Issue with Java callout while signing a SOAP 1.2 request payload with the ApigeeEdge-Java-WsSec-Signature-2 custom jar

Hi @Dino-at-Google,

Thanks for your custom jar file (https://github.com/DinoChiesa/ApigeeEdge-Java-WsSec-Signature-2) for signing / validating SOAP requests with WS-Security. I am able to use this custom jar (for signing) only for SOAP 1.1 payloads; when I try to use it for a SOAP 1.2 payload it does not return any request content or error.

Could you please help me with how this jar can be used for SOAP 1.2 requests?

@Dino


Yes, I understand. That callout was designed to support SOAP 1.1 and was not tested with SOAP 1.2.

Can you give me an example SOAP 1.2 payload that you would like to sign?

Thanks Dino. I am attaching both the SOAP 1.2 request payload before signing and after signing (I used SoapUI to generate the signed payload).

Please let me know if you need the entire request payload with wsa:Action and wsa:To.

soap12reqinfo.zip

Thanks Ravi.

In that signed payload, the ds:Reference points to the wsa:To element.

That's surprising to me. The only thing signed in this payload is the wsa:To element.

The wsu:Timestamp is not signed, nor is the soap:Body.

I would expect both of those elements to be signed. Maybe in addition to the wsa:To element.

Can you check to see what the ds:Reference looks like in the ACTUAL payloads, not necessarily the payloads generated by SOAP-UI ?

         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-460E46A238A634074C158413069535345">
            <ds:SignedInfo>
               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                  <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsa soap v1 v11" />
               </ds:CanonicalizationMethod>
               <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
               <ds:Reference URI="#id-460E46A238A634074C158413069535144">

That Reference ^^ points to the wsa:To element!!! And there is no other Reference.

Yes Dino, in this case the provider (target system) is expecting only wsa:To to be signed. The attached signed payload was tested against the target endpoint and that works.

That seems quite unwise! Without a signature, the timestamp offers no real security, and the Body can be modified in any way while the message is in transit.

I don't want to tell you how to do things, but ... I think maybe your provider is mis-configured. The wsa:To is not the critical thing to sign.

In my opinion, the provider should insist that:

  • the soap:Body is signed
  • the wsu:Timestamp is present and signed
  • the wsu:Timestamp/Expires is before "now"

It might also want to check the Timestamp/Created element to see that it is not "too old".

The provider need not really care whether the wsa:To element is signed. That's probably the least sensitive element.

This is just my opinion.

Hi Ravi,

I've updated the custom callout jar to support soap 1.2 for Signing.

Can you please re-download the JAR (make sure it is version 20200313) and try again?

The configuration should specify the soap-version like this:

<JavaCallout name='Java-WSSEC-Sign-soap12'>
  <Properties>
    <Property name='source'>message.content</Property>
    <Property name='soap-version'>soap1.2</Property>
    <Property name='output-variable'>output</Property>
    <Property name='signing-method'>rsa-sha256</Property>
    <Property name='digest-method'>sha256</Property>
    <Property name='private-key'>{my_private_key}</Property>
    <Property name='certificate'>{my_certificate}</Property>
  </Properties>
  <ClassName>com.google.apigee.edgecallouts.wssecdsig.Sign</ClassName>
  <ResourceURL>java://edge-wssecdsig-20200313.jar</ResourceURL>
</JavaCallout>

Addendum: Using soap 1.2, this version of the callout still does this:

  • inserts a wsu:Timestamp in the wsse:Security header, with a Created and an Expires element.
  • Signs the body
  • Signs the timestamp

There is no support for signing the wsa:To header element.
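As an added illustration of the provider-side checks listed a few replies up (Body signed, Timestamp present and signed, Timestamp window acceptable) and of what the 20200313 callout emits (Body and Timestamp both referenced), here is a small structural pre-check written for this thread. It is not code from the ApigeeEdge-Java-WsSec-Signature-2 callout and it does not verify the XML signature cryptographically (that needs a real XML-DSig library); it only inspects which wsu:Id values the ds:Reference list covers and whether wsu:Expires is still in the future and wsu:Created is not too old. The two envelopes it inspects are constructed inline with placeholder digest and signature values: one shaped like the SoapUI payload in this thread (only wsa:To referenced) and one shaped like the callout's output (Body plus Timestamp). The element ids (id-to, id-body, TS-1), the 5-minute maximum age and the fixed clock DEMO_NOW are assumptions for the demo.

```python
"""Structural checks on a WS-Security signed SOAP envelope (added example, not
code from the ApigeeEdge-Java-WsSec-Signature-2 callout). It does NOT verify the
XML signature cryptographically; it only checks which elements the ds:Reference
list covers and whether the wsu:Timestamp window is acceptable."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soap11": "http://schemas.xmlsoap.org/soap/envelope/",
    "soap12": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
DEMO_NOW = datetime(2020, 3, 13, 10, 0, 0, tzinfo=timezone.utc)  # fixed clock, assumed for the demo


def _referenced_ids(root):
    """Fragment ids named by every ds:Reference under ds:SignedInfo."""
    return {ref.get("URI", "")[1:] for ref in root.iterfind(".//ds:SignedInfo/ds:Reference", NS)
            if ref.get("URI", "").startswith("#")}


def _parse_utc(text):
    """xsd:dateTime in UTC (wsu:Created / wsu:Expires); fractional seconds are dropped."""
    text = re.sub(r"\.\d+Z$", "Z", text.strip())
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_signature_coverage(envelope_xml, now=None, max_age=timedelta(minutes=5)):
    """Return the problems found (empty list = pass): soap:Body referenced, wsu:Timestamp
    present and referenced, Expires still in the future, Created no older than max_age."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(envelope_xml)
    refs = _referenced_ids(root)
    if not refs:
        problems.append("no ds:Reference found in ds:SignedInfo")
    # Accept either SOAP version; the Envelope namespace tells them apart.
    body = root.find("{%s}Body" % NS["soap12"])
    if body is None:
        body = root.find("{%s}Body" % NS["soap11"])
    if body is None:
        problems.append("no soap:Body")
    elif body.get(WSU_ID) not in refs:
        problems.append("soap:Body is not covered by the signature")
    ts = root.find(".//wsse:Security/wsu:Timestamp", NS)
    if ts is None:
        problems.append("wsu:Timestamp missing from wsse:Security")
        return problems
    if ts.get(WSU_ID) not in refs:
        problems.append("wsu:Timestamp is not covered by the signature")
    created = ts.findtext("wsu:Created", default="", namespaces=NS)
    expires = ts.findtext("wsu:Expires", default="", namespaces=NS)
    try:
        if _parse_utc(expires) <= now:
            problems.append("wsu:Expires is in the past")
        if now - _parse_utc(created) > max_age:
            problems.append("wsu:Created is too old")
    except ValueError:
        problems.append("wsu:Created/wsu:Expires is missing or unparsable")
    return problems


def sample_envelope(reference_ids, created, expires):
    """Constructed SOAP 1.2 envelope whose ds:Reference list names reference_ids.
    DigestValue/SignatureValue are placeholders, not real signature material."""
    refs = "".join(
        '<ds:Reference URI="#%s"><ds:DigestValue>placeholder</ds:DigestValue></ds:Reference>' % rid
        for rid in reference_ids)
    return f"""<soap:Envelope xmlns:soap="{NS['soap12']}" xmlns:wsu="{NS['wsu']}"
    xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <soap:Header>
    <wsa:To wsu:Id="id-to">https://example.invalid/service</wsa:To>
    <wsse:Security xmlns:wsse="{NS['wsse']}">
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>{created}</wsu:Created>
        <wsu:Expires>{expires}</wsu:Expires>
      </wsu:Timestamp>
      <ds:Signature xmlns:ds="{NS['ds']}">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
          {refs}
        </ds:SignedInfo>
        <ds:SignatureValue>placeholder</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="id-body"><echo>hello</echo></soap:Body>
</soap:Envelope>"""


if __name__ == "__main__":
    # Shaped like the SoapUI payload in this thread: only wsa:To is referenced.
    weak = sample_envelope(["id-to"], "2020-03-13T09:59:00Z", "2020-03-13T10:04:00Z")
    print("wsa:To only    ->", check_signature_coverage(weak, now=DEMO_NOW))
    # Shaped like the 20200313 callout output: Body and Timestamp are both referenced.
    good = sample_envelope(["id-body", "TS-1"], "2020-03-13T09:59:00Z", "2020-03-13T10:04:00Z")
    print("Body+Timestamp ->", check_signature_coverage(good, now=DEMO_NOW))
```

Run stand-alone, the wsa:To-only envelope is reported as leaving both the Body and the Timestamp unprotected, while the Body-plus-Timestamp envelope passes. A real provider would run this kind of coverage check only after the XML-DSig library has verified the signature value and each digest; the point here is that a valid signature over the wrong element proves nothing about the Body.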

Thanks Dino.

I tried the above jar for both the 1.1 and 1.2 version payloads, but it is not giving any output message content.

Show your policy configuration. Did you use the "output-variable" property?