I am using XWS Security, where my client and service are both based on Spring WS 1.5.7.

The client and the server both reside in the same Eclipse project, so whatever the server has, the client has too.

My serverSecurityPolicy.xml
Code:
<xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
	<xwss:RequireSignature requireTimestamp="false">
		<xwss:X509Token certificateAlias="alias1" />
		<xwss:CanonicalizationMethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
		<xwss:SignatureMethod algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
	</xwss:RequireSignature>

	<xwss:RequireEncryption id="enc1">
		<xwss:X509Token certificateAlias="alias1" id="token1"/>
	</xwss:RequireEncryption>
</xwss:SecurityConfiguration>

My ClientSecurityPolicy.xml
Code:
<xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
	 
	<xwss:Sign id="signature" includeTimestamp="false">
		<xwss:X509Token certificateAlias="alias1" />
		<xwss:CanonicalizationMethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
		<xwss:SignatureMethod algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
	</xwss:Sign>
	 
	<xwss:Encrypt id="enc1">
		<xwss:X509Token certificateAlias="alias1" id="token1"/>
	</xwss:Encrypt>
 </xwss:SecurityConfiguration>

Here is the formatted data the client sends to the service, with the base64 data removed for readability.

Code:
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
	<SOAP-ENV:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
		<wsse:Security
			xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
			SOAP-ENV:mustUnderstand="1">
			<wsse:BinarySecurityToken
				xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
				EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
				ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
				wsu:Id="token1"
				xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
				base64Data
			</wsse:BinarySecurityToken>
			<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
				Id="XWSSGID-1250598455657-364754404">
				<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"
					xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" />
				<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
					<wsse:SecurityTokenReference
						xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
						<wsse:Reference URI="#token1"
							ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
					</wsse:SecurityTokenReference>
				</ds:KeyInfo>
				<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
					<xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
						base64Data
					</xenc:CipherValue>
				</xenc:CipherData>
			</xenc:EncryptedKey>
			<xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
				<xenc:DataReference URI="#XWSSGID-1250598455875-479363074" />
			</xenc:ReferenceList>
			<wsse:BinarySecurityToken
				xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
				EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
				ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
				wsu:Id="XWSSGID-125059845548541647699"
				xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
				base64Data
			</wsse:BinarySecurityToken>
			<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
				Id="signature">
				<ds:SignedInfo>
					<ds:CanonicalizationMethod
						Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
						<InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"
							PrefixList="wsse wsa SOAP-ENV" />
					</ds:CanonicalizationMethod>
					<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
					<ds:Reference URI="#XWSSGID-1250598455626263387424">
						<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
						<ds:DigestValue>base64Data digest
						</ds:DigestValue>
					</ds:Reference>
				</ds:SignedInfo>
				<ds:SignatureValue>
					base64Data signature data</ds:SignatureValue>
				<ds:KeyInfo>
					<wsse:SecurityTokenReference
						xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
						wsu:Id="XWSSGID-1250598455610-1523446675"
						xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
						<wsse:Reference URI="#XWSSGID-125059845548541647699"
							ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
					</wsse:SecurityTokenReference>
				</ds:KeyInfo>
			</ds:Signature>
		</wsse:Security>
		<wsa:To SOAP-ENV:mustUnderstand="1">
			http://localhost:8080/services/price</wsa:To>
		<wsa:Action>http://www.pricecompany.com/prices/main
		</wsa:Action>
		<wsa:MessageID>urn:uuid:a22c3ea1-6257-4a4a-8dec-20f8d9bd2eb8
		</wsa:MessageID>
	</SOAP-ENV:Header>
	<SOAP-ENV:Body
		xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
		wsu:Id="XWSSGID-1250598455626263387424">
		<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
			Id="XWSSGID-1250598455875-479363074" Type="http://www.w3.org/2001/04/xmlenc#Content">
			<xenc:EncryptionMethod
				Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"
				xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" />
			<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
				<wsse:SecurityTokenReference
					xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
					<wsse:Reference URI="#XWSSGID-1250598455657-364754404" />
				</wsse:SecurityTokenReference>
			</ds:KeyInfo>
			<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
				<xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">base64 Data
				</xenc:CipherValue>
			</xenc:CipherData>
		</xenc:EncryptedData>
	</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

In my pom.xml, I tried all

Code:
	<dependency>
		<groupId>com.sun.xml.wsit</groupId>
		<artifactId>wsit-rt</artifactId>
		<version>1.3.1</version>
	</dependency>

	<dependency>
		<groupId>com.sun.xml.wsit</groupId>
		<artifactId>xmldsig</artifactId>
		<version>1.1</version>
	</dependency>

	<dependency>
		<groupId>com.sun.xml.wsit</groupId>
		<artifactId>xws-security</artifactId>
		<version>1.3.1</version>
	</dependency>

	<dependency>
		<groupId>org.springframework.ws</groupId>
		<artifactId>spring-ws-security</artifactId>
		<version>${spring.ws.version}</version>
		<exclusions>
			<exclusion>
				<groupId>com.sun.xml.wss</groupId>
				<artifactId>xws-security</artifactId>
			</exclusion>
			<exclusion>
				<groupId>javax.xml.crypto</groupId>
				<artifactId>xmldsig</artifactId>
			</exclusion>
		</exclusions>
	</dependency>

as well as Spring WS's default dependency

Code:
  	<dependency>
		<groupId>com.sun.xml.wss</groupId>
		<artifactId>xws-security</artifactId>
		<version>2.0-FCS</version>
	</dependency>

I also downloaded xws-security-3.1 and tried that too. Just to confirm, I cleaned the project before trying either of the XWS implementations.

Enough about the environment; here is my problem.

The service fails with
Code:
Exception in thread "main" org.springframework.ws.soap.client.SoapFaultClientException: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.PolicyViolationException: Expected Signature Element as per receiver requirements, found  ReferenceList; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.PolicyViolationException: Expected Signature Element as per receiver requirements, found  ReferenceList
	at org.springframework.ws.soap.client.core.SoapFaultMessageResolver.resolveFault(SoapFaultMessageResolver.java:37)
	at org.springframework.ws.client.core.WebServiceTemplate.handleFault(WebServiceTemplate.java:738)
	at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:564)
	at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:502)
	at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:457)
	at org.springframework.ws.client.core.WebServiceTemplate.sendSourceAndReceiveToResult(WebServiceTemplate.java:403)
	at org.springframework.ws.client.core.WebServiceTemplate.sendSourceAndReceiveToResult(WebServiceTemplate.java:394)

The funny thing is that the message makes perfect sense to me: yes, it does not like the ReferenceList element before the Signature element, as you can see in the XML above.

How can we force the XWS implementation to do what it is supposed to do?

If I enable only one of Signature or Encryption for the web service, it all works fine. It is when both are enabled that the service complains about the element ordering of the client XML.

Any pointers much appreciated.
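
The fault names the element the receiver found in the wsse:Security header where it expected a Signature, so a useful first check is to list that header's children in document order and confirm that every #id reference resolves. The script below is an added example, not part of the original post or of XWSS; its sample is constructed from the message above, with shortened Ids (ek1, ed1, bst2, body1 are assumptions) and the wrapper elements dropped.

```python
import xml.etree.ElementTree as ET

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
PREFIX = {WSSE: "wsse", "http://www.w3.org/2001/04/xmlenc#": "xenc",
          "http://www.w3.org/2000/09/xmldsig#": "ds",
          "http://schemas.xmlsoap.org/soap/envelope/": "SOAP-ENV"}

# Constructed sample: same header order as the message in the post. Ids are
# shortened, and the KeyInfo, SecurityTokenReference and SignedInfo wrappers
# plus all algorithm, cipher and digest elements are omitted.
SAMPLE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="%s" xmlns:wsu="%s" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><SOAP-ENV:Header><wsse:Security>
  <wsse:BinarySecurityToken wsu:Id="token1"/>
  <xenc:EncryptedKey Id="ek1"><wsse:Reference URI="#token1"/></xenc:EncryptedKey>
  <xenc:ReferenceList><xenc:DataReference URI="#ed1"/></xenc:ReferenceList>
  <wsse:BinarySecurityToken wsu:Id="bst2"/>
  <ds:Signature Id="signature"><ds:Reference URI="#body1"/>
   <wsse:Reference URI="#bst2"/></ds:Signature>
 </wsse:Security></SOAP-ENV:Header>
 <SOAP-ENV:Body wsu:Id="body1"><xenc:EncryptedData Id="ed1">
  <wsse:Reference URI="#ek1"/></xenc:EncryptedData></SOAP-ENV:Body>
</SOAP-ENV:Envelope>""" % (WSSE, WSU)

def qname(el):
    """Render ElementTree's '{namespace}local' tag as 'prefix:local'."""
    ns, _, name = el.tag.lstrip("{").rpartition("}")
    return f"{PREFIX.get(ns, '?')}:{name}" if ns else name

def element_id(el):
    """Return the element's Id or wsu:Id attribute, if present."""
    return el.get("Id") or el.get("{%s}Id" % WSU)

def header_order(xml_text):
    """(qname, id) of each wsse:Security child, in document order."""
    security = ET.fromstring(xml_text).find(".//{%s}Security" % WSSE)
    return [(qname(child), element_id(child)) for child in security]

def resolve_references(xml_text):
    """(referrer, '#id', target qname or None) for every same-document URI."""
    root = ET.fromstring(xml_text)
    by_id = {element_id(e): qname(e) for e in root.iter() if element_id(e)}
    return [(qname(e), e.get("URI"), by_id.get(e.get("URI")[1:]))
            for e in root.iter() if e.get("URI", "").startswith("#")]

if __name__ == "__main__":
    for row in header_order(SAMPLE) + resolve_references(SAMPLE):
        print(*row)
```

Run against the real captured request instead of SAMPLE, a target of None marks a dangling reference, and the header listing shows the element order the service was handed.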