1 year ago
#45421
n002213f
Adding SecurityContextToken to SOAP 1.1 Message using Apache CXF
I have to call a secure SOAP 1.1 service (using an X.509 certificate) and am currently getting the error: An error occurred when verifying security for the message.
I suspect (and I stand corrected) that the generated SOAP request has a BinarySecurityToken instead of the expected SecurityContextToken in the SOAP header section. Unfortunately, I do not have the SOAP service logs to check the root cause of the security failure.
How would one configure the client so that the SecurityContextToken is added, removing the BinarySecurityToken?
Server: ASP.NET 4.0.30319
Client: Quarkus 2.3.1, Apache CXF 3.5.0, WSS4J 2.4.0, Java 17
Client Configuration
var factory = new JaxWsProxyFactoryBean();
factory.setAddress("https://soap.service.bet/Service.svc");
var props = new HashMap<String, Object>();
props.put(ConfigurationConstants.ACTION, ConfigurationConstants.TIMESTAMP + " " + ConfigurationConstants.SIGNATURE);
props.put(ConfigurationConstants.PW_CALLBACK_REF, callbackHandler());
props.put(ConfigurationConstants.USER, "alias");
props.put(ConfigurationConstants.SIGNATURE_USER, "alias");
props.put(ConfigurationConstants.SIG_PROP_FILE, "file-path");
props.put(ConfigurationConstants.SIG_KEY_ID, "DirectReference");
var outInterceptor = new LoggingOutInterceptor();
outInterceptor.setPrettyLogging(true);
factory.getOutInterceptors().add(outInterceptor);
var inInterceptor = new LoggingInInterceptor();
inInterceptor.setPrettyLogging(true);
factory.getInInterceptors().add(inInterceptor);
factory.setServiceClass(DocumentService.class);
client = factory.create(DocumentService.class);
SOAP Request Created
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soap:mustUnderstand="1">
<wsse:BinarySecurityToken
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="X509-4749bc58-cae6-43cf-8003-1bd2074646a2">base64-encoded-certificate</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-71963650-36aa-4aa1-b60a-40ad40785b5b">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-2847b44b-8392-4d1f-9624-30d982fe1a79">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>digest-value</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>signature-value</ds:SignatureValue>
<ds:KeyInfo Id="KI-0fb9d706-78f4-4941-b993-1bb680cc74d1">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="STR-81744af4-f79f-428d-969e-f3d106c4c769">
<wsse:Reference URI="#X509-4749bc58-cae6-43cf-8003-1bd2074646a2"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp wsu:Id="TS-f8046bd5-2eae-4321-83b1-1f9c54191751">
<wsu:Created>2022-01-12T08:52:07.692Z</wsu:Created>
<wsu:Expires>2022-01-12T08:57:07.692Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
<wsa:To xmlns:wsa="http://www.w3.org/2005/08/addressing">https://target-url.svc</wsa:To>
<wsa:Action xmlns:wsa="http://www.w3.org/2005/08/addressing">https://iermdocument.acmegroup.net/DocumentService/ProtectDocument</wsa:Action>
</soap:Header>
<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="id-2847b44b-8392-4d1f-9624-30d982fe1a79">
<ns2:ProtectDocument xmlns="http://schemas.datacontract.org/2004/07/ACME.Document.DTO"
xmlns:ns2="https://iermdocument.acmegroup.net/DocumentService"
xmlns:ns3="http://schemas.microsoft.com/2003/10/Serialization/">
<ns2:protectDocumentRequest>
<DocumentContent>byte array of file contents</DocumentContent>
<DocumentId>document-id</DocumentId>
<FileName>filename.pdf</FileName>
<TemplateId>reference-template</TemplateId>
</ns2:protectDocumentRequest>
</ns2:ProtectDocument>
</soap:Body>
</soap:Envelope>
Expected SOAP Message
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">https://iermdocument.acmegroup.net/DocumentService/ProtectDocument</a:Action>
<a:MessageID>urn:uuid:7a83fb99-ad23-4854-b6f6-1ed40b4ac05d</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">https://target-url.svc</a:To>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2015-11-16T19:07:31.193Z</u:Created>
<u:Expires>2015-11-16T19:12:31.193Z</u:Expires>
</u:Timestamp>
<c:SecurityContextToken u:Id="uuid-c164b012-61e3-419b-9f59-85346cbcdaa3-1" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
<c:Identifier>urn:uuid:b8e739ef-b550-4e46-a4b5-35bb1a95f094</c:Identifier>
</c:SecurityContextToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<Reference URI="#_0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>digest-value</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>signature-value</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="#uuid-c164b012-61e3-419b-9f59-85346cbcdaa3-1"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body>
<ProtectDocument xmlns="https://iermdocument.acmegroup.net/DocumentService">
<protectDocumentRequest xmlns:b="http://schemas.datacontract.org/2004/07/ACME.Document.DTO" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<b:DocumentContent>byte array of file contents</b:DocumentContent>
<b:DocumentId>document-id</b:DocumentId>
<b:FileName>filename.pdf</b:FileName>
<b:TemplateId>reference-template</b:TemplateId>
</protectDocumentRequest>
</ProtectDocument>
</s:Body>
</s:Envelope>
java
web-services
soap
cxf
wss4j
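Added example, not part of the original post: a Python script that reduces two SOAP envelopes to their WS-Security shape (SOAP version, token elements, signature method, signed parts, key reference type) and reports every field that differs. The two samples are constructed, trimmed from the messages in the question, and `profile` and `diff` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

SOAP = {"http://schemas.xmlsoap.org/soap/envelope/": "1.1",
        "http://www.w3.org/2003/05/soap-envelope": "1.2"}
O = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
U = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
D = "http://www.w3.org/2000/09/xmldsig#"
C = "http://schemas.xmlsoap.org/ws/2005/02/sc"
X509 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

def local(tag):
    return tag.rsplit("}", 1)[-1]

def profile(xml_text):
    """Summarise the WS-Security shape of one SOAP envelope."""
    root = ET.fromstring(xml_text)
    sec = root.find(f".//{{{O}}}Security")
    # wsu:Id -> element name, so each signed Reference URI can be resolved
    ids = {e.get(f"{{{U}}}Id"): local(e.tag) for e in root.iter() if e.get(f"{{{U}}}Id")}
    refs = sec.iterfind(f".//{{{D}}}SignedInfo/{{{D}}}Reference")
    key = sec.find(f".//{{{O}}}SecurityTokenReference/{{{O}}}Reference")
    return {
        "soap_version": SOAP.get(root.tag[1:].split("}")[0], "unknown"),
        "tokens": sorted(local(c.tag) for c in sec if local(c.tag).endswith("Token")),
        "signature_method": sec.find(f".//{{{D}}}SignatureMethod").get("Algorithm").split("#")[-1],
        "signed_parts": sorted(ids.get(r.get("URI", "")[1:], "unresolved") for r in refs),
        "key_token_type": key.get("ValueType").replace("#", "/").rsplit("/", 1)[-1],
    }

def diff(sent, expected):  # {field: (sent, expected)} for each differing field
    a, b = profile(sent), profile(expected)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

# Constructed samples: the two envelopes from the post, trimmed to the security-relevant parts.
NS = f'xmlns:o="{O}" xmlns:u="{U}" xmlns:d="{D}" xmlns:c="{C}"'
SENT = f'''<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" {NS}><s:Header><o:Security>
<o:BinarySecurityToken u:Id="X509-1">cert</o:BinarySecurityToken>
<d:Signature><d:SignedInfo><d:SignatureMethod Algorithm="{D}rsa-sha1"/><d:Reference URI="#id-1"/></d:SignedInfo>
<d:KeyInfo><o:SecurityTokenReference><o:Reference URI="#X509-1" ValueType="{X509}"/>
</o:SecurityTokenReference></d:KeyInfo></d:Signature><u:Timestamp u:Id="TS-1"/>
</o:Security></s:Header><s:Body u:Id="id-1"/></s:Envelope>'''
EXPECTED = f'''<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" {NS}><s:Header><o:Security>
<u:Timestamp u:Id="_0"/><c:SecurityContextToken u:Id="uuid-1"><c:Identifier>urn:uuid:x</c:Identifier>
</c:SecurityContextToken><d:Signature><d:SignedInfo><d:SignatureMethod Algorithm="{D}hmac-sha1"/>
<d:Reference URI="#_0"/></d:SignedInfo><d:KeyInfo><o:SecurityTokenReference>
<o:Reference ValueType="{C}/sct" URI="#uuid-1"/></o:SecurityTokenReference></d:KeyInfo></d:Signature>
</o:Security></s:Header><s:Body/></s:Envelope>'''

print(diff(SENT, EXPECTED))
```

On the two messages in the question, the reported differences are not limited to the token element: the envelope namespace, the signature method and the signed part differ as well.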
0 Answers