
  • Issue with Spring-ws-security and X509Token


    I am trying to make a connection to an existing secured webservice. I am able to make a successful connection to the webservice with SoapUI. In SoapUI I configured my keystore, selecting the alias of my certificate and selecting a Binary Security Token as Key Identifier Type. I also send a timestamp.

    As stated, this works all without issue. Thus I assume my keystore and certificate are correct.

    I'm building an application to do the signing for me, using:
    and a dependency to:
    My securityPolicy.xml:
    <?xml version="1.0" encoding="UTF-8"?>
    <xwss:SecurityConfiguration xmlns:xwss=""
                                dumpMessages="true" enableDynamicPolicy="false">
        <xwss:Sign id="signature">
            	valueType="" />
    When I look at the raw content of my WSS header in SoapUI, my BinarySecurityToken looks like:
    <wsse:BinarySecurityToken EncodingType="" ValueType="" wsu:Id="CertId-DBA866EF453B448F94134330378528513" xmlns:wsu="">
    The securityPolicy above generates the exact same BinarySecurityToken (with a different id). BinarySecurityToken comes from xws-security-1.3.1 as a dependency of Spring-ws-security.

    However, when I send a request to webservice, using this configuration, I get the following Soap Fault:
             <faultcode xmlns:_ns0="">_ns0:InvalidSecurityToken</faultcode>
             <faultstring>SECU1045: Authentication identity is malformed. Reason: Malformed WS-Security binary token</faultstring>
             <detail>SECU3003: Error encountered while decoding certificate. Reason: invalid DER-encoded certificate data</detail>
    This surprises me, as I am able to send requests to the webservice, using the exact same keystore. The code responsible for the signing does work for other WSS secured webservices, with a different securityPolicy. E.g. this one works (for a webservice that doesn't need the certificate in the requests):
    <xwss:SecurityConfiguration xmlns:xwss=""
                                dumpMessages="true" enableDynamicPolicy="false">
        <xwss:Sign id="signature" includeTimestamp="false">
            <xwss:X509Token certificateAlias="alias"/>
    Can anyone point me in the right direction? I noticed that the content in the BinarySecurityToken from SoapUI contains a lot more 'text' than the one XWSSProcessor2_0Impl adds. However, I don't know how/if I can change that generated text.

  • #2
    Tiny update: I want to add the full chain of the certificate (our own, path to CA + CA) in the WSS Header, but only the first certificate is added via the X509SecurityToken. I can't find support for X509PKIPathv1 in XWS-Security (com.sun.xml.wss or com.sun.xml.wsit). MessageConstants also doesn't support it.

    Is it possible somehow to add a X509PKIPathv1 BinarySecurityToken with the Spring-ws-security stack? Or am I trying to do something that isn't supported?
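The SECU3003 fault in the first post says the service could not decode the token as DER, and the follow-up asks about sending the full chain as X509PKIPathv1. The following script is an added diagnostic written for this thread; it is not part of the original posts and not code from XWSS, Spring-WS or SoapUI. It takes the base64 text of a wsse:BinarySecurityToken (for example copied out of the message dump that dumpMessages="true" produces), decodes it and reports whether the DER is the shape of a single X509v3 certificate, the shape of an X509PKIPathv1 value (a SEQUENCE OF Certificate, which is how a full chain is carried), or something the receiver would reject. The sample tokens at the bottom are constructed stand-ins that only reproduce the outer DER layout of certificates; they are not real certificates.

```python
"""Classify what the base64 content of a WS-Security BinarySecurityToken decodes to.

Added example for this thread; the DER walker only inspects tags and lengths,
it does not validate signatures or certificate contents.
"""
import base64
import re

TAG_SEQUENCE = 0x30    # ASN.1 SEQUENCE / SEQUENCE OF
TAG_BIT_STRING = 0x03  # signatureValue of a Certificate


def der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, offset of the value)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def der_children(buf):
    """Split the content of a constructed value into (tag, content) pairs; exact fit required."""
    pos, out = 0, []
    while pos < len(buf):
        tag = buf[pos]
        length, vpos = der_len(buf, pos + 1)
        if vpos + length > len(buf):
            raise ValueError("DER element overruns its container")
        out.append((tag, buf[vpos:vpos + length]))
        pos = vpos + length
    return out


def der_top(buf):
    """Return (tag, content) of the single outer element; reject trailing or missing bytes."""
    tag = buf[0]
    length, vpos = der_len(buf, 1)
    if vpos + length != len(buf):
        raise ValueError("trailing bytes or truncated outer element")
    return tag, buf[vpos:vpos + length]


def looks_like_certificate(tag, content):
    """Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE, signatureValue BIT STRING }."""
    if tag != TAG_SEQUENCE:
        return False
    try:
        kids = der_children(content)
    except (ValueError, IndexError):
        return False
    return [k[0] for k in kids] == [TAG_SEQUENCE, TAG_SEQUENCE, TAG_BIT_STRING]


def classify_bst(token_text):
    """Describe the base64 text of a BinarySecurityToken: kind, number of certs, reason."""
    if "-----BEGIN" in token_text:
        return {"kind": "pem-text", "certs": 0, "reason": "PEM armor present; token must be raw base64 of DER"}
    cleaned = re.sub(r"\s+", "", token_text)  # tokens are often wrapped across lines
    try:
        raw = base64.b64decode(cleaned, validate=True)
    except Exception:
        return {"kind": "malformed", "certs": 0, "reason": "not valid base64"}
    try:
        tag, content = der_top(raw)
    except (ValueError, IndexError):
        return {"kind": "malformed", "certs": 0, "reason": "not a well-formed DER element"}
    if looks_like_certificate(tag, content):
        return {"kind": "X509v3", "certs": 1, "reason": "single DER certificate"}
    if tag == TAG_SEQUENCE:
        try:
            kids = der_children(content)
        except (ValueError, IndexError):
            kids = []
        if kids and all(looks_like_certificate(t, c) for t, c in kids):
            return {"kind": "X509PKIPathv1", "certs": len(kids), "reason": "SEQUENCE OF Certificate"}
    return {"kind": "malformed", "certs": 0, "reason": "DER does not match Certificate or PKIPath"}


# --- constructed sample tokens (stand-ins with certificate-shaped DER, not real certs) ---
def der(tag, content):
    """Encode one DER TLV (lengths below 65536 are enough for the samples)."""
    n = len(content)
    if n < 0x80:
        hdr = bytes([tag, n])
    elif n < 0x100:
        hdr = bytes([tag, 0x81, n])
    else:
        hdr = bytes([tag, 0x82]) + n.to_bytes(2, "big")
    return hdr + content


def fake_certificate(serial):
    """Constructed stand-in: INTEGER serial and an OID inside tbs, an algId, a 32-byte BIT STRING."""
    tbs = der(TAG_SEQUENCE, der(0x02, bytes([serial])) + der(0x30, b"\x06\x03\x2a\x03\x04"))
    alg = der(TAG_SEQUENCE, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))
    sig = der(TAG_BIT_STRING, b"\x00" + bytes(32))
    return der(TAG_SEQUENCE, tbs + alg + sig)


SINGLE_CERT_B64 = base64.b64encode(fake_certificate(1)).decode()
PKIPATH_B64 = base64.b64encode(
    der(TAG_SEQUENCE, fake_certificate(1) + fake_certificate(2) + fake_certificate(3))).decode()
PEM_TEXT = "-----BEGIN CERTIFICATE-----\n" + SINGLE_CERT_B64 + "\n-----END CERTIFICATE-----"
TRUNCATED_B64 = base64.b64encode(fake_certificate(1)[:40]).decode()

if __name__ == "__main__":
    for name, tok in [("single", SINGLE_CERT_B64), ("chain", PKIPATH_B64),
                      ("pem", PEM_TEXT), ("truncated", TRUNCATED_B64)]:
        print(name, classify_bst(tok))
```

Paste the real token text from the SoapUI request and from the XWSS dump into classify_bst to compare them: a token whose DER is a single certificate needs the X509v3 ValueType, a SEQUENCE OF Certificate needs the X509PKIPathv1 ValueType, and a "malformed" result narrows the SECU3003 fault to the bytes rather than the ValueType or Id attributes.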