WebService Security Implementation Problems

Mat Anthony
Ranch Hand

Joined: May 21, 2008
Posts: 232
Hi All,
I'm trying to secure my spring webservices using XwsSecurityInterceptor as follows:-


securityPolicy.xml contains:-


In SOAPUI I have configured the keystores/certificate to point to my truststore.jks
In SOAPUI Outgoing WSS of the request I point to the keystore configuration.


Each time I make a soapui request to the webservice I get the following:-

org.springframework.ws.soap.security.AbstractWsSecurityInterceptor.handleValidationException(AbstractWsSecurityInterceptor.java:281)
Could not validate request: com.sun.xml.wss.XWSSecurityException: More Receiver requirements [ SignaturePolicy SignaturePolicy ]
specified than present in the message; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException:
More Receiver requirements [ SignaturePolicy SignaturePolicy ] specified than present in the message

The soap envelope request that soapui transmits contains the following:-



I'm new to WS Security and not sure about the following:-
1) I thought that I would be able to see the Certificate within the client request soap header (i.e. within BinarySecurityToken), hence is this the reason for the above error?
2) The client is supposed to create a hash from the soap message body. The hash is then encrypted using the private key. Not sure where the private key comes from?
3) The client transmits the soap message containing the Digital signature and the public key. Not sure where the public key comes from?
4) The spring ws security documentation talks about using the above configuration to carry out Certificate Validation and Certificate Authentication.
As a design question, would you let the firewall server carry out certificate validation (i.e. checking expiration date passed, checking truststore) rather than the webservice?

Mat
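For anyone landing here with the same XWSS error, the following added example (not code from the post, and not Spring-WS or XWSS internals) shows what a SignaturePolicy actually requires of the client message: a ds:Signature inside wsse:Security covering the Body, produced with the client's private key and verified by the receiver with the matching public key. The envelope, the key pair and the wsu:Id value "Body" are constructed for the demo; a real client takes the private key from its own keystore entry and sends its X.509 certificate in a BinarySecurityToken rather than a bare KeyValue.

```java
import java.io.ByteArrayInputStream;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
// Constructed demo (not from the post): sign the SOAP Body with XML-DSig, then verify it like a receiver would.
public class SoapBodySignatureDemo {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    // Constructed sample envelope; the Body carries a wsu:Id so the Signature can point at it.
    static final String ENVELOPE =
        "<soapenv:Envelope xmlns:soapenv='" + SOAP + "' xmlns:wsse='" + WSSE + "' xmlns:wsu='" + WSU + "'>"
        + "<soapenv:Header><wsse:Security/></soapenv:Header>"
        + "<soapenv:Body wsu:Id='Body'><ping>hello</ping></soapenv:Body></soapenv:Envelope>";
    public static void main(String[] args) throws Exception {
        // The private key normally comes from the client's own keystore entry; a throwaway pair stands in here.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(ENVELOPE.getBytes("UTF-8")));
        Element body = (Element) doc.getElementsByTagNameNS(SOAP, "Body").item(0);
        body.setIdAttributeNS(WSU, "Id", true); // lets the "#Body" reference resolve
        Element security = (Element) doc.getElementsByTagNameNS(WSSE, "Security").item(0);
        // Client side: digest the Body, sign the digest with the private key, put ds:Signature inside wsse:Security.
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#Body", fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)), null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        // A real client ships its X.509 certificate in a BinarySecurityToken; a bare KeyValue carries the public key here.
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));
        fac.newXMLSignature(si, ki).sign(new DOMSignContext(kp.getPrivate(), security));
        // Server side: find ds:Signature and check it. No Signature at all is what XWSS reports as an unmet SignaturePolicy.
        Element sig = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext vc = new DOMValidateContext(kp.getPublic(), sig);
        System.out.println("signature valid: " + fac.unmarshalXMLSignature(vc).validate(vc));
    }
}
```

A receiver configured with a SignaturePolicy looks for exactly this ds:Signature in the header; when SOAPUI's Outgoing WSS entry only attaches a token or nothing at all, the message arrives without it and the "More Receiver requirements ... than present in the message" check fails before any certificate validation happens.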
 