  • XwsSecurity Interception - the correct xws-security implementation for 1.5.7?

    I am using Xws Security where my client and service are both spring ws 1.5.7 based.

    The client and the server both reside in the same eclipse project. So whatever server has, the client has too.

    My serverSecurityPolicy.xml
    Code:
    <xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    	<xwss:RequireSignature requireTimestamp="false">
    		<xwss:X509Token certificateAlias="alias1" />
    		<xwss:CanonicalizationMethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    		<xwss:SignatureMethod algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    	</xwss:RequireSignature>
    
    	<xwss:RequireEncryption id="enc1">
    		<xwss:X509Token certificateAlias="alias1" id="token1"/>
    	</xwss:RequireEncryption>
    </xwss:SecurityConfiguration>
    My ClientSecurityPolicy.xml
    Code:
    <xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    	<xwss:Sign id="signature" includeTimestamp="false">
    		<xwss:X509Token certificateAlias="alias1" />
    		<xwss:CanonicalizationMethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    		<xwss:SignatureMethod algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
    	</xwss:Sign>
    
    	<xwss:Encrypt id="enc1">
    		<xwss:X509Token certificateAlias="alias1" id="token1"/>
    	</xwss:Encrypt>
    </xwss:SecurityConfiguration>

    Here is the formatted data the client sends to the service; I have removed the base64 data for readability.

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    	<SOAP-ENV:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
    		<wsse:Security
    			xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    			SOAP-ENV:mustUnderstand="1">
    			<wsse:BinarySecurityToken
    				xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    				EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
    				ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
    				wsu:Id="token1"
    				xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    				base64Data
    			</wsse:BinarySecurityToken>
    			<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    				Id="XWSSGID-1250598455657-364754404">
    				<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"
    					xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" />
    				<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    					<wsse:SecurityTokenReference
    						xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    						<wsse:Reference URI="#token1"
    							ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
    					</wsse:SecurityTokenReference>
    				</ds:KeyInfo>
    				<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    					<xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    						base64Data
    					</xenc:CipherValue>
    				</xenc:CipherData>
    			</xenc:EncryptedKey>
    			<xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    				<xenc:DataReference URI="#XWSSGID-1250598455875-479363074" />
    			</xenc:ReferenceList>
    			<wsse:BinarySecurityToken
    				xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    				EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
    				ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
    				wsu:Id="XWSSGID-125059845548541647699"
    				xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    				base64Data
    			</wsse:BinarySecurityToken>
    			<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    				Id="signature">
    				<ds:SignedInfo>
    					<ds:CanonicalizationMethod
    						Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
    						<InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"
    							PrefixList="wsse wsa SOAP-ENV" />
    					</ds:CanonicalizationMethod>
    					<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
    					<ds:Reference URI="#XWSSGID-1250598455626263387424">
    						<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    						<ds:DigestValue>base64Data digest
    						</ds:DigestValue>
    					</ds:Reference>
    				</ds:SignedInfo>
    				<ds:SignatureValue>
    					base64Data signature data</ds:SignatureValue>
    				<ds:KeyInfo>
    					<wsse:SecurityTokenReference
    						xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    						wsu:Id="XWSSGID-1250598455610-1523446675"
    						xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    						<wsse:Reference URI="#XWSSGID-125059845548541647699"
    							ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
    					</wsse:SecurityTokenReference>
    				</ds:KeyInfo>
    			</ds:Signature>
    		</wsse:Security>
    		<wsa:To SOAP-ENV:mustUnderstand="1">
    			http://localhost:8080/services/price</wsa:To>
    		<wsa:Action>http://www.pricecompany.com/prices/main
    		</wsa:Action>
    		<wsa:MessageID>urn:uuid:a22c3ea1-6257-4a4a-8dec-20f8d9bd2eb8
    		</wsa:MessageID>
    	</SOAP-ENV:Header>
    	<SOAP-ENV:Body
    		xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    		wsu:Id="XWSSGID-1250598455626263387424">
    		<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    			Id="XWSSGID-1250598455875-479363074" Type="http://www.w3.org/2001/04/xmlenc#Content">
    			<xenc:EncryptionMethod
    				Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"
    				xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" />
    			<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    				<wsse:SecurityTokenReference
    					xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    					<wsse:Reference URI="#XWSSGID-1250598455657-364754404" />
    				</wsse:SecurityTokenReference>
    			</ds:KeyInfo>
    			<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    				<xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">base64 Data
    				</xenc:CipherValue>
    			</xenc:CipherData>
    		</xenc:EncryptedData>
    	</SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
    In my pom.xml, I tried all

    Code:
    	<dependency>
    		<groupId>com.sun.xml.wsit</groupId>
    		<artifactId>wsit-rt</artifactId>
    		<version>1.3.1</version>
    	</dependency>
    
    	<dependency>
    		<groupId>com.sun.xml.wsit</groupId>
    		<artifactId>xmldsig</artifactId>
    		<version>1.1</version>
    	</dependency>
    
    	<dependency>
    		<groupId>com.sun.xml.wsit</groupId>
    		<artifactId>xws-security</artifactId>
    		<version>1.3.1</version>
    	</dependency>
    
    	<dependency>
    		<groupId>org.springframework.ws</groupId>
    		<artifactId>spring-ws-security</artifactId>
    		<version>${spring.ws.version}</version>
    		<exclusions>
    			<exclusion>
    				<groupId>com.sun.xml.wss</groupId>
    				<artifactId>xws-security</artifactId>
    			</exclusion>
    			<exclusion>
    				<groupId>javax.xml.crypto</groupId>
    				<artifactId>xmldsig</artifactId>
    			</exclusion>
    		</exclusions>
    	</dependency>
    as well as Spring WS's default dependency

    Code:
    	<dependency>
    		<groupId>com.sun.xml.wss</groupId>
    		<artifactId>xws-security</artifactId>
    		<version>2.0-FCS</version>
    	</dependency>
    I also downloaded xws-security-3.1 and tried that too. Just to confirm, I cleaned the project before trying either of the xws implementations.

    Enough about the environment; here is my problem.

    The service fails with:
    Code:
    Exception in thread "main" org.springframework.ws.soap.client.SoapFaultClientException: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.PolicyViolationException: Expected Signature Element as per receiver requirements, found  ReferenceList; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.PolicyViolationException: Expected Signature Element as per receiver requirements, found  ReferenceList
    	at org.springframework.ws.soap.client.core.SoapFaultMessageResolver.resolveFault(SoapFaultMessageResolver.java:37)
    	at org.springframework.ws.client.core.WebServiceTemplate.handleFault(WebServiceTemplate.java:738)
    	at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:564)
    	at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:502)
    	at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:457)
    	at org.springframework.ws.client.core.WebServiceTemplate.sendSourceAndReceiveToResult(WebServiceTemplate.java:403)
    	at org.springframework.ws.client.core.WebServiceTemplate.sendSourceAndReceiveToResult(WebServiceTemplate.java:394)
    The funny thing is that the message makes perfect sense to me: it does not like the ReferenceList element appearing before the Signature element, as you can see in the XML above.

    How can we force the XWS implementation to do what it is supposed to do?

    If I enable only one of Signature or Encryption for the web service, it all works fine. It is only when both are enabled that the service complains about the element ordering of the client XML.

    Any pointers much appreciated.
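    The receiver fault above is about the order of children inside the wsse:Security header. As an added diagnostic (not code from this thread, from XWSS or from Spring WS), the Python script below reports that order for a captured envelope and checks that every URI="#..." reference resolves to an element carrying a matching Id or wsu:Id; SAMPLE is a constructed, trimmed copy of the client message's layout, with the base64 content replaced by placeholders.

```python
"""Report the child order of a wsse:Security header and check that every
URI="#..." reference resolves. Added example, not code from the thread,
XWSS or Spring WS; SAMPLE is a constructed, trimmed copy of the post's message."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Constructed sample: same header element order as the client message in the post.
SAMPLE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="%(soap)s" xmlns:wsse="%(wsse)s"
  xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s" xmlns:xenc="%(xenc)s">
 <SOAP-ENV:Header><wsse:Security SOAP-ENV:mustUnderstand="1">
  <wsse:BinarySecurityToken wsu:Id="token1">b64</wsse:BinarySecurityToken>
  <xenc:EncryptedKey Id="ek1"><ds:KeyInfo><wsse:SecurityTokenReference>
   <wsse:Reference URI="#token1"/></wsse:SecurityTokenReference></ds:KeyInfo></xenc:EncryptedKey>
  <xenc:ReferenceList><xenc:DataReference URI="#enc1"/></xenc:ReferenceList>
  <wsse:BinarySecurityToken wsu:Id="token2">b64</wsse:BinarySecurityToken>
  <ds:Signature Id="signature"><ds:SignedInfo><ds:Reference URI="#body1"/></ds:SignedInfo>
   <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#token2"/>
   </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
 </wsse:Security></SOAP-ENV:Header>
 <SOAP-ENV:Body wsu:Id="body1"><xenc:EncryptedData Id="enc1"><ds:KeyInfo>
  <wsse:SecurityTokenReference><wsse:Reference URI="#ek1"/></wsse:SecurityTokenReference>
  </ds:KeyInfo></xenc:EncryptedData></SOAP-ENV:Body></SOAP-ENV:Envelope>""" % NS

def security_header_order(xml_text):
    """Local names of the wsse:Security header's children, in document order."""
    sec = ET.fromstring(xml_text).find("soap:Header/wsse:Security", NS)
    return [child.tag.split("}")[1] for child in sec]

def unresolved_references(xml_text):
    """Every URI="#id" whose target carries no matching Id or wsu:Id attribute."""
    root = ET.fromstring(xml_text)
    wsu_id = "{%s}Id" % NS["wsu"]
    ids = {el.attrib[k] for el in root.iter() for k in (wsu_id, "Id") if k in el.attrib}
    return [el.attrib["URI"] for el in root.iter()
            if el.attrib.get("URI", "").startswith("#") and el.attrib["URI"][1:] not in ids]

def signature_before_reference_list(xml_text):
    """True when ds:Signature precedes xenc:ReferenceList in the header, which is
    the order the fault quoted in the thread says the receiver expects."""
    order = security_header_order(xml_text)
    return order.index("Signature") < order.index("ReferenceList")
```

    Running it against the real captured envelope (after removing the base64 content, as in the post) shows the same ReferenceList-before-Signature order that the receiver rejects, and a non-empty unresolved list would indicate a broken reference rather than an ordering problem.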