I'm trying to send a request to an existing webservice. This webservice is not governed by me. The security policy of this webservice requires me to send my complete certificate chain in my SOAP request. My certificate chain contains 3 certificates. There are no issues with the setup of the certificate chain, as I'm able to test its validity (and have done so).
The security configuration for this setup (= sending the complete certificate chain in the request), is:
    <xwss:Sign id="signature">
        <xwss:X509Token certificateAlias="alias"
                        keyReferenceType="Direct"
                        valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" />
    </xwss:Sign>
I'm trying to achieve this through Spring-WS. Spring-WS uses spring-ws-security for security. Spring-ws-security delegates to xws-security.
    <dependency>
        <groupId>org.springframework.ws</groupId>
        <artifactId>spring-ws-security</artifactId>
        <version>2.1.0.RELEASE</version>
        <exclusions>
            <exclusion>
                <groupId>org.apache.ws.security</groupId>
                <artifactId>wss4j</artifactId>
            </exclusion>
            <exclusion>
                <groupId>com.sun.xml.wsit</groupId>
                <artifactId>xws-security</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
Xws-security comes in 2 flavors:
    <dependency>
        <groupId>com.sun.xml.wsit</groupId>
        <artifactId>xws-security</artifactId>
        <version>1.3.1</version>
    </dependency>
and
    <dependency>
        <groupId>com.sun.xml.wss</groupId>
        <artifactId>xws-security</artifactId>
        <version>3.0</version>
    </dependency>
The first one is used by Spring WS Security. The second is legacy.
Applying my XWSS configuration in xws-security is done in a class called BinarySecurityToken. BinarySecurityToken has a field called valueType. The JavaDoc of valueType says it has support for X509PKIPathv1 (among others). However, it does not, as stated by this setter:
    protected void setValueType(String valueType) {
        // Only the single-certificate value types pass; X509PKIPathv1 is rejected here.
        if (!(MessageConstants.X509v3_NS.equals(valueType)
                || MessageConstants.X509v1_NS.equals(valueType))) {
            log.log(Level.SEVERE, "WSS0342.valtype.invalid");
            throw new RuntimeException("Unsupported value type: " + valueType);
        }
        this.valueType = valueType;
    }
The class MessageConstants does not (even) have a static for X509PKIPathv1. When I run my code, I get the expected result:
    Unsupported value type: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1
I was able to look at the source code of the legacy com.sun.xml.wss.xws-security:3.0. Despite my efforts, I have not found the source code of com.sun.xml.wsit.xws-security-1.3.1. However, I believe the code is the same. I tried both libraries and both give me the same exception. I tried it using the default spring-ws-security and using explicit dependency declarations to both libraries (one at a time).
My questions:
I have considered re-writing BinarySecurityToken, but that would probably also imply rewriting the X509 signing of SignatureProcessor in DSIG.
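The token the policy asks for is a wsse:BinarySecurityToken whose ValueType is X509PKIPathv1 and whose content is the base64 of a DER PkiPath (an ASN.1 SEQUENCE OF Certificate) holding the whole chain; the library setter quoted above never reaches that point because it only accept-lists X509v3 and X509v1. The following is an added example, not code from the question or from xws-security or Spring-WS, showing the value-type check widened to the three types the X.509 token profile defines, the chain encoded with the JDK's own "PkiPath" CertPath encoding, and the receiver-side decode that a verifier would run before PKIX validation. The class name PkiPathToken, the keystore path, password and alias read from the command line, and the wsu:Id value are assumptions for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Set;

/** Builds and checks a wsse:BinarySecurityToken that carries a full chain as X509PKIPathv1 (hypothetical class). */
public final class PkiPathToken {

    private static final String PROFILE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0";
    static final String X509V3 = PROFILE + "#X509v3";
    static final String X509V1 = PROFILE + "#X509v1";
    static final String X509_PKI_PATH_V1 = PROFILE + "#X509PKIPathv1";
    static final String BASE64_ENCODING =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    /** Value types the X.509 token profile defines for one certificate or for a chain. */
    private static final Set<String> SUPPORTED = Set.of(X509V3, X509V1, X509_PKI_PATH_V1);

    /** Accept-list check: same shape as the library setter, but the chain type is also allowed. */
    static boolean isSupportedValueType(String valueType) {
        return valueType != null && SUPPORTED.contains(valueType);
    }

    /** DER PkiPath (SEQUENCE OF Certificate) for the chain, base64-encoded as the token body. */
    static String encodePkiPath(List<X509Certificate> chain) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);
        // The JDK writes the certificate order the PkiPath syntax requires (trust-anchor side first),
        // so the caller passes the usual end-entity-first order it gets from the keystore.
        return Base64.getEncoder().encodeToString(path.getEncoded("PkiPath"));
    }

    /** Receiver side: decode the token body back into a chain before running PKIX validation on it. */
    static List<X509Certificate> decodePkiPath(String base64) throws Exception {
        byte[] der = Base64.getDecoder().decode(base64);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(new ByteArrayInputStream(der), "PkiPath");
        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : path.getCertificates()) {
            chain.add((X509Certificate) c);
        }
        return chain; // end-entity first again, as CertPath.getCertificates() defines
    }

    /** Renders the token element the way it appears in the wsse:Security header. */
    static String tokenElement(String id, String base64PkiPath) {
        return "<wsse:BinarySecurityToken xmlns:wsse=\"" + WSSE_NS + "\" xmlns:wsu=\"" + WSU_NS + "\""
            + " wsu:Id=\"" + id + "\""
            + " ValueType=\"" + X509_PKI_PATH_V1 + "\""
            + " EncodingType=\"" + BASE64_ENCODING + "\">"
            + base64PkiPath
            + "</wsse:BinarySecurityToken>";
    }

    /** Usage: java PkiPathToken <keystore.p12> <password> <alias>  (arguments are assumptions for the demo). */
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : ks.getCertificateChain(args[2])) {
            chain.add((X509Certificate) c);
        }

        String body = encodePkiPath(chain);
        System.out.println(tokenElement("X509Token", body));

        // Round trip: what the service's verifier recovers must be the chain we sent.
        List<X509Certificate> decoded = decodePkiPath(body);
        if (decoded.size() != chain.size() || !decoded.get(0).equals(chain.get(0))) {
            throw new IllegalStateException("PkiPath round trip did not reproduce the chain");
        }
        System.out.println("chain length " + decoded.size() + ", value type ok: "
            + isSupportedValueType(X509_PKI_PATH_V1));
    }
}
```

The point for the question is the split between the two halves: encodePkiPath is all the JDK needs to produce the token body, so the missing piece in xws-security is only the accept-list in setValueType and whatever the signature processor does with the token reference, not any certificate-path machinery. On the receiving side, decodePkiPath is deliberately separate from trust decisions: a chain taken from a message is untrusted input and must still go through a PKIX CertPathValidator against the service's own trust anchors before the signature it accompanies counts for anything.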
Interesting problem you got there.
As far as I could tell with my Google-fu, there exists support for #X509PKIPathv1 in some projects (e.g., Oracle's XMLSec or OpenSAML); however, it is not widespread, and even applications like SoapUI don't support it for SOAP-WS.
Not only that, but other languages/frameworks have the same lack of support, like Delphi, .NET and the IBM JRE.
What you could do, based on this SO and especially this SO, is to implement your own WebServiceTemplate / WebServiceMessageSender.