
  • add soap header

    Hello,

    I am trying to create a web service with AbstractDomPayloadEndpoint.
    I need to sign the payload with xmldsig and add the signature to a SOAP header.

    How do I access the MessageContext? Do I have to use another class instead of AbstractDomPayloadEndpoint?

    Thanks in advance,
    César.

  • #2
    Originally posted by cesar
    I am trying to create a web service with AbstractDomPayloadEndpoint.
    I need to sign the payload with xmldsig and add the signature to a SOAP header.

    How do I access the MessageContext? Do I have to use another class instead of AbstractDomPayloadEndpoint?

    You most definitely want to do so in an EndpointInterceptor, because:
    • It has full access to the MessageContext, and
    • Signing messages is an AOP-like cross-cutting concern, that has little to do with the actual endpoint code, but can be applied to multiple endpoints (using DOM or not).

    The basic idea should be that you:
    1. implement SoapEndpointInterceptor
    2. implement handleResponse(); all other methods should be no-ops
    3. cast the MessageContext to SoapMessageContext (since you want to add a SOAP header)
    4. get the response SoapMessage from the soap message context
    5. sign the payload from the response using an xmldsig library
    6. add a SoapHeaderElement with the signature to the SoapHeader of the response

    I must say that I am very much interested in your solution for this, since XML signatures are also something on my TODO list. If you need any more help, please contact me.

    Cheers,



    • #3
      Hello poutsma,
      thanks for your help.
      I'll try to do it like you said.



      • #4
        Hello,

        Like poutsma said, I have implemented SoapEndpointInterceptor.handleResponse().
        I wanted to add an Id attribute to the SOAP body (to sign the body later), but when I add it:
        Code:
                  SoapMessageContext soapMessageContext = (SoapMessageContext)messageContext;
                  SoapMessage messageResponse = soapMessageContext.getSoapResponse();
                  SoapEnvelope envelope = messageResponse.getEnvelope();
                  Source envelopeSource = envelope.getSource();
                  Document docEnvelopeSource = toDomMessagePayload(envelopeSource);
                  //Id attribute creation
        
                  Element body = (Element)docEnvelopeSource.getElementsByTagNameNS("http://schemas.xmlsoap.org/soap/envelope/", "Body").item(0);
                  logger.info("[SignatureInterceptor.handleResponse] body.getTagName(): " + body.getTagName());
                  body.setAttribute("Id", identificador);
        when I look at the response in the client, the body doesn't have the Id attribute, and the signature does not verify.

        Another question: I add the Signature (firmaSource) to the header like this:
        Code:
                    QName signature = QNameUtils.toQName("http://...", "tns:firma");
                    SoapHeader header = messageResponse.getSoapHeader();
                    SoapHeaderElement headerElement = header.addHeaderElement(signature);
                    Result headerResult = headerElement.getResult();
                    transform(firmaSource, headerResult);
        and the SOAP header is:
        Code:
        <SOAP-ENV:Header><tns:firma xmlns:tns="http://..."><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
        ...
        How can I add the Signature without the firma element? Like this:
        Code:
        <SOAP-ENV:Header><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
        ...
        Thanks in advance,
        César.



        • #5
          Originally posted by cesar
          Like poutsma said, I have implemented SoapEndpointInterceptor.handleResponse().
          I wanted to add an Id attribute to the SOAP body (to sign the body later), but when I add it:
          Code:
                    SoapMessageContext soapMessageContext = (SoapMessageContext)messageContext;
                    SoapMessage messageResponse = soapMessageContext.getSoapResponse();
                    SoapEnvelope envelope = messageResponse.getEnvelope();
                    Source envelopeSource = envelope.getSource();
                    Document docEnvelopeSource = toDomMessagePayload(envelopeSource);
                    //Id attribute creation
          
                    Element body = (Element)docEnvelopeSource.getElementsByTagNameNS("http://schemas.xmlsoap.org/soap/envelope/", "Body").item(0);
                    logger.info("[SignatureInterceptor.handleResponse] body.getTagName(): " + body.getTagName());
                    body.setAttribute("Id", identificador);
          when I look at the response in the client, the body doesn't have the Id attribute, and the signature does not verify.

          When you are transforming the envelope source to a DOM document, you are basically creating a copy. And adding the id attribute to that copy obviously doesn't change the original.

          I will add code to add attributes to SoapElements today. I haven't done so in the past, because I want to keep the API as small as possible. So far, I have had no need for attributes on SoapElements, but obviously, we do now :-).

          Originally posted by cesar
          Another question: I add the Signature (firmaSource) to the header like this:
          Code:
                      QName signature = QNameUtils.toQName("http://...", "tns:firma");
                      SoapHeader header = messageResponse.getSoapHeader();
                      SoapHeaderElement headerElement = header.addHeaderElement(signature);
                      Result headerResult = headerElement.getResult();
                      transform(firmaSource, headerResult);
          and the SOAP header is:
          Code:
          <SOAP-ENV:Header><tns:firma xmlns:tns="http://..."><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo>
          ...
          How can I add the Signature without the firma element? Like this:
          Code:
          <SOAP-ENV:Header><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo>
          ...
          You cannot do this yet. I will try and think of a way to accomplish this without breaking the whole SoapMessage abstraction. Not every message is based on DOM (some are based on streaming APIs), so you can't just put everything in there.

          However, are you sure you want to add the ds:Signature element as a top-level header? WS-Security indicates that you should put it under a special <wsse:Security/> block.

          I am writing some WS-Security code right now, perhaps we can help each other out? My MSN and Skype ids are above this message, and I sent you a private message with my email address.

          Cheers,

          Arjen
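
The two points from this thread (the Id must be set on the document that is actually sent, not on a copy, and the ds:Signature belongs under a wsse:Security header), as an added example that is not code from the thread or from Spring-WS. It uses only the JDK's DOM and javax.xml.crypto.dsig APIs; the envelope content, the Id value `body-1`, the class name and the throwaway RSA key are constructed for illustration.

```java
import java.io.StringReader;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class SignSoapBody {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    // Constructed sample response; the header already holds an empty wsse:Security block.
    static final String XML = "<SOAP-ENV:Envelope xmlns:SOAP-ENV='" + SOAP + "'><SOAP-ENV:Header>"
        + "<wsse:Security xmlns:wsse='" + WSSE + "'/></SOAP-ENV:Header>"
        + "<SOAP-ENV:Body><reply xmlns='urn:example'>ok</reply></SOAP-ENV:Body></SOAP-ENV:Envelope>";

    // Validates with a key the verifier already trusts, not one carried in the message.
    static boolean verify(XMLSignatureFactory f, PublicKey key, Document doc) throws Exception {
        Node sig = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext vc = new DOMValidateContext(key, sig);
        return f.unmarshalXMLSignature(vc).validate(vc);
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(XML)));
        Element body = (Element) doc.getElementsByTagNameNS(SOAP, "Body").item(0);
        Element security = (Element) doc.getElementsByTagNameNS(WSSE, "Security").item(0);
        // Set Id on the node that will be sent (not a copy) and register it as an XML ID;
        // without setIdAttribute the "#body-1" reference cannot be resolved.
        body.setAttribute("Id", "body-1");
        body.setIdAttribute("Id", true);
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); // throwaway demo key
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
        Reference ref = f.newReference("#body-1", f.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(f.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = f.newSignedInfo(
            f.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            f.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        DOMSignContext sc = new DOMSignContext(kp.getPrivate(), security); // parent of ds:Signature
        sc.setDefaultNamespacePrefix("ds");
        f.newXMLSignature(si, null).sign(sc);
        System.out.println("valid after signing:   " + verify(f, kp.getPublic(), doc));
        body.getFirstChild().setTextContent("tampered"); // any change to the signed Body breaks the digest
        System.out.println("valid after tampering: " + verify(f, kp.getPublic(), doc));
    }
}
```

A receiver that parses the message from the wire has to register the Body's Id attribute as an XML ID again before validating, because that registration is not part of the serialized document.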