  • Issue with Spring-ws-security and X509Token

    Hello,

    I am trying to make a connection to an existing secured webservice. I am able to make a successful connection to the webservice with SoapUI. In SoapUI I configured my keystore, selecting the alias of my certificate and selecting a Binary Security Token as Key Identifier Type. I also send a timestamp.

    As stated, this all works without issue, so I assume my keystore and certificate are correct.


    I'm building an application to do the signing for me, using:
    Code:
    <spring-version>3.0.5.RELEASE</spring-version>
    <spring-ws-version>2.0.0.RELEASE</spring-ws-version>
    and a dependency to:
    Code:
    <dependency>
        <groupId>org.springframework.ws</groupId>
        <artifactId>spring-ws-security</artifactId>
        <version>2.1.0.RELEASE</version>
        <exclusions>
            <exclusion>
                <groupId>org.apache.ws.security</groupId>
                <artifactId>wss4j</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    My securityPolicy.xml:
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config"
                                dumpMessages="true" enableDynamicPolicy="false">
    
        <xwss:Sign id="signature">
            <xwss:X509Token
                certificateAlias="alias"
                keyReferenceType="Direct"
                valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" />
        </xwss:Sign>
        <xwss:RequireSignature/> 
    </xwss:SecurityConfiguration>
    When I look at the raw content of my WSS header in SoapUI, my BinarySecurityToken looks like:
    Code:
    <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="CertId-DBA866EF453B448F94134330378528513" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    The securityPolicy above generates the exact same BinarySecurityToken (with a different id). BinarySecurityToken comes from xws-security-1.3.1 as a dependency of Spring-ws-security.

    However, when I send a request to the webservice using this configuration, I get the following Soap Fault:
    Code:
          <soap:Fault>
             <faultcode xmlns:_ns0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">_ns0:InvalidSecurityToken</faultcode>
             <faultstring>SECU1045: Authentication identity is malformed. Reason: Malformed WS-Security binary token</faultstring>
             <detail>SECU3003: Error encountered while decoding certificate. Reason: java.security.cert.CertificateParsingException: invalid DER-encoded certificate data</detail>
          </soap:Fault>
    This surprises me, as I am able to send requests to the webservice using the exact same keystore. The code responsible for the signing does work for other WSS secured webservices, with a different securityPolicy. E.g. this one works (for a webservice that doesn't need the certificate in the requests):
    Code:
    <xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config"
                                dumpMessages="true" enableDynamicPolicy="false">
    
        <xwss:Sign id="signature" includeTimestamp="false">
            <xwss:X509Token certificateAlias="alias"/>
        </xwss:Sign>
    
        <xwss:RequireSignature/> 
    </xwss:SecurityConfiguration>
    Can anyone point me in the right direction? I noticed that the content in the BinarySecurityToken from SoapUI contains a lot more 'text' than the one XWSSProcessor2_0Impl adds. However, I don't know how/if I can change that generated text.

  • #2
    Tiny update: I want to add the full chain of the certificate (our own, path to CA + CA) in the WSS Header, but only the first certificate is added via the X509SecurityToken. I can't find support for X509PKIPathv1 in XWS-Security (com.sun.xml.wss or com.sun.xml.wsit). MessageConstants also doesn't support it.

    Is it possible somehow to add an X509PKIPathv1 BinarySecurityToken with the Spring-ws-security stack? Or am I trying to do something that isn't supported?
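    The two ValueTypes involved here carry different DER structures: #X509v3 is the DER encoding of one certificate, while #X509PKIPathv1 is the DER encoding of a PkiPath (an ASN.1 SEQUENCE OF Certificate, ordered from the certificate issued by the trust anchor down to the end-entity certificate). A receiver that sees #X509PKIPathv1 decodes the Base64 value as a PkiPath, so a value that is really a single certificate fails to parse. The following is an added example, not code from the thread and not part of Spring-WS or XWSS; it does not show how to make the XWSS policy emit a PkiPath, only what the token value has to contain and how to check which structure a dumped token value actually holds. It uses only the JDK's CertPath support for the "PkiPath" encoding; the class name, the command-line arguments (keystore path, store password, alias, optional token value) and Java 8+ (java.util.Base64) are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import java.util.Base64;

/*
 * Added example (not from the thread, not Spring-WS/XWSS code).
 *   #X509v3        -> DER of ONE X.509 certificate
 *   #X509PKIPathv1 -> DER of a PkiPath: SEQUENCE OF Certificate
 * The JDK produces and consumes the PkiPath encoding through CertPath.
 */
public class PkiPathToken {

    static final String X509V3 =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
    static final String X509_PKIPATH_V1 =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1";

    /** Base64 PkiPath of the whole chain stored under alias (KeyStore returns it leaf first). */
    public static String pkiPathValue(KeyStore ks, String alias) throws Exception {
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            throw new IllegalStateException("no certificate chain under alias '" + alias
                + "' (only a PrivateKeyEntry carries a chain)");
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // A CertPath is ordered target first; getEncoded("PkiPath") writes it in
        // PkiPath order (certificate issued by the trust anchor first, target last).
        CertPath path = cf.generateCertPath(Arrays.asList(chain));
        return Base64.getEncoder().encodeToString(path.getEncoded("PkiPath"));
    }

    /** Base64 of just the end-entity certificate, i.e. what an #X509v3 token carries. */
    public static String x509v3Value(KeyStore ks, String alias) throws Exception {
        Certificate leaf = ks.getCertificate(alias);
        if (leaf == null) {
            throw new IllegalStateException("no certificate under alias '" + alias + "'");
        }
        return Base64.getEncoder().encodeToString(leaf.getEncoded());
    }

    /**
     * Diagnostic for a value copied out of a dumped WSS header: reports which of the
     * two ValueTypes the Base64 content actually matches, regardless of what the
     * ValueType attribute on the token claims. Returns null if it parses as neither.
     */
    public static String actualValueType(String base64Value) throws CertificateException {
        byte[] der = Base64.getMimeDecoder().decode(base64Value);   // tolerates line breaks
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try {
            cf.generateCertificate(new ByteArrayInputStream(der));   // single certificate?
            return X509V3;
        } catch (CertificateException notASingleCert) {
            try {
                cf.generateCertPath(new ByteArrayInputStream(der), "PkiPath");   // PkiPath?
                return X509_PKIPATH_V1;
            } catch (CertificateException notAPath) {
                return null;
            }
        }
    }

    /** Usage: java PkiPathToken keystore.jks storepass alias [base64TokenValueToClassify] */
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        String alias = args[2];
        String pki = pkiPathValue(ks, alias);
        System.out.println("#X509PKIPathv1 value (" + ks.getCertificateChain(alias).length + " certs):");
        System.out.println(pki);
        System.out.println("parses as: " + actualValueType(pki));
        System.out.println("#X509v3 value parses as: " + actualValueType(x509v3Value(ks, alias)));
        if (args.length > 3) {
            System.out.println("given token value parses as: " + actualValueType(args[3]));
        }
    }
}
```

    Running actualValueType over the Base64 content of the SoapUI token and of the XWSS-generated token tells you whether the two differ in structure (a PkiPath of several certificates versus one bare certificate) rather than just in length; a value that reports #X509v3 while the token is labelled #X509PKIPathv1 is exactly the mismatch that a receiver reports as a failure to decode the certificate. Whether the root CA itself belongs in the chain is up to the receiving service; the chain that SoapUI sends and the service accepts is the one to match.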
