I am trying to apply a WS Security Policy on my web services. The requirement is to sign the body and timestamp element (no encryption) with X.509 certificate. I am using SoapUI to sign and send soap messages. I implemented web services using cxf wsdl first approach.
I am getting incorrect X.509 Token Type from the server. Any suggestion to solve this ?
The Policy
<wsp:Policy wsu:Id="BindingPolicy">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:IncludeTimestamp />
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128 />
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10>
<wsp:Policy>
<sp:MustSupportRefIssuerSerial />
</wsp:Policy>
</sp:Wss10>
</wsp:All>
<wsp:All>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token11 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token11 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:IncludeTimestamp />
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128 />
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefIssuerSerial />
</wsp:Policy>
</sp:Wss11>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="InputBindingPolicy">
<wsp:ExactlyOne>
<wsp:All>
<sp:SignedParts>
<sp:Body />
<sp:Header Name="Timestamp"
Namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" />
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="OutputBindingPolicy">
<wsp:ExactlyOne>
<wsp:All>
<sp:SignedParts>
<sp:Body />
<sp:Header Name="Timestamp"
Namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" />
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
The SOAP request message
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soapenv:mustUnderstand="1">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-83B479E74DEAAC133C142621373015110">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="bil soapenv" />
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#id-79B1EE1537BD34718D1426151592761356">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="bil" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>5sx0CDCmVVk5rCL+H/a7ePT4JLE=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#TS-83B479E74DEAAC133C14262137301466">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse bil soapenv" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>KhSCUclKK36KDo/34E0KN17d974=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>LHUjvdfQK0nvl3zwsLBfhfDMK856zXzCiqTnZX2QF5xPX+DA2GwSycZIqIx6gH3ofGUG67PqvHHYtczasH74RzLIO7V6Uq/t+r4NbcFhwVXV31tcYg/X+blCYvzhj31Y45qYQ/AlVcTy1Y2411V50T67HpAErt+Bj2C8PwxlB1LXhPBLSiD4pleUSlXEDtHE/tetC+FtAP7hNcFTHmp8M5amjLWsl52QdFHew8MIde8Xd/B6HatMEHUYmhI3urhuFoqrDXweL80gmI5njlWKUHIAFEPFjXfyEB2is9E4QQNiCbgT5L/VFnArc7uKjDt58Ctua/QB8QhEr3bMIlBJeQ=
</ds:SignatureValue>
<ds:KeyInfo Id="KI-83B479E74DEAAC133C14262137301508">
<wsse:SecurityTokenReference wsu:Id="STR-83B479E74DEAAC133C14262137301509">
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=client</ds:X509IssuerName>
<ds:X509SerialNumber>1166791595</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp wsu:Id="TS-83B479E74DEAAC133C14262137301466">
<wsu:Created>2015-03-13T02:28:50.146Z</wsu:Created>
<wsu:Expires>2015-03-20T01:08:50.146Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soapenv:Header>
<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-79B1EE1537BD34718D1426151592761356">
<bil:Echo>
<parameters>
<Version>123</Version>
<CorrelationId>1234</CorrelationId>
<Message>hello</Message>
</parameters>
</bil:Echo>
</soapenv:Body>
The SOAP response message
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>These policy alternatives can not be satisfied
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token: An incorrect X.509 Token Type is detected
</faultstring>
</soap:Fault>
</soap:Body>
</soap:Envelope>
The policy says that the initiator token (signature token) must always be included to the recipient. However, your message only references the signature token via IssuerSerial.
Colm.