WS-Security with Spring WS on both client and server side

**vanwijngaarden** · Sep 11th, 2007, 03:03 AM

AFAIK XWSS doesn't support that. The reason is quite clear: why just send a certificate/public key to the other party without doing anything with it? This has no added value since the certificate is meant to be known by everyone and therefore doesn't add any security.

If I were you I would verify the exact requirements from the web service provider. Otherwise, you can just forget XWSS and always add the needed XML elements using Java code in the client callback. Since the information is always the same, this just means replacing the SOAP header with a SOAP header containing the binary security token.

**blevy** · Sep 11th, 2007, 04:45 PM

I agree, it seems strange that they only request the BST. I have a call into the folks we are working with to resolve this. In the meantime, I use xwss to apply the security, then remove the unused Signature elements in the header on doWithMessage. This is just a temporary hack until we get the certs figured out.

Thanks for all your help!

**13th** · Oct 25th, 2007, 02:36 AM

I used this beans definition to correct error:

Code:

    <bean id="secureClient" class="XwssClient">
		<property name="helper" ref="secureClientHelper"/>
		<property name="defaultUri" value="bla-bla"/>
		<property name="marshaller" ref="marshaller"/>
		<property name="unmarshaller" ref="marshaller"/>
	</bean>
    
    
    <bean id="secureClientHelper" class="XwssClientHelper">
    	
    	<constructor-arg value="securityPolicy.xml"/>
		<constructor-arg>
			<bean class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
				<property name="trustStore">
					<bean class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
						<property name="location" value="/WEB-INF/test-keystore.jks"/>
						<property name="password" value="password"/>
					</bean>
				</property>
				<!--property name="defaultAlias" value="mykey"/-->
				<!--property name="privateKeyPassword" value="mypassword"/-->
			</bean>
		</constructor-arg>
		
    </bean>

**13th** · Oct 25th, 2007, 03:49 AM

I compiled your source successfully, but now i have another problem:

Code:

Creating SAAJ 1.3 MessageFactory with SOAP 1.1 Protocol
Loading key store from class path resource [test-keystore.jks]
Creating empty key store

Attention on third line.
And after that:

Code:

29.10.2007 16:12:15 com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl getAliasPrivKeyCertRequest
SEVERE: WSS0216: Callback Handler failed for SignatureKeyCallback.AliasPrivKeyCertRequest
29.10.2007 16:12:15 com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl getAliasPrivKeyCertRequest
SEVERE: WSS0217: Exception in Callback Handler handle()
java.lang.NullPointerException
	at org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler.getPrivateKey(KeyStoreCallbackHandler.java:440)

Is my keystore valid?

**vdvj** · Nov 15th, 2007, 08:29 PM

I have a web service server and a web client invoke the service. And now i need to secure the communicate between them.

I want to sign in the SOAP message and Encrypt it.

I'm going to write a payment module, so i need to encrypt and sign all message outgoing and coming on.

**vanwijngaarden** · Nov 16th, 2007, 01:29 AM

Originally Posted by vdvj

I have a web service server and a web client invoke the service. And now i need to secure the communicate between them.

I want to sign in the SOAP message and Encrypt it.

I'm going to write a payment module, so i need to encrypt and sign all message outgoing and coming on.

Have a look at the reference documentation, this should normally give you a good start:
http://static.springframework.org/sp...tml/index.html

**vanwijngaarden** · Nov 16th, 2007, 01:56 AM

Originally Posted by 13th

I compiled your source successfully, but now i have another problem:

Code:

Creating SAAJ 1.3 MessageFactory with SOAP 1.1 Protocol
Loading key store from class path resource [test-keystore.jks]
Creating empty key store

Attention on third line.
And after that:

Code:

29.10.2007 16:12:15 com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl getAliasPrivKeyCertRequest
SEVERE: WSS0216: Callback Handler failed for SignatureKeyCallback.AliasPrivKeyCertRequest
29.10.2007 16:12:15 com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl getAliasPrivKeyCertRequest
SEVERE: WSS0217: Exception in Callback Handler handle()
java.lang.NullPointerException
	at org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler.getPrivateKey(KeyStoreCallbackHandler.java:440)

Is my keystore valid?

You probably already fixed this, but I am adding this for reference purposes anyway.
Actually, you need to remember there are two stores for keys: the "trust store" and the "key store". Generally speaking trust stores are used for validation, key stores for coding. Therefore, key stores store private keys, trust stores only public ones. Depending on the security mechanism you use and the party side (receiving/sending) trust and/or key stores are necessary. For signing (only) you need to set up and wire a key store at the client side and a trust store at the receiving side.

**priti.modgi** · Nov 25th, 2009, 06:17 AM

hey can anyone here give me any sample application or steps tht explains how do i use Username Token profile for securing my Spring ws is done on both server and client side ???

Pls i am very new to this all i need to implement it urgently ...

anyone kind enough who can help me

Thanks in advance

**cretu2** · Nov 27th, 2010, 02:53 PM

Thanks erimag ! you saved my time!

Thread: WS-Security with Spring WS on both client and server side

Thread Tools

Display

Policy

Some troubles in attached sources

Message does not conform to configured policy

How can I secure my web services!

How to secure with signing/encryption

Keystore/truststore

Ws-Security with both client and server

Posting Permissions