WS-Security Support for WebService Clients?

[ghazouli]

I stopped using spring-ws for the client. I did it because that is the technology that my client knows and did not want to introduce another technology stack.

[Arjen Poutsma]

Note that the current milestone (1.5 m2) contains the client-side interception model, and also a client-side WS-security interceptor. There is no documentation for this yet (that comes in the next release: 1.5 RC1), but the airline sample includes a spring-ws client which uses this model. You can also check out the various unit tests.

[javaty]

Hi Hisham,

Are you able to resolve the Security Verification error, I'm trying to implement XWSS (X.509) security to a Web Service on Weblogic9.2, I'm able to send the signature in the request but on the server side I'm getting a Verification error, Kindly help!

I have developed the code to sign calls from the client side using x509 certificates and also added the server side code but seem to get a strange error. Not sure if it is the policy file or bad certificates. I developed a call back bean to sign the message using my keystore. Here is the context configuration:

<bean id="signMessageCallback" class="com.truewind.ws.SignMessageCallback">
<constructor-arg value="securityPolicy.xml" />
<constructor-arg>
<bean
class="org.springframework.ws.soap.security.xwss.c allback.KeyStoreCallbackHandler">
<property name="keyStore">
<bean class="org.springframework.ws.soap.security.suppor t.KeyStoreFactoryBean">
<property name="location" ref="signatureKeyStoreFile"/>
<property name="password" value="@{signature.keystore.password}"/>
</bean>
</property>
<property name="defaultAlias" value="@{default.alias}"/>
<property name="privateKeyPassword" value="@{privateKey.password}"/>
</bean>
</constructor-arg>
<property name="soapAction" value="@{soap.action}" />
</bean>


On the server side I have configured the XwsSecurityInterceptor and a KeyStoreCallBackHandler for checking the x509 certificate. I have added the following configuration to the spring-ws-servlet.xml:

<bean id="keyStoreHandler" class="org.springframework.ws.soap.security.xwss.c allback.KeyStoreCallbackHandler">
<property name="trustStore" ref="trustStore"/>
</bean>

<bean id="trustStore" class="org.springframework.ws.soap.security.suppor t.KeyStoreFactoryBean">
<property name="location" value="classpath:trust_store.jks"/>
<property name="password" value="test"/>
</bean>

<bean id="wsSecurityInterceptor"
class="org.springframework.ws.soap.security.xwss.X wsSecurityInterceptor">
<property name="policyConfiguration" value="classpath:securityPolicy.xml"/>
<property name="callbackHandler" ref="keyStoreHandler"/>
<property name="validateRequest" value="false"></property>
</bean>


Now I am getting a Security Verification Error. I checked to make sure the certificate I am signing with is indeed in the truststore and vice versa. I have been trying for days to figure this out but have been running into a brick wall.

I will exchange my design with you if you can help me diagnose this issue. Let me know.

Thanks,
Hisham

[ghazouli]

No I never did resolve the issue. Although I think the new version of Spring WS may be more compatible.

Perhaps if you post the details of the client and server code than me or someone else may be able to see the issue.

[barsimp47]

I am successfully signing messages using the new ClientInterceptor features in Spring-WS 1.5.x, but I'm using WSS4J and Axiom under the hood, not XWSS or SAAJ. (The problems I was having with Axiom before were apparently resolved in the new version as well.)

Wss4jSecurityInterceptor is working like a charm with a pkcs12 keystore type.