I have a Web Service that receives SOAP messages according to the following model:
The XML in the cteDadosMsg is signed and I have to validate this signature. That's my problem: how do I get the XML content as a String?
I tried using XFire and Axis to implement this Web Service, but both wrapped the XML content in objects that aren't Strings (objects created by JAXB).
Your question: To get the text representation of a SOAP message from a JAXB object, you can feed the object to a zero transform that writes to an output stream.
Risks with calculating a signature from a text string representation of a SOAP message: However, when calculating the signature of a SOAP message, I suggest you use XML Signature (http://en.wikipedia.org/wiki/XML_Signature) or some other readily available method. Why? Consider the following cases:
You have SOAP messages with the same content, but one using the namespace prefix abc and the other using the namespace prefix bcd.
In your SOAP messages, there is an element which can have more than one attribute. The ordering of the attributes is not significant to SOAP and should not affect an algorithm calculating the signature of the SOAP message.
If you calculate a signature of the non-canonical SOAP messages, you will get two different signatures.
Thus, XML should be canonicalized first, then a signature can be calculated.
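The two cases from the answer above, as an added example (not part of the original thread, and written with Python's standard library rather than Java to keep it short): it hashes constructed payloads both raw and after canonicalization. The element names, namespace URI and helper functions are assumptions; the run also shows that canonical XML keeps namespace prefixes unless C14N 2.0 prefix rewriting is enabled.

```python
import hashlib
from xml.etree.ElementTree import canonicalize  # C14N 2.0, Python 3.8+

# Constructed sample payloads (not from the original thread). Element names,
# attribute names and the namespace URI are placeholders.
BASE = ('<abc:msg xmlns:abc="urn:example:cte" id="1" versao="1.04">'
        '<abc:valor>10</abc:valor></abc:msg>')
# Same content, attributes written in a different order.
REORDERED = ('<abc:msg versao="1.04" id="1" xmlns:abc="urn:example:cte">'
             '<abc:valor>10</abc:valor></abc:msg>')
# Same content, namespace bound to the prefix bcd instead of abc.
REPREFIXED = BASE.replace("abc", "bcd")
# Different content: the value was changed.
TAMPERED = BASE.replace(">10<", ">99<")


def raw_digest(xml: str) -> str:
    """Digest of the text exactly as serialized (what a String compare sees)."""
    return hashlib.sha256(xml.encode("utf-8")).hexdigest()


def c14n_digest(xml: str, rewrite_prefixes: bool = False) -> str:
    """Digest of the canonical form, the input a signature scheme digests."""
    canonical = canonicalize(xml, rewrite_prefixes=rewrite_prefixes)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def compare(a: str, b: str) -> dict:
    """Report which digest strategies treat two serializations as equal."""
    return {
        "raw": raw_digest(a) == raw_digest(b),
        "c14n": c14n_digest(a) == c14n_digest(b),
        "c14n_rewrite_prefixes": c14n_digest(a, True) == c14n_digest(b, True),
    }


if __name__ == "__main__":
    for label, other in [("reordered attributes", REORDERED),
                         ("different prefix", REPREFIXED),
                         ("tampered value", TAMPERED)]:
        print(f"{label:22} {compare(BASE, other)}")
```

A sender and receiver must agree on the canonicalization method, which is why XML Signature records it in the signature's CanonicalizationMethod element.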
Thanks for your answer. Indeed, the SOAPMessage object has the write(OutputStream) method, and this method will resolve my problem.
But this Web Service was implemented using the XFire framework and, according to the XFire documentation, the way to get the SOAP message before the business logic is processed is to use an AbstractHandler subclass. The question now is: how do I get a SOAPMessage object using the XFire framework? The AbstractHandler has an invoke(MessageContext) abstract method, and the MessageContext object doesn't have a way to get the SOAPMessage object directly.
Just to clarify things, the choice of XFire doesn't depend on me, OK?
I saw the page you indicated and I have a question. In the section about signing SOAP messages, does it explain how to sign the entire SOAP message (the header and body) or just parts of the message?
Just to clarify things, the XML wrapped in the body has a tag called "signature" and its value is the XML signature. So, to validate this signature we have to "re-sign" the XML and compare the values.
Check the WSS4J API documentation at: http://ws.apache.org/wss4j/apidocs/index.html You will want to use the class WSSecSignature and in it, the method setParts to specify which part(s) of the SOAP message you want to sign.