
  • Signing a SOAP message

    My first question is: does anyone know of a good howto, tutorial or working example of how to perform the simple task of signing a SOAP message on the client side and verifying it on the server side (one including all necessary configuration files and a proper pom.xml)?
    Unfortunately the Spring documentation is only rudimentary on this issue, and after struggling for a few days I am still stuck with the same problem.

    At the moment I have a working example which sends a signed message to the server, but the server fails to verify it. The response I got is:
    com.sun.xml.wss.impl.WssSoapFaultException: Signature verification failed

    I have set up my client to use KeyStoreCallbackHandler and sign the message before sending it to the service. Here is my applicationContext.xml:

    <!-- Client bean: defaultUri targets the local spring-wss deployment over plain HTTP;
         keystoreHandler refers to the callback handler (next bean) that signs the outgoing request. -->
    <bean id="holidayClient" class="com.tiskis.wsclient.HolidayServiceClient">
    <property name="defaultUri" value="http://localhost:8080/spring-wss"/>
    <property name="keystoreHandler" ref="keyStoreHandler" />
    </bean>

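    <!-- Client-side XWSS callback handler. The fully-qualified class name must not contain a space
         (the forum's word wrap had split "callback"); Spring cannot load the class otherwise.
         defaultAlias selects the key-store entry used for signing and privateKeyPassword is the
         password paired with that entry. -->
    <bean id="keyStoreHandler" class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
    <property name="keyStore" ref="keyStore"/>
    <property name="defaultAlias" value="ws-client"/>
    <property name="privateKeyPassword" value="ws-pwd"/>
    </bean>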

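    <!-- Loads client-keystore.jks from the classpath with the given store password.
         Package name repaired: "support" had been split by the forum's word wrap. -->
    <bean id="keyStore" class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
    <property name="location" value="classpath:client-keystore.jks"/>
    <property name="password" value="keyStorePassword"/>
    </bean>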

    The client itself works fine and produces the following XML:

    2008.02.09 11:58:00 com.sun.xml.wss.impl.filter.DumpFilter process
    INFO: ==== Sending Message Start ====
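    <?xml version="1.0" encoding="UTF-8"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Header>
    <!-- WS-Security header as sent by the client: an X.509 BinarySecurityToken (the certificate the
         KeyInfo below points at), an XML-DSig Signature, and a digest UsernameToken with nonce and Created.
         Forum artifacts repaired: spaces inserted into the base64 lines, and "<ds:DigestMethod>" /
         "<ds:DigestValue>" whose ":D" had been eaten by the forum renderer. -->
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1">
    <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="XWSSGID-1202554680156-245171579">MIIBmjCCAQMCBEekgncwDQYJKoZIhvcNAQEEBQAwFDESMBAGA1UEAxMJd3MtY2xpZW50MB4XDTA4
    MDIwMjE0NDcxOVoXDTA4MDUwMjE0NDcxOVowFDESMBAGA1UEAxMJd3MtY2xpZW50MIGfMA0GCSqG
    SIb3DQEBAQUAA4GNADCBiQKBgQCfx/T4njKBVBgwX4Rw7at2E1vf9eIQsLwXZNATs5DtWyWzRHW8
    4fkmdoh/Qao1G66gzMfoEmWTqaLLirPkBbfeCUJ5qEsWzzeoY1cyHUCVHbyTXcM4o26fmhwBdd+7
    lzZzxE48cPuXLtc33jCyBva3oJp+JEinlWcuCwCv4gb+7wIDAQABMA0GCSqGSIb3DQEBBAUAA4GB
    AJDmLVHAdrBtZkJye63VwoTffoWkUocH3lYQErXRuc1Fu3eo4OtqilbblD6qS3rhtr/JjOrMYzRN
    Mu5KhenEt6LSb2sO//yg+91Km61YqXa8EjQ8YP0MxLfH2ohCdvXb31vgty5YXSYGkT37CqVxy9WL
    5zc9upA1A7Rdd79Wflq0</wsse:BinarySecurityToken>
    <!-- The single ds:Reference targets the Body's wsu:Id, so only the Body is covered by the signature;
         the UsernameToken is outside the signed scope and no wsu:Timestamp is present
         (the client policy has includeTimestamp="false"). -->
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#XWSSGID-1202554680218-1852736734">
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>OJUemKehXiTNjerWai2bp0vtb6A=</ds:DigestValue>
    </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>eKGe/ugInvGWT5fPC0Wyg1Fb2HdxN9yRSVe2aCRUMiJf4tSpvu8vdf+2Gl8k78R5Fj60etLJUiHB
    c4KpXVq8r9GbEVQvhlDIO7aegEJmPVqd6rvtqswKVDQXjdOXzfF+zITuuBds8TUAJWk603JOgZWm
    gdUbK8MkFccjp5K/mY0=</ds:SignatureValue>
    <ds:KeyInfo>
    <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1202554680156-1214939264">
    <wsse:Reference URI="#XWSSGID-1202554680156-245171579" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    </ds:Signature>
    <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-120255467942140355907">
    <wsse:Username>domagoj</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">****</wsse:Password>
    <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">50e4LO8GTQVkq18FY8FYx65J</wsse:Nonce>
    <wsu:Created>2008-02-09T10:58:00Z</wsu:Created>
    </wsse:UsernameToken>
    </wsse:Security>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1202554680218-1852736734">
    <hr:HolidayRequest xmlns:hr="http://tiskis.com/hr/schemas">
    <hr:Holiday>
    <hr:StartDate>2008-02-09</hr:StartDate>
    <hr:EndDate>2008-02-09</hr:EndDate>
    </hr:Holiday>
    <hr:Employee>
    <hr:Number>33333333</hr:Number>
    <hr:FirstName>DomagojX</hr:FirstName>
    <hr:LastName>Madunic</hr:LastName>
    </hr:Employee>
    </hr:HolidayRequest>
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>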
    ==== Sending Message End ====
    My security policy file for the client is as follows:

    <!-- Client XWSS policy. dumpMessages="true" is what produces the "Sending Message" trace above.
         UsernameToken: user "domagoj" is sent as a password digest with a nonce (see the
         UsernameToken in the dump). Sign: signs the message without a wsu:Timestamp, which matches
         the server policy's requireTimestamp="false" further down. -->
    <xwss:SecurityConfiguration dumpMessages="true" xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">

    <xwss:UsernameToken name="domagoj" password="domagoj" useNonce="true" digestPassword="true"/>
    <xwss:Sign includeTimestamp="false" />

    </xwss:SecurityConfiguration>

    I have the correct key store in the path (client-keystore.jks) and it contains all the necessary data.

    The server configuration is pretty simple:
    ============================
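    <!-- Routes by payload root QName: {http://tiskis.com/hr/schemas}HolidayRequest (the Body element
         in the dump above) is mapped to holidayEndpoint. Interceptors are listed in this order:
         payload logging, then the WS-Security interceptor defined below.
         Class names repaired: "mapping" and "interceptor" had been split by the forum's word wrap. -->
    <bean class="org.springframework.ws.server.endpoint.mapping.PayloadRootQNameEndpointMapping">
    <property name="mappings">
    <props>
    <prop key="{http://tiskis.com/hr/schemas}HolidayRequest">holidayEndpoint</prop>
    </props>
    </property>
    <property name="interceptors">
    <list>
    <bean class="org.springframework.ws.server.endpoint.interceptor.PayloadLoggingInterceptor" />
    <ref bean="wsSecurityInterceptor" />
    </list>
    </property>
    </bean>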

    <!-- ============ security ================= -->

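    <!-- Server-side XWSS interceptor: applies the policy from securityPolicy.xml (presumably the
         RequireUsernameToken/RequireSignature configuration shown further down) and hands XWSS
         callbacks to the two handlers listed here. Class name repaired: "XwsSecurityInterceptor"
         had been split by the forum's word wrap. -->
    <bean id="wsSecurityInterceptor" class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
    <property name="policyConfiguration" value="classpath:securityPolicy.xml" />
    <property name="callbackHandlers">
    <list>
    <ref bean="simplePasswordValidationHandler" />
    <ref bean="keyStoreHandler" />
    </list>
    </property>
    </bean>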

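    <!-- Server-side handler: only a trustStore is wired (no keyStore or private key), i.e. this bean
         can verify but not sign. NOTE(review): verification needs the client's certificate to be
         found in that trust store — confirm this handler actually receives
         SignatureVerificationKeyCallback, since the debugging note below reports SignatureKeyCallback.
         Class name repaired: "callback" had been split by the forum's word wrap. -->
    <bean id="keyStoreHandler" class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
    <property name="trustStore" ref="trustStore" />
    </bean>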

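    <!-- Loads server-keystore.jks (which holds the client's imported certificate) from the classpath.
         Package name repaired: "support" had been split by the forum's word wrap. -->
    <bean id="trustStore" class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
    <property name="location" value="classpath:server-keystore.jks" />
    <property name="password" value="keyStorePassword" />
    </bean>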

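    <!-- Validates the inbound UsernameToken against a fixed user/password map; the single entry
         matches the client's <xwss:UsernameToken name="domagoj" password="domagoj"> above.
         Class name repaired: "callback" had been split by the forum's word wrap. -->
    <bean id="simplePasswordValidationHandler"
    class="org.springframework.ws.soap.security.xwss.callback.SimplePasswordValidationCallbackHandler">
    <property name="users">
    <props>
    <prop key="domagoj">domagoj</prop>
    </props>
    </property>
    </bean>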

    Again, server-keystore.jks is in the path and contains the imported signing certificate from the client.
    My server xwss configuration is:
    <!-- Server XWSS policy, the counterpart of the client policy above: the inbound UsernameToken
         must carry a password digest and a nonce (as the client sends it) and a signature is required.
         requireTimestamp="false" mirrors the client's includeTimestamp="false", so no wsu:Timestamp
         is expected in the header. -->
    <xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">

    <xwss:RequireUsernameToken passwordDigestRequired="true" nonceRequired="true" />
    <xwss:RequireSignature requireTimestamp="false"/>

    </xwss:SecurityConfiguration>

    Libraries:
    I am using the xwss 2.0 jars and JDK 1.5.0_13.

    After some debugging I have noticed that the callback handled by KeyStoreCallbackHandler is never SignatureVerificationKeyCallback, but always SignatureKeyCallback. Why?

    Any help?