I am running the apache-cxf-3.1.3/samples/ws_security/sign_enc_policy sample 
client/server code.  I modified the policy to only do signature, no encryption.

I was curious to see how a custom SOAP header was handled with     
<sp:OnlySignEntireHeadersAndBody/>

So I added the second section of code below.

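        // Create the service proxy from the sample WSDL.
        System.out.println(wsdlURL);
        SOAPService ss = new SOAPService(wsdlURL, SERVICE_NAME);
        Greeter port = ss.getPort(PORT_NAME, Greeter.class);

        // Attach a custom SOAP header, {http://com.test/SampleWS}tcn = "abc123",
        // to requests sent through this proxy.
        // NOTE(review): placing a header in HEADER_LIST only adds it to the
        // message. In the SOAP sample in this post the signature references the
        // Timestamp and the Body only, so this header is not integrity-protected.
        // Presumably the policy's sp:SignedParts has to name the header for it to
        // be signed; confirm against the sample's policy file.
        org.apache.cxf.endpoint.Client proxy = ClientProxy.getClient(port);
        List<Header> headersList = new ArrayList<Header>();
        // The archived post shows a stray ';' after the namespace string; it is a
        // mail-archive artifact and is removed here so the statement compiles.
        Header testHeader = new Header(new QName("http://com.test/SampleWS", "tcn"),
                "abc123", new JAXBDataBinding(String.class));
        headersList.add(testHeader);
        proxy.getRequestContext().put(Header.HEADER_LIST, headersList);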

I can see my header in the SOAP request now.  However, the signature contains 
only two digests: one points to the timestamp and the other points to the 
body, based on the "wsu:Id".  My custom header has no "wsu:Id", and neither 
ds:Reference points to it.  Will my custom header not be included in the 
digest that is signed using WS-Security?

SOAP example below:

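  <soap:Header>
    <!-- Excerpt only: the soap prefix is presumably declared on the enclosing
         soap:Envelope, and the soap:Body is not shown. The stray ';' that the
         mail archive appended after each URL has been removed. -->
    <!-- Custom header: it carries no wsu:Id and no ds:Reference below targets it,
         so it is outside the signature in this message. Content that is not
         referenced from ds:SignedInfo can be altered in transit without
         invalidating the signature. Presumably the policy's sp:SignedParts must
         name this header for it to be signed; sp:OnlySignEntireHeadersAndBody
         constrains what a signature may cover, it does not select the parts.
         Confirm against the policy file, which is not shown. -->
    <tcn xmlns="http://com.test/SampleWS">abc123</tcn>
    <wsse:Security
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS-e092f8db-397a-47c2-8415-9c7416d03356">
        <wsu:Created>2015-10-16T18:18:23.145Z</wsu:Created>
        <wsu:Expires>2015-10-16T18:23:23.145Z</wsu:Expires>
      </wsu:Timestamp>
      <!-- Token value replaced with a placeholder by the author. -->
      <wsse:BinarySecurityToken
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
          wsu:Id="X509-6a1a648f-2077-49b0-ad52-5dd39839bb2d">xyz
</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
          Id="SIG-68e6b7c4-63e5-4a6a-907d-4ca8e629230c">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod
              Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces
                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
          </ds:CanonicalizationMethod>
          <!-- rsa-sha1 is a SHA-1 based signature method, while the digests below
               use SHA-256. SHA-1 is deprecated for signatures; where both
               endpoints support it, configure an RSA-SHA256 signature method. -->
          <ds:SignatureMethod
              Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <!-- Signed part 1 of 2: the wsu:Timestamp above. -->
          <ds:Reference URI="#TS-e092f8db-397a-47c2-8415-9c7416d03356">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces
                    xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod
                Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>+4djih/y2x4YOGLvfnBvf+LGQFqF6P4Rhh8V9/I5N6o=</ds:DigestValue>
          </ds:Reference>
          <!-- Signed part 2 of 2: per the post, this Id belongs to the soap:Body,
               which is outside this excerpt. -->
          <ds:Reference URI="#_913bf553-50ca-4bab-a758-168d44e01801">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces
                    xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod
                Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>sH3LRyoMxCivKqBU8sFESi3BxaBryVXhrcczVJHK2pA=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <!-- Signature value replaced with a placeholder by the author. -->
        <ds:SignatureValue>xyz</ds:SignatureValue>
        <ds:KeyInfo Id="KI-35982ca6-8c19-4e92-b90c-33d18f6f6c9d">
          <wsse:SecurityTokenReference
              xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
              wsu:Id="STR-fa6ba6f7-c883-4726-99b4-b2c869488983">
            <!-- Points at the BinarySecurityToken above, whose certificate verifies
                 the signature. -->
            <wsse:Reference URI="#X509-6a1a648f-2077-49b0-ad52-5dd39839bb2d"
                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>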
