users@jax-rpc.java.net

Problem with XWS-SECURITY certificate validation

From: Raman <raman.mishra_at_gmail.com>
Date: Thu, 15 Sep 2005 07:48:21 -0700

Hi All,

We are using JWSDP 1.6 for our web services implementations. We are using
XWS-SECURITY to sign the SOAP header on the client side and verify it on the
server side. But we have a requirement to validate whether the certificate in
the SOAP request sent by the client is in our server trust store or not. For
this we are trying to use the CertificateValidationCallback. When I return
false or throw an exception of type
CertificateValidationCallback.CertificateValidationException from the
validate method of the implementation class for the
CertificateValidationCallback.CertificateValidator interface, the XWS-SECURITY
framework is not sending any SOAP Fault to the client. I tried the same thing
in JWSDP 1.5, and it is able to return a SOAP Fault to the client.

My server-side security configuration file is:

<xwss:JAXRPCSecurity xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
<xwss:Service>
<xwss:SecurityConfiguration dumpMessages="true">
<xwss:RequireSignature requireTimestamp="false">
<xwss:Target type="qname">ns:ApplicationID</xwss:Target>
</xwss:RequireSignature>
</xwss:SecurityConfiguration>
</xwss:Service>
<xwss:SecurityEnvironmentHandler>
sample.SecurityEnvironmentHandler
</xwss:SecurityEnvironmentHandler>
</xwss:JAXRPCSecurity>

and the client-side configuration file is:

<xwss:JAXRPCSecurity xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
<xwss:Service>
<xwss:SecurityConfiguration dumpMessages="true">
<xwss:Sign includeTimestamp="false">
<xwss:X509Token certificateAlias="xws-security-client"/>
<xwss:CanonicalizationMethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<xwss:SignatureMethod algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<xwss:SignatureTarget type="qname" value="ns:ApplicationID">
<xwss:DigestMethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<xwss:Transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</xwss:SignatureTarget>
</xwss:Sign>
</xwss:SecurityConfiguration>
</xwss:Service>
<xwss:SecurityEnvironmentHandler>
sample.SecurityEnvironmentHandler
</xwss:SecurityEnvironmentHandler>
</xwss:JAXRPCSecurity>

The SecurityEnvironmentHandler class is the same as the one bundled with the
JWSDP 1.6 XWS-SECURITY sample.


Thanks,
Raman
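
Added example, not part of the original post and not the JWSDP sample code: one way to write the trust-store check described above as a CertificateValidationCallback.CertificateValidator, using the JDK's PKIX path validation. The class name, the already-loaded trust store passed to the constructor, and the disabled revocation check are assumptions; it needs the XWS-SECURITY jar on the classpath to compile.

```java
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;

import com.sun.xml.wss.impl.callback.CertificateValidationCallback;

// Hypothetical class name. Install it from the handler's handle() method with
// certificateValidationCallback.setValidator(new TrustStoreCertificateValidator(ts)).
public class TrustStoreCertificateValidator
        implements CertificateValidationCallback.CertificateValidator {

    // Assumption: the server trust store, loaded by the caller.
    private final KeyStore trustStore;

    public TrustStoreCertificateValidator(KeyStore trustStore) {
        this.trustStore = trustStore;
    }

    public boolean validate(X509Certificate cert)
            throws CertificateValidationCallback.CertificateValidationException {
        try {
            // Reject expired or not-yet-valid certificates before any trust decision.
            cert.checkValidity();

            // Case 1: this exact certificate is an entry in the trust store.
            if (trustStore.getCertificateAlias(cert) != null) {
                return true;
            }

            // Case 2: the certificate was issued by a CA held in the trust store.
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPath path = cf.generateCertPath(Collections.singletonList(cert));
            PKIXParameters params = new PKIXParameters(trustStore);
            params.setRevocationEnabled(false); // assumption: no CRL/OCSP source configured
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (Exception e) {
            // Fail closed: any parsing, expiry or path error means "not trusted".
            throw new CertificateValidationCallback.CertificateValidationException(
                    "Client certificate is not trusted: " + e.getMessage(), e);
        }
    }
}
```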