Hello,
I am trying to make a connection to an existing secured webservice. I am able to make a successful connection to the webservice with SoapUI. In SoapUI I configured my keystore, selecting the alias of my certificate and selecting a Binary Security Token as Key Identifier Type. I also send a timestamp.
As stated, this all works without issue. Thus I assume my keystore and certificate are correct.
I'm building an application to do the signing for me, using:
Code:
<spring-version>3.0.5.RELEASE</spring-version>
<spring-ws-version>2.0.0.RELEASE</spring-ws-version>
and a dependency to:
Code:
<dependency>
    <groupId>org.springframework.ws</groupId>
    <artifactId>spring-ws-security</artifactId>
    <version>2.1.0.RELEASE</version>
    <exclusions>
        <exclusion>
            <groupId>org.apache.ws.security</groupId>
            <artifactId>wss4j</artifactId>
        </exclusion>
    </exclusions>
</dependency>
My securityPolicy.xml:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config" dumpMessages="true" enableDynamicPolicy="false">
    <xwss:Sign id="signature">
        <xwss:X509Token certificateAlias="alias" keyReferenceType="Direct" valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" />
    </xwss:Sign>
    <xwss:RequireSignature/>
</xwss:SecurityConfiguration>
When I look at the raw content of my WSS header in SoapUI, my BinarySecurityToken looks like:
Code:
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="CertId-DBA866EF453B448F94134330378528513" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
The securityPolicy above generates the exact same BinarySecurityToken (with a different id). BinarySecurityToken comes from xws-security-1.3.1 as a dependency of Spring-ws-security.
However, when I send a request to the webservice, using this configuration, I get the following Soap Fault:
Code:
<soap:Fault>
    <faultcode xmlns:_ns0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">_ns0:InvalidSecurityToken</faultcode>
    <faultstring>SECU1045: Authentication identity is malformed. Reason: Malformed WS-Security binary token</faultstring>
    <detail>SECU3003: Error encountered while decoding certificate. Reason: java.security.cert.CertificateParsingException: invalid DER-encoded certificate data</detail>
</soap:Fault>
This surprises me, as I am able to send requests to the webservice, using the exact same keystore. The code responsible for the signing does work for other WSS secured webservices, with a different securityPolicy. E.g. this one works (for a webservice that doesn't need the certificate in the requests):
Code:
<xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config" dumpMessages="true" enableDynamicPolicy="false">
    <xwss:Sign id="signature" includeTimestamp="false">
        <xwss:X509Token certificateAlias="alias"/>
    </xwss:Sign>
    <xwss:RequireSignature/>
</xwss:SecurityConfiguration>
Can anyone point me in the right direction? I noticed that the content in the BinarySecurityToken from SoapUI contains a lot more 'text' than the one XWSSProcessor2_0Impl adds. However, I don't know how/if I can change that generated text.
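One check that fits the symptoms in the post above, added here as an example and not part of the original post or of any library it mentions: decode the Base64 text of each BinarySecurityToken and compare its top-level DER structure with the declared ValueType. In the X.509 token profile, `#X509v3` carries a single DER certificate, while `#X509PKIPathv1` carries a PkiPath, which is a SEQUENCE of certificates. The function names are made up for this example and the sample inputs are constructed skeletons, not real certificates.

```python
import base64

NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
X509V3, PKIPATH = NS + "#X509v3", NS + "#X509PKIPathv1"

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of data")
    return tag, pos, pos + length

def payload_shape(der):
    """Classify decoded token bytes by outer ASN.1 shape only (no validation)."""
    try:
        tag, pos, end = read_tlv(der, 0)
        if tag != 0x30 or end != len(der):
            return "not-a-DER-sequence"
        tags = []
        while pos < end:
            child, _, pos = read_tlv(der, pos)
            tags.append(child)
    except ValueError:
        return "not-a-DER-sequence"
    if tags == [0x30, 0x30, 0x03]:  # Certificate: tbs, sigAlg, BIT STRING
        return X509V3
    if tags and all(t == 0x30 for t in tags):  # PkiPath: SEQUENCE OF Certificate
        return PKIPATH
    return "unknown"

def check_token(value_type, b64_text):
    """Return (detected shape, True if it matches the declared ValueType)."""
    shape = payload_shape(base64.b64decode(b64_text))
    return shape, shape == value_type

# Constructed skeletons (assumption: only the outer DER shape is realistic).
def tlv(tag, body=b""):
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

FAKE_CERT = tlv(0x30, tlv(0x30) + tlv(0x30) + tlv(0x03, b"\x00" * 200))
FAKE_PATH = tlv(0x30, FAKE_CERT)
```

Run `check_token` on the token text from the SoapUI request and on the one the application emits; a `False` in the second position means the payload and the declared ValueType disagree.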