I'm using only jaxws-maven-plugin (no Spring or any other library) to generate my webservice client classes from a WSDL which works fine except I need to use WS-Security to encrypt a specific sub-element of my request.
Could you please point me to any documentation or give me a hint how to configure it? Is there a configuration file where do I set the following? Or do I need to use another library like Apache CXF?
WS-A Version: 200508
Key Identifier Type: Binary Security Token
Symmetric Encoding Algorithm: AES256-CBC
Key Encryption Algorithm: RSA-OAEP-MGF1P
Algorithm Suite: Basic256Sha256
Encypted elements XPath: //xxx/yyy
Thanks!
What I found out: (note I still don't understand what's going on)
Wildfly uses built in Apache CXF somehow (Glassfish implementation and configuration is different)
I had to modify the provided WSDL to add WS-Policy (haven't found a way how to add it to external file or somewhere without modifying the WSDL - which I'm not the author of) - see below
Had to provide a keystore
and configure access to it:
XxxService service = new XxxService();
BindingProvider bp = (BindingProvider) service.getXxxPort();
final Map<String, Object> rqc = bp.getRequestContext();
Properties p = new Properties();
p.setProperty("org.apache.ws.security.crypto.merlin.keystore.file", ...);
p.setProperty("org.apache.ws.security.crypto.merlin.keystore.password", ...);
p.setProperty("org.apache.ws.security.crypto.merlin.keystore.type", ...);
p.setProperty("org.apache.ws.security.crypto.merlin.keystore.alias", ...);
rqc.put("security.signature.properties", p);
rqc.put("security.encryption.properties", p);
WSDL Example
<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions ... >
...
<wsdl:binding name="..." type="...">
<wsaw:UsingAddressing wsdl:required="false" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" />
<wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
<!-- added to wsdl for encryption -->
<wsp:PolicyReference URI="#general_policy" />
<wsdl:operation name="xxx">
<wsdlsoap:operation soapAction="" />
<wsdl:input name="...">
<!-- added to wsdl for encryption -->
<wsp:PolicyReference URI="#xxx_policy" />
<wsdlsoap:body use="literal" />
</wsdl:input>
<wsdl:output ... >
</wsdl:operation>
</wsdl:binding>
<!-- added to wsdl for encryption -->
<wsp:Policy wsu:Id="general_policy"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<wsp:ExactlyOne>
<wsp:Policy>
<wsp:All>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:AsymmetricBinding>
</wsp:All>
</wsp:Policy>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="xxx_policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:ContentEncryptedElements
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:XPath>/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Envelope']/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Body']/*[namespace-uri()='xxx' and local-name()='xxxRequest']/yyy</sp:XPath>
</sp:ContentEncryptedElements>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
</wsdl:definitions>
Related
I have gone through all the related posts here , but did not get any solution
I have generated Web Services Client code with wsdl2java with Apache Axis2 1.4.1
The wsdl is having the following
<wsp:Policy wsu:Id="DigitalSignatureWithCertificateAndTimestampPolicy" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext"
xmlns:wsrmp="http://schemas.xmlsoap.org/ws/2005/02/rm/policy" xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:ExactlyOne>
<wsp:All alternative-id="DigitalSignatureWithCertificateAndTimestampPolicy">
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:IncludeTimestamp/>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always"/>
</wsp:Policy>
</sp:RecipientToken>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always"/>
</wsp:Policy>
</sp:InitiatorToken>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:SignedParts>
<sp:Body/>
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
But when checked the soap request envelop , no policy header found.
And I have got following error while doing a web-service request .
ERROR [AxisEngine] Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
o
at org.apache.axis2.engine.AxisEngine.checkMustUnderstand(AxisEngine.java:102)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:166)
at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:363)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:416)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:228)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
Can anyone help me to sort this out?
I have undergone a situation where I need to accept only https requests and need to block http request. I don't know how to achieve this in CXF . I am using SOAP protocol.
If you attach a transport policy, it will restrict requests to HTTPS. For example:
<wsp:Policy xmlns:wsp="..." xmlns:sp="...">
<sp:TransportBinding>
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken/>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:TransportBinding>
</wsp:Policy>
I'm attempting to configure a Java client using Axis2 client stubs(WSDL2Java). The application consumes a WCF service that requires client certificates. The only way I've been able to get the application to work is by changing the system properties as in this code:
System.setProperty("javax.net.ssl.keyStoreType", "JKS");
System.setProperty("javax.net.ssl.keyStore","path/to/my/keystore");
System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
However, I would like to use a different keystore for different applications on the same Tomcat server. I have looked into using an SSLContext based on some of the research I've done, but I haven't found any examples that use client stubs created with WSDL2Java. Does anyone have an example or have any idea how to do this?
Thanks!
I would like to add that we are using WS-Policy and use a ConfigurationContext to engage Rampart. I was thinking that I could edit our policy.xml file to indicate the keystore. Would this work? I'm getting a SocketException when I attempt to run the application: SocketException: Unconnected sockets not implemented. Here is the policy.xml file in its current form.
<?xml version="1.0" encoding="UTF-8"?>
<wsp:Policy wsu:Id="BasicHttpBinding"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wsecurity-secext-1.1.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="true" />
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
</wsp:Policy>
</sp:TransportBinding>
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
<ramp:user>myapplication</ramp:user>
<ramp:passwordCallbackClass>com.myproject.classes.PWCBHandler</ramp:passwordCallbackClass>
<ramp:sslConfig>
<ramp:property name="javax.net.ssl.keyStoreType">JKS</ramp:property>
<ramp:property name="javax.net.ssl.keyStore">path/to/my/keystore</ramp:property>
<ramp:property name="javax.net.ssl.keyStorePassword">changeit</ramp:property>
<ramp:property name="javax.net.ssl.trustStoreType">JKS</ramp:property>
<ramp:property name="javax.net.ssl.trustStore">path/to/my/truststore</ramp:property>
<ramp:property name="javax.net.ssl.trustStorePassword">changeit</ramp:property>
</ramp:sslConfig>
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
First of all, sorry for this long post but I am brushing my mind on this since days without success. I really seek your help.
I am trying to invoke a webservice which is secured by OWSM. Below are the policy assertions specified in the WSDL.
*************************************
<wsp:Policy wsu:Id="service.BindingQSPort_Fault_Policy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
<sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
<sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
</wsp:Policy>
<wsp:Policy wsu:Id="service.BindingQSPort_Input_Policy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
<sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
<sp:Header Name="" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
</sp:SignedParts>
<sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
</sp:EncryptedParts>
<sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
</wsp:Policy>
<wsp:Policy wsu:Id="service.BindingQSPort_Output_Policy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:SignedParts>
<sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
<sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
</wsp:Policy>
<wsp:Policy wsu:Id="wss10_x509_token_over_ssl_service_policy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Lax/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
<sp:ProtectTokens/>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy/>
</sp:Wss10>
</wsp:Policy>
<wsdl:message name="svcFault">
<wsdl:part name="payload" element="WL5G3N2:fault"/>
</wsdl:message>
<wsdl:message name="sendSMS">
<wsdl:part name="payload" element="WL5G3N1:sendSMS"/>
</wsdl:message>
<wsdl:message name="sendSMSResponse">
<wsdl:part name="payload" element="WL5G3N1:sendSMSResponse"/>
</wsdl:message>
<wsdl:portType name="service">
<wsdl:operation name="sendSMS">
<wsdl:input message="WL5G3N1:sendSMS"/>
<wsdl:output message="WL5G3N1:sendSMSResponse"/>
<wsdl:fault name="svcFault" message="WL5G3N1:svcFault"/>
</wsdl:operation>
</wsdl:portType>
<wsdl:binding name="service.Binding" type="WL5G3N1:service">
<WL5G3N3:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
<wsp:PolicyReference URI="#wss10_x509_token_over_ssl_service_policy" wsdl:required="false" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"/>
<wsdl:operation name="sendEmail">
<WL5G3N3:operation style="document" soapAction="sendEmail"/>
<wsdl:input>
<WL5G3N3:body use="literal"/>
<wsp:PolicyReference URI="#service.BindingQSPort_Input_Policy" wsdl:required="false" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"/>
</wsdl:input>
<wsdl:output>
<WL5G3N3:body use="literal"/>
<wsp:PolicyReference URI="#service.BindingQSPort_Output_Policy" wsdl:required="false" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"/>
</wsdl:output>
<wsdl:fault name="svcFault">
<WL5G3N3:fault name="svcFault" use="literal"/>
<wsp:PolicyReference URI="#service.BindingQSPort_Fault_Policy" wsdl:required="false" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"/>
</wsdl:fault>
</wsdl:operation>
</wsdl:binding>
*************************************
I have written a JAX-RPC client which is using "weblogic.wsee.security.bst.ClientBSTCredentialProvider" to provide client credential as required by the service. Below is the security related code.
*************************************
serverCert.checkValidity();
cp = new ClientBSTCredentialProvider(
clientKeyStore, clientKeyStorePass,
clientKeyAlias, clientKeyPass,
"JKS", serverCert);
l_credproviders.add(cp);
Stub stub = (Stub)port;
stub._setProperty(WSSecurityContext.CREDENTIAL_PROVIDER_LIST
, l_credproviders
);
stub._setProperty(WSSecurityContext.TRUST_MANAGER
, new TrustManager() {
public boolean certificateCallback(
X509Certificate[] chain,
int validateErr) {
// Check that the server cert matches
boolean result = true;//chain[0].equals(serverCert);
return result;
}
}
);
*************************************
I am testing my client using SOAPUI. However above client code is giving me below Exceptions.
**************************************
java.rmi.RemoteException: SOAPFaultException - FaultCode [{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}InvalidSecurity] FaultString [Error on verifying message against security policy Error code:4206] FaultActor [null]No Detail; nested exception is:
**************************************
Can someone please help me to understand what my WSDL is specifying and why "ClientBSTCredentialProvider" is not able to attach the required policy? Or is is happening that since I am testing with SOAPUI, SOAPResponse is not as per the WSDL policy? Below are the SOAP requests and response for this.
***************************************
~~SOAP REQUEST~~
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:MessageID wsu:Id="MessageID_HUf02VXDqusotArv" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">uuid:c7404e48f626d447:-246df928:14183ec2b7f:-8000</wsa:MessageID><wsa:Action wsu:Id="Action_CcS8Hy0hmQ2wVKHH" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">sendSMS</wsa:Action><wsa:To wsu:Id="To_bb3aIWjwG1Got1IZ" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">http://domainname:8090/sendSMS</wsa:To><wsa:ReplyTo wsu:Id="ReplyTo_w1ZItNbfV8se2kbF" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address></wsa:ReplyTo><wsse:Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="bst_zM6y3VGAX9jZAaiV" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">MIICQTCCAaqgAwIBAgIEUixN4TANBgkqhkiG9w0BAQUFADBlMQswCQYDVQQGEwJMQjEPMA0GA1UECBMGQmVpcnV0MRAwDgYDVQQHEwdMZWJhbm9uMQ0wCwYDVQQKEwRNRFNMMQ0wCwYDVQQLEwRNRFNMMRUwEwYDVQQDEwxNYXl1ciBDbGllbnQwHhcNMTMwOTA4MTAxMzUzWhcNMTMxMjA3MTAxMzUzWjBlMQswCQYDVQQGEwJMQjEPMA0GA1UECBMGQmVpcnV0MRAwDgYDVQQHEwdMZWJhbm9uMQ0wCwYDVQQKEwRNRFNMMQ0wCwYDVQQLEwRNRFNMMRUwEwYDVQQDEwxNYXl1ciBDbGllbnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMeT5uG9IJFxUE8SP2eXxrW7Lvo0ZlEiv8NS2OzLHe4e4T1gZC6NZhsDk6G3GKt8z6yj8MlfIPzYTrXxNSgnW34WYZ2kFw6TrjakUr99i4sH5yi1Z0Bmm3nNq9/2WWrdMXVjeI5EwEdU/UUogb2Wdgh1HPZgGUuWhkLoDmVR36y1AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAlvFZVLJ2h0BNe7EFGDUtBmEPF8EkdQn1R2AyK5AQONLM2RwNJYhVdVGLI13y+XJbACiyrFz5Sxsgu46hk6Bk6P+K/ZAUWQwDiV0pLhLg7LuR/K33o2EGkXiUnwOdcScG040n2sUnbi7ed/5mPcNuOGlYMQL/PHHZ2QGGTLEOe2U=</wsse:BinarySecurityToken><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference URI="#MessageID_HUf02VXDqusotArv"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>oG0PCOutUmUrhIhjsHB2G9Nu7Qc=</dsig:DigestValue></dsig:Reference><dsig:Reference URI="#Action_CcS8Hy0hmQ2wVKHH"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>jwnM3Pu8lEpk7WLokAfW/LcR8bM=</dsig:DigestValue></dsig:Reference><dsig:Reference URI="#To_bb3aIWjwG1Got1IZ"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>9RzmvWQQJG853YKPzwoWDUjWze8=</dsig:DigestValue></dsig:Reference><dsig:Reference URI="#ReplyTo_w1ZItNbfV8se2kbF"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>FPYcJ1NcK6nX5nx5cF+Jj5I2PZE=</dsig:DigestValue></dsig:Reference><dsig:Reference URI="#Timestamp_H75m9X5C1O9rNV2E"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>ZAoaTp1B5yQv/ZGM6Pd8dfmNyPg=</dsig:DigestValue></dsig:Reference><dsig:Reference URI="#Body_q8jxTBg8ZRE0VjRO"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>tnn+BbvQz/kuDBocU8Po24hn8W4=</dsig:DigestValue></dsig:Reference><dsig:Reference URI="#bst_zM6y3VGAX9jZAaiV"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>IG2FZBY/Oqtsu4H6sl/6f2iHJx8=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>LaXCIcrxyatPzcAsKJGK28TEgaEOUdoXUrcmucjHrZDuErfGPS5fa9LrIX7irGYYDoYjJ5uQLq7a7nSRcazfNPznf03nISgr6Voc+23HON2E+fyRmHkKJzWe6OxHRPyHYmxbYQzgXkwGCKqLOZVLJsQLQykMiNV8YK3vuacDAdU=</dsig:SignatureValue><dsig:KeyInfo><wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="str_gp0ybJxTKkZntAn1" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:Reference URI="#bst_zM6y3VGAX9jZAaiV" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference></dsig:KeyInfo></dsig:Signature><wsu:Timestamp wsu:Id="Timestamp_H75m9X5C1O9rNV2E" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsu:Created>2013-10-04T14:43:16Z</wsu:Created><wsu:Expires>2013-10-04T14:44:16Z</wsu:Expires></wsu:Timestamp></wsse:Security></env:Header><env:Body wsu:Id="Body_q8jxTBg8ZRE0VjRO" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><ent:sendSMS xmlns:ent="http://www.banqueaudi.com/evs/ent.msg.Notification"><util:header xmlns:util="http://www.banqueaudi.com/ebo/util.cmn.EBMHeader"><util:ebmSID>FCDB</util:ebmSID></util:header><ent:body><msg:smsNotification xmlns:msg="http://www.banqueaudi.com/ebo/msg.Notification"><msg:sender>98989898</msg:sender><msg:recipients><msg:recipient>78831471</msg:recipient></msg:recipients><msg:subject>SUBJECT</msg:subject><msg:message>My message</msg:message></msg:smsNotification></ent:body></ent:sendSMS></env:Body></env:Envelope>
***************************************
***************************************
~~SOAP RESONSE~~
<soapenv:Envelope xmlns:ent="http://www.banqueaudi.com/evs/ent.msg.Notification" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:util="http://www.banqueaudi.com/ebo/util.cmn.EBMHeader" xmlns:util1="http://www.banqueaudi.com/ebo/util.cmn.Basic">
<soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"/></soapenv:Header>
<soapenv:Body wsu:Id="id-45" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><xenc:EncryptedData Id="ED-2" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"><wsse:Reference URI="#EK-B692F44E26CFCF96A613807927256684"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>x6T1pLtqpeAyg8SNuQQi23Ok6ceQikgVKyj80ylEdecdZoNOs2tUwhaO+irKXYy0XbMrmM+t3mMHsi2nNX5fps/camDpP9yOlN8Hosd+vUWsI4RA/8mnJVePitR3pf2dLgJD44vBowH5bQZ8R8B1vxDDjUpU2DOpfIxaPaSMApXvYfmPOMiDNtM/tXRCHrbHcljTAFvRZG9ShUZM6419i0JtpSCr77EkxJiWcVu9NIVwkHZoXpS8zY+pjjaatKi2EMzB9zPMXhtEvCER5pnEXWzUdhb5s9mWJAGaTd8h0j5o93LY/Mnw/mWBlzhFlk6b8cyJw1IrDAl5Tar8isuCqR2FbFs0aWqS8ng1QPnnc4xtBmCdgViifiXP0877LmFEqW74vDXtEDZniAfiixWt0u0gVsSYurJdwCWdZrfON12jAW35j6fWtgmGprsb6yE2cwg+J2BJaODdxTMOwyBAswygdjJw+RPLOXxCcYddyKJiFb/K+U0WiDj41yl/v8dmkYX1g9f6/CzpHMz8zpDdb+ecp2WNu3ry3z7fksMzp/LLsC5x2eVdgchOdtNZqufgLv8WQ+Ae/Hmuw/zgQ2l+xjxP4gYWanOphJ92H1Lk5KC/VsB3VdR2uz6b+rQZl0fJnY45HL7mx9uGKwQeQB9FWO1LNwcSQZw2yq7CeqUgspyvNMvwu1EXlUiIkYTu9EU0yVC9OGsXnspD9J4AG1m4IwFAL9iFHy7tJfnn5P0pSuSAoa4HeI0zO73H2zyrxEvi7eurXABxo1fk+gtXKDHl+elDtbwC1eJSYpwWZKBcpJSDATa0RCn28YKVVXZVZf0WOA3pTZ9NQNPCNVF/FC9SW8rrQ/777CFcuSlYIsexqL2+D6/TWStLvhrZLZ3K/3CsY/mwsnLwh2aFql8RZCunLSAK2a91y7Z044VO5598KERgBw8gO5RJrmwnSixmPrBjPo1yLkYcmzquHMlqS0CpWpypt5iyDJuF91P39eqYcJHZnwjG7ni8S8RFr2H5Hi3JFNm/k+A4mH5YvtyBqqTfN4+QjJMDBZkVTGFYs6JiRRUJoUK17okXxs8Pq6VYW3iSwEB85CFiVHZlt1eWppveVSHZfQsZsUr+A/QrTdRMZIx+ChRuqmXYdXiYQ35TDPveYWhiIQcWeOXvumtIZRTqYMoA34KuB/9GaH0P+7HUNfeROw6knj5y1DO1w/uIC8x6Uuhr5gMyZSuuzSEfZGUhQ6aWFtSCmnJaoVq18hdAnxNG31Oqi2gy7daCLWDRleow25xGYI2Or+dxhal3khe9+37OceJEWhgmB8gTD2nGBvp7VWLptsoGBgXgqnXs6ab8mG9lLmXbO4ef2ECq84BN//oIiV570qY6OWTQwL1yjNDQ3+1h2bKQ4DE51xq5N1UcTRoGA9DycotHmrOzyhedAMQTndlaNMJr87cC+cRVHYE=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soapenv:Body>
</soapenv:Envelope>
***************************************
I found resolution to my problem, which I successfully tested with SOAP-UI. Will keep posted once it works on live though.
There are following points that first we should know before writing a client for OWSM secured webservice.
It is feasible to call JAX-WS service using JAX-RPC client and vice-versa.
It is feasible to invoke a OWSM secured webservice, with JAX-RPC client without installing/ configuring OWSM at client side.
Following is the client code (only related to security) for referecnce.
ist l_credproviders = new ArrayList();
CredentialProvider cp = null;
cp = new ClientBSTCredentialProvider(MyClientKeystore.pubCertAlias, MyClientKeystore.prvKeyAlias, MyClientKeystore.serverPubCertAlias);
l_credproviders.add(cp);
Stub stub = (Stub)port;
stub._setProperty(WSSecurityContext.CREDENTIAL_PROVIDER_LIST
, l_credproviders
);
stub._setProperty(WLStub.POLICY_COMPATIBILITY_PREFERENCE
, JFProperties.getProperty(
"POLICY.COMPATIBILITY.PREFERENCE")
);
stub._setProperty(WSSecurityContext.TRUST_MANAGER
, new TrustManager() {
public boolean certificateCallback(
X509Certificate[] chain,
int validateErr) {
// Check that the server cert matches
return true;
}
}
);
How client credential provider API wotrks to secure a client:
a) It connects to the URL and parse the WSDL.
b) Get the policy assertions from the WSDL.
c) create SOAP request message considering the client policy assertions.
d) send and receive the response from the server.
e) validate response from server against the policy assertions of server response from already parsed WSDL, If server response is not valid against policy throws SecurityExceptions.
Hope this help and someone gets benefited from my exhausted experience :)
I new to Java, and thought it'd be a nice learning exercise to implement a client application on top of a .NET WCF service I'm already familiar with.
I ran wsimport.bat from the latest JAX-WS (https://jax-ws.java.net/) to generate the client proxies, However I'm stuck with the authentication part. The WCF service uses Application level Username/Password to authenticate. I don't know where to supply the credentials.
In C#, for this WCF Service I just need to add a service reference, and do the following:
var client = new ServiceClient();
client.ClientCredentials.UserName.UserName = "username";
client.ClientCredentials.UserName.Password = "password";
client.DoSomething();
From Fiddler, calling client.DoSomething() produces the following request:
<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
<u:Timestamp u:Id="_0">
<u:Created>2013-05-20T01:34:28.353Z</u:Created>
<u:Expires>2013-05-20T01:39:28.353Z</u:Expires>
</u:Timestamp>
<o:UsernameToken u:Id="uuid-da5b7b57-dbb4-4c54-b529-f5b41fc728b4-1">
<o:Username>username</o:Username>
<o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</o:Password>
</o:UsernameToken>
</o:Security>
</s:Header>
<s:Body>
<DoSomething xmlns="http://tempuri.org/"/>
</s:Body>
</s:Envelope>
Here is the Java I'm currently using:
SomeService service = new SomeService();
ISomeService port = service.getBasicHttpBindingISomeService();
DoSomethingResponse response = port.getDoSomething();
This produces the following request:
<?xml version="1.0"?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Body>
<ns6:DoSomething xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns:ns6="http://tempuri.org/" xmlns:ns7="http://schemas.microsoft.com/2003/10/Serialization/"/>
</S:Body>
</S:Envelope>
It's missing the Security node, so I'm not sure how to set that up on the Java side. What am I missing?
I'm not 100% bound to using JAX-WS, if there is a better alternative out there for my needs. However, the WCF service can not be modified to reconfigured, as it's out of my reach.
WSDL:
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:tns="http://tempuri.org/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract" xmlns:wsa10="http://www.w3.org/2005/08/addressing" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" name="SomeService" targetNamespace="http://tempuri.org/">
<wsp:Policy wsu:Id="BasicHttpBinding_ISomeService_policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false"/>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Lax/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:TransportBinding>
<sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken10/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SignedSupportingTokens>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy/>
</sp:Wss10>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsdl:types>
<xsd:schema targetNamespace="http://tempuri.org/Imports">
<xsd:import schemaLocation="https://someservice.com/service.svc?xsd=xsd0" namespace="http://tempuri.org/"/>
<xsd:import schemaLocation="https://someservice.com/service.svc?xsd=xsd1" namespace="http://schemas.microsoft.com/2003/10/Serialization/"/>
<xsd:import schemaLocation="https://someservice.com/service.svc?xsd=xsd6" namespace="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/>
</xsd:schema>
</wsdl:types>
<wsdl:message name="ISomeService_DoSomething_OutputMessage">
<wsdl:part name="parameters" element="tns:DoSomethingResponse"/>
</wsdl:message>
<wsdl:portType name="ISomeService">
<wsdl:operation name="DoSomething">
<wsdl:input wsaw:Action="http://tempuri.org/ISomeService/DoSomething" message="tns:ISomeService_DoSomething_InputMessage"/>
<wsdl:output wsaw:Action="http://tempuri.org/ISomeService/DoSomethingResponse" message="tns:ISomeService_DoSomething_OutputMessage"/>
</wsdl:operation>
</wsdl:portType>
<wsdl:binding name="BasicHttpBinding_ISomeService" type="tns:ISomeService">
<wsp:PolicyReference URI="#BasicHttpBinding_ISomeService_policy"/>
<soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
<wsdl:operation name="DoSomething">
<soap:operation soapAction="http://tempuri.org/ISomeService/DoSomething" style="document"/>
<wsdl:input>
<soap:body use="literal"/>
</wsdl:input>
<wsdl:output>
<soap:body use="literal"/>
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
<wsdl:service name="SomeService">
<wsdl:port name="BasicHttpBinding_ISomeService" binding="tns:BasicHttpBinding_ISomeService">
<soap:address location="https://someservice.com/service.svc"/>
</wsdl:port>
</wsdl:service>
</wsdl:definitions>
I'm using the latest JDK on Windows 8 x64
You need to create a custom CallbackHandler from your Java client. I am not an expert in Java but I know that some of my clients use Metro libraries to communicate with my WCF web services.
Try searching for creating a CallbackHandler with/without Metro library.
You can download Metro library from here.
An example of what I am suggesting.