
Thread: WSS4J - binary security token example

  1. #1
    Join Date
    Mar 2008
    Posts
    20

    WSS4J - binary security token example

    Any help - sample code....?

  2. #2


    If you are talking about certificate token authentication using wss4j, the support does not yet exist. (see this post: http://forum.springframework.org/showthread.php?t=53675)

    I am working on the same problem, please post if you find a solution.

  3. #3
    Join Date
    Mar 2008
    Posts
    20


    It's the same thing I am talking about. Is that a bug in Spring WS? I believe WSS4J supports binary (certificate) token and token reference based security i.e. both....

    I do not see the binary token in the web service message but just see the binary token reference...

    Is there any way to add the token itself? Do we need to create a new JIRA issue for this one?

  4. #4


    Since spring-ws doesn't officially support Certificate Authentication with wss4j at this point (it DOES support it using xwss) it's technically not a bug but a feature request. I would definitely vote for the request though.

    Looking through the wss4j forums I saw a post that said the x.509 token profile usage is demonstrated in the "interop" sample application which is shipped with the binary distribution of wss4j 1.5.*. Hope this helps.

  5. #5


    I'll definitely look into it. Thanks for the info.
    Tareq Abedrabbo


  6. #6
    Join Date
    Mar 2008
    Posts
    20


    Any update on this one?

  7. #7


    As I understand it now, wss4j "Signature" securement/validation action does BOTH signature validation AND x.509 token authentication (aka x.509 token profile). This makes sense b/c in order to validate the signature the server has to validate the x.509 certificate which was used to create the signature. For an example showing plain wss4j configuration for x.509 token profile configuration, look at this post.

    I also found that if I set the securementSignatureKeyIdentifier to DirectReference on my Wss4jSecurityInterceptor bean I do get a wsse:BinarySecurityToken security header in the produced soap message. Here is my client config:

    Code:
        <bean id="wsDigSignSecurityInterceptor"
            class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">

            <property name="securementActions" value="Signature" />
            <property name="securementUsername" value="alias" />
            <property name="securementPassword" value="keypass" />
            <property name="securementSignatureCrypto">
                <bean
                    class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
                    <property name="keyStorePassword" value="storepass" />
                    <property name="keyStoreLocation"
                        value="classpath:/keystore.jks" />
                </bean>
            </property>
            <!-- DirectReference puts a wsse:BinarySecurityToken in the security header -->
            <property name="securementSignatureKeyIdentifier" value="DirectReference"/>
        </bean>
    Server config:
    Code:
        <bean id="wsDigSignSecurityInterceptor"
            class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">

            <property name="validationActions" value="Signature" />
            <property name="validationSignatureCrypto">
                <bean
                    class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
                    <property name="keyStorePassword" value="storepass" />
                    <property name="keyStoreLocation" value="classpath:/keystore.jks" />
                </bean>
            </property>
        </bean>
    Please correct me if my assumptions are wrong.
    Thanks,
    Paul
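
To confirm on the wire which of the two cases discussed in this thread a client is producing (token embedded via DirectReference, or only a reference to it), the outgoing SOAP message can be inspected. The following is an added example, not part of the original posts or of Spring-WS/WSS4J; the function name, the sample messages and the ids `cert-1` and `body-1` are constructed for illustration. It checks structure only and does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

def inspect_security_header(xml_text):
    """Report how the signing key is referenced and whether the Body is signed."""
    root = ET.fromstring(xml_text)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return {"key_reference": "none", "body_signed": False}
    tokens = {t.get(WSU_ID) for t in sec.findall("wsse:BinarySecurityToken", NS)}
    str_el = sec.find("ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference", NS)
    kind = "none"
    if str_el is not None:
        ref = str_el.find("wsse:Reference", NS)
        if ref is not None and ref.get("URI", "").lstrip("#") in tokens:
            kind = "DirectReference"      # certificate travels in the message
        elif ref is not None:
            kind = "dangling-reference"   # points at a token that is not present
        else:
            kind = "reference-only"       # e.g. issuer/serial, no token in message
    signed = {r.get("URI", "").lstrip("#")
              for r in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)}
    body = root.find("soap:Body", NS)
    body_id = body.get(WSU_ID) if body is not None else None
    return {"key_reference": kind, "body_signed": body_id in signed}

def sample(key_info, token=""):
    """Build a constructed, heavily trimmed signed envelope for the demo."""
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
 xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}"><soap:Header><wsse:Security>{token}
<ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/></ds:SignedInfo>
<ds:KeyInfo><wsse:SecurityTokenReference>{key_info}</wsse:SecurityTokenReference></ds:KeyInfo>
</ds:Signature></wsse:Security></soap:Header>
<soap:Body wsu:Id="body-1"/></soap:Envelope>"""

DIRECT = sample('<wsse:Reference URI="#cert-1"/>',
                '<wsse:BinarySecurityToken wsu:Id="cert-1">CONSTRUCTED</wsse:BinarySecurityToken>')
ISSUER_SERIAL = sample('<ds:X509Data><ds:X509IssuerSerial/></ds:X509Data>')

if __name__ == "__main__":
    print(inspect_security_header(DIRECT))
    print(inspect_security_header(ISSUER_SERIAL))
```

A `dangling-reference` result or `body_signed: False` on a message that is expected to be signed is worth investigating before relying on the server-side "Signature" validation action.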

  8. #8
    Join Date
    Jul 2005
    Location
    Rotterdam, the Netherlands
    Posts
    1,562


    For your entertainment and education, I've created http://jira.springframework.org/browse/SWS-356, which you can track.
    Arjen Poutsma

    Spring Web Services Dev Lead

  9. #9
    Join Date
    Dec 2007
    Posts
    23


    I'm confused. I thought this was already working as of 1.5, at least on the client side. This is my config - pretty much the same as pdotsenko's - and it's working great for me. I'm getting a BinarySecurityToken and everything.

    Code:
    <bean id="loginServiceTemplate" class="org.springframework.ws.client.core.WebServiceTemplate">
      <constructor-arg ref="messageFactory"/>
      <property name="messageSender" ref="messageSender" />
      <property name="defaultUri" value="https://foo.com/bar/Login" />
      <property name="interceptors">
        <list>
          <ref bean="securityInterceptor" />
        </list>
      </property>
    </bean>
    
    <!-- ClientInterceptor that signs an outgoing message with our X509 certificate. -->
    <bean id="securityInterceptor"
      class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
      <property name="securementActions" value="Signature" />
      <property name="securementUsername" value="12345e2c56614e11240fe67890b5bdf0_abcdeffd-e775-4a98-825c-a92a12345678" />
      <property name="securementPassword" value="secret" />
      <property name="securementSignatureCrypto">
        <bean
          class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
          <property name="keyStorePassword" value="password" />
          <property name="keyStoreLocation" value="classpath:/ACES.p12" />
          <property name="keyStoreType" value="pkcs12" />
          <property name="defaultX509Alias"
            value="12345e2c56614e11240fe67890b5bdf0_abcdeffd-e775-4a98-825c-a92a12345678" />
        </bean>
      </property>
      <property name="securementSignatureKeyIdentifier" value="DirectReference" />
      <!-- Sign the body and a custom header element called FooBar -->
      <property name="securementSignatureParts"
        value="{}{http://foo.com/bar/baz.xsd}FooBar;{}{http://schemas.xmlsoap.org/soap/envelope/}Body" />
    </bean>
    
    <bean id="messageFactory"
      class="org.springframework.ws.soap.axiom.AxiomSoapMessageFactory">
      <property name="payloadCaching" value="true" />
    </bean>
    
    <bean id="messageSender"
      class="org.springframework.ws.transport.http.CommonsHttpMessageSender"> 
    </bean>
    Again, this is for a WebServiceTemplate used for outgoing client requests.

    I must be misunderstanding what you all are asking for, but I figured I'd post just in case this is helpful.

  10. #10


    barsimp47 - thanks for the post. I agree that x.509 token profile is indeed supported by spring-ws using wss4j since 1.5, it just wasn't obvious to me (and at least a few others) earlier. It is working for me as well.

    Arjen, perhaps the JIRA task you created could be repurposed to request a short reference doc section like "Certificate Authentication" for Wss4jSecurityInterceptor, I think it would help other users.

    Thanks,
    Paul
