Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Calling a secured Web Service in Java

Tags:

java

security

soap

web-services

ws-security

I need to write a web service client to call a third party web service (SOAP based). The third party published a wsdl and the associated xsd files.

The third party secure their website and services using .p12 certificates

I used wsdl2java to generate my stubs. I modified the endpoints and called the service. I received the following error:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
   <SOAP-ENV:Header></SOAP-ENV:Header>
   <SOAP-ENV:Body>
      <SOAP-ENV:Fault>
         <faultcode xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">wsse:InvalidSecurity</faultcode>
         <faultstring>SECU1075: An error was discovered processing the &lt;wsse:Security> header</faultstring>
         <detail>SECU3510: Signature requirements validation failed: Element (/soapenv:Envelope/soapenv:Body) was not signed</detail>
      </SOAP-ENV:Fault>
   </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Hmmm, ok. Makes sense that I should be signing the document.

The strange part (to me) is there isn't a security definition anywhere in the WSDL file. Is this normal? I contacted the third party and they sent me a pdf of what the SOAP message needs to look like. The following tags appear in the header: containing:

<wsse:BinarySecurityToken>

and

<dsig:SignedInfo>

so from what I gather, it requires my certificate and some digital signatures.

Can someone recommend how to generate these in Java? I started down the Axis2/Rampart path but honestly, it seems those are predicated on having the security requirements defined in the WSDL file (correct me if I'm wrong).

like image 375
Jamie McIlroy Avatar asked Oct 14 '22 19:10

Jamie McIlroy

1 Answers

Looks like you need to sign you message using The WS-Security standard. The WS-security standard does not specify any security mapping to wsdl file. Some application use WS-Security policy and WS-Policy Attachement in conjunction with Ws-security. WS-Policy Attachment does specifies the way to map policies to WSDL.

You can learn more about these standard from w3.org

And yes you are on the right path, could use WSS4J or axis rampart it your choice.

like image 67
ruttamani Avatar answered Oct 18 '22 04:10

ruttamani
Sign in to Comment

Related questions

Log4j multiple files
XSD Schema - JAXB marshaling - Datastore(JPA/JDO) Roundtrip
How do I make an Eclipse plugin extension which displays different context menu items when the user clicks a marker?
Java Reflection - Get all instance variable names of a class
Creating single instance for system tray in java
Bytecode manipulation to intercept setting the value of a field
A question on clustered environment on Weblogic server
Using the JList .setModel() method with a class as an argument
@Scheduled & scheduler: What exactly does pool-size do?
What code changes are automatically reflected in eclipse in debug mode?
How to pass data from separate thread class to activity in Android
XML binding tools for Android [closed]
Getting values out of java callbacks
Shutting down SSL without closing underlying socket?
ScheduledExecutorService execute every night at 12 AM UTC Time
How to build a dynamic query which add number of days to date and compare that date with another date using criteria API?
Is it possible to access a Kotlin typealias from Java?
Spring @Autowired fields - which access modifier, private or package-private?
How do I pass JavaScript values to Scriptlet in JSP?
Opening source code from debug view edits .class after Android R18 update

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!