Search code examples
spring-bootsoap-clientspring-ws

spring ws Could not validate request: No WS-Security header found

I'm getting the error above.

Could not validate request: No WS-Security header found

The header starts with 

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">

So I don't really know why it's complaining. The body has an encrypted section I want to decrypt.

Note I don't actually control the server

@Bean
    @Throws(Exception::class)
    fun wss4jSecurityInterceptor(): Wss4jSecurityInterceptor {
        val securityInterceptor = Wss4jSecurityInterceptor()


        // set security actions: Timestamp Signature SAMLTokenSigned SAMLTokenUnsigned
        securityInterceptor.setSecurementActions("Timestamp Signature UsernameToken")
        //securityInterceptor.setValidationCallbackHandler(securityCallbackHandler())
        securityInterceptor.setSecurementUsername("USERNAME")
        securityInterceptor.setSecurementPassword("PASSWORD")
        securityInterceptor.setSecurementPasswordType(WSConstants.PW_TEXT)

        // sign the request
        securityInterceptor.setSecurementUsername(signingCertName)
        securityInterceptor.setSecurementPassword(signingCertPassword)
        securityInterceptor.setSecurementTimeToLive(5000)
        securityInterceptor.setTimestampStrict(false)
        securityInterceptor.setSecurementSignatureCrypto(myCrypto())
        securityInterceptor.setSecurementSignatureParts(
                "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;" +
                "{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;" +
                "{Element}{http://ebs.health.ontario.ca/}EBS;" +
                "{Element}{http://idp.ebs.health.ontario.ca/}IDP;"
        )
        securityInterceptor.setSecurementSignatureDigestAlgorithm("http://www.w3.org/2000/09/xmldsig#sha1")
        securityInterceptor.setSecurementSignatureAlgorithm("http://www.w3.org/2000/09/xmldsig#rsa-sha1")
        securityInterceptor.setSecurementSignatureKeyIdentifier("DirectReference")
        securityInterceptor.setSecurementMustUnderstand(true)

        securityInterceptor.setValidationDecryptionCrypto(myCrypto())
        securityInterceptor.setValidationCallbackHandler(keyStoreCallBack())
        securityInterceptor.setSecurementEncryptionParts("{Element}{http://hcv.health.ontario.ca/}validateResponse;")
        securityInterceptor.setSecurementEncryptionCrypto(myCrypto())
        securityInterceptor.setValidationActions("Encrypt")
        securityInterceptor.setValidationActor("PASSWORD")

        securityInterceptor.afterPropertiesSet()
        return securityInterceptor
    }
Solution

  • The answer was the validation actor. I thought it was a password field, but it actually specifies the security header. Removing it got me passed the error