Thread: WS-Security with Spring WS on both client and server side

  1. #1
    Join Date
    May 2006
    Location
    Stockholm, Sweden
    Posts
    37

    WS-Security with Spring WS on both client and server side

    I'm trying to implement a service and a client that use WS Security with signing and x509v3 certificates. Using the WebServiceTemplate and the example code on Tareq's blog I was able to sign and secure the outgoing message on the client side. However, I get the following exception and fault message from the server:

    (specific class names, URLs and namespaces censored for security reasons)
    Code:
    2007-08-24 15:42:51,325 DEBUG [org.springframework.ws.client.core.WebServiceTemplate] - <Received Fault message for request [SaajSoapMessage  {(namespace)}endpoint ]>
    org.springframework.ws.soap.client.SoapFaultClientException: com.sun.xml.wss.XWSSecurityException: javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.dsig.TransformException: Couldn't find Canonicalizer for: http://www.w3.org/TR/2001/REC-xml-c14n-20010315: Unknown canonicalizer. No handler installed for URI http://www.w3.org/TR/2001/REC-xml-c14n-20010315; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.dsig.TransformException: Couldn't find Canonicalizer for: http://www.w3.org/TR/2001/REC-xml-c14n-20010315: Unknown canonicalizer. No handler installed for URI http://www.w3.org/TR/2001/REC-xml-c14n-20010315
    	at org.springframework.ws.soap.client.core.SoapFaultMessageResolver.resolveFault(SoapFaultMessageResolver.java:37)
    	at org.springframework.ws.client.core.WebServiceTemplate.handleFault(WebServiceTemplate.java:521)
    	at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:404)
    	at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:350)
    	at org.springframework.ws.client.core.WebServiceTemplate.sendSourceAndReceiveToResult(WebServiceTemplate.java:296)
    	at org.springframework.ws.client.core.WebServiceTemplate.sendSourceAndReceiveToResult(WebServiceTemplate.java:287)
    	at Client.echo(Client.java:66)
    	at Client.main(Client.java:170)
    I've searched the web and several forums but haven't come across any issues that seem related.

    The message that is sent by the client is as follows:
    Code:
    2007-aug-24 15:42:50 com.sun.xml.wss.impl.filter.DumpFilter process
    INFO: ==== Sending Message Start ====
    <?xml version="1.0" encoding="UTF-8"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1">
    <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="XWSSGID-1187962969606-569478501">MIIC+DCCAmGgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBpzELMAkGA1UEBhMCU0UxEjAQBgNVBAgT
    CVN0b2NraG9sbTESMBAGA1UEBxMJU3RvY2tob2xtMQ8wDQYDVQQKEwZBdmFuemExFjAUBgNVBAsT
    DUlUIFV0dmVja2xpbmcxHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTEnMCUGCSqGSIb3
    DQEJARYYZXJpay5tYWdudXNzb25AYXZhbnphLnNlMB4XDTA3MDcxMDAwMDM1NVoXDTA4MDcwOTAw
    MDM1NVowXzELMAkGA1UEBhMCU0UxEjAQBgNVBAgTCVN0b2NraG9sbTEPMA0GA1UEChMGQXZhbnph
    MRYwFAYDVQQLEw1JVCBVdHZlY2tsaW5nMRMwEQYDVQQDEwpzc2VrY2xpZW50MIGfMA0GCSqGSIb3
    DQEBAQUAA4GNADCBiQKBgQCcbXBVgYJf5bEHNLEvgB4HavVKzOqpiZX1iEGn+z3pI/E1DL9RVbjW
    CemFAk5mrZdKufv4H6Oh2cOEw5OhjBtF+Ccb3jvSNc0Jja6LyWddOWrbaLl7u7wT6v1pB8A9CiXt
    EGu6MrmjYUvDuIyJck7CCal1Z35hj5oDxn7PEwMIHQIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCG
    SAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUw6GtFfeb
    QqlhMWx7zEOQHf50cEowHwYDVR0jBBgwFoAUH2rnNR3AXhFneNI8l0Cjk3rlg6AwDQYJKoZIhvcN
    AQEFBQADgYEAXVscAAD/ddJSgzPsO2EtU9cMJrTnoQEBvRY9JLqVx/zrX0aybC/WGmeJlNRJBhOC
    XT7k/EnxfAqtXvUOuLbuw2a+rCahCZDRPEUMRHtQ8hV10dyIPeR1olUy7ZDb0ou0aYb823/uYQ09
    EDcTTBg5b8bavXlq1ABmGNpGo7mK7zw=</wsse:BinarySecurityToken>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#XWSSGID-11879629700281289441116">
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>4pGlrXI4kjDbh/dJCVxpLp1MEMw=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference URI="#XWSSGID-11879629700281010617963">
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>cjKcC8Zn/XsIHqwoNBjZpQUXE6A=</ds:DigestValue>
    </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>SBJYrjq6R7FD2OPg+JrmtdsCyJ+Pp5LvKSzScZ6jVeFDfqCOu1wTjeJDFbRYso+IN+BrXGd2biv3
    zA92gQ3l+szJCOJHigYkMAS9iAJqD4bFU+15Xfae4LWXrD6VirBRlITwoKNJk5of1l2g/8zwRSKv
    sGMxaaWUg7KYq1EKhpU=</ds:SignatureValue>
    <ds:KeyInfo>
    <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1187962970012-1745419003">
    <wsse:Reference URI="#XWSSGID-1187962969606-569478501" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    </ds:Signature>
    <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-11879629700281010617963">
    <wsu:Created>2007-08-24T13:42:49Z</wsu:Created>
    <wsu:Expires>2007-08-24T13:42:54Z</wsu:Expires>
    </wsu:Timestamp>
    </wsse:Security>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-11879629700281289441116">
    <!-- (soap body omitted) -->
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
    ==== Sending Message End  ====

    My XWSS configuration files are as follows:
    Client-side:
    Code:
    <xwss:SecurityConfiguration dumpMessages="true" xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    	<xwss:Sign id="signature">
    		<xwss:X509Token certificateAlias="client"/>
    	</xwss:Sign>
    </xwss:SecurityConfiguration>
    Server-side:
    Code:
    <xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    	<xwss:RequireSignature requireTimestamp="true"/>
    </xwss:SecurityConfiguration>
    If any further code/config is required I'll gladly supply it!

    Thanks,
    Erik

  2. #2
    Join Date
    May 2006
    Location
    Stockholm, Sweden
    Posts
    37

    Forgot to mention:
    I'm using Spring Web Services 1.0.0, JDK 1.6.0, and Resin 6.1.11 as a server.

  3. #3
    Join Date
    Jul 2005
    Location
    Rotterdam, the Netherlands
    Posts
    1,562

    Seems like it is an XWSS issue, so you can ask on the https://xwss.dev.java.net/ site.
    Arjen Poutsma

    Spring Web Services Dev Lead

  4. #4
    Join Date
    May 2006
    Location
    Stockholm, Sweden
    Posts
    37

    Just a followup: the problem was caused by a conflict between the xmldsig.jar downloaded by Maven (I guess as a dependency for xwss-2.0) and the corresponding implementation in JRE 6. Removing the xmldsig.jar and just relying on JRE 6 solved the issue.
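
The conflict described in post #4 (a bundled xmldsig.jar competing with the XML-DSig implementation built into JRE 6) can be confirmed before any jar is removed. The following is an added diagnostic, not code from the thread; the class name `XmlDsigClasspathCheck` is hypothetical, and it assumes it is run with the same classpath as the failing application.

```java
import java.net.URL;
import java.security.CodeSource;
import java.security.Provider;
import java.security.Security;
import java.util.Collections;
import java.util.List;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;

// Added diagnostic (not from the thread): run it with the failing application's classpath.
public class XmlDsigClasspathCheck {

    // Every location visible to the class loader that supplies the named class.
    static List<URL> locationsOf(String className) throws Exception {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        if (cl == null) cl = ClassLoader.getSystemClassLoader();
        return Collections.list(cl.getResources(className.replace('.', '/') + ".class"));
    }

    public static void main(String[] args) throws Exception {
        // 1. More than one copy of the JSR 105 API means a bundled jar competes with the JRE.
        List<URL> copies = locationsOf("javax.xml.crypto.dsig.XMLSignatureFactory");
        for (URL u : copies) System.out.println("API class at: " + u);
        if (copies.size() > 1) System.out.println("WARNING: duplicate XML-DSig API on the classpath");

        // 2. Which registered security providers offer an XMLSignatureFactory?
        for (Provider p : Security.getProviders())
            for (Provider.Service s : p.getServices())
                if ("XMLSignatureFactory".equals(s.getType()))
                    System.out.println("Provider " + p.getName() + " -> " + s.getClassName());

        // 3. Which implementation is actually selected, and where was it loaded from?
        XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
        CodeSource src = f.getClass().getProtectionDomain().getCodeSource();
        System.out.println("In use: " + f.getClass().getName() + " from "
                + (src == null ? "the JRE itself" : String.valueOf(src.getLocation())));

        // 4. Smoke check: the algorithm URI named in the fault message must be resolvable.
        f.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null);
        System.out.println("Resolved " + CanonicalizationMethod.INCLUSIVE);
    }
}
```

Inside a servlet container the same calls can be made from application code, so that the web application's class loader is the one being inspected.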

  5. #5
    Join Date
    Aug 2005
    Location
    San Diego, CA
    Posts
    5

    I'm having another issue trying to get the certs to work. I receive the following error when trying to sign the outgoing message:

    Code:
    Sep 8, 2007 5:13:17 PM com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl getAliasPrivKeyCertRequest
    SEVERE: WSS0216: Callback Handler failed for SignatureKeyCallback.AliasPrivKeyCertRequest
    Sep 8, 2007 5:13:17 PM com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl getAliasPrivKeyCertRequest
    SEVERE: WSS0217: Exception in Callback Handler handle()
    java.lang.NullPointerException
    	at com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.getAliasPrivKeyCertRequest(DefaultSecurityEnvironmentImpl.java:205)
    	at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:146)
    	at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:64)
    	at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:218)
    	at com.sun.xml.wss.impl.SecurityAnnotator.processMessagePolicy(SecurityAnnotator.java:143)
    	at com.sun.xml.wss.impl.SecurityAnnotator.secureMessage(SecurityAnnotator.java:118)
    	at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.secureOutboundMessage(XWSSProcessor2_0Impl.java:77)
    	at samples.ws.ads.ADSClient$1.doWithMessage(ADSClient.java:75)
    	at org.springframework.ws.client.core.WebServiceTemplate$4.doWithMessage(WebServiceTemplate.java:354)
    	at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:395)
    	at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:350)
    	at org.springframework.ws.client.core.WebServiceTemplate.sendSourceAndReceiveToResult(WebServiceTemplate.java:296)
    	at org.springframework.ws.client.core.WebServiceTemplate.sendSourceAndReceiveToResult(WebServiceTemplate.java:287)
    Any ideas here? Maybe I'm not wiring up the actual keystore properly?

    Thanks for any response!

  6. #6
    Join Date
    Sep 2007
    Location
    Netherlands
    Posts
    11

    Nullpointer exception

    You need to set the default private key alias on the KeyStoreCallbackHandler. I agree that dumping a nullpointer exception is not very helpful.

    BTW: I got your error with the signing as well but am forced to use JDK 1.5. Is there another way to get it solved which you know of?
    Last edited by vanwijngaarden; Sep 9th, 2007 at 12:55 AM. Reason: typo

  7. #7
    Join Date
    Aug 2005
    Location
    San Diego, CA
    Posts
    5

    Setting the default alias did not resolve the issue; I get the same error. [sigh] Does anyone have an example of how to wire up the xwsInterceptor and keystore to the actual client bean that implements WebServiceGatewaySupport?

  8. #8
    Join Date
    Sep 2007
    Location
    Netherlands
    Posts
    11

    Client examples

    For your information, I attached client example code. You may have forgotten to set the keystore callback handler for handling the key requests? This was not necessary in the original posting you referred to, since it used user authentication, not signing.

    The bean file wiring for the attached source:

    <bean id="secureClient" class="XwssClient">
        <constructor-arg value="/WEB-INF/ws/client-policy.xml"/>
        <constructor-arg>
            <bean class="org...xwss.callback.KeyStoreCallbackHandler">
                <property name="keyStore">
                    <bean class="org...support.KeyStoreFactoryBean">
                        <property name="location" value="/WEB-INF/ws/keystore.client"/>
                        <property name="password" value="changeit"/>
                    </bean>
                </property>
                <property name="defaultAlias" value="mykey"/>
                <property name="privateKeyPassword" value="mypassword"/>
            </bean>
        </constructor-arg>
        <property name="defaultUri" value="http://blabla.."/>
        ....
        <property name="marshaller" ref="marshaller"/>
        <property name="unmarshaller" ref="marshaller"/>
    </bean>

  9. #9
    Join Date
    Sep 2007
    Location
    Netherlands
    Posts
    11

    Attached client examples

    And the Java code.
    Attached Files

  10. #10
    Join Date
    Aug 2005
    Location
    San Diego, CA
    Posts
    5

    Thank you for the quick responses! I am able to sign the outgoing messages now using your example. Unfortunately it appears as though the web service I'm talking to only wants the BinarySecurityToken in the header and does not require or accept the ds:Signature elements. When I manually strip out the ds:Signature elements everything works fine.

    Is there a way to configure this to work in spring using a wsse policy file? Specifically I just want only the BinarySecurityToken to be applied to the header of each outgoing message.

    Thanks!
