Announcement Announcement Module
Collapse
No announcement yet.
Signing SOAP Faults Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Signing SOAP Faults

    Hello,

    I'm currently successfully using Spring-WS to sign SOAP Responses (only signing, no encryption), using an interceptor configuration as such:

    <bean class="org.springframework.ws.soap.server.endpoint .SoapFaultAnnotationExceptionResolver"/>
    <bean class="org.springframework.ws.server.endpoint.mapp ing.PayloadRootAnnotationMethodEndpointMapping">
    <property name="interceptors">
    <list>
    <ref bean="loggingInterceptor"/>
    <ref bean="wsSecurityInterceptor"/>
    </list>
    </property>
    </bean>

    With the wsSecurityInterceptor being a org.springframework.ws.soap.security.xwss.XwsSecur ityInterceptor, and the logging interceptor being a personal interceptor.

    SOAP Responses are correctly signed (soapUI verifies this), however since I use a thrown Exception from within an annotation-mapped endpoint for generating SOAP Faults, I can't explicitly generate a fault message. I would expect a generated SOAP Fault to be picked up by the wsSecurityInterceptor. However, nothing gets signed in this case (the SOAP Fault simply has no security header).

    I would appreciate any insights anyone may have on this.

    Thanks in advance.

  • #2
    The security interceptors currently ignore soap faults (both on client and server side). To work around this, you subclass the interceptor, and override handleFault() to do as you see fit.

    Comment


    • #3
      ah thanks. I'll give that a try.

      As another question: is it possible to use spring-ws in a pure client setting? Because I haven't found the documentation to do this, and therefore use plain JAX-WS for calling out to other services, and I'm not looking forward to having to layer xwss on top of that by hand.

      Comment


      • #4
        Yes you can. Check out the client side section in the manual.

        Comment


        • #5
          Thanks! The server side signs the faults perfectly now, and I managed to get a client communicating with the server using the same JAXB marshalling beans, so it works great.

          However, using a security interceptor on the client side doesn't seem to work correctly. I have a Xws security interceptor which works correctly on the server (it can sign correctly, gets validated by SoapUI, and is capable of validating incoming messages correctly). Everything works great there, but if I refer to the same interceptor on the client, I get the following:

          com.sun.xml.wss.XWSSecurityException: No X509Certificate was provided
          at org.springframework.ws.soap.security.xwss.XwsSecur ityInterceptor.secureMessage(XwsSecurityIntercepto r.java:139)
          ...

          When the certificate is pointed at in the securityPolicy.xml file:

          <xwss:SecurityConfiguration xmlns:xwss="blocked by forum">
          <xwss:Sign includeTimestamp="false">
          <xwss:X509Token certificateAlias="abc"/>
          </xwss:Sign>
          </xwss:SecurityConfiguration>

          and the server correctly finds this and can sign with it. The client simply cannot. The spring context file is exactly the same for the client and the server:

          <bean id="webServiceTemplate" class="org.springframework.ws.client.core.WebServi ceTemplate">
          <constructor-arg ref="messageFactory"/>
          <property name="marshaller" ref="marshaller"/>
          <property name="defaultUri" value="snip"/>
          <property name="interceptors">
          <list>
          <ref bean="wsSecurityInterceptor"/>
          </list>
          </property>
          </bean>

          with the marshaller and interceptor being the same beans used by the server.

          Does anyone have any pointers or insights?

          Thanks in advance.

          Comment

          Working...
          X