sameSite
) added to the record to specify how cookies are sent to other sites. Three values are possibles for sending cookies: "Strict", "Lax", or "None". The default is "Lax". IfNULL
, the default "Lax" is used. - The com.HttpServiceRequest.setResponseCookies method taking
WSHelper.WSServerCookiesType
as parameter may raise a runtime error if thesameSite
attribute is not set correctly. For instance, you can not set it to "None" if secure is not set toTRUE
. This raises the errorSameSite None value requires Secure to be set
.
SameSite="Strict"
on the secure cookie ensures that only the exact URL
the cookie has been set with will return the cookie to the server. If not set, the GWS sets
each cookie's sameSite attribute as "Lax".To have SameSite available, you must recompile your sources with fglcomp 3.20.13 or greater.
Single sign-on (OpenID Connect, SAML, and GIP) sameSite security
Single sign-on (SSO) services delivered in the Genero Web Services package under $FGLDIR/web_utilities/services have enhancements in FGLGWS 3.20.13 to set "Strict" on the sameSite attribute of security cookies.
If you have previously used these protocols to authenticate users launching applications, ensure you use the services delivered in FGLGWS 3.20.13 and higher to take advantage of the SameSite security feature.
For more information about SSO, see the Genero Application Server User Guide.
sameSite security cookie set to lax for OpenID Connect and SAML
From FGLGWS 3.20.14 onwards, the sameSite attribute of security cookies used in OpenID Connect and SAML Single sign-on (SSO) services delivered in the Genero Web Services package is set to "Lax" instead of "Strict". As the security cookie is used to perform URL redirection to the Identity Provider, it is used only once to authenticate the user log in; therefore, there is no need to restrict its use.
SSO functionality is applied differently in the Genero Identity Provider (GIP). The GIP retains the cookie. If the authenticated user selects the option to "stay connected" at log in, any further authentication requests coming from the same browser are silently authorized by the GIP without requesting the user to log in again. The cookie forwarded must identify the user to the GIP, so its sameSite attribute is set to "Strict" to ensure it comes from the same domain, and is not sent via a third-party site.
No action needs to be taken on your part, but if you have previously used these protocols to authenticate users launching applications, ensure you use the services delivered in the Genero Web Services package under $FGLDIR/web_utilities/services of FGLGWS 3.20.14 and higher.
For more information about SSO, see the Genero Application Server User Guide.
XML serializer is case sensitive
From FGLGWS 3.20 on, the XML serializer is case sensitive, same as the JSON serializer. This means that the serializer uses the case of the variable name as defined in the 4GL file.
What impact has this on my existing Web services? It is recommended to:
- Generate a new client and server stub via the fglwsdl tool.
- The tool has an enhancement which does not generate
XMLName
attributes, unless they are really needed. - If you do not generate the stub, the
XMLName
attribute is still taken into account, so it should not have any impact.
- The tool has an enhancement which does not generate
- Check on server sides that all published SOAP web services input and output records are in lower case. This ensures compatibility with older versions. If backward compatibility is not an issue, then you must query the server WSDL file and generate the client stub from it.
For more details, see Customizing XML serialization.
Control HTTP Date header for GET, HEAD and DELETE requests
Starting with FGLGWS 3.20.00, the FGLPROFILE entry
http.global.request.date
can be used to control whether GWS HTTP GET,
HEAD and DELETE requests must send the HTTP Date header.
For more details, see HTTP configuration.
Support for empty HTTP POST or PUT requests
DEFINE req com.HttpRequest
LET req = com.HttpRequest.Create("http://tempuri.org")
CALL req.setMethod("POST") # or PUT
CALL req.doRequest()
Prior to GWS 3.20.01, the doRequest()
call returned error code -15555 and
the error message "Unsupported request-response feature".
readTextRequest()
will be
NULL
:DEFINE ser com.HttpServiceRequest
DEFINE txt STRING
LET ser = com.WebServiceEngine.getHttpServiceRequest(-1)
IF ser.getMethod() == "POST" THEN
LET txt = ser.readTextRequest()
IF txt IS NULL THEN
DISPLAY "No body"
END IF
END IF
Notice that the Content-Type is still checked and may raise an error, if it doesn't match.
So using readXmlRequest()
must have a Content-Type of XML format, even if
the body is empty. In practice, it is recommended to check the Content-Type before doing any
read operation.
For more details, see com.HttpRequest.doRequest.
New high-level RESTful framework
Genero BDL 3.20 provides a new framework for RESTful Web services programming.
Changes to security.global.protocol in FGLPROFILE
Starting with FGLGWS 3.20.07, GWS secured communication is based on the OpenSSL 1.1 engine. This version of OpenSSL always selects the security protocol. It no longer allows you to specify a specific Transport Layer Security (TLS) or Secure Sockets Layer (SSL).
The security.global.protocol
entry in the fglprofile
file is therefore no longer supported.
security.global.protocol = "TLSv1.2"
to
configure OpenSSL to use TLSv1.2 for HTTPS for earlier versions, you may encounter the
following error message in your Web
service:OpenSSL 1.1 doesn't support specific protocol anymoreIt is therefore recommended to remove the
security.global.protocol
entry from
your fglprofile file. For more information on Web service security
configuration see Web Services FGLPROFILE configuration.XMLChoice = "nested" attribute option
Starting with FGLGWS 3.20, the fglwsdl tool now supports the attribute
XMLChoice="nested"
option to produce an XML representation supporting a
substitutionGroup
. A substitutionGroup in an XML schema is where one XML
element can be replaced by another element that has a substitutionGroup with the same name.
See Example 3: Using XMLChoice="nested" for substitutionGroup.
This change applies if you have previously used XMLChoice for a WSDL containing a substitutionGroup.
If in versions prior to FGLGWS 3.20 you had a variable that was expected to serialize an
XMLChoice
value, you can set XMLChoice="nested"
attribute on that variable to improve the serialization options and to avoid serializer
errors.
- Recompile the Genero Web Service server to create a new WSDL that supports the XML
XMLChoice="nested"
feature. - Regenerate all Genero Web Service client stubs from the newly-generated WSDL to get
the support of
XMLChoice="nested"
. Regenerate client stubs using the fglwsdl tool.
fglwsdl -xmlname option
Starting with FGLGWS 3.20.14, the fglwsdl -xmlname
option is added to generate variables named with XMLName attributes in stubs. The option may be used if
you need to serialize sub records when generating stubs.
For more details, see fglwsdl.
Changes to default IP version used by a GWS client
Starting with FGLGWS 3.20.15, the default IP protocol version used by a GWS client is now IPv4.
The ip.global.version
entry in the fglprofile can be
used to set the IP version. For instance, if you want to use IPv6, set
ip.global.version="IPv6"
.
The previous default was to use IPv6 if available, and fall back on IPv4 if not. In some
cases, the fallback led to performance issues. To use this previous behavior, set
ip.global.version="undefined"
.
For more information on Web service IP configuration see IPv6 configuration.
Support for validating filenames in WSAttachments
WSAttachment
attribute
supports validating file names in received files. There is an option to specify that the
file name must match a regular expression pattern on the server side.
WSAttachment = "[a-zA-Z0-9_]*\.[a-zA-Z0-9_]*"
Prior to FGLGWS 3.20.15, file names in file attachments were not validated. It is recommended to use a regexp pattern to limit file names to a set of allowed characters, to avoid the risk of code injection. For more information, see WSAttachment.
Support for RFC 8693 in the Genero Identity Provider (GIP) creation of OAuth ID and access tokens with scopes
Starting with FGLGWS 3.20.17 (and FGLGWS 4.01.02), the GIP follows the standard RFC 8693 as the default method when creating OAuth ID and access tokens with the scope parameter.
Prior to 3.20.17, GIP created a JSON Web Token (JWT) with a "scopes" element defined as a JSON array for the list of scopes. Now, according to the RFC 8693 standard, the JWT has a "scope" element defined as a string with the scopes in a space-separated list.
No action needs to be taken on your part, but if you have previously used the GIP to authenticate users launching applications and you want to use the new scope member, ensure that the OpenIDConnectServiceProvider.xcf and the GeneroAccessService.xcf delivered in the Genero Web Services package under $FGLDIR/web_utilities/services use FGLGWS 3.20.17 or higher. The OpenIDConnectService and GeneroAccessService services have been enhanced to handle both the old and new methods for exchanging scopes.
For more information about GIP, see the Genero Application Server User Guide.
Dynamic zlib loading (to use system zlib)
Starting with FGLGWS 3.20.17 (and FGLGWS 4.01.03), the GWS modules requiring compression will search for the zlib library installed on the operating system, and fallback to a zlib library provided in FGLDIR/lib/wse.
In previous versions, a specific zlib was linked statically in libfglutils.so, that could enter into conflict with other components, such as JVM using the zlib of the system.
For more details, see GWS uses zlib to compress data.