Hi Friends,

             I have developed a Java service using the security policies below.

1) Sign and Encrypt messages
2) An AsymmetricBinding is used; the entire headers and body are to be signed.
    EncryptedParts specifies that the Body is to be encrypted.
3) Algorithm suite is TripleDesRsa15

           I am able to parse the request from the .NET client and send back a 
secured response to .NET, but 
the problem is that the .NET client reports the following error.

"The incoming message was signed with a token which was different from what 
used to encrypt the body.  This was not expected."


The response sent to the .NET client is:

<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/";
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";>
    <!-- Review notes are XML comments only; the captured message is otherwise
         untouched. The stray ';' after each quoted URI looks like a mail
         archive rendering artifact rather than wire data: a literal ';' there
         would be a well-formedness error, not the token mismatch the .NET
         client reports. Two keys are used, which is normal for an
         AsymmetricBinding reply: the EncryptedKey is wrapped to the X.509
         token carried inline, while the Signature is keyed by a
         SubjectKeyIdentifier reference to a token that is not in the message.
         The likeliest cause of the .NET error is therefore the reference form
         of the signing token (SKI where the policy asks for a thumbprint), not
         the choice of key; see the note on the Signature's ds:KeyInfo. -->
    <soapenv:Header>
        <wsse:Security
            
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
            soapenv:mustUnderstand="1">
            <!-- Signed (ds:Reference URI="#Timestamp-16") and valid for
                 5 minutes; the .NET client is configured with 25 minutes of
                 clock skew, so the Timestamp should not be the failing check. -->
            <wsu:Timestamp
                
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
                wsu:Id="Timestamp-16">
                <wsu:Created>2010-01-06T20:15:10.412Z</wsu:Created>
                <wsu:Expires>2010-01-06T20:20:10.412Z</wsu:Expires>
            </wsu:Timestamp>
            <!-- Inline X.509v3 token (Base64 DER). Decoding the DER gives
                 CN=CLIENT for both issuer and subject, so it appears to be a
                 self-signed client certificate. It is the key the session key
                 below is wrapped to (see the wsse:Reference inside
                 xenc:EncryptedKey), which matches
                 ramp:encryptionUser="xws-security-client" in services.xml.
                 It is a public certificate, so its presence in the post is
                 not a disclosure. -->
            <wsse:BinarySecurityToken
                
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
                
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
                
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
                wsu:Id="3BFE8F13AE52758BDC126280891045129">
                MIICQTCCAaqgAwIBAgIESzGVTjANBgkqhkiG9w0BAQUFADBlMQswCQY
                DVQQGEwJJTjELMAkGA1UECBMCQVAxDDAKBgNVBAcTA1ZTUDEMMAoGA1UECh
                MDWVNFMRwwGgYDVQQLDBNZQUxBTUFOQ0hJTElfQ0xJRU5UMQ8wDQYDVQQDEw
                ZDTElFTlQwHhcNMDkxMjIzMDM1ODA2WhcNMTUxMjIyMDM1ODA2WjBlMQswCQYDV
                QQGEwJJTjELMAkGA1UECBMCQVAxDDAKBgNVBAcTA1ZTUDEMMAoGA1UEChMDWVNFM
                RwwGgYDVQQLDBNZQUxBTUFOQ0hJTElfQ0xJRU5UMQ8wDQYDVQQDEwZDTElFTlQwg
                
Z8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJn1zNQrxu/ck+yYpNlo5WVg6Q+vO0XVGDP
                
bY4TC8IKO6Qb9g4vMnJeXclpklyAuwsl3qd3qslyybU+JXdjKzo16tK42cg+8IpFRe/Qw
                
W36OWwfQrdmLiBZ/PCWxa1QEg0+L4cCBBl+FZrVIf2te4z0ayUQKJgJ9Mb45qc1y4XnX
                
AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAeVSnnTKo8vxz33y3a8BIOXCzyqXQwlHaeV7w
                
8hEdSQOel09LvuUw4hyuyEwWn5ynSXiMBSBeJO+OGI6yz7l6emMTvwOvl6aIQM4CJ8u7
                
a7R43SOZXUlcvOJEj76HLW3jszqyjVsTEmqyosfMKC5/1MYPL3Vi52Jmehv+qLWAnn4=
            </wsse:BinarySecurityToken>
            <!-- Key transport is RSA PKCS#1 v1.5 (rsa-1_5) and the body cipher
                 is 3DES-CBC, as the TripleDesRsa15 suite dictates. Both are
                 legacy: RSA 1.5 key transport is exposed to padding-oracle
                 (Bleichenbacher-style) attacks and 3DES / SHA-1 are deprecated.
                 Once interop works, move both sides to an OAEP/AES/SHA-256
                 suite such as Basic256Sha256. The wsse:Reference points at the
                 inline token above; xenc:ReferenceList names the Body's
                 EncryptedData (#EncDataId-18). -->
            <xenc:EncryptedKey
                Id="EncKeyId-3BFE8F13AE52758BDC126280891046530">
                <xenc:EncryptionMethod
                    Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"; />
                <ds:KeyInfo
                    xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
                    <wsse:SecurityTokenReference>
                        <wsse:Reference
                            URI="#3BFE8F13AE52758BDC126280891045129"
                            
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
 />
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
                <xenc:CipherData>
                    <xenc:CipherValue>
                    
                        
ByeARhJOzPVayU8VnAySzM4PWV7M7ozehT5U2a+7wX6RYjtwkmjmGv34iG
6MzN7I22P3kAh4PwlxKE6F4w08tYgz7CTBbmEt/ONof7FuN9o33ZmzvpbF7bbvAs2IxbRILXf+i4LdVmga
zJH/oQasRPhiJWHzzaP6yLnplAErec=
                    </xenc:CipherValue>
                </xenc:CipherData>
                <xenc:ReferenceList>
                    <xenc:DataReference URI="#EncDataId-18" />
                </xenc:ReferenceList>
            </xenc:EncryptedKey>
            <!-- Signature covers only the Body (#Id-6930476) and the
                 Timestamp; no other headers are signed, consistent with
                 sp:SignedParts listing just sp:Body. rsa-sha1 and sha1
                 digests are part of the same legacy suite noted above. -->
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
                Id="Signature-17">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod
                        Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; />
                    <ds:SignatureMethod
                        Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"; 
/>
                    <ds:Reference URI="#Id-6930476">
                        <ds:Transforms>
                            <ds:Transform
                                
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; />
                        </ds:Transforms>
                        <ds:DigestMethod
                            Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; 
/>
                        <ds:DigestValue>
                            2trPhYNxqJgCt9YASagi0rahj14=
                        </ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#Timestamp-16">
                        <ds:Transforms>
                            <ds:Transform
                                
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"; />
                        </ds:Transforms>
                        <ds:DigestMethod
                            Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; 
/>
                        <ds:DigestValue>
                            MX7jYnYpfeaPxizuQY9Lf17w+Ic=
                        </ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>
                    
FrjWFw7kyVqkkD9fVaBH1Y+j/DuoqsYv2U+DcUoNEq6K2OpjK9pKNVML1gVAWge/mgoFI3gj9YYa
                    
ydiUfFhBHKEXtGTYxVy5S71Eez/D0o3NV41IJKzgp8XlKIlcgISOtha9qtmNKp4ftNzGFZrxiKy/
                    n0nrfJvizsojioID7Qs=
                </ds:SignatureValue>
                <!-- The signing key is referenced by SubjectKeyIdentifier
                     (ValueType ...#X509SubjectKeyIdentifier); no token is
                     inline and no thumbprint is used. services.xml asks for
                     sp:RequireThumbprintReference on this (recipient) token,
                     so the emitted reference form does not follow the policy.
                     Thumbprint references come from the WSS 1.1 X.509 token
                     profile (ValueType ...#ThumbprintSHA1) and are not part of
                     the WSS 1.0 profile selected by sp:Wss10, which is the most
                     plausible reason the SKI form was produced instead. Align
                     the reference type on both sides before chasing anything
                     else. -->
                <ds:KeyInfo
                    Id="KeyId-3BFE8F13AE52758BDC126280891042227">
                    <wsse:SecurityTokenReference
                        
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
                        wsu:Id="STRId-3BFE8F13AE52758BDC126280891042228">
                        <wsse:KeyIdentifier
                            
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
                            
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier";>
                            SQM8FoU23FrDNGnQI1AbtvLCilc=
                        </wsse:KeyIdentifier>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body
        
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
        wsu:Id="Id-6930476">
        <!-- Only the Body content is encrypted (Type=...#Content), under the
             header's EncryptedKey (#EncKeyId-3BFE8F13AE52758BDC126280891046530).
             The Body element itself (wsu:Id="Id-6930476") is what the
             Signature references; the policy has no sp:EncryptBeforeSigning,
             so the default sign-before-encrypt order applies, matching
             messageProtectionOrder="SignBeforeEncrypt" on the .NET side. -->
        <xenc:EncryptedData Id="EncDataId-18"
            Type="http://www.w3.org/2001/04/xmlenc#Content";>
            <xenc:EncryptionMethod
                Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"; />
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
                <wsse:SecurityTokenReference
                    
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>
                    <wsse:Reference
                        URI="#EncKeyId-3BFE8F13AE52758BDC126280891046530" />
                </wsse:SecurityTokenReference>
            </ds:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>
                    
J9S3eSeZghO41n0uW0t2IqiqXmK9aGrDh+bySECE2VuNl6QZI2vSzoGgTridbGFarSRiaeltKAwu
                    
5mv+pE6BijB3U5Zkbd//w+MiRXtPlaQTYlE/+PwGLeczaDv+1CvqvrXRFUB6xldzg8wx+7m4zL+s
                    
sC4Oa+d0WdJVGxwIlWLkeRaLhxqUtRI8VLYJ9MpmdFBPaEQutiSOs2S+cpNL+0zZCnKAvRgAw5RF
                    
vE7LL5Kr3xaJKc7zqYNq3lQZKzx5fcLRhoJDyz8oi4JSX71yMxic21aXIeL7Bt2p42CE9MXUzMN4
                    
Sek9p5lf9UNVKK0G/r8Mqb2OT0JQbj7JfyrI/qmMOzh1MPlxaDRLPvtIr6C5HxaaoKOW04Et5o+r
                    
Re+4ego7JOMb60MEdaI5OEJun0oH0xwInnD4fxK5foSL2z/UJGYw/2LfHD9AtxNzZc6BMEGIfmxj
                    
8NB7/iDL26tbtHFS+0dCJi77EM0vOowTrIMS5T/nQjSvpEgUTXIOLR2qzpmxM5vac+1XOu/bIwv8
                    
CpNdxXS8rRIiIwI1Rv+d8HNBsZCglAgdHfWPk1DLTKNrNy04mZ4mpVbT5QKeWhzFi+vYO/00D38V
                    
ungYXMpQqWKqMWUk1LeZf186SjbDMs1d4y5MNmgXfHS6kdQ/0gGanBm8Qmq9JyP5a/k8GuFk7nlZ
                    
1euZ6DdOCwT/+s/QQWY+Xm6MEsizSPN0sUyBpOSY+YByuP6UEWLxc0om6FM5IaOaxbp48mngIg==
                </xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </soapenv:Body>
</soapenv:Envelope>



.NET CONFIGURATION:



 <bindings>
      <customBinding>
        <binding name="JavaInterop">
          <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
            messageVersion="Soap11" writeEncoding="utf-8">
            <readerQuotas maxDepth="32" maxStringContentLength="8192" 
maxArrayLength="16384"
              maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          </textMessageEncoding>
          <!-- Suite, header layout and WSS version mirror the server policy
               (TripleDesRsa15, sp:Strict, sp:Wss10). messageSecurityVersion
               selects WSSecurity10; thumbprint token references are a WSS 1.1
               feature, so if the server policy keeps sp:RequireThumbprintReference
               this should become the corresponding WSSecurity11 value (with
               sp:Wss11 on the server), otherwise both sides should use
               key-identifier references. allowSerializedSigningTokenOnReply
               permits an inline signing token on the reply, but the reply
               shown references the signing key by SubjectKeyIdentifier, so
               that flag is probably not what is being exercised. -->
          <security defaultAlgorithmSuite="TripleDesRsa15" 
allowSerializedSigningTokenOnReply="true"
            authenticationMode="MutualCertificate" requireDerivedKeys="false"
            securityHeaderLayout="Strict" 
messageProtectionOrder="SignBeforeEncrypt"
            
messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
            <issuedTokenParameters keyType="AsymmetricKey" />
            <!-- A 25-minute clock skew and replay window are generous (WCF's
                 default is 5 minutes); acceptable while diagnosing interop,
                 but tighten them afterwards because they widen the window in
                 which a captured message can be replayed. -->
            <localClientSettings maxClockSkew="00:25:00" replayWindow="00:25:00"
              sessionKeyRolloverInterval="00:25:00" 
timestampValidityDuration="00:25:00" />
            <secureConversationBootstrap />
          </security>
          <!-- Plain httpTransport: no transport-level protection, so
               confidentiality and integrity rest entirely on the message
               security configured above. -->
          <httpTransport manualAddressing="false" maxBufferPoolSize="524288"
            maxReceivedMessageSize="65536" allowCookies="false" 
authenticationScheme="Anonymous"
            bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
            keepAliveEnabled="true" maxBufferSize="65536" 
proxyAuthenticationScheme="Anonymous"
            realm="" transferMode="Buffered" 
unsafeConnectionNtlmAuthentication="false"
            useDefaultWebProxy="true" />
        </binding>
      </customBinding>
    </bindings>



    <behaviors>
      <endpointBehaviors>
        <behavior name="ClientCertBehavior">
          <clientCredentials>
            <!-- Client signing/decryption certificate, selected by thumbprint
                 from the CurrentUser\My store. -->
            <clientCertificate findValue="ba f9 f8 82 da 54 26 1b 2b 22 18 88 
aa 79 d2 e3 d0 13 f1 b9"
              storeLocation="CurrentUser" storeName="My" 
x509FindType="FindByThumbprint" />
            <serviceCertificate>
              <!-- Service certificate the client encrypts to, pinned by
                   thumbprint. -->
              <defaultCertificate findValue="6a ca 90 f6 4c 89 68 6e 08 ab da 
97 c4 9b 8b b8 83 49 0f 04"
                storeLocation="CurrentUser" storeName="My" 
x509FindType="FindByThumbprint" />
              <!-- certificateValidationMode="None" and revocationMode="NoCheck"
                   disable trust-chain and revocation checks for the service
                   certificate presented in replies, so a reply signed by any
                   certificate would pass trust validation. Tolerable only for
                   local interop testing; before any real deployment switch to
                   ChainTrust or PeerTrust and enable revocation checking. -->
              <authentication certificateValidationMode="None" 
revocationMode="NoCheck" />
            </serviceCertificate>
            <!-- Peer-channel validation is disabled in the same way; it appears
                 unused by this HTTP custom binding, but tighten it so the
                 setting is not copied into another binding. -->
            <peer>
              <peerAuthentication certificateValidationMode="None" />
              <messageSenderAuthentication certificateValidationMode="None"
                revocationMode="NoCheck" />
            </peer>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>



Service.xml:

<?xml version="1.0" encoding="UTF-8"?>
<serviceGroup>
    <service name="TestService">
        <messageReceivers>
            <messageReceiver mep="http://www.w3.org/ns/wsdl/in-out"; 
class="com.test.ws.TestServiceMessageReceiverInOut"/>
        </messageReceivers>
        <parameter 
name="ServiceClass">com.test.ws.TestServiceSkeleton</parameter>
        <parameter name="useOriginalwsdl">true</parameter>
        <parameter name="modifyUserWSDLPortAddress">true</parameter>
        <operation name="getService" mep="http://www.w3.org/ns/wsdl/in-out"; 
namespace="http://ws.test.com";>
            <actionMapping>urn:getService</actionMapping>
            <outputActionMapping>urn:getServiceResponse</outputActionMapping>
        </operation>

 <module ref="rampart" />
 <module ref="addressing" />

<!-- Review notes (comments only; the policy is otherwise unchanged).
     1. Token reference style vs. WSS version: both X509Token assertions
        require sp:RequireThumbprintReference, yet sp:Wss10 is selected.
        Thumbprint references are defined by the WSS 1.1 X.509 token profile;
        in WS-SecurityPolicy sp:MustSupportRefThumbprint is a nested assertion
        of sp:Wss11, not sp:Wss10, and sp:RequireThumbprintReference belongs
        inside an X509Token, not inside Wss10. The reply actually emitted
        references the signing key by SubjectKeyIdentifier, which is the
        commented-out sp:RequireKeyIdentifierReference behaviour. Pick one
        consistent combination on both sides: Wss10 + key-identifier
        references (and WSSecurity10 on the .NET client), or Wss11 +
        thumbprint references (and the WSSecurity11 messageSecurityVersion
        on the client). This mismatch is the first thing to rule out for the
        .NET "signed with a token which was different" error.
     2. sp:SignedParts lists only sp:Body, although the request text says the
        entire headers and body are to be signed.
        sp:OnlySignEntireHeadersAndBody only constrains how headers may be
        signed; it does not add any. To sign headers, list them as
        sp:Header elements under sp:SignedParts.
     3. InitiatorToken AlwaysToRecipient / RecipientToken Never matches the
        captured reply: the client token is carried inline and the server
        key is referenced externally.
     4. TripleDesRsa15 (3DES, RSA PKCS#1 v1.5 key transport, SHA-1) is a
        legacy suite; once interop works, move both sides to an
        OAEP/AES/SHA-256 suite such as Basic256Sha256. -->
<wsp:Policy wsu:Id="SigEncr" 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";>
 <wsp:ExactlyOne>
  <wsp:All>
   <sp:AsymmetricBinding 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
    <wsp:Policy>
     <sp:InitiatorToken>
      <wsp:Policy>
       <sp:X509Token 
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient";>
        <wsp:Policy>
           <!--  <sp:RequireKeyIdentifierReference/>  -->
            <sp:RequireThumbprintReference/>
         <sp:WssX509V3Token10/>
        </wsp:Policy>
       </sp:X509Token>
      </wsp:Policy>
     </sp:InitiatorToken>
     <sp:RecipientToken>
      <wsp:Policy>
       <sp:X509Token 
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never";>
        <wsp:Policy>
            <!--   <sp:RequireKeyIdentifierReference/> -->
             <sp:RequireThumbprintReference/>

         <sp:WssX509V3Token10/>
        </wsp:Policy>
       </sp:X509Token>
      </wsp:Policy>
     </sp:RecipientToken>
     <sp:AlgorithmSuite>
      <wsp:Policy>
       <sp:TripleDesRsa15/>
      </wsp:Policy>
     </sp:AlgorithmSuite>
     <sp:Layout>
      <wsp:Policy>
       <sp:Strict/>
      </wsp:Policy>
     </sp:Layout>
     <sp:IncludeTimestamp/>
     <sp:OnlySignEntireHeadersAndBody/>
    </wsp:Policy>
   </sp:AsymmetricBinding>
   <!-- See note 1 above: sp:RequireThumbprintReference and
        sp:MustSupportRefThumbprint are out of place under sp:Wss10. -->
   <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
    <wsp:Policy>
     <!-- <sp:MustSupportRefKeyIdentifier/>  -->
      <sp:RequireThumbprintReference/>
      <sp:MustSupportRefThumbprint/>
     <sp:MustSupportRefIssuerSerial/>
    </wsp:Policy>
   </sp:Wss10>
   <sp:SignedParts 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
    <sp:Body/>
   </sp:SignedParts>
   <sp:EncryptedParts 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
    <sp:Body/>
   </sp:EncryptedParts>

   <!-- The keystore password is stored in clear text here and has now been
        published with this post: rotate it, and keep services.xml readable
        only by the service account (or supply the password through the
        password callback / an external property rather than inline).
        The same keystore serves signing and encryption, which is fine, but
        note the element name below is encryptionCypto while Rampart's
        documented element is encryptionCrypto. If the misspelled element is
        ignored, Rampart falls back to signatureCrypto for encryption; that
        hides the typo only because both sections point at the same file. -->
   <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy";>
    <ramp:user>xws-security-server</ramp:user>
    <ramp:encryptionUser>xws-security-client</ramp:encryptionUser>
    
<ramp:passwordCallbackClass>com.test.ws.PWCBHandler</ramp:passwordCallbackClass>

    <ramp:signatureCrypto>
     <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
      <ramp:property 
name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
      <ramp:property 
name="org.apache.ws.security.crypto.merlin.file">keystore.jks</ramp:property>
      <ramp:property 
name="org.apache.ws.security.crypto.merlin.keystore.password">adminadmin</ramp:property>
     </ramp:crypto>
    </ramp:signatureCrypto>
    <ramp:encryptionCypto>
     <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
      <ramp:property 
name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
      <ramp:property 
name="org.apache.ws.security.crypto.merlin.file">keystore.jks</ramp:property>
      <ramp:property 
name="org.apache.ws.security.crypto.merlin.keystore.password">adminadmin</ramp:property>
     </ramp:crypto>
    </ramp:encryptionCypto>
   </ramp:RampartConfig>

  </wsp:All>
 </wsp:ExactlyOne>
</wsp:Policy>
   </service>
</serviceGroup>

              Kindly help me friends.


-------------
with Regards,
Siva Kumar
 
"This e-mail message may contain confidential, proprietary or legally 
privileged information. It should not be used by anyone who is not the original 
intended recipient. If you have erroneously received this message, please 
delete it immediately and notify the sender. The recipient acknowledges that 
YALAMANCHILI or its subsidiaries and associated companies, are unable to 
exercise control or ensure or guarantee the integrity of/over the contents of 
the information contained in e-mail transmissions and further acknowledges that 
any views expressed in this message are those of the individual sender and no 
binding nature of the message shall be implied or assumed unless the sender 
does so expressly with due authority of YALAMANCHILI Group.  Before opening any 
attachments please check them for viruses and defects."
