
Calling a secured Web Service in Java


I need to write a web service client to call a third party web service (SOAP based). The third party published a wsdl and the associated xsd files.

The third party secures their website and services using .p12 certificates.

I used wsdl2java to generate my stubs. I modified the endpoints and called the service. I received the following error:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
   <SOAP-ENV:Header></SOAP-ENV:Header>
   <SOAP-ENV:Body>
      <SOAP-ENV:Fault>
         <faultcode xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">wsse:InvalidSecurity</faultcode>
         <faultstring>SECU1075: An error was discovered processing the &lt;wsse:Security> header</faultstring>
         <detail>SECU3510: Signature requirements validation failed: Element (/soapenv:Envelope/soapenv:Body) was not signed</detail>
      </SOAP-ENV:Fault>
   </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Hmmm, ok. Makes sense that I should be signing the document.

The strange part (to me) is there isn't a security definition anywhere in the WSDL file. Is this normal? I contacted the third party and they sent me a pdf of what the SOAP message needs to look like. The following tags appear in the header:

<wsse:BinarySecurityToken>

and

<dsig:SignedInfo>

so from what I gather, it requires my certificate and some digital signatures.

Can someone recommend how to generate these in Java? I started down the Axis2/Rampart path but honestly, it seems those are predicated on having the security requirements defined in the WSDL file (correct me if I'm wrong).


Solution

  • Looks like you need to sign your message using the WS-Security standard. The WS-Security standard does not specify any security mapping to the WSDL file. Some applications use WS-Security Policy and WS-Policy Attachment in conjunction with WS-Security. WS-Policy Attachment does specify the way to map policies to WSDL.

    You can learn more about these standards from w3.org

    And yes, you are on the right path; you could use WSS4J or Axis Rampart, it's your choice.
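
A sketch of the signing step with WSS4J, added here as an example and not part of the original answer: it signs the SOAP Body with the private key from a .p12 keystore and places the certificate in a `wsse:BinarySecurityToken`, which are the two elements the question describes. It assumes the WSS4J 2.2 or later API; the keystore file name, key alias and environment variable name are placeholders.

```java
import java.io.StringReader;
import java.util.Properties;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoFactory;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.message.WSSecHeader;
import org.apache.wss4j.dom.message.WSSecSignature;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class SoapBodySigner {
    // Placeholders (assumptions, not values from the page).
    private static final String KEYSTORE_FILE = "client.p12";
    private static final String KEY_ALIAS = "client-key";
    // Keep the keystore password out of source; the variable name is hypothetical.
    private static final String KEYSTORE_PASSWORD = System.getenv("CLIENT_P12_PASSWORD");

    public static Document sign(String soapEnvelope) throws Exception {
        // XML signatures are namespace-sensitive, so the parser must be namespace-aware.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder()
                .parse(new InputSource(new StringReader(soapEnvelope)));

        // Merlin is WSS4J's keystore-backed Crypto implementation.
        Properties props = new Properties();
        props.setProperty("org.apache.wss4j.crypto.provider",
                "org.apache.wss4j.common.crypto.Merlin");
        props.setProperty("org.apache.wss4j.crypto.merlin.keystore.type", "pkcs12");
        props.setProperty("org.apache.wss4j.crypto.merlin.keystore.file", KEYSTORE_FILE);
        props.setProperty("org.apache.wss4j.crypto.merlin.keystore.password", KEYSTORE_PASSWORD);
        Crypto crypto = CryptoFactory.getInstance(props);

        // Adds an empty <wsse:Security> element to the SOAP header.
        WSSecHeader header = new WSSecHeader(doc);
        header.insertSecurityHeader();

        WSSecSignature signature = new WSSecSignature(header);
        signature.setUserInfo(KEY_ALIAS, KEYSTORE_PASSWORD);
        // Embed the X.509 certificate as a BinarySecurityToken and reference it
        // from the signature's KeyInfo.
        signature.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
        // With no parts configured, WSS4J signs the SOAP Body.
        return signature.build(crypto);
    }
}
```

The signature and canonicalization algorithms the service accepts are not stated on the page, so check the provider's sample message before relying on the WSS4J defaults.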