How do I validate XML Signatures for authentication purposes and use XML Signatures to prove message integrity in Apigee?
The signature is located in the WS-Security block, and the signing key is in the <KeyInfo> block of the message.
Similar functionality to the one described here:
http://docs.oracle.com/cd/E39820_01/doc.11121/gateway_docs/content/content_integrity.html
Is there a sample to refer to in order to achieve this in Apigee?
Season's Greetings @vinay poreddy! Excellent Question!
In my experience, I implemented this by leveraging a Java Callout Policy. The article Signing SOAP Messages - Generation of Enveloped XML Signatures provided some initial thoughts on how to achieve this. One of the challenging parts was reading the keys from a key store, because, for security reasons, Apigee Edge prevents access to the filesystem. However, this is achievable by storing these files in jar files and retrieving them as a file stream. Check the full example attached. Hope this sample helps to give you a head start.

```java
import java.io.InputStream;
import java.io.PrintWriter;
import java.io.StringWriter;
import java.security.KeyStore;
import java.security.PrivateKey;
import org.apache.commons.io.IOUtils;
import org.w3c.dom.Element;
import com.apigee.flow.execution.ExecutionContext;
import com.apigee.flow.execution.ExecutionResult;
import com.apigee.flow.message.MessageContext;

public ExecutionResult execute(MessageContext messageContext, ExecutionContext executionContext) {
    try {
        org.apache.xml.security.Init.init();
        // Read stockTemplate.xml and keystore.jks from the callout jar's classpath
        // (the filesystem itself is not accessible from a Java callout)
        InputStream fstream = this.getClass().getResourceAsStream("/templates/stockTemplate.xml");
        InputStream kfstream = this.getClass().getResourceAsStream("/templates/keystore.jks");
        StringWriter writer = new StringWriter();
        IOUtils.copy(fstream, writer, "UTF-8");
        String theString = writer.toString();
        messageContext.setVariable("stockTemplateFileContent", theString); // assign file content to stockTemplateFileContent variable
        messageContext.setVariable("response.content", theString);         // assign file content to response.content variable
        String keystoreType = "JKS";
        String keystoreFile = "/keystore.jks";
        String keystorePass = "Password123";   // sample value: keep real secrets out of source (e.g. in an encrypted KVM)
        String privateKeyAlias = "mydomain";
        String privateKeyPass = "Password123";
        String certificateAlias = "mydomain";
        Element element = null;
        KeyStore ks = KeyStore.getInstance(keystoreType);
        String BaseURI = ""; // signatureFile.toURI().toURL().toString();
        ks.load(kfstream, keystorePass.toCharArray());
        // The private key retrieved here is what the signing step uses
        PrivateKey privateKey = (PrivateKey) ks.getKey(privateKeyAlias, privateKeyPass.toCharArray());
        return ExecutionResult.SUCCESS;
    } catch (Exception e) {
        // Surface the stack trace to the proxy flow instead of swallowing it
        StringWriter sw = new StringWriter();
        e.printStackTrace(new PrintWriter(sw));
        String exceptionAsString = sw.toString();
        messageContext.setVariable("ERROR_MESSAGE", exceptionAsString);
        return ExecutionResult.ABORT;
    }
}
```
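The verification side the question asks about, an enveloped signature checked against the certificate carried in its own <KeyInfo>, as an added example that is not the attached sample or Apigee's own code; the class name and that `verify` is called from the callout's `execute()` with the message body are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public final class XmlSignatureValidator { // hypothetical helper class
    // Picks the verification key out of the signature's own <KeyInfo>/<X509Data>. This proves
    // integrity under *that* key only; a production selector must also chain the certificate to a trust anchor.
    static final class X509KeyInfoSelector extends KeySelector {
        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose,
                AlgorithmMethod method, XMLCryptoContext ctx) throws KeySelectorException {
            if (keyInfo == null) throw new KeySelectorException("signature carries no KeyInfo");
            for (Object item : keyInfo.getContent()) {
                if (!(item instanceof X509Data)) continue;
                for (Object entry : ((X509Data) item).getContent()) {
                    if (entry instanceof X509Certificate) {
                        PublicKey pk = ((X509Certificate) entry).getPublicKey();
                        return () -> pk;
                    }
                }
            }
            throw new KeySelectorException("no X509Certificate in KeyInfo");
        }
    }

    // Returns true only if the first ds:Signature in the document (e.g. inside the
    // wsse:Security header) verifies against the key found in its KeyInfo.
    public static boolean verify(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);                       // required for ds:/wsse: lookups
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE
        Document doc = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() == 0) return false;           // unsigned message: reject
        DOMValidateContext ctx = new DOMValidateContext(new X509KeyInfoSelector(), sigs.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE); // JDK hardening mode
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        return sig.validate(ctx);                          // checks every Reference digest and the SignatureValue
    }
}
```

References that point at wsu:Id attributes need `ctx.setIdAttributeNS(...)` registered before `validate`, and a false result should abort the flow rather than fall through. The selected certificate must still be matched against the keystore the answer loads from the jar; otherwise the check only proves the message is consistent with whatever key the sender embedded.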
Can you provide a sample proxy for reference?