cxf ws-security signing message problem
Issue
- We have a web application deployed on EAP that acts as a client of another service of which I have the WSDL. We have to sign the message. We are using the code below:
```java
// Imports needed by the snippet; the statements below run inside a client method.
import java.net.URL;
import javax.xml.namespace.QName;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.Service;
import org.apache.cxf.BusFactory;
import org.apache.cxf.ws.security.trust.STSClient;

System.setProperty("javax.net.ssl.trustStore", "/home/nicoletta/cert/trustStore");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
QName serviceName = new QName("http://com.redhat/", "ServiceName");
String serviceURL = "file:///com.redhat.Service.wsdl";
URL wsdlURL = new URL(serviceURL);
Service service = Service.create(wsdlURL, serviceName);
// getPort() returns the generated service endpoint interface (taken here to be ServiceImpl);
// the original cast to javax.xml.ws.Service did not match the declared variable type.
ServiceImpl proxy = service.getPort(ServiceImpl.class);
setupTLS(proxy);
STSClient s = new STSClient(BusFactory.getDefaultBus());
s.setWsdlLocation("/Service.wsdl");
((BindingProvider) proxy).getRequestContext().put("ws-security.sts.client", s);
// the property key had a stray leading space in the original
((BindingProvider) proxy).getRequestContext().put("ws-security.sts.token.usecert", true);
((BindingProvider) proxy).getRequestContext().put(
        "ws-security.callback-handler", new KeystorePasswordCallback());
// Note: ClassLoader.getResource() resolves names relative to the classpath root;
// a leading "/" is not portable and can make the lookup return null.
((BindingProvider) proxy).getRequestContext().put(
        "ws-security.signature.properties",
        Thread.currentThread().getContextClassLoader().getResource("/edotto.properties"));
((BindingProvider) proxy).getRequestContext().put(
        "ws-security.encryption.properties",
        Thread.currentThread().getContextClassLoader().getResource("/edotto.properties"));
// alias of the signing key in the keystore referenced by the properties file
((BindingProvider) proxy).getRequestContext().put("ws-security.signature.username", "noemalife");
SdoRequest filter = new SdoRequest();
filter.setNumScheda("09000001");
filter.setCodIstituto("160907");
GetSDO gds = new GetSDO();
gds.setFiltriRequest(filter);
AttributiAutorizzativi aa = new AttributiAutorizzativi();
aa.setRuoloIstituzionale("RIS000260");
aa.setIdentificativoUtente("BCCNDR78P18G843Y");
aa.setIdentificativoServizio("getSDO");
try {
    GetSDOResponse resp = proxy.getSDO(gds, aa);
    SdoResponse result = resp.getReturn();
    _logger.info("CF: " + result.getCodFiscale());
    return "<cf>" + result.getCodFiscale() + "</cf>";
} catch (Exception e) {
    throw new Throwable(e);
}
```
- Here is the ws-security.signature.properties file:
```properties
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=changeit
org.apache.ws.security.crypto.merlin.keystore.alias=someAlias
org.apache.ws.security.crypto.merlin.keystore.file=/home/cert/keystore.jks
```
- We also put the wsit-client.xml file in the WEB-INF/classes directory, but it's not used.
- Unfortunately, with the code above, we obtain the following error:
```text
org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied:
{http://ws-sx/ws-securitypolicy/200702}SignedParts: {http://schemas.xmlsoap.org/soap/envelope/}Body not SIGNED
```
- Analogous code running in a standalone client with the Metro library works. The difference is that in Metro we can set the PrivateKey and the X509Certificate for client and server. Here is the snippet:
```java
CertificateFactory fact = CertificateFactory.getInstance("X509");
// readPrivateKey() is the client's own helper for loading the key from disk
PrivateKey key = readPrivateKey("/home/cert/keystore.cer");
X509Certificate cert = (X509Certificate) fact.generateCertificate(new FileInputStream("/home/cert/keystore.crt"));
X509Certificate serverCert = (X509Certificate) fact.generateCertificate(new FileInputStream("server.cer"));
((BindingProvider) stub).getRequestContext().put(XWSSConstants.CERTIFICATE_PROPERTY, cert);
((BindingProvider) stub).getRequestContext().put(XWSSConstants.PRIVATEKEY_PROPERTY, key);
((BindingProvider) stub).getRequestContext().put(XWSSConstants.SERVER_CERTIFICATE_PROPERTY, serverCert);
```
- We think the problem is to set the analogous properties of XWSSConstants.CERTIFICATE_PROPERTY, XWSSConstants.PRIVATEKEY_PROPERTY and XWSSConstants.SERVER_CERTIFICATE_PROPERTY for CXF.
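As an added example (not code from this article or from the application above), this is how CXF 2.x with WSS4J 1.6 accepts the key material programmatically: a WSS4J Crypto object passed under ws-security.signature.crypto plays the role of Metro's CERTIFICATE_PROPERTY and PRIVATEKEY_PROPERTY, and its trust store that of SERVER_CERTIFICATE_PROPERTY. The class name, method name and parameters are assumptions; SecurityConstants, Merlin and WSPasswordCallback are the real CXF/WSS4J APIs of those versions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.ws.BindingProvider;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.components.crypto.Merlin;

public final class CxfSigningSetup {
    // Hypothetical helper: attaches signing key material to a CXF JAX-WS proxy
    // programmatically, instead of through a ws-security.signature.properties file.
    public static void configureSigning(Object proxy, String keystorePath, char[] storePass,
                                        String alias, char[] keyPass,
                                        String truststorePath, char[] trustPass) throws Exception {
        // Load the client keystore and fail early if the alias holds no private key:
        // a trusted-certificate entry alone cannot produce a signature.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystorePath)) { ks.load(in, storePass); }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("alias '" + alias + "' has no private key entry");
        }
        // Trust store holding the server certificate (Metro's SERVER_CERTIFICATE_PROPERTY).
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(truststorePath)) { ts.load(in, trustPass); }

        // Merlin is the WSS4J Crypto implementation the properties file would have built;
        // handing an instance to CXF is the equivalent of Metro's CERTIFICATE/PRIVATEKEY_PROPERTY.
        Merlin crypto = new Merlin();
        crypto.setKeyStore(ks);
        crypto.setTrustStore(ts);
        // WSS4J asks this handler for the private-key password of the signing alias.
        CallbackHandler keyPassHandler = (Callback[] callbacks) -> {
            for (Callback cb : callbacks) {
                if (cb instanceof WSPasswordCallback
                        && alias.equals(((WSPasswordCallback) cb).getIdentifier())) {
                    ((WSPasswordCallback) cb).setPassword(new String(keyPass));
                }
            }
        };

        Map<String, Object> ctx = ((BindingProvider) proxy).getRequestContext();
        ctx.put(SecurityConstants.SIGNATURE_CRYPTO, crypto);   // "ws-security.signature.crypto"
        ctx.put(SecurityConstants.ENCRYPT_CRYPTO, crypto);     // "ws-security.encryption.crypto"
        ctx.put(SecurityConstants.SIGNATURE_USERNAME, alias);  // which key entry signs the Body
        ctx.put(SecurityConstants.CALLBACK_HANDLER, keyPassHandler);
    }
}
```

Whether this alone satisfies the SignedParts assertion still depends on the policy attached to the WSDL; the early isKeyEntry check rules out the common case where the alias only holds a certificate.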