
I am trying to fetch data from a server that needs a digital certificate (JKS) in a keystore to authorize the SOAP request and, in addition to this, requires basic authorization with the WSS outgoing configuration. The images show the steps that I followed in SoapUI to test the web service successfully.

Images 1 and 2 below show the WS-Security configuration (an outgoing WS-Security configuration). Image 1 adds a Timestamp entry and Image 2 the Signature configuration, adding the keystore (keystore.jks), password, and a few other settings along with extra parts for Body and Timestamp.

[Image 1: outgoing WS-Security configuration, Timestamp entry]

[Image 2: outgoing WS-Security configuration, Signature entry with keystore.jks]

Image 3 integrates the WS-Security configuration from the earlier steps for outgoing requests.

[Image 3: outgoing WS-Security configuration applied to the request]

SoapUI requests succeeded following the above steps. Now the requirement is to implement this programmatically. Unfortunately, my attempts haven't succeeded.

Could anybody guide me through these steps in Spring Web Services or recommend any other library (in Java, PHP, or any other language) to connect to a SOAP server with similar security?

Following is the code snippet that I tried using Spring WS with WSS4J.

import java.io.IOException;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.ws.config.annotation.WsConfigurerAdapter;
import org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor;
import org.springframework.ws.soap.security.wss4j2.support.CryptoFactoryBean;

@Configuration
public class SoapClientConfig extends WsConfigurerAdapter {

    @Bean
    public Wss4jSecurityInterceptor securityInterceptor() throws Exception {
        Wss4jSecurityInterceptor securityInterceptor = new Wss4jSecurityInterceptor();

        // Outgoing (securement) actions: sign the message and add a Timestamp
        securityInterceptor.setSecurementActions("Signature Timestamp");

        // Time to live of the Timestamp is given in seconds (300 = 5 minutes),
        // not milliseconds
        securityInterceptor.setSecurementTimeToLive(300);
        securityInterceptor.setTimestampPrecisionInMilliseconds(true);

        // Alias of the signing key in the keystore and the private key password
        securityInterceptor.setSecurementUsername("key-alias");
        securityInterceptor.setSecurementPassword("password");
        securityInterceptor.setSecurementSignatureCrypto(getCryptoFactoryBean().getObject());

        // Reference the signing certificate through a BinarySecurityToken
        securityInterceptor.setSecurementSignatureKeyIdentifier("DirectReference");
        securityInterceptor.setSecurementSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
        securityInterceptor.setSecurementSignatureDigestAlgorithm("http://www.w3.org/2001/04/xmlenc#sha256");

        securityInterceptor.setSecurementMustUnderstand(true);
        // Sign the SOAP Body and the wsu:Timestamp
        securityInterceptor.setSecurementSignatureParts("{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body;{Content}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp");

        return securityInterceptor;
    }

    @Bean
    public CryptoFactoryBean getCryptoFactoryBean() throws IOException {
        // Keystore holding the signing key and certificate
        CryptoFactoryBean cryptoFactoryBean = new CryptoFactoryBean();
        cryptoFactoryBean.setKeyStorePassword("password");
        cryptoFactoryBean.setKeyStoreLocation(new ClassPathResource("keystore.jks"));

        return cryptoFactoryBean;
    }
}
Rabinson
  • Any server logs? – Onur Baştürk Sep 01 '20 at 20:50
  • If you could specify the error you have, it could be easier to detect where the problem is. Anyway, I suspect that the problem is related to the keystore. – vsam490 Sep 02 '20 at 17:26
  • I believe that on the server side it has validation of the request signature and timestamp, so it is throwing an exception with the message "Policy Rejected". There's not much information on which part of the validation failed. The keystore is the same one that I used for calling via SoapUI. It works there, but in code there might be some missing configuration. – Rabinson Sep 04 '20 at 05:49
  • @Rabinson does the securityInterceptor need to call setSecurementEncryptionCrypto() if "Encrypt" isn't one of the securement actions? [Reference](https://docs.spring.io/spring-ws/docs/current/reference/#_encryption_2) – munzld Sep 05 '20 at 12:21
  • @munzld No, actually not; we just have the two actions, Timestamp and Signature, so encryption is not needed. I have already tried removing it. The 'xml-exc-c14n#' algorithm appears to get added automatically to the request signature. – Rabinson Sep 05 '20 at 12:26
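The following is an added, complete Spring WS client configuration for the setup described in the question (signed Body and Timestamp, key from a JKS keystore, HTTP Basic credentials on the transport). It is example code written for this page, not the asker's code and not Spring WS project code. The endpoint URL, key alias, passwords and Basic auth credentials are placeholders; the assumption that "basic authorization" means HTTP Basic at the transport level, and that the server signs its responses with a certificate the same keystore trusts, are both assumptions and are marked in comments. It also adds a small ClientInterceptor that prints each envelope, so the generated wsse:Security header can be compared against the raw request SoapUI sends when the server only answers "Policy Rejected".

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.ws.WebServiceMessage;
import org.springframework.ws.client.WebServiceClientException;
import org.springframework.ws.client.core.WebServiceTemplate;
import org.springframework.ws.client.support.interceptor.ClientInterceptor;
import org.springframework.ws.context.MessageContext;
import org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor;
import org.springframework.ws.soap.security.wss4j2.support.CryptoFactoryBean;
import org.springframework.ws.transport.http.HttpComponentsMessageSender;

@Configuration
public class SignedSoapClientConfig {

    // Placeholder values (assumptions for this example); replace with your own.
    private static final String ENDPOINT = "https://soap.example.invalid/service";
    private static final String KEY_ALIAS = "key-alias";
    private static final String KEY_PASSWORD = "password";
    private static final String HTTP_USER = "basic-user";
    private static final String HTTP_PASSWORD = "basic-password";

    @Bean
    public CryptoFactoryBean signingCrypto() {
        // JKS keystore on the classpath holding the signing key and certificate
        CryptoFactoryBean crypto = new CryptoFactoryBean();
        crypto.setKeyStoreType("jks");
        crypto.setKeyStoreLocation(new ClassPathResource("keystore.jks"));
        crypto.setKeyStorePassword("password");
        return crypto;
    }

    @Bean
    public Wss4jSecurityInterceptor securityInterceptor(CryptoFactoryBean signingCrypto) throws Exception {
        Wss4jSecurityInterceptor interceptor = new Wss4jSecurityInterceptor();
        // Actions run in the order listed: create the Timestamp first so that
        // the Signature action finds it when signing the Timestamp part.
        interceptor.setSecurementActions("Timestamp Signature");
        interceptor.setSecurementTimeToLive(300);              // seconds, not ms
        interceptor.setTimestampPrecisionInMilliseconds(true);
        interceptor.setSecurementUsername(KEY_ALIAS);          // keystore alias
        interceptor.setSecurementPassword(KEY_PASSWORD);       // private key password
        interceptor.setSecurementSignatureCrypto(signingCrypto.getObject());
        interceptor.setSecurementSignatureKeyIdentifier("DirectReference");
        interceptor.setSecurementSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
        interceptor.setSecurementSignatureDigestAlgorithm("http://www.w3.org/2001/04/xmlenc#sha256");
        interceptor.setSecurementSignatureParts(
            "{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body;"
          + "{Content}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp");
        interceptor.setSecurementMustUnderstand(true);

        // Assumption: the server signs its responses with a certificate that the
        // same keystore trusts. Validating the response signature and timestamp
        // keeps a forged or replayed reply from being accepted by the client.
        interceptor.setValidationActions("Timestamp Signature");
        interceptor.setValidationSignatureCrypto(signingCrypto.getObject());
        return interceptor;
    }

    /** Prints each envelope so it can be diffed against the raw SoapUI request. */
    @Bean
    public ClientInterceptor envelopeLogger() {
        return new ClientInterceptor() {
            private void dump(String label, WebServiceMessage message) {
                try {
                    ByteArrayOutputStream out = new ByteArrayOutputStream();
                    message.writeTo(out);
                    System.out.println(label + ":\n" + out.toString(StandardCharsets.UTF_8.name()));
                } catch (IOException e) {
                    throw new IllegalStateException(e);
                }
            }
            @Override public boolean handleRequest(MessageContext ctx) throws WebServiceClientException {
                dump("REQUEST", ctx.getRequest());
                return true;
            }
            @Override public boolean handleResponse(MessageContext ctx) throws WebServiceClientException {
                dump("RESPONSE", ctx.getResponse());
                return true;
            }
            @Override public boolean handleFault(MessageContext ctx) throws WebServiceClientException {
                dump("FAULT", ctx.getResponse());
                return true;
            }
            @Override public void afterCompletion(MessageContext ctx, Exception ex) { }
        };
    }

    /** Assumption: "basic authorization" is HTTP Basic on the transport, not a WSS token. */
    @Bean
    public HttpComponentsMessageSender messageSender() {
        HttpComponentsMessageSender sender = new HttpComponentsMessageSender();
        sender.setCredentials(new UsernamePasswordCredentials(HTTP_USER, HTTP_PASSWORD));
        sender.setAuthScope(AuthScope.ANY);
        return sender;
    }

    @Bean
    public WebServiceTemplate webServiceTemplate(Wss4jSecurityInterceptor security,
                                                 ClientInterceptor envelopeLogger,
                                                 HttpComponentsMessageSender sender) {
        WebServiceTemplate template = new WebServiceTemplate();
        template.setDefaultUri(ENDPOINT);
        template.setMessageSender(sender);
        // handleRequest runs in array order, so the logger placed after the
        // security interceptor prints the envelope with the Security header.
        template.setInterceptors(new ClientInterceptor[] { security, envelopeLogger });
        return template;
    }
}
```

With this wiring, a call such as webServiceTemplate.sendSourceAndReceiveToResult(requestSource, responseResult) goes out signed over HTTP Basic, and the REQUEST dump shows the wsse:Security header (BinarySecurityToken, Timestamp, Signature with its References) that the server is rejecting. Comparing that dump field by field with the raw request SoapUI sends (Created/Expires, the ds:Reference URIs, the canonicalization and digest algorithms, the token reference type) is the quickest way to find which detail differs when the server gives no more than "Policy Rejected".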

1 Answer

Does the WSDL have a Policy section? If it has, you can't use interceptors. In my experience, "Policy Rejected" is not always a validation from the server; it can be from the client.

It may be that the interceptor includes security after the policy checks (client side).