Win a copy of Functional Reactive Programming this week in the Other Languages forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

WebService Security Implementation Problems

 
Mat Anthony
Ranch Hand
Posts: 261
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi All,
I'm trying to secure my spring webservices using XwsSecurityInterceptor as follows:-


securityPolicy.xml contains:-


In SOAPUI I have configured the the keystores/Certififacte to point to my truststore.jks
In SOAPUI Outgoing WSS of the request I point to the keystore configuration.


Each time I make a soapui request to the webservice I get the following:-

org.springframework.ws.soap.security.AbstractWsSecurityInterceptor.handleValidationException(AbstractWsSecurityInterceptor.java:281)
Could not validate request: com.sun.xml.wss.XWSSecurityException: More Receiver requirements [ SignaturePolicy SignaturePolicy ]
specified than present in the message; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException:
More Receiver requirements [ SignaturePolicy SignaturePolicy ] specified than present in the message

The soap envelope request that soapui transmits contains the following:-



I'm new to WS Security and not sure about the following:-
1) I thought that I would be able to see the Certificate within the client request soap header( i.e. within BinarySecurityToken), hence is this the reason for the above error ?
2) The client is supposed to create a hash from the soap message body. The hash is then encrypt using the private key. Note sure were the private key comes from ?
3) The client transmits the soap message containing the Digital signature and the public key. Note sure were the public key comes from ?
4) The spring ws security documentation talks about using the above configuration to carry out Certificate Validation and Certificate Authentication.
As a design question, would you let the firewall server carry out certificate validation (i.e. checking expiration date passed, checking trusstore) rather than the webservice?

Mat
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic