I am trying to create a SOAP security header but am having difficulty understanding how to create the proper crypto and other configs. I have attached the WSDL policy (not the entire WSDL) as well as the token request and response from the server and a whoami request that shows an example of the security header that I need to generate. The server is a WCF endpoint, e.g. a CRM system. All of the attachments are to a small virtual machine demo system I set up to test security processing in Java.

I am using wss4j 2.1.8. I've gone through the wss4j tests trying to stitch together just the right parts as I don't need to have anything robust, just a security header that meets this one target. When trying to use axis2 to generate the stubs, it did not seem to generate the security part and I just need some code for the client side in a non-servlet scenario. I tried to look at rampart to understand it may create the config but reading that code did not help. I have also read through the standards but that's not helped me map it to the code I need.

Thoughts on which wss4j tests might hold critical code for me to look at and cut and paste from? For example, I've yet to figure out how to create the proper crypto to use with the signature, it seems all the choices use disk-based keystores. Thoughts?

    val secHeader = new WSSecHeader(doc)
    secHeader.insertSecurityHeader()

    val timestamp = new WSSecTimestamp()
    timestamp.setTimeToLive(3600 * 2)
    timestamp.build(doc, secHeader)

    val x509Data = new DOMX509Data(doc,
      new DOMX509IssuerSerial(doc, "CN=DemoCrmServer, DC=Demo, DC=Local",
        new java.math.BigInteger("825127572376036501802804159644169187033612293")))

    // This gives me an error because I do not have a crypto.properties, but I just need a memory based version
    val crypto = CryptoFactory.getInstance()

    val signer = new WSSecSignature()
    signer.setSigCanonicalization(WSS4JConstants.C14N_EXCL_OMIT_COMMENTS)
    signer.setKeyIdentifierType(WSConstants.ISSUER_SERIAL)
    // What's the right crypto?
    val signedDoc = signer.build(doc, crypto, secHeader)
    ...
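One way to get a Crypto without crypto.properties or a disk-based keystore, shown as an added example (not code from this thread or from the WSS4J tests): wrap an in-memory java.security.KeyStore in Merlin and pass it to the signer. It assumes WSS4J 2.1.x as in the post and that the caller already holds the signing key and its certificate; the class name InMemorySigner and its method names are hypothetical.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.message.WSSecHeader;
import org.apache.wss4j.dom.message.WSSecSignature;
import org.w3c.dom.Document;

// Hypothetical helper class, written for this example.
public final class InMemorySigner {

    /** Build a Crypto whose keystore exists only in memory. */
    static Crypto inMemoryCrypto(String alias, String keyPassword,
                                 PrivateKey key, X509Certificate cert)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // null stream: start from an empty keystore
        ks.setKeyEntry(alias, key, keyPassword.toCharArray(),
                       new Certificate[] { cert });

        // The no-arg constructor loads no properties file; the keystore
        // is supplied directly instead.
        Merlin merlin = new Merlin();
        merlin.setKeyStore(ks);
        return merlin;
    }

    /** Sign the SOAP document with the key stored under the given alias. */
    static Document sign(Document doc, Crypto crypto,
                         String alias, String keyPassword) throws Exception {
        WSSecHeader secHeader = new WSSecHeader(doc);
        secHeader.insertSecurityHeader();

        WSSecSignature signer = new WSSecSignature();
        // Alias and password must match the setKeyEntry call above,
        // otherwise the private key lookup fails at build time.
        signer.setUserInfo(alias, keyPassword);
        signer.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
        return signer.build(doc, crypto, secHeader);
    }
}
```

With ISSUER_SERIAL the issuer name and serial number in the header are taken from the certificate stored under the alias, so they do not need to be built by hand.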
I'd strongly encourage you to use a web services framework instead of trying to roll your own security. Take a look at some of the CXF examples here:

Colm.
On Thu, Jan 19, 2017 at 10:59 PM, Devon Miller <[hidden email]> wrote:
Colm O hEigeartaigh
Talend Community Coder