WS Security for Apigee add UsernameToken

Hi @Dino, @Dino-at-Google

I am currently working on a service that requires the sending of the WS Security signature, so I used your Java Callout for WS-Security Digital Signature contribution, I could see that the structure forms but I have the doubt with which property I can add the tag "wsse:UsernameToken" as it requires the sending of a user and password.

Thank you very much for your help.

Expected request:

<wsse:Security xmlns:wsse="" xmlns:wsu="">
   <ds:Signature Id="SIG-33966159F436ED774C158171838891449" xmlns:ds="">
         <ds:CanonicalizationMethod Algorithm="">
            <ec:InclusiveNamespaces PrefixList="soapenv v1" xmlns:ec=""/>
         <ds:SignatureMethod Algorithm=""/>
         <ds:Reference URI="#id-33966159F436ED774C158171838890848">
               <ds:Transform Algorithm="">
                  <ec:InclusiveNamespaces PrefixList="v1" xmlns:ec=""/>
            <ds:DigestMethod Algorithm=""/>
      <ds:KeyInfo Id="KI-33966159F436ED774C158171838890746">
         <wsse:SecurityTokenReference wsu:Id="STR-33966159F436ED774C158171838890747">
            <wsse:Reference URI="#X509-33966159F436ED774C158171838890745" ValueType=""/>
   <wsse:UsernameToken wsu:Id="UsernameToken-33966159F436ED774C158171838890544">
      <wsse:Password Type="">MyPassword</wsse:Password>
      <wsse:Nonce EncodingType="">ID79BmTDQ5z2hLt4MQQ8RQ==</wsse:Nonce>
   <wsu:Timestamp wsu:Id="TS-33966159F436ED774C158171838890443">

I am using the policy with the following parameters:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<JavaCallout async="false" continueOnError="false" enabled="true" name="JCRequestSegurity">
        <Property name="source">message.content</Property>
        <Property name="expiry">60s</Property>
        <Property name="private-key">{private.vCertificateKey}</Property>
        <Property name="certificate">{property.vCertitficate}</Property>
Petition built in apigee:
<wssec:Security soapenv:mustUnderstand="1">
	<wsu:Timestamp wsu:Id="Timestamp-07f2e5a8-c7a8-49b0-83bf-f094ff66f0f0">
	<Signature xmlns="">
			<CanonicalizationMethod Algorithm=""/>
			<SignatureMethod Algorithm=""/>
			<Reference URI="#Body-c617cb34-3786-43e9-a58d-db45e62be9e9">
					<Transform Algorithm=""/>
				<DigestMethod Algorithm=""/>
			<Reference URI="#Timestamp-07f2e5a8-c7a8-49b0-83bf-f094ff66f0f0">
					<Transform Algorithm=""/>
				<DigestMethod Algorithm=""/>
		<SignatureValue>MXWT6rF+R0HfocaqJfyMaJQ7BVQ19QGJKTm3hgnqmDSvYFDsKsefdpqI9GRmsKt8NapfpJsJ8Tx3 Jr9bH+1Qy1flBUlEvI2B1l1Wm3ZaLU5xr2IvSJ7QU1DDvpzo9ZE6xo3K+8QMijsELfa6GcOs8yNc VgZ3UKj67JLvgNgenuYjQjfd7IyAuJusGnXEDVFp750hc/bbIVn6kV/vN5frmbq84EPBT1uBUs5g sz11Oj4HaSmGNLPzm9q8J+Jtz8BH7tlWJndWH9aPY/eJYdaYyyacQsEvU1gzDBrPCoO9XkWKPjb3 Dn7BsfNaN9eOxC87RzgdTPPSMEEpmXpcCZTFVQ==</SignatureValue>
				<wssec:Reference URI="#SecurityToken-7161c7ed-c0a5-47c0-8164-09876b437ac1" ValueType=""/>
Solved Solved
0 8 806

You can't use the WS-Security callout to append a username token.

The username token can be simply injected into the SOAP document, prior to the use of the WS-Sec callout. A good way to inject an element in Apigee is with an XSLT, or even with an AssignMessage and a message template.

THEN, use the WS-Sec callout to sign.

Please note:

the Ws-Sec callout you mentioned signs the soap:Body and the WS-Sec Timestamp elements. You can change those settings (see the README) so that it signs only the Body. I don't think you'd want to do that; it doesn't make sense to me to not sign the timestamp. But your expected example shows no signature on the Timestamp, so I guess you could try it.

Also Your "expected signature" shows a signed element of "id-33966159F436ED774C158171838890848"

      <ds:Reference URI="#id-33966159F436ED774C158171838890848">
               <ds:Transform Algorithm="">
                  <ec:InclusiveNamespaces PrefixList="v1" xmlns:ec=""/>
            <ds:DigestMethod Algorithm=""/>

I guess that is the Body, but I'm not sure. You didn't show that part.

I guess I could extend the callout to also inject a username token into the WS-Sec header, but .. it seems to me.... better accomplished in a separate step. If you wanted to be slick you could make your own WS-Sec usernametoken callout to apply that Nonce and Created element automatically. (What's the rule behind that nonce, if any? Is it just a random string of bytes, base64-encoded?) Then you'd need to apply two Java callouts - one to inject the username token, and the second to sign.

What's the receiving system?

View solution in original post


You can't use the WS-Security callout to append a username token.

The username token can be simply injected into the SOAP document, prior to the use of the WS-Sec callout. A good way to inject an element in Apigee is with an XSLT, or even with an AssignMessage and a message template.

THEN, use the WS-Sec callout to sign.

Please note:

the Ws-Sec callout you mentioned signs the soap:Body and the WS-Sec Timestamp elements. You can change those settings (see the README) so that it signs only the Body. I don't think you'd want to do that; it doesn't make sense to me to not sign the timestamp. But your expected example shows no signature on the Timestamp, so I guess you could try it.

Also Your "expected signature" shows a signed element of "id-33966159F436ED774C158171838890848"

      <ds:Reference URI="#id-33966159F436ED774C158171838890848">
               <ds:Transform Algorithm="">
                  <ec:InclusiveNamespaces PrefixList="v1" xmlns:ec=""/>
            <ds:DigestMethod Algorithm=""/>

I guess that is the Body, but I'm not sure. You didn't show that part.

I guess I could extend the callout to also inject a username token into the WS-Sec header, but .. it seems to me.... better accomplished in a separate step. If you wanted to be slick you could make your own WS-Sec usernametoken callout to apply that Nonce and Created element automatically. (What's the rule behind that nonce, if any? Is it just a random string of bytes, base64-encoded?) Then you'd need to apply two Java callouts - one to inject the username token, and the second to sign.

What's the receiving system?

try this for injecting the username token:

<p>Any reaction, Desarrollo? Feedback?</p>

Hi @Dino-at-Google, thank you very much for your prompt response, thanks to the contribution you made "Java Callout for WS-Security Username Token" the service worked without any problem.

Thank you very much for your help.

Happy day.

Glad to help.

Hello Mr Dino,

I tried using your code base for building the package but i encountered an error. When I execute the below commmand, i get an error. I'm using Open JDK 11 to compile.

mvn clean package


[ERROR] Failed to execute goal on project apigee-wssecusernametoken: Could not resolve dependencies for project The following artifacts could not be resolved: com.apigee.edge:message-flow:jar:1.0.0, com.apigee.edge:expressions:jar:1.0.0: Could not find artifact com.apigee.edge:message-flow:jar:1.0.0 in central ( -> [Help 1]

Can you please check and help?



This is pretty old thread but anyways try following & setup apigee specific jars in your local maven repo.


Yes, there is a note in the pom.xml file about this.

The following 2 jar dependencies from Apigee are not avaiable in any public repo. You can install them in your machine-local repo (The .m2 cache) to get this pom.xml to build successfully. Run the script to do this...

I should have placed it in the README as well. After you download and install those JARs, you'll be able to build.