java

I'm consuming WSDL and I need to sign the Timestamp and SOAP-body using my client certificate when making SOAP requests.

My signing-certificate has to be represented as BinarySecurityToken in the message and be included in SOAP header like this:

<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="true">
        <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs
.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-15730854BE4465A46D14538884282111">MIIFO.......56Q==</wss
e:BinarySecurityToken>
        <wsu:Timestamp wsu:Id="TS-1">
            <wsu:Created>2016-03-16T09:53:48.201Z</wsu:Created>
            <wsu:Expires>2016-03-16T09:58:48.201Z</wsu:Expires>
        </wsu:Timestamp>
        .......

I'm using WSS4JOutInterceptor to customize my request, but can't find a way how to include my signing certificate into the request:

// for outgoing messages: Signature and Timestamp validation
        outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.TIMESTAMP);
        outProps.put(WSHandlerConstants.USER, "sss");
        outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientKeystorePasswordCallbackHandler.class.getName());
        outProps.put(WSHandlerConstants.SIG_PROP_FILE, "client_sec.properties");
        outProps.put(WSHandlerConstants.SIG_KEY_ID, "X509KeyIdentifier");
        outProps.put(WSHandlerConstants.SIGNATURE_PARTS, "{}{http://schemas.xmlsoap.org/soap/envelope/}Body;{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp}");

Can anyone suggest me how to do it?

What does Apache CXF use for integration with WSS4J and security?

CXF relies on WSS4J in large part to implement WS-Security. Within your own services, WS-Security can be activated by using WS-SecurityPolicy, which provides a comprehensive and sophisticated validation of the security properties of a received message.

What is WS security in soap?

Web Services Security (WS-Security) describes enhancements to SOAP messaging to provide quality of protection through message integrity, message confidentiality, and single message authentication. WS-Security mechanisms can be used to accommodate a wide variety of security models and encryption technologies.

What is Apache CXF used for?

Apache CXF™ is an open source services framework. CXF helps you build and develop services using frontend programming APIs, like JAX-WS and JAX-RS. These services can speak a variety of protocols such as SOAP, XML/HTTP, RESTful HTTP, or CORBA and work over a variety of transports such as HTTP, JMS or JBI.

OK, here as an answer as requested. :-)

As mentioned in my comment you should change the value of SIG_KEY_ID to outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");

java - Apache CXF add signing certificate as BinarySecurityToken into WS-security header

Tags:

wsdl

cxf

ws-security

Oleg

People also ask

1 Answers

Frank

Recent Activity

Donate For Us