I will check it right now.

I am also trying to do it by registering two different out interceptors.
The first one would create the BST element.
The second one would sign the Body and the BST.
I already managed to do it that way in SoapUI (which also uses CXF).

Unfortunately, CXF seems to ignore the second interceptor.
Do you think this solution may work?


2012/6/29 Colm O hEigeartaigh <[email protected]>:
> Hi Pawel,
>
> It is not possible to do this using the non-policy WS-Security
> interceptors. However, you should be able to get it working by adapting one
> of the X509 test policies, e.g.:
>
> http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/x509/DoubleItX509.wsdl?view=markup
>
> Colm.
>
> On Fri, Jun 29, 2012 at 12:06 PM, Paweł Gutowski
> <[email protected]>wrote:
>
>> I need to sign Body and BinarySecurityToken elements.
>> I get this exception when creating signature for the message:
>>
>>
>> Caused by: org.apache.ws.security.WSSecurityException: Error during
>> Signature:
>>        ... 35 more
>> Caused by: org.apache.ws.security.WSSecurityException: Signature
>> creation failed (Cannot setup signature data structure)
>>        ... 38 more
>> Caused by: org.apache.ws.security.WSSecurityException: General
>> security error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign
>> not found: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd, BinarySecurityToken)
>>        at org.apache.ws.security.message.WSSecSignatureBase.addReferencesToSign(WSSecSignatureBase.java:160)
>>
>>
>> This is my Spring config part:
>>
>> <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
>>  <constructor-arg>
>>    <map>
>>      <entry key="action" value="Signature" />
>>      <entry key="user" value="mySuer" />
>>      <entry key="passwordCallbackRef">
>>        <bean id="myPasswordCallback"
>> class="com.myCompany.MyPasswordCallback" />
>>      </entry>
>>      <entry key="signaturePropFile" value="client_sign.properties" />
>>      <entry key="signatureKeyIdentifier" value="DirectReference" />
>>      <entry key="signatureParts"
>>        value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body;{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken" />
>>      <entry key="isBSPCompliant" value="false" />
>>    </map>
>>  </constructor-arg>
>> </bean>
>>
>>
>> I also tried to change signatureParts value to:
>> <entry key="signatureParts"
>>   value="Token;{}{http://schemas.xmlsoap.org/soap/envelope/}Body" />
>>
>> then I get the same exception:
>> Caused by: org.apache.ws.security.WSSecurityException: General
>> security error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign
>> not found: http://schemas.xmlsoap.org/soap/envelope/, Token)
>>        at org.apache.ws.security.message.WSSecSignatureBase.addReferencesToSign(WSSecSignatureBase.java:160)
>>        ... 41 more
>>
>>
>> There is no problem producing the signature for the Body and BST elements
>> on a WebLogic server.
>> This is what I expect to produce:
>>
>> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>>  xmlns:soap="http://soap.my.company.com/">
>>  <soapenv:Header>
>>    <wsse:Security soap:mustUnderstand="1"
>>      xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
>>      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>      <wsse:BinarySecurityToken
>>        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>>        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>>        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>        wsu:Id="SecurityToken-270e5823-573d-4252-9607-db5f6286969b">MIIDg...
>>      </wsse:BinarySecurityToken>
>>      <Signature Id="cd56d279-7479-41ec-94e1-b0d72f961cf0"
>>        xmlns="http://www.w3.org/2000/09/xmldsig#">
>>        <SignedInfo>
>>          <ds:CanonicalizationMethod
>>            Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
>>            xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
>>          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>>          <Reference URI="#SecurityToken-270e5823-573d-4252-9607-db5f6286969b">
>>            <Transforms>
>>              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>            </Transforms>
>>            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>            <DigestValue>oGYH...g=</DigestValue>
>>          </Reference>
>>          <Reference URI="#Id-117b61be-9ca0-4745-b0fa-946e2492f0a3">
>>            <Transforms>
>>              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>            </Transforms>
>>            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>            <DigestValue>Qo8S...=</DigestValue>
>>          </Reference>
>>        </SignedInfo>
>>        <SignatureValue>KV2eV.....=
>>        </SignatureValue>
>>        <KeyInfo>
>>          <wsse:SecurityTokenReference>
>>            <wsse:Reference
>>              URI="#SecurityToken-270e5823-573d-4252-9607-db5f6286969b"
>>              ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
>>          </wsse:SecurityTokenReference>
>>        </KeyInfo>
>>      </Signature>
>>    </wsse:Security>
>>  </soapenv:Header>
>>  <soapenv:Body wsu:Id="Id-117b61be-9ca0-4745-b0fa-946e2492f0a3">
>>  .....
>>  </soapenv:Body>
>> </soapenv:Envelope>
>>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com

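One way to get a Signature over both the Body and the BinarySecurityToken without the policy layer, as an added example that is not code from this thread, from Colm, or from the CXF/WSS4J projects. It uses the WSS4J 1.6-era API that the stack trace above comes from (org.apache.ws.security.*), and my reading of that trace is that the "Element to encrypt/sign not found" error arises because signatureParts are resolved by QName lookup in the DOM at a point where the BST has not been inserted yet; calling WSSecSignature directly lets you insert the BST first and then reference it by the wsu:Id that prepare() generated. The class name, keystore alias, password and properties-file name are placeholders.

```java
import java.util.ArrayList;
import java.util.List;

import javax.xml.crypto.dsig.Reference;
import javax.xml.soap.SOAPMessage;

import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.Phase;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecSignature;
import org.w3c.dom.Document;

/**
 * Out interceptor that signs the SOAP Body and the BinarySecurityToken carrying the
 * signing certificate, driving the WSS4J 1.6 API directly instead of the
 * "signatureParts" string (which can only name elements already present in the DOM).
 */
public class SignBodyAndBstOutInterceptor extends AbstractSoapInterceptor {

    // Assumed: RSA-SHA256 / SHA-256. The expected message in the thread uses rsa-sha1 and
    // sha1 (WSConstants.RSA / WSConstants.SHA1); only fall back to those if the peer requires it.
    private static final String SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    private static final String DIGEST_ALG = "http://www.w3.org/2001/04/xmlenc#sha256";

    private final Crypto crypto;
    private final String alias;     // placeholder keystore alias
    private final String password;  // placeholder; in practice obtain it from your CallbackHandler

    public SignBodyAndBstOutInterceptor(String cryptoPropsFile, String alias, String password)
            throws Exception {
        // Same phase as WSS4JOutInterceptor; the SAAJ model must exist before we touch the DOM
        super(Phase.PRE_PROTOCOL);
        addAfter(SAAJOutInterceptor.class.getName());
        this.crypto = CryptoFactory.getInstance(cryptoPropsFile);  // e.g. "client_sign.properties"
        this.alias = alias;
        this.password = password;
    }

    @Override
    public void handleMessage(SoapMessage message) throws Fault {
        SOAPMessage saaj = message.getContent(SOAPMessage.class);
        if (saaj == null) {
            throw new Fault(new IllegalStateException(
                "SAAJOutInterceptor must run before " + getClass().getName()));
        }
        try {
            sign(saaj.getSOAPPart(), crypto, alias, password);
        } catch (Exception e) {
            throw new Fault(e);
        }
    }

    /** Adds a wsse:Security header holding the BST and a Signature over Body and BST. */
    public static void sign(Document doc, Crypto crypto, String alias, String password)
            throws Exception {
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(doc);

        WSSecSignature sig = new WSSecSignature();
        sig.setUserInfo(alias, password);
        // DirectReference: KeyInfo/SecurityTokenReference points at the BST by its wsu:Id
        sig.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
        sig.setSignatureAlgorithm(SIG_ALG);
        sig.setDigestAlgo(DIGEST_ALG);

        // prepare() loads the certificate, builds the BST element and assigns its wsu:Id
        sig.prepare(doc, crypto, secHeader);
        // Insert the BST now so the Reference added below points at a real element
        sig.prependBSTElementToHeader(secHeader);

        List<WSEncryptionPart> parts = new ArrayList<WSEncryptionPart>();
        parts.add(new WSEncryptionPart("Body", WSConstants.URI_SOAP11_ENV, ""));
        // Reference the BST by the Id WSS4J just generated, not by QName lookup
        parts.add(new WSEncryptionPart(sig.getBSTTokenId()));

        List<Reference> refs = sig.addReferencesToSign(parts, secHeader);
        // prepend=false appends the Signature after the BST, the layout shown in the thread
        sig.computeSignature(refs, false, null);
    }
}
```

Register the SAAJOutInterceptor and this class as out interceptors in place of the WSS4JOutInterceptor bean from the config above. The receiving side should verify that both References are present before trusting the message, since a signature over the Body alone leaves the certificate-bearing token unsigned and swappable.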