• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

WebService Security Implementation Problems

 
Ranch Hand
Posts: 265
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi All,
I'm trying to secure my spring webservices using XwsSecurityInterceptor as follows:-


securityPolicy.xml contains:-


In SOAPUI I have configured the the keystores/Certififacte to point to my truststore.jks
In SOAPUI Outgoing WSS of the request I point to the keystore configuration.


Each time I make a soapui request to the webservice I get the following:-

org.springframework.ws.soap.security.AbstractWsSecurityInterceptor.handleValidationException(AbstractWsSecurityInterceptor.java:281)
Could not validate request: com.sun.xml.wss.XWSSecurityException: More Receiver requirements [ SignaturePolicy SignaturePolicy ]
specified than present in the message; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException:
More Receiver requirements [ SignaturePolicy SignaturePolicy ] specified than present in the message

The soap envelope request that soapui transmits contains the following:-



I'm new to WS Security and not sure about the following:-
1) I thought that I would be able to see the Certificate within the client request soap header( i.e. within BinarySecurityToken), hence is this the reason for the above error ?
2) The client is supposed to create a hash from the soap message body. The hash is then encrypt using the private key. Note sure were the private key comes from ?
3) The client transmits the soap message containing the Digital signature and the public key. Note sure were the public key comes from ?
4) The spring ws security documentation talks about using the above configuration to carry out Certificate Validation and Certificate Authentication.
As a design question, would you let the firewall server carry out certificate validation (i.e. checking expiration date passed, checking trusstore) rather than the webservice?

Mat
 
The problems of the world fade way as you eat a piece of pie. This tiny ad has never known problems:
a bit of art, as a gift, that will fit in a stocking
https://gardener-gift.com
reply
    Bookmark Topic Watch Topic
  • New Topic