Shawn,
sorry, wrong info - your namespace definition is correct.
The real problem is:
You can't sign the UsernameToken with itself.
To work correctly and to have the correct sequence of security
header parts, the WSS4J handlers
- first create the UsernameToken as an internal DOM element with all
necessary data. Then this data is used to sign the relevant part of the
document (usually the SOAP body).
- After Signature processing the resulting Signature header data is
prepended on top of the other security header data.
- Then the previously prepared UsernameToken header is prepended, and
so on.
That is, the UsernameToken is not yet part of the document during
Signature processing.
The handlers process the actions from left to right, prepending the
header parts for each action.
Using prepend, the security header parts are in the right order for
the receiver to work with. The receiver first scans the UsernameToken
to get all the data, then gets the Signature data and verifies the
Signature, etc.
Regards,
Werner
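The ordering Werner describes above, as an added example that is not part of this thread and not WSS4J code: a small Python simulation of the UsernameTokenSignature (UT_SIGN) action. The sender builds the UsernameToken in memory, signs the requested part with a key derived from the token's password, prepends the Signature to wsse:Security, and only then prepends the UsernameToken in front of it; the receiver walks the header in document order. The namespaces are the real WSS 1.0 ones, but the key derivation (PBKDF2), the digest (an HMAC over the serialised element instead of XML-DSig canonicalisation), the sample envelope, the user "shawn" and the password lookup are all constructed stand-ins. Asking the Signature step for the UsernameToken reproduces the "Element to encrypt/sign not found" failure, because the token is not in the document at that point.

```python
"""Simulation of the WSS4J UT_SIGN header ordering.  Added example, not WSS4J
code: the namespaces are real, the key derivation, digest and sample data are
toy stand-ins (assumptions)."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("ds", DSIG)):
    ET.register_namespace(prefix, uri)

PASSWORDS = {"shawn": "s3cret"}  # constructed; plays the role of passwordCallbackClass


class WSSecurityException(Exception):
    """Stands in for org.apache.ws.security.WSSecurityException."""


def new_envelope(payload):
    """Constructed sample envelope: empty wsse:Security header plus a Body."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    ET.SubElement(header, f"{{{WSSE}}}Security")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    ET.SubElement(body, "{urn:example}Echo").text = payload
    return env


def security_header(env):
    return env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")


def derive_key(password, nonce):
    """Toy key derivation from the token password (assumption; not WSS P_SHA1)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), nonce.encode(), 1000)


def digest(element, key):
    """HMAC over the serialised element; stands in for XML-DSig canonicalisation."""
    return hmac.new(key, ET.tostring(element), hashlib.sha256).hexdigest()


def build_username_token(user, nonce):
    """Token that goes on the wire; with UT_SIGN the password itself is not sent."""
    ut = ET.Element(f"{{{WSSE}}}UsernameToken")
    ET.SubElement(ut, f"{{{WSSE}}}Username").text = user
    ET.SubElement(ut, f"{{{WSSE}}}Nonce").text = nonce
    return ut


def sign_part(env, part_ns, part_local, key):
    """Signature step: the target must already be in the document."""
    target = env.find(f".//{{{part_ns}}}{part_local}")
    if target is None:
        raise WSSecurityException(
            f"Element to encrypt/sign not found: {part_ns}, {part_local}")
    sig = ET.Element(f"{{{DSIG}}}Signature")
    ref = ET.SubElement(sig, f"{{{DSIG}}}Reference")
    ref.set("URI", f"{{{part_ns}}}{part_local}")
    ref.set("DigestValue", digest(target, key))
    return sig


def ut_sign(env, user, password, nonce, part):
    """Sender: token built in memory, part signed with its key, Signature
    prepended, then the UsernameToken prepended in front of it."""
    token = build_username_token(user, nonce)  # internal DOM only so far
    signature = sign_part(env, part[0], part[1], derive_key(password, nonce))
    sec = security_header(env)
    sec.insert(0, signature)
    sec.insert(0, token)
    return env


def receive(env, password_lookup):
    """Receiver: walk wsse:Security in document order; the UsernameToken yields
    the key, the Signature is then checked.  Returns the part names in order."""
    key = None
    for part in list(security_header(env)):
        if part.tag == f"{{{WSSE}}}UsernameToken":
            user = part.findtext(f"{{{WSSE}}}Username")
            key = derive_key(password_lookup(user), part.findtext(f"{{{WSSE}}}Nonce"))
        elif part.tag == f"{{{DSIG}}}Signature":
            if key is None:
                raise WSSecurityException("Signature precedes UsernameToken")
            ref = part.find(f"{{{DSIG}}}Reference")
            ns, local = ref.get("URI")[1:].split("}")
            target = env.find(f".//{{{ns}}}{local}")
            if target is None or not hmac.compare_digest(
                    ref.get("DigestValue"), digest(target, key)):
                raise WSSecurityException("Signature verification failed")
    return [p.tag.split("}")[1] for p in security_header(env)]


def demo(part):
    """Run sender and receiver for one signatureParts choice: (order, error)."""
    try:
        env = ut_sign(new_envelope("hello"), "shawn", "s3cret", "n0nce", part)
        return receive(env, PASSWORDS.__getitem__), None
    except WSSecurityException as exc:
        return None, str(exc)


if __name__ == "__main__":
    print(demo((SOAP, "Body")))           # Body is signed and verified
    print(demo((WSSE, "UsernameToken")))  # sender fails: token not in the DOM yet
```

With signatureParts pointing at the Body, the receiver sees UsernameToken first and Signature second and verifies it; pointing signatureParts at the UsernameToken makes the sender fail before anything is prepended, which is the situation in the exception below.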
Werner Dittmann schrieb:
Shawn,
IMO the namespace definition for UsernameToken has changed for
OASIS WSS Version 1.0 (they changed the namespace several times during
the specification work). The correct namespace is now:
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0
thus the sign element should read
{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0}UsernameToken
Regards,
Werner
BTW, signing the SOAP body should not fail. Is it a very special SOAP
body you use?
Werner
Shawn McKinney schrieb:
I should point out that before posting on this topic I
scoured the web and Google for examples on how to do
this. I tried adding a signatureParts element, but
got this exception:
faultString: WSDoAllSender: Error during Signatur with UsernameToken secret
org.apache.ws.security.WSSecurityException: General security error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd, UsernameToken)
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace:WSDoAllSender: Error during Signatur with UsernameToken secret
org.apache.ws.security.WSSecurityException: General security error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd, UsernameToken)
	at org.apache.ws.axis.security.WSDoAllSender.performUT_SIGNAction(WSDoAllSender.java:512)
	at org.apache.ws.axis.security.WSDoAllSender.invoke(WSDoAllSender.java:336)
	at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
	at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
	at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
	at org.apache.axis.client.AxisClient.invoke(AxisClient.java:127)
	at org.apache.axis.client.Call.invokeEngine(Call.java:2765)
	at org.apache.axis.client.Call.invoke(Call.java:2748)
	at org.apache.axis.client.Call.invoke(Call.java:1784)
	at samples.message.TestIFXMsg.doit(TestIFXMsg.java:155)
	at samples.message.TestIFXMsg.main(TestIFXMsg.java:177)
{http://xml.apache.org/axis/}hostname:redhat4hp
The client-side .wsdd follows:
<requestFlow>
  <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
    <parameter name="action" value="UsernameTokenSignature Encrypt"/>
    <parameter name="passwordCallbackClass" value="com.fnf.xes.framework.axis.security.client.PWClientCallback"/>
    <parameter name="passwordType" value="PasswordText"/>
    <parameter name="addUTElements" value="Nonce Created"/>
    <parameter name="encryptionPropFile" value="crypto.client.properties"/>
    <parameter name="encryptionKeyIdentifier" value="X509KeyIdentifier"/>
    <parameter name="encryptionUser" value="xespublickey"/>
    <parameter name="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken"/>
    <parameter name="encryptionParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken"/>
  </handler>
</requestFlow>