WS Security for Apigee add UsernameToken

desarrollo
Participant I

Hi @Dino, @Dino-at-Google

I am currently working on a service that requires sending a WS-Security signature, so I used your Java Callout for WS-Security Digital Signature contribution. I can see that the structure is formed, but I am unsure which property I can use to add the "wsse:UsernameToken" tag, as the service requires sending a user and password.

Thank you very much for your help.

Expected request:

<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-33966159F436ED774C158171838890745">...</wsse:BinarySecurityToken>
   <ds:Signature Id="SIG-33966159F436ED774C158171838891449" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="soapenv v1" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
         </ds:CanonicalizationMethod>
         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
         <ds:Reference URI="#id-33966159F436ED774C158171838890848">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                  <ec:InclusiveNamespaces PrefixList="v1" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>gmKUJpTehR0Dn2/QMMl9GZuuI/8=</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>S4Ym+F3+F1+Jh2I2jAaIM4talL6AADu0lfe5NrTzHOlebptglhmcVLkEzBuAdJxbkfqD9C/WOtkj
Xtke+hfucN+bF+MY7LhhdYWc7Gh6EERdhaM1OGNsla+EIOjym5TA8fOc6nj0VfY4Uvf96wisNJ1T
dcpMtw8466tBJ+CXjDGP+DNHFx+GjaqlTTPjY7g4kqX+mpWRGLCDbJGCrkFc4KvNZkZ1pvJ/QaAO
a/lqtkUWnJM6LwQ2BK9Q+c4RvSSOiZ93yqNpFs7r+KeJCghuvJFntg2zYd+kS3/lCaNFUvxWy/ZZ
1YUNIRlZZzMhgkv88wnTILpzi1MPLgfi5DN+hg==</ds:SignatureValue>
      <ds:KeyInfo Id="KI-33966159F436ED774C158171838890746">
         <wsse:SecurityTokenReference wsu:Id="STR-33966159F436ED774C158171838890747">
            <wsse:Reference URI="#X509-33966159F436ED774C158171838890745" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
         </wsse:SecurityTokenReference>
      </ds:KeyInfo>
   </ds:Signature>
   <wsse:UsernameToken wsu:Id="UsernameToken-33966159F436ED774C158171838890544">
      <wsse:Username>MyUser</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">MyPassword</wsse:Password>
      <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">ID79BmTDQ5z2hLt4MQQ8RQ==</wsse:Nonce>
      <wsu:Created>2020-02-14T22:13:08.905Z</wsu:Created>
   </wsse:UsernameToken>
   <wsu:Timestamp wsu:Id="TS-33966159F436ED774C158171838890443">
      <wsu:Created>2020-02-14T22:13:08.904Z</wsu:Created>
      <wsu:Expires>2020-02-14T22:14:08.904Z</wsu:Expires>
   </wsu:Timestamp>
</wsse:Security>

I am using the policy with the following parameters:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<JavaCallout async="false" continueOnError="false" enabled="true" name="JCRequestSegurity">
    <DisplayName>JCRequestSegurity</DisplayName>
    <Properties>
        <Property name="source">message.content</Property>
        <Property name="expiry">60s</Property>
        <Property name="private-key">{private.vCertificateKey}</Property>
        <Property name="certificate">{property.vCertitficate}</Property>
    </Properties>
    <ClassName>com.google.apigee.edgecallouts.wssecdsig.Sign</ClassName>
    <ResourceURL>java://edge-wssecdsig-20200219.jar</ResourceURL>
</JavaCallout>

Request built in Apigee:

<wssec:Security soapenv:mustUnderstand="1">
	<wsu:Timestamp wsu:Id="Timestamp-07f2e5a8-c7a8-49b0-83bf-f094ff66f0f0">
		<wsu:Created>2020-02-21T20:33:27Z</wsu:Created>
		<wsu:Expires>2020-02-21T20:34:27Z</wsu:Expires>
	</wsu:Timestamp>
	<wssec:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="SecurityToken-7161c7ed-c0a5-47c0-8164-09876b437ac1">...</wssec:BinarySecurityToken>
	<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
		<SignedInfo>
			<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
			<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
			<Reference URI="#Body-c617cb34-3786-43e9-a58d-db45e62be9e9">
				<Transforms>
					<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
				</Transforms>
				<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
				<DigestValue>TUbN/qTRF/mvOdAtUykIWnYEdM0=</DigestValue>
			</Reference>
			<Reference URI="#Timestamp-07f2e5a8-c7a8-49b0-83bf-f094ff66f0f0">
				<Transforms>
					<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
				</Transforms>
				<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
				<DigestValue>N470HMk0F8gb5A7ONqqNYjC2Xe0=</DigestValue>
			</Reference>
		</SignedInfo>
		<SignatureValue>MXWT6rF+R0HfocaqJfyMaJQ7BVQ19QGJKTm3hgnqmDSvYFDsKsefdpqI9GRmsKt8NapfpJsJ8Tx3 Jr9bH+1Qy1flBUlEvI2B1l1Wm3ZaLU5xr2IvSJ7QU1DDvpzo9ZE6xo3K+8QMijsELfa6GcOs8yNc VgZ3UKj67JLvgNgenuYjQjfd7IyAuJusGnXEDVFp750hc/bbIVn6kV/vN5frmbq84EPBT1uBUs5g sz11Oj4HaSmGNLPzm9q8J+Jtz8BH7tlWJndWH9aPY/eJYdaYyyacQsEvU1gzDBrPCoO9XkWKPjb3 Dn7BsfNaN9eOxC87RzgdTPPSMEEpmXpcCZTFVQ==</SignatureValue>
		<KeyInfo>
			<wssec:SecurityTokenReference>
				<wssec:Reference URI="#SecurityToken-7161c7ed-c0a5-47c0-8164-09876b437ac1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
			</wssec:SecurityTokenReference>
		</KeyInfo>
	</Signature>
</wssec:Security>

ACCEPTED SOLUTION

You can't use the WS-Security callout to append a username token.

The username token can be simply injected into the SOAP document, prior to the use of the WS-Sec callout. A good way to inject an element in Apigee is with an XSLT, or even with an AssignMessage and a message template.

THEN, use the WS-Sec callout to sign.

Please note:

The WS-Sec callout you mentioned signs the soap:Body and the WS-Sec Timestamp elements. You can change those settings (see the README) so that it signs only the Body. I don't think you'd want to do that; it doesn't make sense to me to not sign the timestamp. But your expected example shows no signature on the Timestamp, so I guess you could try it.

Also, your "expected signature" shows a signed element of "id-33966159F436ED774C158171838890848":

      <ds:Reference URI="#id-33966159F436ED774C158171838890848">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                  <ec:InclusiveNamespaces PrefixList="v1" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>gmKUJpTehR0Dn2/QMMl9GZuuI/8=</ds:DigestValue>
         </ds:Reference>

I guess that is the Body, but I'm not sure. You didn't show that part.

I guess I could extend the callout to also inject a username token into the WS-Sec header, but .. it seems to me.... better accomplished in a separate step. If you wanted to be slick you could make your own WS-Sec usernametoken callout to apply that Nonce and Created element automatically. (What's the rule behind that nonce, if any? Is it just a random string of bytes, base64-encoded?) Then you'd need to apply two Java callouts - one to inject the username token, and the second to sign.

What's the receiving system?

try this for injecting the username token:

https://github.com/DinoChiesa/Apigee-Java-WsSec-Username-Token
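
The injection step described in the accepted answer, as an added example: stand-alone Java that is not the code from the repository linked above and not an Apigee callout class. The class name `UsernameTokenInjector`, the sample envelope and the 16-byte random nonce are assumptions; the element layout follows the expected request in the question.

```java
import java.io.*;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class UsernameTokenInjector { // hypothetical name, not the class from the linked repo
  static final String OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-";
  static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
  static final String WSSE = OASIS + "wssecurity-secext-1.0.xsd", WSU = OASIS + "wssecurity-utility-1.0.xsd";
  // Append a namespaced child element, optionally with text content.
  static Element add(Element parent, String ns, String qname, String text) {
    Element e = parent.getOwnerDocument().createElementNS(ns, qname);
    if (text != null) e.setTextContent(text);
    return (Element) parent.appendChild(e);
  }
  public static String inject(String soap, String user, String password) throws Exception {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    f.setNamespaceAware(true);
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // reject DTDs (XXE)
    Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(soap)));
    Element env = doc.getDocumentElement();
    Element header = (Element) env.getElementsByTagNameNS(SOAP, "Header").item(0);
    if (header == null) { // no Header yet: create it as the first child of Envelope
      String qname = env.getPrefix() == null ? "Header" : env.getPrefix() + ":Header";
      header = (Element) env.insertBefore(doc.createElementNS(SOAP, qname), env.getFirstChild());
    }
    Element sec = (Element) header.getElementsByTagNameNS(WSSE, "Security").item(0);
    if (sec == null) sec = add(header, WSSE, "wsse:Security", null);
    byte[] nonce = new byte[16]; // assumption: nonce is 16 fresh random bytes per message
    new SecureRandom().nextBytes(nonce);
    Element ut = add(sec, WSSE, "wsse:UsernameToken", null);
    ut.setAttributeNS(WSU, "wsu:Id", "UsernameToken-" + UUID.randomUUID());
    add(ut, WSSE, "wsse:Username", user);
    add(ut, WSSE, "wsse:Password", password).setAttribute("Type", OASIS + "username-token-profile-1.0#PasswordText");
    add(ut, WSSE, "wsse:Nonce", Base64.getEncoder().encodeToString(nonce)).setAttribute("EncodingType", OASIS + "soap-message-security-1.0#Base64Binary");
    add(ut, WSU, "wsu:Created", Instant.now().truncatedTo(java.time.temporal.ChronoUnit.MILLIS).toString());
    StringWriter out = new StringWriter();
    TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
    return out.toString();
  }
  public static void main(String[] args) throws Exception { // constructed sample envelope
    System.out.println(inject("<soapenv:Envelope xmlns:soapenv='" + SOAP + "'><soapenv:Body/></soapenv:Envelope>", "MyUser", "MyPassword"));
  }
}
```

Run this before the signing callout so the header already contains the token when the signature is computed. With the `PasswordText` type the password is carried in clear text in the header, so it is protected only by the transport (TLS).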

Any reaction, Desarrollo? Feedback?

Hi @Dino-at-Google, thank you very much for your prompt response, thanks to the contribution you made "Java Callout for WS-Security Username Token" the service worked without any problem.

Thank you very much for your help.

Happy day.

Glad to help.

Hello Mr Dino,

I tried using your code base for building the package but I encountered an error. When I execute the below command, I get an error. I'm using OpenJDK 11 to compile.

mvn clean package

Error:

[ERROR] Failed to execute goal on project apigee-wssecusernametoken: Could not resolve dependencies for project com.google.apigee.edgecallouts:apigee-wssecusernametoken:jar:20210409: The following artifacts could not be resolved: com.apigee.edge:message-flow:jar:1.0.0, com.apigee.edge:expressions:jar:1.0.0: Could not find artifact com.apigee.edge:message-flow:jar:1.0.0 in central (https://repo.maven.apache.org/maven2) -> [Help 1]

Can you please check and help?

Thanks

Kranthi

This is a pretty old thread, but anyway, try the following and set up the Apigee-specific JARs in your local Maven repo: https://www.googlecloudcommunity.com/gc/Apigee/Apigee-Java-JARs-Where-What-How/td-p/57321

Yes, there is a note in the pom.xml file about this.

The following 2 jar dependencies from Apigee are not available in any public repo. You can install them in your machine-local repo (The .m2 cache) to get this pom.xml to build successfully. Run the buildsetup.sh script to do this...

I should have placed it in the README as well. After you download and install those JARs, you'll be able to build.