Best IT Recipes

X509 WS-Security using spring-ws, XWS interceptor in WebSphere

It’s hard for me to work with WS-Security based on the X509 certificate in WebSphere v7.

Here's a little background: We use spring-ws in our application, and we enable UsernameToken profile protection or X509 security. These two options are implemented using the Xws Security interceptor, which runs with the Xws Security Framework:

http://docs.oracle.com/cd/E17802_01/webservices/webservices/docs/1.6/tutorial/doc/XWS-SecurityIntro4.html

We implement security both on the client side and on the server side, both using the XWSS interceptor. There are two questions:

  • The javax.xml.crypto class returned from WebSphere for "http://www.w3.org/2001/10/xml-exc-c14n#" or any CanonicalizationMethod method is not compatible with the XWSS interceptor. We see this error in the server side message log:

12/5/11 17: 26: 41: 098 EST 00000023 XwsSecurityIn W org.springframework.ws.soap.security.AbstractWsSecurityInterceptor handleValidationException Failed to validate request: com.sun.xml.wss.XWSSecurityException: javax.xml. crypto.MarshalException: java.security.NoSuchAlgorithmException: class configured for TransformService: com.ibm.xml.crypto.dsig.dom.transform.ExcC14nTransformer not TransformService; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: javax.xml.crypto.MarshalException: java.security.NoSuchAlgorithmException: class configured for TransformService: com.ibm.xml.crypto. dsig.dom.transform.ExcC14nTransformer not TransformService

I think the best thing that can be done here is to override which implementation is used to decrypt these types. We included xmldsig-1.0.jar in our war file (which is deployed with the class loader installed on parent-last). Does anyone know a way to rewrite this? I tried to specify "org.jcp.xml.dsig.internal.dom.XMLDSigRI" in java.security in my runtime, but this did not work. We include xmldsig-1.0.jar in our application.

This seems like a compatibility issue between the IBM JRE and the Sun JRE. The XWSS interceptor was written by Sun, so they may have taken some things for granted.

  • We get a client-side NullPointerException, trying to insert the header elements needed to sign the request. We use xerces to implement the DOM, but this is similar to SOAPFactory. I tried setting the property "javax.xml.soap.SOAPFactory" to "com.sun.xml.messaging.saaj.soap.ver1_1.SOAPFactory1_1Impl, but this did not seem to fix the problem. Here is the stack trace:

    [12/3/11 13: 39: 52: 560 EST] 00000027 XwsSecurityIn E org.springframework.ws.soap.security.AbstractWsSecurityInterceptor handleSecurementException Failed to protect response: java.lang.NullPointerException; The nested exception is com.sun.xml.wss.XWSSecurityException: java.lang.NullPointerException org.springframework.ws.soap.security.xwss.XwsSecuritySecurementException: java.lang.NullPointerException; The nested exception is com.sun.xml.wss.XWSSecurityException: java.lang.NullPointerException

    ...

    Caused by: com.sun.xml.wss.XWSSecurityException: java.lang.NullPointerException on com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.secureOutboundMessage (XWSSProcessor2_0Impl.java:98) at org.springs.fsework.security .xwss.XwsSecurityInterceptor.secureMessage (XwsSecurityInterceptor.java:135) ... 86 more Called: java.lang.NullPointerException at com.sun.xml.wss.core.Timestamp.getAsSoapElement (Timestamp.java:265) com .xml.wss.core.SecurityHeader.insertHeaderBlock (SecurityHeader.java:90) at com.sun.xml.wss.impl.filter.TimestampFilter.process (TimestampFilter.java:149) at com.sun.xml.wss.impl .HarnessUtil.processWSSPolicy (HarnessUtil.java:87) at com.sun.xml.wss.impl.HarnessUtil.processDeep (HarnessUtil.java:237) at com.sun.xml.wss.impl.SecurityAnnotator.processMessagePolicy.ava : 162) at com.sun.xml.wss.im pl.SecurityAnnotator.secureMessage (SecurityAnnotator.java:137) at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.secureOutboundMessage (XWSSProcessor2_0Impl.java:96) ... 87 more

I tried to configure my policy configuration to disable the timestamp, but then I get the NPE in another element. I do not believe that the configuration is to blame, but here anyway:

<?xml version="1.0" encoding="UTF-8"?> <SecurityConfiguration xmlns="http://java.sun.com/xml/ns/xwss/config" dumpMessages="true"> <Sign includeTimestamp="false"> <X509Token certificateAlias="1"/> </Sign> </SecurityConfiguration>

I tested this on JBoss and Jetty, and both worked as expected. Any help would be greatly appreciated ...

+1
spring-security spring-ws websphere x509
Dec 06 2018-11-12T00:
source share
1 answer

After much research, I found that the XWS Security Interceptor is not compatible with the IBM JRE. I was able to get it to work with UsernameToken profile protection, but it will not work with certificate-based security. I decided to rewrite it using the WSS4J interceptor.

For more information see chapter 7.2:

http://static.springsource.org/spring-ws/site/reference/pdf/spring-ws-reference.pdf

+1
Dec 07 2018-11-12T00:
source share


More articles:


All Articles