Forums Register Login

WebService Security Implementation Problems

+Pie Number of slices to send: Send
Hi All,
I'm trying to secure my spring webservices using XwsSecurityInterceptor as follows:-


securityPolicy.xml contains:-


In SOAPUI I have configured the the keystores/Certififacte to point to my truststore.jks
In SOAPUI Outgoing WSS of the request I point to the keystore configuration.


Each time I make a soapui request to the webservice I get the following:-

org.springframework.ws.soap.security.AbstractWsSecurityInterceptor.handleValidationException(AbstractWsSecurityInterceptor.java:281)
Could not validate request: com.sun.xml.wss.XWSSecurityException: More Receiver requirements [ SignaturePolicy SignaturePolicy ]
specified than present in the message; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException:
More Receiver requirements [ SignaturePolicy SignaturePolicy ] specified than present in the message

The soap envelope request that soapui transmits contains the following:-



I'm new to WS Security and not sure about the following:-
1) I thought that I would be able to see the Certificate within the client request soap header( i.e. within BinarySecurityToken), hence is this the reason for the above error ?
2) The client is supposed to create a hash from the soap message body. The hash is then encrypt using the private key. Note sure were the private key comes from ?
3) The client transmits the soap message containing the Digital signature and the public key. Note sure were the public key comes from ?
4) The spring ws security documentation talks about using the above configuration to carry out Certificate Validation and Certificate Authentication.
As a design question, would you let the firewall server carry out certificate validation (i.e. checking expiration date passed, checking trusstore) rather than the webservice?

Mat
You know it is dark times when the trees riot. I think this tiny ad is their leader:
a bit of art, as a gift, that will fit in a stocking
https://gardener-gift.com


reply
reply
This thread has been viewed 2458 times.
Similar Threads
Java Client for a SOAP wsdl with basic authentication
AXIS2 / RAMPART - response header missing.
can't run rampart client
Configuring Axis2 WS Security, Rampart etc for a Web Service Client
Rampart encrypting options: I can't encrypt parameters
More...

All times above are in ranch (not your local) time.
The current ranch time is
Mar 19, 2024 00:13:18.