I am trying to implement Spring WS Security using Signature in both server and client side.
I have added the WSS4J interceptors in both client and server configurations.
However, I am getting an exception that states:No WS-Security header found.
I think I need to add some security information in my SOAP Request Header in my client. But since my wsdls do not have any security information, wsdlimport tool does not generate any header specific method.
I looked at this link : http://forum.springsource.org/archive/index.php/t-52204.html but it does not help in resolving the issue.
Can you please help?
Thanks.
It is the issue of key store, Server must have keystore containing the private key and client must have keystore that contnains public key generated from the same private key.
Related
I am in process of creating an SAML 2.0 response from IDP to SP. What I need is to get the values of the SAML 2.0 attributes from the certificate I got. Following are the SAML 2.0 attributes:
`<ds:SignatureValue> value from certificate </ds:SignatureValue>
<ds:DigestValue> value from certificate </ds:DigestValue>
`
And also can anybody guide me that what exactly are the steps I need to perform on SP side to successfully validate the generated SignatureValue form the given certificate.
Thanks!
There is an Oracle tutorial for how to validate XML digital signatures using the java.xml.crypto.dsig APIs:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/xmldsig/XMLDigitalSignature.html
Unfortunately I did not have an easy time actually locating the code samples to download. I did find one bit of the sample validation code here.
Another good article is here.
At some point you'll need to obtain your SP's public key from the certificate and provide it to your validation code - that's covered in the tutorial under using KeySelectors section. You can use the keytool command to extract from the certificate and add it to a keystore. Sometimes this comes from key/certificate exchange offline; sometimes the key itself comes within the SAML document as X.509 data within<KeyInfo>.
I've generated classes from wsdl with wsimport, wsdl location: https://somehost/wsdl. There was no problem with generation.
But when I tried to send soap request, I've received exception:
com.sun.xml.internal.ws.client.ClientTransportException: The server sent HTTP status code 403: Client certificate required
I find out, surfing the internet, that I have to add certificate in my keystore. I've done it, but this doesn't help.
And I have no idea what to do or even what to google.
Can anybody help me?(
It sounds like a mutual authentication problem.
The server is requiring that your client use a known digital certificate to sign your messages and send that information within the request. It is like a user/password mechanism, but you and the server agree to use a known key-pair for identification.
This situation usually means that the web service server administrator will generate a key-pair and send the private part of the certificate to you.
But you can send the public certificate for him as well if you created it yourself. The server must have access to the public certificate, and it maybe you will have to publish it to a Certification Authority. In some cases it has to be a commercial certificate (you will have to buy it).
You will then use the private key to digitally sign your messages.
I've found some links that may help:
Authentication Mechanisms
Java client for the X.509 secured web-service
Java HTTPS client certificate authentication
If you already did those steps, then something is wrong with your implementation or the certificate/keys provided are invalid.
I recommend you to use a mock server to make sure you are implementing the client authentication properly before you try to connect to the real service. Making it to work locally will set the knowledge you need to call the real functions. You can also ask the web service administrator to send you debug information.
I have been googling a lot for this problem. There are many relevant answers, but I simply didn't find one that gave a complete view IMHO. So, here I am.
The statement of problem is as follows. Given the API information of an HTTPS service, including URL and any required HTTP headers and body format, how do you use a Jersey client to access the service? Note that the statement doesn't assume the client side has any other information from the target service beforehand.
As we know, when a web browser tries to access an HTTPS site, behind the scene, the browser will first get a certificate and a public key from the site. Then, if the browser trusts the certificate, it will use the public key to encrypt the actual request and send it. I have found many examples that explain how to use Jersey client for HTTPS given a truststore that incorporates the certificate and the public key. However, what if the truststore is not available yet? Can we use Jersey client, programmatically, to get the site certificate and public key, and use them to send the actual request, as a web browser does?
Thank you very much.
I have a SOAP webservice made in Java, running on Oracle Weblogic. And I need to get the certificate which is supposed to be provided by the client connecting, and extract some information (IssuerDN). How would I go about this?
Edit: I think the 1st thing I am stuck on, is how do I get the input-stream/connection? Then how would I get the certificate?
This depends what implementation you are running. I some cases the request certificate may be put on the SOAPMessageContext. If that is the case you can implement a SOAPhandler to get hold of the certificate used in the request.
For example, in the IBM Websphere´s Axis2 based implementation of JAX-WS the following code will retrieve the certificate:
public X509Certificate getRequestCertificate(SOAPMessageContext aMessageContext) {
return ((java.security.cert.X509Certificate) aMessageContext.get("com.ibm.xml.soapsec.RequestCert"));
}
Notice, be aware of the following. The code above may not be supported by the vendor of the web service container implementation.
I'm interested if Google App Engine provides a way to use a X.509 Certificate to create a HTTPS connection (the server where I have to connect provides the public certificate - to encrypt data that I send and the private key to decrypt the data received from that server).
According to this post https://groups.google.com/forum/?fromgroups#!topic/google-appengine-python/C9RSDGeIraE it's not possible but 3 years passed since this answer was posted.
SSL client certificates are not currently supported. The feature request is here.
AppEngine has the ability to work with SSL certificate on your custom domain, that means the you can assign a certificate to a domain that is running on the AppEngine.
You cannot AFAIK make a request and provide a custom certificate per request.
Documentation on AppEngine SSL.