Home/ Questions/Q 8227417
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-07T16:07:25+00:00

I’m using WSS4J to verify sign and timestamp in soap messages. But when I

  • 0

I’m using WSS4J to verify sign and timestamp in soap messages. But when I receive message without signed timestamp part wssj4 thinks that everything is ok, and I would like to see error in that situation.

My good message looks like that:

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-3">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
          <ds:Reference URI="#id-2">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>u8CMT7Q7fJJ1Dv5dEmzGU1FO5Y0=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#TS-1">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>m8XN2C3FUjK4WHAXhO9gLI82XeE=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>X9EntCBO7nmNrYsYuugpHxN13wSUNhTF4exkRRWj0tTrfEqbz8potg==</ds:SignatureValue>
        <ds:KeyInfo Id="KI-B60AEEFF94DBA35E9413402583324452">
          <wsse:SecurityTokenReference wsu:Id="STR-B60AEEFF94DBA35E9413402583324473">
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=TEST,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown</ds:X509IssuerName>
                <ds:X509SerialNumber>1332750124</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>2012-06-21T05:58:52.392Z</wsu:Created>
        <wsu:Expires>2012-06-21T06:03:52.392Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soap:Header>
  <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-2">
    [...]
  </soap:Body>
</soap:Envelope>

And bad message (this one should throw exception something like “timestamp not signed”):

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-3">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
          <ds:Reference URI="#id-2">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>u8CMT7Q7fJJ1Dv5dEmzGU1FO5Y0=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>U6TSJXJTCryEm5FhoMBbEoiUIL0jjFDvPxPJ3ihoOHsWCwk4t3++2w==</ds:SignatureValue>
        <ds:KeyInfo Id="KI-9AEDF8EC92B112ADE113402583983992">
          <wsse:SecurityTokenReference wsu:Id="STR-9AEDF8EC92B112ADE113402583984013">
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=TEST,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown</ds:X509IssuerName>
                <ds:X509SerialNumber>1332750124</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>2012-06-21T05:59:58.376Z</wsu:Created>
        <wsu:Expires>2012-06-21T06:04:58.376Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soap:Header>
  <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-2">
    [...]
  </soap:Body>
</soap:Envelope>

So my bad message doesn’t contains:

<ds:Reference URI="#TS-1">
<ds:Transforms>
  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
    <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap"/>
  </ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>m8XN2C3FUjK4WHAXhO9gLI82XeE=</ds:DigestValue>
</ds:Reference>

Currently I have my veryfying interceptor configured like that:

// verifying incepteptor
final String actions = WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE;
Map<String, Object> inProps = new HashMap<String, Object>();

Map<QName, Validator> validatorMap = new HashMap<QName, Validator>(); 
validatorMap.put(WSSecurityEngine.SIGNATURE, new SignatureTrustValidator());
validatorMap.put(WSSecurityEngine.TIMESTAMP, new TimeStampValidator());
inProps.put(WSS4JInInterceptor.VALIDATOR_MAP, validatorMap); 

inProps.put(WSHandlerConstants.ACTION, actions);
inProps.put(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp");
inProps.put(WSHandlerConstants.SIG_PROP_FILE, SIG_PROPFILE);

WSS4JInInterceptor verifying = new WSS4JInInterceptor(inProps);

How to setup wss4j to achieve such behavior?
BTW:
CXF version: 2.5.1
WSS4J version: 1.6.2

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    And the answer is org.apache.cxf.ws.security.wss4j.CryptoCoverageChecker:

    <util:constant id="typeSigned" static-field="org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType.SIGNED"/>
<util:constant id="scoopeElement" static-field="org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope.ELEMENT"/>
<util:map id="prfx">
    <entry key="soap" value="http://schemas.xmlsoap.org/soap/envelope/"/>
    <entry key="wsse" value="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
    <entry key="wsu" value="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"/>
</util:map>
<bean id="bodyVerifier" class="org.apache.cxf.ws.security.wss4j.CryptoCoverageChecker.XPathExpression">
    <constructor-arg index="0" value="/soap:Envelope/soap:Body" />
    <constructor-arg index="1"><ref bean="typeSigned" /></constructor-arg>
    <constructor-arg index="2"><ref bean="scoopeElement" /></constructor-arg>
</bean>
<bean id="timestampVerifier" class="org.apache.cxf.ws.security.wss4j.CryptoCoverageChecker.XPathExpression">
    <constructor-arg index="0" value="/soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp" />
    <constructor-arg index="1"><ref bean="typeSigned" /></constructor-arg>
    <constructor-arg index="2"><ref bean="scoopeElement" /></constructor-arg>
</bean>
<util:list id="paths" >
    <ref bean="bodyVerifier" />
    <ref bean="timestampVerifier" />
</util:list>
<bean id="coverageChecker" class="org.apache.cxf.ws.security.wss4j.CryptoCoverageChecker">
    <constructor-arg index="0"><ref bean="prfx" /></constructor-arg>
    <constructor-arg index="1"><ref bean="paths" /></constructor-arg>
</bean>

    And next we must add this as interceptor:

    <jaxws:endpoint id="someId" implementor="#example" address="/">
    <jaxws:inInterceptors>
        <ref bean="coverageChecker" />
    </jaxws:inInterceptors>
</jaxws:endpoint>
    • 0