3

I have been provided a WSDL for a webservice. I am now required to digitally sign that request. The previous developer utilized the Eclipse feature to generate proxy classes. Add the WSDL to the project, then right click on it, click "Web Service", then "Generate Client".

This worked fine until we were required to digitally sign the request. I did some digging and it looks like Axis 1.4 doesn't allow you to sign requests. You can use WSS4J to do that. I mavened in WSS4j 1.5 into my project.

I'm at a loss on how to digitally sign the request. Here is my existing code that uses the proxy classes: 

XiSecureWSServiceLocator service = new XiSecureWSServiceLocator();
service.setXiSecureWSServicePortEndpointAddress(paymetricPortAddress);
XiSecureWSPortType proxy = service.getXiSecureWSServicePort();
((Stub) proxy).setTimeout(paymetricTimeOutinMillisec);

SDecrypt_InputType sdi = new SDecrypt_InputType();
sdi.setStrToken(ccNumber);
sdi.setStrUserID(user);

SDecrypt_OutputType sdo = null;
sdo = proxy.pm_SingleDecrypt(sdi);

What I want to do is something similar to this article. Here is a function they used: 

public Message signSOAPEnvelope(SOAPEnvelope
unsignedEnvelope) throws Exception
{
  WSSignEnvelope signer = new WSSignEnvelope();
  String alias = "16c73ab6-b892-458f-abf5-2f875f74882e";
  String password = "security";
  signer.setUserInfo(alias, password);
  Document doc = unsignedEnvelope.getAsDocument();
  Document signedDoc = signer.build(doc, crypto);
  // Convert the signed document into a SOAP message.
  Message signedSOAPMsg =
  (org.apache.axis.Message)AxisUtil.toSOAPMessage(signedDoc);
  return signedSOAPMsg;
}

How can i get the Soap Envelope to be signed when all of the code to create it is hidden in the generated proxy classes?

Paul Lemke
  • 5,494
  • 3
  • 47
  • 66

2 Answers2

3

This JavaRanch Thread explains implementing Security and Encryption with WSS4J using Axis handlers.

It looks like you have to do a number of things:

  1. Configure/write a wsdd
  2. Call the web service with an EngineConfiguration pointing to your wsdd file
  3. Write a password callback class
  4. Write a crypto.properties file
  5. ensure the crypto.properties file and the key store containing the certificate are on the class path of the app.

Props to John Farrel on the JavaRanch forum for figuring all this out.

All in all kind of a pain in the butt. If there's a way to obtain the underlying SOAP Message itself from the Axis proxy class, that might be a quicker way to do it, but I don't have a lot of experience with Axis 1.

Hello from /r/java, by the way!

Paul Wostenberg
  • 449
  • 2
  • 9
0

Found this:

Can anyone recommend to me or point me somewhere that describes a simple, straightforward way to sign a SOAP request with a Digital Signature within the Axis framework?

"Have a look at the WSS4J project. They provide Axis handlers for signing and encrypting as it is described in WS Security."

http://mail-archives.apache.org/mod_mbox/axis-java-user/200403.mbox/%3CCGEOIPKACAGJDDPKCDIHEEKACCAA.abhinavm@contata.co.in%3E -

Does that help?

Max
  • 82
  • 1
  • I want to use the WSS4J framework but I don't have access to the Soap Request XML. All of that is hidden within the "pm_SingleDecrypt" proxy code files that were generated for me. – Paul Lemke May 08 '12 at 19:07