I have downloaded WSS4J version 1.5.0, I have examined the API
of class org.apache.ws.security.message.WSSecSignature, and I have
tried to run the sample "TestWSSecurityNew.java". Try as I might,
I'm unable to produce a very simple signed XML (SOAP) document.
My question is, what is the bare minimum code and bare minimum files
that I need to extract out of the wss4j distribution in order to get
this working. I would like as an answer: the list of files; the code in
one simple class ready to compile, and the output from your test run.
Below is an example of the output I'm trying to coerce out of wss4j,
or something fairly close to it. The certificate will be in .crt or .jks
format.
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Header>
<wsse:Security SOAP-ENV:mustUnderstand="1"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:BinarySecurityToken
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="WS699be6ec-2aea-339c-daa9-0696b88c9e3a">
MIICaTCCAdKgAwIBAgIQ5XssOaADBODZQOhbjV+UkzANBgkqhkiG9w0BAQUFADB0MREwDwYDVQQDEwhwYXJ0bmVyQTEWMBQGA1UECxMNWE1MIEFnZW50IERldjETMBEGA1UEChMKTUVEZWNpc2lvbjEOMAwGA1UEBxMFV2F5bmUxCzAJBgNVBAYTAlVTMRUwEwYDVQQIEwxQZW5uc3lsdmFuaWEwHhcNMDYwMjE0MjEzMTU2WhcNMTYwMjE0MjEzMTU2WjB0MREwDwYDVQQDEwhwYXJ0bmVyQTEWMBQGA1UECxMNWE1MIEFnZW50IERldjETMBEGA1UEChMKTUVEZWNpc2lvbjEOMAwGA1UEBxMFV2F5bmUxCzAJBgNVBAYTAlVTMRUwEwYDVQQI
EwxQZW5uc3lsdmFuaWEwgZ0wDQYJKoZIhvcNAQEBBQADgYsAMIGHAoGBALzXxhW8orxrgdLjfM77wxqeMViIIrNsOoxqOetLupfsFEgNZhh+tJcl/2HktE39mRXXNWqLm+sXUeMlTIw9aknZONN4chcfUAjclopkqN5tJ4warZtgFohG5ajH6gYnq7nRGtAVOQVS5OszNGdNBFGNeMpMBSEvxDcqZeMXy+JnAgERMA0GCSqGSIb3DQEBBQUAA4GBACjwZLkn8JEvqQYm4/9ApOiXewBNYek0LT5chH/jVjMNHNdR2/jjeegHCqSGV2yU0gY5lsR6fuRm1vF+q+iMOJl0nfhmrUINZHckg9ZU4+VjHt5eliaYbCwn0TXy+YIgcTjJDY5ordukovMX
uOaaTXIzHgVEJ0Z6vb+GRh4Ktcud
</wsse:BinarySecurityToken>
<dsig:Signature Id="aSU1DKqecQST3NMW3cY6NmQ22"
xmlns="http://www.w3.org/2000/09/xmldsig#"
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo Id="theSignedInfo">
<dsig:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<dsig:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<dsig:Reference URI="#Body">
<dsig:Transforms>
<dsig:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</dsig:Transforms>
<dsig:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<dsig:DigestValue>J4CAoudmxxxpDdEysO+ZwD070DY=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue Id="theSigId">
TokYkMtwc0tScjaaik6Q0QI1GZEOAA1uBJgZ5jERB1jXRWeLzJIV2O1FQhxGZKb2e9U91M636R3/QOBnbLpNx2YtHSc+5k5QL9Xq6wxsWUGg+HguHKjtGVaEIixelB7wKeFac7CqK2xBD2IooMvvb0YgShTfMOpKVeMZGhIQ+GM=
</dsig:SignatureValue>
<dsig:KeyInfo>
<wsse:SecurityTokenReference
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference
URI="#WS699be6ec-2aea-339c-daa9-0696b88c9e3a"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
/>
</wsse:SecurityTokenReference>
</dsig:KeyInfo>
</dsig:Signature>
</wsse:Security>
</SOAP-ENV:Header>
<SOAP-ENV:Body wsu:Id="Body"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<proprietary xmlns="urn:proprietary">
[ ... some proprietary data goes here ... ]
</proprietary>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
|
Clarification of Question by caixazh-ga on 11 Oct 2006 22:08 PDT
I'm going to temporarily reduce the price of this question as I am going
to post it on a competing site to see if I can get a quicker answer there.
If you are ready to answer it here, please post a comment and I'll increase
the price back to $75... thanks.
|
Request for Question Clarification by hummer-ga on 12 Oct 2006 05:59 PDT
Hi caixazh,
Try switching to Axis, here is the latest version.
1.4 April 22, 2006 Final Version 1.4
http://ws.apache.org/axis/java/releases.html
# Apache SOAP (note that Apache SOAP is considered obsolete; use Axis instead)
# Apache Axis is open source implementation of the JAX-RPC and SAAJ
specifications for sending and receiving SOAP messages. Always use the
latest version, as the Axis team is very active in solving bugs.
# Apache SOAP was the first SOAP implementation. It is now obsolete.
Apache Axis surpassed Apache SOAP. It's better to use Apache Axis to
avail oneself of the latest features.
http://faq.javaranch.com/view?WebServicesFaq
Are there any real web services available for testing?
Yes, check http://xmethods.net/
http://faq.javaranch.com/view?WebServicesFaq
How do I get started building a web service with Axis ? Show me some code!
* Introduction to SOAP and Apache SOAP -
http://www.javaworld.com/javaworld/jw-03-2001/jw-0330-soap.html
* Article on JavaWorld -
http://www.javaworld.com/javaworld/jw-01-2002/jw-0125-axis_p.html
* Another article on JavaWorld -
http://www.javaworld.com/javaworld/jw-04-2003/jw-0411-axis_p.html
* Article on OnJava- http://www.onjava.com/lpt/a/1578
* Many questions are answered in the Axis Wiki -
http://wiki.apache.org/ws/FrontPage/Axis
* Enabling SOAPMonitor with Axis -
http://www.sosnoski.com/presents/java-xml/axis/axis-monitor.html
http://faq.javaranch.com/view?WebServicesFaq
Please let me know if that helps!
hummer
|
Clarification of Question by caixazh-ga on 12 Oct 2006 06:15 PDT
hummer-ga: Sorry, that's not the same thing. Axis is only basic Web Services,
while WSS4J is for WS-Security.
|
Request for Question Clarification by hummer-ga on 12 Oct 2006 07:55 PDT
Oops, sorry caixazh, you are correct of course. Perhaps this link will
help (particularly the "sample code")?
"Although the process may initially seem complex, a method such as the
main method shown above simplifies the process considerably, breaking
it down neatly into just a few steps: creating a SOAP envelope, and
then signing, encrypting, and adding username tokens to it. I urge you
to [download the sample code] for this article and experiment with the
process. The WSS4J framework provides the core methods you need to
meet the WS-Security specifications."
http://www.devx.com/Java/Article/28816/0/page/4
Good luck!
hummer
|
Clarification of Question by caixazh-ga on 12 Oct 2006 09:43 PDT
hi hummer-ga:
The sample code has a reference to a class ("AxisUtil") which does not
exist! I have searched everywhere and can't find it. It's not part of
Axis (despite what the package name implies), and it's not part of wss4j.
|
Request for Question Clarification by hummer-ga on 12 Oct 2006 09:56 PDT
How's this?
AxisUtil.java
http://www.koders.com/java/fidF5FB5DD5944171BCA9688C465C430F9235FCB6BA.aspx
hummer
|
Clarification of Question by caixazh-ga on 12 Oct 2006 14:44 PDT
hummer-ga: Pretty close, but not quite there. You managed somehow to find
the source code for the project that AxisUtil is part of. But, it won't
compile, because it depends on the rest of the project. Please see if you
can find the official download site of the project that owns this piece of
code. Thanks for your help so far.
|
Request for Question Clarification by hummer-ga on 12 Oct 2006 15:59 PDT
Hi caixazh,
I'm glad to hear that you think that we've made some progress but I'm not so sure.
Clicking on the little box, top-right, doesn't help?
Project Info
ws-fx(ws-fx)
http://www.koders.com/java/fidF5FB5DD5944171BCA9688C465C430F9235FCB6BA.aspx
I'll work on this some more for you as soon as possible and get back
to you one way or the other -
hummer
|
Clarification of Question by caixazh-ga on 12 Oct 2006 20:17 PDT
hummer-ga: www.koders.com is some kind of repository and/or search engine;
it is an unofficial copy of code. An official project site would be something
like www.apache.org. I did notice I can navigate to other files on koders.com.
But that means I'll be hand-assembling my own unofficial version of an open-source
project, source file by source file. This is really undesirable and I would do
only as a last resort. This file must be part of some release of Axis. If
possible please find out which one. Thanks!
|
Request for Question Clarification by hummer-ga on 13 Oct 2006 05:57 PDT
Good morning, caixazh,
Three thoughts -
1. Have you seen this post?
"I couldn't find AxisUtil in the package org.apache.ws.axis.security.util. Is
there any other work around to convert the 'Document' object to a 'Message'
object? I mean anything that replaces 'toSOAPMessage()' method of AxisUtil?"
Try this,
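import java.io.ByteArrayInputStream;
import javax.xml.soap.MessageFactory;
import javax.xml.soap.SOAPMessage;
import org.apache.xml.security.c14n.Canonicalizer;
import org.w3c.dom.Document;
// Serialize the DOM by canonicalizing it, then re-parse the bytes as a SOAPMessage.
public SOAPMessage toSOAPMessage(Document doc) throws Exception {
    Canonicalizer c14n =
        Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_WITH_COMMENTS);
    byte[] canonicalMessage = c14n.canonicalizeSubtree(doc);
    ByteArrayInputStream in = new ByteArrayInputStream(canonicalMessage);
    MessageFactory factory = MessageFactory.newInstance();
    return factory.createMessage(null, in);
}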
http://marc2.theaimsgroup.com/?l=wss4j-dev&m=114600073709646&w=2
2. AxisUtil is in axis.jar
Axis.jar is in the lib/axis directory
"...this was my own class but you are right that there is also an AxisUtil
class in the axis.jar. The two classes are independent, so just give it
another name."
http://mail-archives.apache.org/mod_mbox/ws-axis-user/200407.mbox/%3C1090308944.23568.157.camel@kesch.itserve.ch%3E
AXIS has several jars. The one I was after turned out to be:
\axis-1_0\lib\axis.jar
http://blog.daemon.com.au/archives/000053.html
3. Are you using Axis2?
Securing SOAP Messages with WSS4J
-For Axis2 Version 1.0
http://ws.apache.org/axis2/modules/wss4j/1_0/security-module.html
Still trying,
hummer
|
Clarification of Question by caixazh-ga on 13 Oct 2006 06:34 PDT
hi hummer-ga: Item 1 on your last clarification looks promising, and I'll try
out that recommendation shortly. Item 2 is tantalizing but the "axis.jar" that
they keep talking about is nowhere to be found (at least, not one that contains
the class). Item 3 (using Axis2) is a possible 'Plan B' which I may try after #1,
however, it is undesirable because Axis2 is not supposed to be a requirement of
using wss4j, in fact, axis1.4 is included in the official download of wss4j.
Just so you know, I have reduced the price of the question, because the amount
of work that I am having to do, and the time it is taking, have decreased the value
of the answer to me. When I offered the higher price, it was in the hopes of
getting something right on target, right away.
|
Request for Question Clarification by hummer-ga on 13 Oct 2006 06:59 PDT
Hi caixazh,
I understand that you were hoping for an easy and quick fix, that is
why I kept your question open (not locked) in the hopes that another
researcher could help you. Since no one has come forward, I've
continued to work on it but have already put in more hours than I care
to admit. To be fair, I did so with the knowledge that if I were able
to come up with a solution for you, I would earn $90.00
(researchers get 75% of the posted price).
I'm sorry it didn't work out but hopefully someone will be able to help you.
hummer
|
Clarification of Question by caixazh-ga on 27 Oct 2006 05:10 PDT
Finally I was able to resolve this. Part of the answer lies in just getting rid
of the call to toSOAPMessage(). It apparently doesn't do anything useful, and it's
called only after the encryption anyway. The other thing to get the expected
output was to set the 'DIRECT_BST' option.
|
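The resolution described in the last clarification, as an added example that is not part of the original thread or of the WSS4J distribution: a single class that signs the SOAP Body with WSS4J 1.5 and prints the DOM directly, with no toSOAPMessage() step. It assumes that the 'DIRECT_BST' option mentioned above corresponds to WSConstants.BST_DIRECT_REFERENCE, and the class name, crypto.properties file, key alias, passwords and envelope content are placeholders.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecSignature;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class SignSoapBody {
    // Constructed sample envelope; replace the Body content with real data.
    static final String ENVELOPE =
        "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<SOAP-ENV:Body><proprietary xmlns=\"urn:proprietary\">data</proprietary>"
      + "</SOAP-ENV:Body></SOAP-ENV:Envelope>";

    public static void main(String[] args) throws Exception {
        // Signature processing requires a namespace-aware DOM.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder()
                          .parse(new InputSource(new StringReader(ENVELOPE)));

        // crypto.properties (hypothetical file on the classpath) points Merlin at the JKS:
        //   org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
        //   org.apache.ws.security.crypto.merlin.keystore.type=jks
        //   org.apache.ws.security.crypto.merlin.keystore.password=<keystore password>
        //   org.apache.ws.security.crypto.merlin.file=<path to keystore>.jks
        Crypto crypto = CryptoFactory.getInstance("crypto.properties");

        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(doc);   // adds wsse:Security to the SOAP header

        WSSecSignature signer = new WSSecSignature();
        signer.setUserInfo("signing-key-alias", "key-password"); // placeholders
        // Embed the certificate as a BinarySecurityToken and reference it from KeyInfo.
        signer.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
        Document signed = signer.build(doc, crypto, secHeader);  // signs the Body by default

        // Serialize the DOM directly; no conversion to a SOAPMessage is needed to print it.
        TransformerFactory.newInstance().newTransformer()
            .transform(new DOMSource(signed), new StreamResult(System.out));
    }
}
```

Compile and run it with the WSS4J jar and the libraries shipped in its distribution on the classpath; the keystore must hold the private key under the alias passed to setUserInfo.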