This week's book giveaway is in the OCAJP 8 forum. We're giving away four copies of OCA Java SE 8 Programmer I Study Guide and have Edward Finegan & Robert Liguori on-line! See this thread for details.
I'm trying to secure my spring webservices using XwsSecurityInterceptor as follows:-
In SOAPUI I have configured the the keystores/Certififacte to point to my truststore.jks
In SOAPUI Outgoing WSS of the request I point to the keystore configuration.
Each time I make a soapui request to the webservice I get the following:-
Could not validate request: com.sun.xml.wss.XWSSecurityException: More Receiver requirements [ SignaturePolicy SignaturePolicy ]
specified than present in the message; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException:
More Receiver requirements [ SignaturePolicy SignaturePolicy ] specified than present in the message
The soap envelope request that soapui transmits contains the following:-
I'm new to WS Security and not sure about the following:-
1) I thought that I would be able to see the Certificate within the client request soap header( i.e. within BinarySecurityToken), hence is this the reason for the above error ?
2) The client is supposed to create a hash from the soap message body. The hash is then encrypt using the private key. Note sure were the private key comes from ?
3) The client transmits the soap message containing the Digital signature and the public key. Note sure were the public key comes from ?
4) The spring ws security documentation talks about using the above configuration to carry out Certificate Validation and Certificate Authentication.
As a design question, would you let the firewall server carry out certificate validation (i.e. checking expiration date passed, checking trusstore) rather than the webservice?