1 Reply Latest reply on Jun 25, 2009 10:39 AM by black_bear_software

    Signing security headers in SOAP

    black_bear_software

      I'm trying to get Flex 3 to talk to JAX-WS (CXF) using WS-Security.  I've modified the flex side to add the headers, resulting in:

       

      <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xs="http://www.w3
      .org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      
        <SOAP-ENV:Header>
      
          <ns0:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext"
       xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility" xmlns:soap="http://schemas.xmlsoap.org/soap
      /envelope/" xmlns:ns0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0
      .xsd">
      
            <wsse:UsernameToken wsu:Id="UsernameToken-829934">
      
              <wsse:Username>username</wsse:Username>
      
              <wsse:Password Type="wsse:PasswordDigest">Q3Nmmto+7ZVD0hkbn3R84UrJ86A=</wsse:Password>
      
            </wsse:UsernameToken>
      
          </ns0:Security>
      
        </SOAP-ENV:Header>
      
        <SOAP-ENV:Body>
      
          <tns:getAllPeople xmlns:tns="http://sample.cxf.wfc.kronos.com/"/>
      
        </SOAP-ENV:Body>
      
      </SOAP-ENV:Envelope>
      
      On the server side, I'm using CXF with Spring configuration, and I added the org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor and 
      org.apache.cxf.binding.soap.saaj.SAAJInInterceptor configuration.  However, when I make the call, I get an exception thrown on the server side because
      this fails:

                  if (reqData.getWssConfig().isEnableSignatureConfirmation()) {

                      checkSignatureConfirmation(reqData, wsResult);

                  }

       

      I'm trying to figure out how to disable the confirmation requirement on the server side, but I'd also like to find out how to sign it on the client (Flex)

      side.  Any suggestions?

       

      James

       

        • 1. Re: Signing security headers in SOAP
          black_bear_software Level 1

          Gack, let's try pasting that again...

           

           

          <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <SOAP-ENV:Header>
              <ns0:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext"
           xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility" xmlns:soap="http://schemas.xmlsoap.org/soap
          /envelope/" xmlns:ns0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0
          .xsd">
                <wsse:UsernameToken wsu:Id="UsernameToken-829934">
                  <wsse:Username>username</wsse:Username>
                  <wsse:Password Type="wsse:PasswordDigest">Q3Nmmto+7ZVD0hkbn3R84UrJ86A=</wsse:Password>
                </wsse:UsernameToken>
              </ns0:Security>
            </SOAP-ENV:Header>
            <SOAP-ENV:Body>
              <tns:getAllPeople xmlns:tns="http://sample.cxf.wfc.kronos.com/"/>
            </SOAP-ENV:Body>
          </SOAP-ENV:Envelope>