Good morning,
I am adding signature validation to some home-grown web services (not using
Axis or any other framework) and have come across WSS4J as a great API for
doing so.
I am currently attempting to ensure that all SOAP requests are digitally
signed with a certificate that has been trusted by my organization. Here is
the code I have:
import java.io.IOException;
import java.security.Principal;
import java.util.Vector;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.w3c.dom.Document;

public void checkSignature(Document doc) {
    try {
        WSSecurityEngine secEngine = WSSecurityEngine.getInstance();
        // crypto.properties names the JKS that holds the trust anchor
        Crypto crypto = CryptoFactory.getInstance("crypto.properties");
        // Process the wsse:Security header (no actor), handing the engine a
        // callback handler for any password it needs and the Crypto instance
        Vector results = secEngine.processSecurityHeader(doc, null,
                new WSSCallbackHandler(), crypto);
        // No results means no Security header was processed: it is not signed!
        if (results == null || results.size() == 0) {
            System.out.println("No results, fail");
        } else {
            for (int i = 0; i < results.size(); i++) {
                WSSecurityEngineResult eResult =
                        (WSSecurityEngineResult) results.get(i);
                int action = ((Integer) eResult.get(
                        WSSecurityEngineResult.TAG_ACTION)).intValue();
                // Skip encryption results; signature results carry the
                // principal (the signing certificate's subject)
                if (action != WSConstants.ENCR) {
                    Principal princ = (Principal) eResult.get(
                            WSSecurityEngineResult.TAG_PRINCIPAL);
                    if (princ != null) {
                        System.out.println(princ.getName());
                    }
                }
            }
        }
    } catch (WSSecurityException e) {
        e.printStackTrace();
    }
}

public class WSSCallbackHandler implements CallbackHandler
{
    // Supplies the keystore/private-key password whenever the engine asks
    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException
    {
        for (Callback callback : callbacks)
        {
            if (callback instanceof WSPasswordCallback)
            {
                WSPasswordCallback cb = (WSPasswordCallback) callback;
                cb.setPassword("pegasys1+");
            }
        }
    }
}
Now, what I am expecting with this code is that if I sign the message with
a valid/trusted cert, it passes no problem. Otherwise I should be
getting a WSSecurityException complaining. However, right now that isn't
happening.
My crypto file points to my trust anchor (a JKS file which has a public key
in it, but it isn't the public key that was derived from the private key I
used to sign the message). I signed the message with a self-signed X.509 v3
certificate.
Any help is greatly appreciated,
Benjamin Baril
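The behaviour described in the post is what the bare engine does: when the signature references the signer's certificate directly through a BinarySecurityToken, WSS4J 1.5 takes that certificate out of the message itself, checks that the XML signature verifies under it, and returns a result. Whether that certificate chains to anything in your keystore is a separate trust decision; the Axis-side WSHandler makes it after calling the engine, but code that calls WSSecurityEngine.processSecurityHeader() on its own has to make it too. The class below is an added example, not code from the original post or from WSS4J: it runs the engine, pulls the signing certificate out of the SIGN result, and rejects the request unless that certificate is pinned in the trust store or validates through PKIX path building against the trusted entries in the JKS. It assumes the WSSCallbackHandler from the post, a Crypto built from the same crypto.properties, and WSSecurityEngineResult.TAG_X509_CERTIFICATE as provided by the map-based result API used in the post (WSS4J 1.5.5 and later); the class name, the disabled revocation checking, and the SecurityException messages are choices made for this example.

```java
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Vector;

import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.w3c.dom.Document;

/** Example only (not part of the original post): signature check plus trust check. */
public class TrustedSignatureCheck {

    private final Crypto crypto;
    private final KeyStore trustStore;

    public TrustedSignatureCheck() throws Exception {
        // Same properties file as the post; the JKS it names is our trust anchor store
        this.crypto = CryptoFactory.getInstance("crypto.properties");
        this.trustStore = crypto.getKeyStore();
    }

    /**
     * Returns the signer's certificate if the envelope carries a signature that
     * verifies cryptographically AND chains to a certificate in the trust store.
     * Throws SecurityException in every other case, including an unsigned request
     * and a self-signed certificate that is not in the store.
     */
    public X509Certificate requireTrustedSignature(Document doc) throws Exception {
        WSSecurityEngine engine = WSSecurityEngine.getInstance();
        // WSSCallbackHandler is the handler from the post (assumed to be on the classpath)
        Vector results = engine.processSecurityHeader(doc, null, new WSSCallbackHandler(), crypto);
        if (results == null || results.isEmpty()) {
            throw new SecurityException("request carries no Security header: not signed");
        }

        X509Certificate signer = null;
        for (int i = 0; i < results.size(); i++) {
            WSSecurityEngineResult r = (WSSecurityEngineResult) results.get(i);
            int action = ((Integer) r.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
            if (action == WSConstants.SIGN) {
                // The engine has already verified the XML signature under this certificate;
                // it has NOT decided whether we trust the certificate.
                signer = (X509Certificate) r.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
            }
        }
        if (signer == null) {
            throw new SecurityException("Security header present but no signature in it");
        }

        validateAgainstTrustStore(signer);
        return signer;
    }

    private void validateAgainstTrustStore(X509Certificate signer) throws Exception {
        // Fast path: the exact certificate is pinned in the trust store.
        if (trustStore.getCertificateAlias(signer) != null) {
            return;
        }
        // Otherwise build and validate a PKIX path from the signer to one of the
        // trusted certificate entries in the JKS. A self-signed certificate that is
        // not in the store has no path to any anchor and is rejected here.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(signer));
        PKIXParameters params = new PKIXParameters(trustStore); // trusted entries become anchors
        params.setRevocationEnabled(false); // assumption for this example: no CRL/OCSP in reach
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
        } catch (CertPathValidatorException e) {
            throw new SecurityException("signer " + signer.getSubjectDN()
                    + " does not chain to a trust anchor", e);
        }
    }
}
```

With the post's setup (trust store holding one certificate, message signed with a different self-signed certificate) the engine call succeeds, the fast path misses, and PKIX validation throws, so the request is refused; sign with the certificate that is in the JKS and it passes. If intermediate CAs are involved, put the whole chain from the BinarySecurityToken into the CertPath rather than only the leaf, and turn revocation checking back on once a CRL or OCSP source is available. Note also that a valid, trusted signature still says nothing about what was signed: check that the soap:Body (and any other element you rely on) is among the signed parts before acting on it.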