Hello, all.
I'm trying to consume a WSE 2.0 web service.
The service policy requires its clients to "encrypt and sign" messages.
I've received certificates and keys and have also implemented the "signing" part (some methods use only signing).
However, I'm deeply stuck on the "encryption" part.
An XWSSProcessor configured with the following sends a message with 2 binary security tokens in it, when the server expects only one.

Code:
<xwss:SecurityConfiguration dumpMessages="true" xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
  <xwss:Encrypt>
    <xwss:X509Token certificateAlias="dev-server" />
    <xwss:KeyEncryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
    <xwss:DataEncryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
    <xwss:EncryptionTarget type="qname" value="SOAP-BODY" />
  </xwss:Encrypt>
  <xwss:Timestamp />
  <xwss:Sign includeTimestamp="false">
    <xwss:X509Token certificateAlias="invito" />
    <xwss:CanonicalizationMethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" disableInclusivePrefix="true" />
    <xwss:SignatureTarget type="qname" value="{http://schemas.xmlsoap.org/ws/2004/08/addressing}Action">
      <xwss:DigestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <xwss:Transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" disableInclusivePrefix="true" />
    </xwss:SignatureTarget>
    <xwss:SignatureTarget type="qname" value="{http://schemas.xmlsoap.org/ws/2004/08/addressing}MessageID">
      <xwss:DigestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <xwss:Transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" disableInclusivePrefix="true" />
    </xwss:SignatureTarget>
    <xwss:SignatureTarget type="qname" value="{http://schemas.xmlsoap.org/ws/2004/08/addressing}ReplyTo">
      <xwss:DigestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <xwss:Transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" disableInclusivePrefix="true" />
    </xwss:SignatureTarget>
    <xwss:SignatureTarget type="qname" value="{http://schemas.xmlsoap.org/ws/2004/08/addressing}To">
      <xwss:DigestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <xwss:Transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" disableInclusivePrefix="true" />
    </xwss:SignatureTarget>
    <xwss:SignatureTarget type="qname" value="SOAP-BODY">
      <xwss:DigestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <xwss:Transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" disableInclusivePrefix="true" />
    </xwss:SignatureTarget>
    <xwss:SignatureTarget type="qname" value="{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp">
      <xwss:DigestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <xwss:Transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" disableInclusivePrefix="true" />
    </xwss:SignatureTarget>
  </xwss:Sign>
  <xwss:RequireSignature requireTimestamp="true">
    <xwss:X509Token certificateAlias="dev-server" />
    <xwss:SignatureMethod algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
    <xwss:SignatureTarget type="qname" value="{http://schemas.xmlsoap.org/ws/2004/08/addressing}Action" />
    <xwss:SignatureTarget type="qname" value="{http://schemas.xmlsoap.org/ws/2004/08/addressing}MessageID" />
    <xwss:SignatureTarget type="qname" value="{http://schemas.xmlsoap.org/ws/2004/08/addressing}RelatesTo" />
    <xwss:SignatureTarget type="qname" value="{http://schemas.xmlsoap.org/ws/2004/08/addressing}To" />
    <xwss:SignatureTarget type="qname" value="{http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd}SignatureConfirmation" />
    <xwss:SignatureTarget type="qname" value="{http://schemas.xmlsoap.org/soap/envelope/}Body" />
  </xwss:RequireSignature>
  <xwss:RequireEncryption />
</xwss:SecurityConfiguration>
This is a fault I'm receiving from WSE.
The developers of the server say: "You must encrypt with the server cert (dev-server) and sign with self (invito). You must send only your public cert to validate the signature."
Alias "invito" is my private key, which is in the keystore; "dev-server" is the server's public certificate.
Please, could anyone provide any help on this?
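Added diagnostic example, not code from the original post or from XWSS: a small Python script that reads a SOAP message dump (the configuration above has dumpMessages="true", so such dumps are available) and reports, for each wsse:BinarySecurityToken in the Security header, which construct references it through a SecurityTokenReference. In WS-Security X.509 encryption the xenc:EncryptedKey is wrapped for the recipient's certificate, so a token referenced only from EncryptedKey is the server's own certificate embedded in the request; a service that expects a single token (the sender's) will reject exactly that. The sample message, token ids and all certificate, cipher and signature values are constructed placeholders.

```python
"""Audit wsse:BinarySecurityToken usage in a dumped WS-Security header.

Added example, not code from the original post. It reads a SOAP message
dump and reports which header constructs (xenc:EncryptedKey, ds:Signature)
reference each BinarySecurityToken, so a request that carries more tokens
than the service accepts can be explained instead of guessed at.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed sample dump: the shape a client produces when the Encrypt step
# embeds the recipient's certificate as a token (direct reference) and the
# Sign step embeds the sender's own certificate. Certificate bytes and the
# cipher/signature values are placeholders, not real material.
SAMPLE_DUMP = """<S:Envelope xmlns:S="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}"
            xmlns:ds="{ds}" xmlns:xenc="{xenc}">
  <S:Header>
    <wsse:Security>
      <wsse:BinarySecurityToken wsu:Id="X509-server">MIIB...server</wsse:BinarySecurityToken>
      <wsse:BinarySecurityToken wsu:Id="X509-client">MIIB...client</wsse:BinarySecurityToken>
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <ds:KeyInfo><wsse:SecurityTokenReference>
          <wsse:Reference URI="#X509-server"/>
        </wsse:SecurityTokenReference></ds:KeyInfo>
        <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
        <xenc:ReferenceList><xenc:DataReference URI="#enc-body"/></xenc:ReferenceList>
      </xenc:EncryptedKey>
      <wsu:Timestamp wsu:Id="ts"><wsu:Created>2009-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>
      <ds:Signature>
        <ds:SignedInfo/>
        <ds:SignatureValue>AAAA</ds:SignatureValue>
        <ds:KeyInfo><wsse:SecurityTokenReference>
          <wsse:Reference URI="#X509-client"/>
        </wsse:SecurityTokenReference></ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </S:Header>
  <S:Body><xenc:EncryptedData Id="enc-body"/></S:Body>
</S:Envelope>""".format(**NS)


def audit_binary_security_tokens(soap_xml: str) -> dict:
    """Return {token wsu:Id: sorted list of header constructs referencing it}.

    A construct is the local name of the direct wsse:Security child
    (EncryptedKey, Signature, ...) whose wsse:SecurityTokenReference/
    wsse:Reference points at the token with URI="#<wsu:Id>". Tokens that
    nothing references are reported with an empty list.
    """
    root = ET.fromstring(soap_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        raise ValueError("no wsse:Security header in message")

    report = {}
    for bst in security.findall("wsse:BinarySecurityToken", NS):
        report[bst.get(WSU_ID, "<no wsu:Id>")] = []

    for child in security:
        construct = child.tag.split("}")[-1]
        for ref in child.iterfind(".//wsse:SecurityTokenReference/wsse:Reference", NS):
            uri = ref.get("URI", "")
            if uri.startswith("#") and uri[1:] in report:
                report[uri[1:]].append(construct)

    return {tid: sorted(set(users)) for tid, users in report.items()}


def recipient_certs_echoed_back(report: dict) -> list:
    """Token ids consumed only by xenc:EncryptedKey.

    The EncryptedKey is wrapped for the recipient's certificate, so a token
    used only there is the server's own certificate travelling in the
    request; a server expecting one token (the sender's) will reject it.
    """
    return [tid for tid, users in report.items() if users == ["EncryptedKey"]]


if __name__ == "__main__":
    result = audit_binary_security_tokens(SAMPLE_DUMP)
    for token_id, users in result.items():
        print(f"{token_id}: referenced by {users or 'nothing'}")
    for token_id in recipient_certs_echoed_back(result):
        print(f"{token_id} is used only by EncryptedKey: recipient certificate sent back")
```

Run it against a real dump by replacing SAMPLE_DUMP with the file contents. If the server's certificate shows up as a token of its own, the usual remedy in WS-Security is to identify the recipient key by a Key Identifier or Issuer/Serial reference instead of embedding the certificate; XWSS exposes that choice through the keyReferenceType attribute of xwss:X509Token (values such as Identifier or IssuerSerialNumber rather than the default direct reference), which should be confirmed against the XWSS configuration schema for the version in use.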

