- SwA profile 1.1 with Wss4jSecurityInterceptor
Hello Spring-ws community,
I'm using spring-ws to develop an AS4 server. Everything works correctly (SAAJ + Wss4j2) except when I want to sign/encrypt SOAP attachments in a request. When I try it, I get an error:
Caused by: org.apache.wss4j.common.ext.WSSecurityException: Error during Signature:
    at org.apache.wss4j.dom.action.SignatureAction.execute(SignatureAction.java:162)
    at org.apache.wss4j.dom.handler.WSHandler.doSenderAction(WSHandler.java:234)
    at org.springframework.ws.soap.security.wss4j2.Wss4jHandler.doSenderAction(Wss4jHandler.java:63)
    at org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor.secureMessage(Wss4jSecurityInterceptor.java:563)
    ... 32 common frames omitted
Caused by: org.apache.wss4j.common.ext.WSSecurityException: Cannot setup signature data structure
    at org.apache.wss4j.dom.message.WSSecSignatureBase.addReferencesToSign(WSSecSignatureBase.java:208)
    at org.apache.wss4j.dom.message.WSSecSignature.addReferencesToSign(WSSecSignature.java:412)
    at org.apache.wss4j.dom.action.SignatureAction.execute(SignatureAction.java:147)
    ... 35 common frames omitted
Caused by: org.apache.wss4j.common.ext.WSSecurityException: no attachment callbackhandler supplied
    at org.apache.wss4j.dom.message.WSSecSignatureBase.addAttachmentReferences(WSSecSignatureBase.java:228)
    at org.apache.wss4j.dom.message.WSSecSignatureBase.addReferencesToSign(WSSecSignatureBase.java:111)
    ... 37 common frames omitted
Wss4j2 needs an attachmentCallbackHandler to work, but it can't be set via Wss4jSecurityInterceptor. I've added a new field and its setter, and I added a line in the initializeRequestData method to set it in the request. After this I could sign attachments in SOAP without problems.
A SAAJ attachmentCallbackHandler implementation with its test is also included in the pull request.
@elfogre Please sign the Contributor License Agreement!
@elfogre Thank you for signing the Contributor License Agreement!
Shouldn't this use the MimeMessage API so that it works with both SAAJ and Axiom?
My first approach was with org.springframework.ws.mime.Attachment instead of the SAAJ-dependent AttachmentPart. However, there is a design problem with org.springframework.ws.mime.Attachment that requires a big change. I'll try to explain:
- The Attachment interface declares getters for the attachment contentId, contentType and an InputStream for the content itself, but it lacks a getter for mimeHeaders (like Content-Transfer-Encoding or Content-Location).
- The Axiom implementation of attachment (org.springframework.ws.soap.axiom.AxiomAttachment) stores all its data in a String for contentId and a DataHandler for contentType and the content itself. There is no space for MIME headers.
- The SAAJ implementation (org.springframework.ws.soap.saaj.SaajAttachment) stores its data in a javax.xml.soap.AttachmentPart that has accessors for MIME headers.
As I need all attachment MIME headers to be correctly processed in the attachmentCallbackHandler, I can't use Axiom and I have to access javax.xml.soap.AttachmentPart in the SAAJ implementation. This is the reason why this callback is only for SAAJ.
If we write accessors for MIME headers in the Attachment interface and in the SAAJ and Axiom attachment implementations, we can easily change this CallbackHandler to use the SoapMessage API.
I can write that code if you think it's useful.
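For readers following the thread, here is an added sketch (not the handler submitted in this pull request, and not Spring-WS code) of a SAAJ-backed WSS4J attachment callback handler that copies every MIME header across, which is the requirement the reply above describes. The class and helper names are hypothetical, and it assumes the `javax.xml.soap` API and Content-IDs stored in the `<id>` form; wiring it into Wss4jSecurityInterceptor is what the pull request adds and is not shown.

```java
import java.io.IOException;
import java.util.*;
import javax.security.auth.callback.*;
import javax.xml.soap.*;
import org.apache.wss4j.common.ext.*;

// Added illustration: hypothetical class and helper names, not the pull request's handler.
public class SaajAttachmentCallbackSketch implements CallbackHandler {
    private final SOAPMessage message;
    public SaajAttachmentCallbackSketch(SOAPMessage message) { this.message = message; }
    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        try {
            for (Callback cb : callbacks) {
                if (cb instanceof AttachmentRequestCallback) load((AttachmentRequestCallback) cb);
                else if (cb instanceof AttachmentResultCallback)   // WSS4J hands a part back
                    put(((AttachmentResultCallback) cb).getAttachment(), true);
                else throw new UnsupportedCallbackException(cb);
            }
        } catch (SOAPException e) { throw new IOException(e); }
    }
    private void load(AttachmentRequestCallback req) throws SOAPException {
        String want = req.getAttachmentId();             // "Attachments" means every part
        req.setAttachments(new ArrayList<>());
        for (Iterator<?> it = message.getAttachments(); it.hasNext();) {
            AttachmentPart part = (AttachmentPart) it.next();
            String id = Objects.toString(part.getContentId(), "").replaceAll("^<|>$", "");
            if (id.isEmpty() || !("Attachments".equals(want) || id.equals(want))) continue;
            Attachment a = new Attachment();
            a.setId(id);
            a.setMimeType(part.getContentType());
            a.setSourceStream(part.getRawContent());
            part.getAllMimeHeaders().forEachRemaining(h ->   // keep every MIME header
                a.addHeader(((MimeHeader) h).getName(), ((MimeHeader) h).getValue()));
            req.getAttachments().add(a);
        }
        if (req.isRemoveAttachments()) for (Attachment a : req.getAttachments()) put(a, false);
    }
    private void put(Attachment a, boolean add) throws SOAPException {
        MimeHeaders match = new MimeHeaders();
        match.addHeader("Content-ID", "<" + a.getId() + ">");
        message.removeAttachments(match);                // drop the old part, never duplicate
        if (!add) return;
        AttachmentPart part = message.createAttachmentPart();
        part.setRawContent(a.getSourceStream(), a.getMimeType());
        a.getHeaders().forEach(part::setMimeHeader);     // headers set by WSS4J are kept
        part.setContentId("<" + a.getId() + ">");
        message.addAttachmentPart(part);
    }
}
```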