I need to write a mock-implementation for a third party product that offers a Soap-Webservice.
The WSDL-file is provided and I can't change it. It contains various policies, including WS-addressing- and WS-security-policies. The client for this service is implemented by another team. I have access to the client source code but not the third party service source code. The client, the third party service and my implementation all use the same WSDL-file: https://www.xoev.de/sixcms/media.php/13/XTA2Version3.zip
Both other developers (client and third party service) say they use Apache CXF and did not add any configuration/customization/implementation regarding Soap-Headers. I traced the response of the third party product and all required headers are present.
I use cxf-spring-boot-starter-jaxws and cxf-codegen-plugin.
The CXF documentation states: "In CXF 2.2, if the cxf-rt-ws-policy and cxf-rt-ws-security modules are available on the classpath, the WS-SecurityPolicy stuff is automatically enabled. Since the entire security runtime is policy driven, the only requirement is that the policy engine and security policies be available." https://cxf.apache.org/docs/ws-securitypolicy.html
I added both cxf-rt-ws-security and cxf-rt-ws-policy as direct maven dependencies to make sure they are available.
My code neither sends the required signature confirmation nor the WS-addressing headers in the response. I tried the following combinations without luck:
- CXF 3.5.5, Spring Boot 2.6.4, Java 11
- CXF 4.0.0, Spring Boot 3.0.3, Java 17
I can mitigate the WS-addressing error by manually adding the header, but that does not work for the signature confirmation and should not be necessary.
The client errors are:
- for the missing addressing header:
javax.xml.ws.soap.SOAPFaultException: A required header representing a Message Addressing Property is not present at org.apache.cxf.jaxws.JaxWsClientProxy.mapException(JaxWsClientProxy.java:195) ~[cxf-rt-frontend-jaxws-3.5.5.jar:3.5.5] at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:145) ~[cxf-rt-frontend-jaxws-3.5.5.jar:3.5.5]
- for the missing wsse-header:
javax.xml.ws.soap.SOAPFaultException: These policy alternatives can not be satisfied: {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Wss11: Signature Confirmation policy validation failed at org.apache.cxf.jaxws.JaxWsClientProxy.mapException(JaxWsClientProxy.java:195) ~[cxf-rt-frontend-jaxws-3.5.5.jar:3.5.5] at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:145) ~[cxf-rt-frontend-jaxws-3.5.5.jar:3.5.5]
So the client enforces the policies but my server implementation does not automatically provide the required headers as described in the documentation and as seems to be working in the third party implementation.
What am I missing?
