Validate XML Signatures & prove message Integrity

How do I validate XML Signatures for authentication purposes & use XML Signatures to prove message integrity in Apigee?

The signature is located in the WS-Security block & the signing key is in the <KeyInfo> block of the message.

Similar functionality to what is described here:

http://docs.oracle.com/cd/E39820_01/doc.11121/gateway_docs/content/content_integrity.html

Is there a sample to refer to, to achieve this in Apigee?


Not applicable

Season's Greetings @vinay poreddy! Excellent Question!

In my experience, I implemented this by leveraging a Java Callout Policy. The article "Signing SOAP Messages - Generation of Enveloped XML Signatures" provided some initial thoughts on how to achieve this. One of the challenging parts was reading the keys from a keystore, since, for security reasons, Apigee Edge prevents access to the filesystem. However, this is achievable by storing these files in jar files and retrieving them as a file stream. Check the full example attached. Hope this sample helps give you a head start.

import java.io.InputStream;
import java.io.PrintWriter;
import java.io.StringWriter;
import java.security.KeyStore;
import java.security.PrivateKey;

import org.apache.commons.io.IOUtils;

import com.apigee.flow.execution.ExecutionContext;
import com.apigee.flow.execution.ExecutionResult;
import com.apigee.flow.execution.spi.Execution;
import com.apigee.flow.message.MessageContext;

// Class name is a placeholder; the attached sample uses its own
public class SignSoapCallout implements Execution {

    public ExecutionResult execute(MessageContext messageContext, ExecutionContext executionContext) {
        try {
            org.apache.xml.security.Init.init(); // initialise Apache Santuario before any XML Security call

            // Edge blocks filesystem access, so both the template and the keystore are
            // packaged inside the callout jar and read from the classpath as streams
            InputStream fstream = this.getClass().getResourceAsStream("/templates/stockTemplate.xml");
            InputStream kfstream = this.getClass().getResourceAsStream("/templates/keystore.jks");

            StringWriter writer = new StringWriter();
            IOUtils.copy(fstream, writer, "UTF-8");
            String theString = writer.toString();
            messageContext.setVariable("stockTemplateFileContent", theString); // expose the template to the proxy flow
            messageContext.setVariable("response.content", theString);         // and return it as the response body

            String keystoreType = "JKS";
            String keystorePass = "Password123";
            String privateKeyAlias = "mydomain";
            String privateKeyPass = "Password123";
            String certificateAlias = "mydomain"; // not used in this excerpt

            // Load the keystore from the jar stream and pull out the signing key
            KeyStore ks = KeyStore.getInstance(keystoreType);
            ks.load(kfstream, keystorePass.toCharArray());
            PrivateKey privateKey = (PrivateKey) ks.getKey(privateKeyAlias, privateKeyPass.toCharArray());

            return ExecutionResult.SUCCESS;
        } catch (Exception e) {
            // Surface the stack trace as a flow variable so it can be inspected in Trace or a fault rule
            StringWriter sw = new StringWriter();
            e.printStackTrace(new PrintWriter(sw));
            messageContext.setVariable("ERROR_MESSAGE", sw.toString());
            return ExecutionResult.ABORT;
        }
    }
}
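The reply above covers the signing side and how to get key material into a callout. As an added example that is not from this thread or the attached callout, the following plain Java shows the validation side the question asks about, using the JDK's built-in javax.xml.crypto.dsig API so it runs outside Apigee (inside a callout the same verify() body would sit in execute() and read the trust anchors from a keystore in the jar, as the reply describes). The class and method names, the sample <order> document and the pinned-key list are all constructed for this illustration. The point it demonstrates: the key in <KeyInfo> arrives with the message, so the KeySelector must accept it only if it matches a key you already trust; the validator also insists on exactly one Signature element, the expected algorithm, and a Reference that covers the whole document.

```java
import java.io.ByteArrayInputStream;
import java.security.*;
import java.util.*;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

// Hypothetical demo class (not the thread's callout): signs a small document,
// then validates it trusting only keys that were pinned ahead of time.
public class XmlSignatureCheckDemo {
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Trust anchors. In a callout these come from a keystore bundled in the jar,
    // never from the message being checked.
    static final List<PublicKey> TRUSTED = new ArrayList<>();

    static boolean isTrusted(PublicKey k) {
        for (PublicKey t : TRUSTED)
            if (Arrays.equals(t.getEncoded(), k.getEncoded())) return true;
        return false;
    }

    // Reads <KeyValue> out of <KeyInfo>, but hands it to the validator only if it is
    // one of the pinned keys and the SignatureMethod is the one we expect.
    static class PinnedKeySelector extends KeySelector {
        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose,
                AlgorithmMethod method, XMLCryptoContext ctx) throws KeySelectorException {
            if (keyInfo == null) throw new KeySelectorException("no KeyInfo in signature");
            if (!RSA_SHA256.equals(method.getAlgorithm()))
                throw new KeySelectorException("unexpected SignatureMethod " + method.getAlgorithm());
            for (Object s : keyInfo.getContent()) {
                if (!(s instanceof KeyValue)) continue;
                final PublicKey pk;
                try { pk = ((KeyValue) s).getPublicKey(); }
                catch (KeyException e) { throw new KeySelectorException(e); }
                if (isTrusted(pk)) return () -> pk;
            }
            throw new KeySelectorException("KeyInfo carries no trusted key");
        }
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);                                              // required for dsig namespaces
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD / entity tricks
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
    }

    // Enveloped signature over the whole document, public key carried in <KeyInfo>/<KeyValue>
    static void sign(Document doc, KeyPair kp) throws Exception {
        XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
        Reference ref = f.newReference("", f.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(f.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = f.newSignedInfo(
                f.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                f.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        KeyInfoFactory kif = f.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));
        f.newXMLSignature(si, ki).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
    }

    static boolean verify(Document doc) {
        try {
            NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
            if (nl.getLength() != 1) return false;                  // exactly one signature, no extras
            DOMValidateContext vc = new DOMValidateContext(new PinnedKeySelector(), nl.item(0));
            vc.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE); // JDK hardening switch
            XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(vc);
            for (Object r : sig.getSignedInfo().getReferences())
                if (!"".equals(((Reference) r).getURI())) return false; // must cover the whole document
            return sig.validate(vc);  // recomputes digests and checks SignatureValue with the pinned key
        } catch (Exception e) {       // untrusted key, malformed signature, bad algorithm: all fail closed
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair signer = kpg.generateKeyPair();
        KeyPair stranger = kpg.generateKeyPair();
        TRUSTED.add(signer.getPublic());

        String xml = "<order><item>widget</item><qty>1</qty></order>"; // constructed sample body

        Document good = parse(xml);
        sign(good, signer);
        System.out.println("valid, pinned key:      " + verify(good));

        Document tampered = parse(xml);
        sign(tampered, signer);
        tampered.getElementsByTagName("qty").item(0).setTextContent("100"); // edit after signing
        System.out.println("tampered after signing: " + verify(tampered));

        Document forged = parse(xml);
        sign(forged, stranger); // well-formed signature, but the KeyInfo key is not pinned
        System.out.println("signed by unknown key:  " + verify(forged));
    }
}
```

The three cases in main() separate the checks a callout needs: the first passes both the digest and the key pin, the second fails on the recomputed digest, and the third fails inside the KeySelector even though the signature itself is mathematically sound, which is exactly why a key found in <KeyInfo> must never be trusted on its own. For a WS-Security header, locate the Signature under wsse:Security instead of searching the whole document, and compare against the trust anchors loaded from the jar's keystore rather than a list built at runtime.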

Can you provide a sample proxy for reference?