I am having a hard time with X509 certificate-based WS-Security in WebSphere v7.
Here's a little background:
We are using spring-ws & spring-security version 1.5.9 in our application, and we allow for UsernameToken profile security or X509 security. We implement the security on both the client-side & the server-side, both using the XWSS interceptor. There are two issues:
1. The javax.xml.crypto class returned from WebSphere for "http://www.w3.org/2001/10/xml-exc-c14n#" or any CanonicalizationMethod is not compatible with the XWSS interceptor. We are seeing this error in the message log on the server-side:
12/5/11 17:26:41:098 EST 00000023 XwsSecurityIn W org.springframework.ws.soap.security.AbstractWsSecurityInterceptor handleValidationException Could not validate request: com.sun.xml.wss.XWSSecurityException: javax.xml.crypto.MarshalException: java.security.NoSuchAlgorithmException: class configured for TransformService: com.ibm.xml.crypto.dsig.dom.transform.ExcC14nTransformer not a TransformService; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: javax.xml.crypto.MarshalException: java.security.NoSuchAlgorithmException: class configured for TransformService: com.ibm.xml.crypto.dsig.dom.transform.ExcC14nTransformer not a TransformService
I think the best thing to do here is override which implementation is used for decrypting these types. We do include the xmldsig-1.0.jar in our war file (which gets deployed with the classloader set to parent-last). Does anybody know of a way to overwrite this? I tried specifying "org.jcp.xml.dsig.internal.dom.XMLDSigRI" in the java.security in my runtime environment, but that did not work. We are including the xmldsig-1.0.jar in our application.
This seems like a compatibility issue between IBM's JRE & Sun's JRE. The XWSS framework was written by Sun, so they may have taken some things for granted.
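Added diagnostic for issue 1, not code from the question or from Spring-WS/XWSS: it reports which JSR-105 provider answers the exc-c14n TransformService lookup that XWSS performs, then moves the reference implementation (org.jcp.xml.dsig.internal.dom.XMLDSigRI from xmldsig-1.0.jar, registered under the provider name "XMLDSig") to the front of the provider list at runtime, which is what the java.security edit was meant to achieve. The provider name and the class-loading path are assumptions to confirm against the jar actually on the classpath.

```java
import java.security.Provider;
import java.security.Security;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.TransformService;
import javax.xml.crypto.dsig.XMLSignatureFactory;

/**
 * Reports which JSR-105 provider serves exc-c14n and optionally forces the
 * reference implementation (xmldsig-1.0.jar) ahead of the container's provider.
 * Assumption: the RI registers itself under the provider name "XMLDSig".
 */
public class XmlDsigProviderCheck {

    static final String RI_CLASS = "org.jcp.xml.dsig.internal.dom.XMLDSigRI";
    static final String RI_PROVIDER_NAME = "XMLDSig";

    /** Provider name and concrete class resolved for the given transform/c14n algorithm. */
    static String transformProviderFor(String algorithm) throws Exception {
        // Same lookup XWSS does internally; fails with NoSuchAlgorithmException
        // when the configured class is not a TransformService for this classloader.
        TransformService ts = TransformService.getInstance(algorithm, "DOM");
        return ts.getProvider().getName() + " (" + ts.getClass().getName() + ")";
    }

    /** Puts XMLDSigRI at position 1 and returns the provider XMLSignatureFactory now picks. */
    static String preferReferenceImplementation() throws Exception {
        if (Security.getProvider(RI_PROVIDER_NAME) != null) {
            Security.removeProvider(RI_PROVIDER_NAME); // re-insert so it wins the lookup order
        }
        Provider ri = (Provider) Class.forName(RI_CLASS).getDeclaredConstructor().newInstance();
        Security.insertProviderAt(ri, 1);
        return XMLSignatureFactory.getInstance("DOM").getProvider().getName();
    }

    public static void main(String[] args) throws Exception {
        String excC14n = CanonicalizationMethod.EXCLUSIVE; // http://www.w3.org/2001/10/xml-exc-c14n#
        System.out.println("Before: " + transformProviderFor(excC14n));
        System.out.println("Factory provider now: " + preferReferenceImplementation());
        System.out.println("After:  " + transformProviderFor(excC14n));
    }
}
```

If the "not a TransformService" error survives even with the RI first, check whether parent-last loading has given the application its own copy of the javax.xml.crypto.* classes: a transformer loaded against a different javax.xml.crypto.dsig.TransformService class fails the provider's type check with exactly this message.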
2. We are getting a NullPointerException on the client-side trying to insert the header elements needed to sign the request. We are using xerces for our DOM implementation, but this seems to be along the lines of the SOAPFactory. I tried setting the property "javax.xml.soap.SOAPFactory" to "com.sun.xml.messaging.saaj.soap.ver1_1.SOAPFactory1_1Impl", but that did not seem to fix the issue. Here is the stack trace:
[12/3/11 13:39:52:560 EST] 00000027 XwsSecurityIn E org.springframework.ws.soap.security.AbstractWsSecurityInterceptor handleSecurementException Could not secure response: java.lang.NullPointerException; nested exception is com.sun.xml.wss.XWSSecurityException: java.lang.NullPointerException
org.springframework.ws.soap.security.xwss.XwsSecuritySecurementException: java.lang.NullPointerException; nested exception is com.sun.xml.wss.XWSSecurityException: java.lang.NullPointerException
Caused by: com.sun.xml.wss.XWSSecurityException: java.lang.NullPointerException
... 86 more
Caused by: java.lang.NullPointerException
... 87 more
I've tried setting my policy configuration to disable the timestamp, but then I get a NPE on a different element. I don't believe the configuration is to blame, but here it is anyway:
<?xml version="1.0" encoding="UTF-8"?>
<SecurityConfiguration xmlns="http://java.sun.com/xml/ns/xwss/config" dumpMessages="true">
I have tested this on JBoss & Jetty, and both worked as expected. Any assistance would be greatly appreciated...