WebService Security Implementation Problems

Mat Anthony
Ranch Hand

Joined: May 21, 2008
Posts: 229
Hi All,
I'm trying to secure my spring webservices using XwsSecurityInterceptor as follows:-


securityPolicy.xml contains:-


In SOAPUI I have configured the keystores/Certificate to point to my truststore.jks
In SOAPUI Outgoing WSS of the request I point to the keystore configuration.


Each time I make a soapui request to the webservice I get the following:-

org.springframework.ws.soap.security.AbstractWsSecurityInterceptor.handleValidationException(AbstractWsSecurityInterceptor.java:281)
Could not validate request: com.sun.xml.wss.XWSSecurityException: More Receiver requirements [ SignaturePolicy SignaturePolicy ]
specified than present in the message; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException:
More Receiver requirements [ SignaturePolicy SignaturePolicy ] specified than present in the message

The soap envelope request that soapui transmits contains the following:-



I'm new to WS Security and not sure about the following:-
1) I thought that I would be able to see the Certificate within the client request soap header (i.e. within BinarySecurityToken), hence is this the reason for the above error?
2) The client is supposed to create a hash from the soap message body. The hash is then encrypted using the private key. Not sure where the private key comes from?
3) The client transmits the soap message containing the Digital signature and the public key. Not sure where the public key comes from?
4) The spring ws security documentation talks about using the above configuration to carry out Certificate Validation and Certificate Authentication.
As a design question, would you let the firewall server carry out certificate validation (i.e. checking expiration date passed, checking truststore) rather than the webservice?

Mat
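
An added diagnostic sketch, not part of the original post and not Spring-WS or XWSS code: the exception quoted above says the receiver requires signatures that are not present in the message, so this counts the ds:Signature and wsse:BinarySecurityToken elements inside the wsse:Security header of a captured request. The class name, method names and both sample envelopes are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class WssHeaderCheck {  // hypothetical helper, not from the post
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);  // WS-Security elements are matched by namespace URI
        // Captured traffic is untrusted input: refuse DOCTYPEs so no external entity is resolved.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static int count(Element scope, String ns, String local) {
        return scope.getElementsByTagNameNS(ns, local).getLength();
    }

    // Summarises which WS-Security parts the envelope actually carries.
    static String report(String envelope) throws Exception {
        NodeList sec = parse(envelope).getElementsByTagNameNS(WSSE, "Security");
        if (sec.getLength() == 0) return "no wsse:Security header";
        Element s = (Element) sec.item(0);
        return "Signature=" + count(s, DS, "Signature")
             + " BinarySecurityToken=" + count(s, WSSE, "BinarySecurityToken")
             + " Reference=" + count(s, DS, "Reference");
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: an unsigned request and a skeleton of a signed one.
        String open = "<e:Envelope xmlns:e=\"" + SOAP + "\"><e:Header>";
        String close = "</e:Header><e:Body><ping/></e:Body></e:Envelope>";
        String signedHeader = "<w:Security xmlns:w=\"" + WSSE + "\" xmlns:d=\"" + DS + "\">"
            + "<w:BinarySecurityToken>PLACEHOLDER</w:BinarySecurityToken>"
            + "<d:Signature><d:SignedInfo><d:Reference URI=\"#body\"/></d:SignedInfo>"
            + "</d:Signature></w:Security>";
        System.out.println("unsigned: " + report(open + close));
        System.out.println("signed:   " + report(open + signedHeader + close));
    }
}
```

To inspect a real request, pass the raw envelope text copied from the SOAPUI request log to `report` in place of the constructed samples.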
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: WebService Security Implementation Problems
 
Similar Threads
Configuring Axis2 WS Security, Rampart etc for a Web Service Client
Rampart encrypting options: I can't encrypt parameters
AXIS2 / RAMPART - response header missing.
can't run rampart client
Java Client for a SOAP wsdl with basic authentication