WS-Security Message Sign Example
In this example we configure both the client and the server to sign the message body. Both also require this from each other. So, if you remove either the client or the server security deployment descriptor, you will notice that the other party will throw a fault explaining that the message did not conform to the proper security requirements.
Server configuration (jboss-wsse-server.xml)
<?xml version="1.0" encoding="UTF-8"?>
<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
  <key-store-file>WEB-INF/wsse.keystore</key-store-file>
  <key-store-password>jbossws</key-store-password>
  <trust-store-file>WEB-INF/wsse.truststore</trust-store-file>
  <trust-store-password>jbossws</trust-store-password>
  <config>
    <sign type="x509v3" alias="wsse"></sign>
    <requires>
      <signature></signature>
    </requires>
  </config>
</jboss-ws-security>
Explanation
1. <key-store-file>: the key store we wish to use is WEB-INF/wsse.keystore, which is located in our war file.
2. <key-store-password>: the key store password is "jbossws".
3. <trust-store-file>: the trust store we wish to use is WEB-INF/wsse.truststore, which is also located in our war file.
4. <trust-store-password>: the trust store password is also "jbossws".
5. <config>: here we start our root config block. The root config block is the default configuration for all services in this war file.
6. <sign>: the server must sign the message body of all responses. The type attribute means that we are to use an X.509v3 certificate (a standard certificate). The alias attribute says that the certificate/key pair to use for signing is stored in the key store under the "wsse" alias.
7. <requires>: here we start our optional requires block. This block specifies all security requirements that must be met when the server receives a message.
8. <signature>: all web services in this war file require the message body to be signed.
Client configuration (jboss-wsse-client.xml)
<?xml version="1.0" encoding="UTF-8"?>
<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
  <config>
    <sign type="x509v3" alias="wsse"></sign>
    <requires>
      <signature></signature>
    </requires>
  </config>
</jboss-ws-security>
Explanation
1. <config>: here we start our root config block. The root config block is the default configuration for all web service clients (Call and Proxy objects).
2. <sign>: the client must sign the message body of all requests it sends. The type attribute means that we are to use an X.509v3 certificate (a standard certificate). The alias attribute says that the certificate/key pair to use for signing is stored in the key store under the "wsse" alias.
3. <requires>: here we start our optional requires block. This block specifies all security requirements that must be met when the client receives a response.
4. <signature>: all web service clients require the response messages they receive to be signed.
Notes
We did not specify a key store or trust store, because standalone client applications take them from the wsse System properties instead. If this were a web or EJB client (meaning a web service client packaged in a war or EJB jar file), we would have specified them in the client descriptor, as in the server descriptor above.
Client Request Before Signing
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Header></env:Header>
  <env:Body>
    <ns1:echoUserType xmlns:ns1="http://org.jboss.test.ws/wsse">
      <UserType_1 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <msg>Kermit</msg>
      </UserType_1>
    </ns1:echoUserType>
  </env:Body>
</env:Envelope>
Server Response Before Signing
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Header></env:Header>
  <env:Body>
    <ns1:echoUserTypeResponse xmlns:ns1="http://org.jboss.test.ws/wsse">
      <result xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <msg>Kermit</msg>
      </result>
    </ns1:echoUserTypeResponse>
  </env:Body>
</env:Envelope>
Client Request After Signing
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'>
  <env:Header>
    <wsse:Security env:mustUnderstand='1'
                   xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
                   xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
      <wsu:Timestamp wsu:Id='timestamp'>
        <wsu:Created>2005-10-19T03:18:25.359Z</wsu:Created>
      </wsu:Timestamp>
      <wsse:BinarySecurityToken EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary'
                                ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'
                                wsu:Id='token-2-1129691905640-12730771'>
MIIEQTCCA6qgAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgT
Cldhc2hpbmd0b24xGDAWBgNVBAcTD1Nub3F1YWxtaWUgUGFzczETMBEGA1UEChMKSkJvc3MgSW5j
LjELMAkGA1UECxMCUUExEjAQBgNVBAMTCWpib3NzLmNvbTEeMBwGCSqGSIb3DQEJARYPYWRtaW5A
amJvc3MuY29tMB4XDTA1MDkxNTAwMDk0MVoXDTE1MDkxMzAwMDk0MVowgYsxCzAJBgNVBAYTAlVT
MRMwEQYDVQQIEwpXYXNoaW5ndG9uMRMwEQYDVQQKEwpKQm9zcyBJbmMuMRQwEgYDVQQLEwtEZXZl
bG9wbWVudDEVMBMGA1UEAxMMSmFzb24gR3JlZW5lMSUwIwYJKoZIhvcNAQkBFhZqYXNvbi5ncmVl
bmVAamJvc3MuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzzj+VomXdEuHTg4g
N9mN865eulLiAPITiZMLfz2ODuzF0pj39iTKhHM8IS6YQYbkPGRXMTmnCy0NFfMsVKTXs/9rZBMP
1ko3kZopaN+XrUT8yxIiydL76QYcRpDGgxG9G4kc+mHdt0rZtARWVwoVPhO4Irx09AONpSYqdSq0
8jMXscA+yXwvhDHGV+J4CCSmQgYVa95OdDaAMnWp5csAfg4eL/GTLI36Up4tjsFnMq5NFKsCnZ1q
qxA1OO3CbhsK/IlEZw13alGJPJ1FgvaTZTZNh+h2YIKl//P5iQOtfURrzWsVwGcEa6S+lC72BJHj
JBOw4byI/FTi1HCe6wd3iQIDAQABo4IBJjCCASIwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYd
T3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFKzdWmBd7MDzEemEN6HMXIeq
St86MIHHBgNVHSMEgb8wgbyAFEuV2BcIYuw61dmN9JIrAvNK+hZ+oYGYpIGVMIGSMQswCQYDVQQG
EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEYMBYGA1UEBxMPU25vcXVhbG1pZSBQYXNzMRMwEQYD
VQQKEwpKQm9zcyBJbmMuMQswCQYDVQQLEwJRQTESMBAGA1UEAxMJamJvc3MuY29tMR4wHAYJKoZI
hvcNAQkBFg9hZG1pbkBqYm9zcy5jb22CCQCr9VL/ZBpN7zANBgkqhkiG9w0BAQUFAAOBgQDEU/Bs
M2Pqcr8j8/NdYlgSYXX1R7u2wjYkRnW6jeHlxNm5XeuY0t4nr8fq5S05YOAlU4LTJuGNMB8kZUit
hAU2QxkMLmKKsb+B1zIdzP756xC6x+5g0dXLIt0ItVjPv5GQIw1SRmQKBkfliwV5jOrkCzJ5/v04
Hb1iUP9iqcdN2w==</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
        <ds:SignedInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
          <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'></ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'></ds:SignatureMethod>
          <ds:Reference URI='#element-1-1129691905375-12082199' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
            <ds:Transforms xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
              <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'></ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'></ds:DigestMethod>
            <ds:DigestValue xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>9SbOp1WkPF1DOeTrTy+ToTO6qUA=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI='#timestamp' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
            <ds:Transforms xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
              <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'></ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'></ds:DigestMethod>
            <ds:DigestValue xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>xSz9lxVD/HbLfaV6SDv+o6Y0rdI=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
Tu8sRZ6NhcjvIlwCfvuoLpGK7IP4LthRYUg/URi8WDo0VgkzSfoG7wlBR93RykQ5Q3cSXFozFmgl
C7Cnb26qgMuwEE7eWHIhrG0hzWiDd1X/AZ/db5UBOy3Px7tcRF9YGvzHRBmL6z3QWsZ58uHaF9y5
NNi74TDDcNoeDqYfqKDTJUB99atZB/nKzHDwsdbPH1g2NX8A3bX6gRy7gY0u/6eiCWxH8v7u5MaZ
grBIWoXDzwheLBTWxEc5A5Obif8SjT7frbh0lFEpqaMYObRKZlMJedFPrR+r/vpG5QKpMjC1TaGX
GKMpqcSqTVz+TKnOjun4OJh+Jhute9uIytl+gA==
        </ds:SignatureValue>
        <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
          <wsse:SecurityTokenReference wsu:Id='reference-3-1129691905640-23022207'>
            <wsse:Reference URI='#token-2-1129691905640-12730771'
                            ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'></wsse:Reference>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </env:Header>
  <env:Body wsu:Id='element-1-1129691905375-12082199'
            xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
    <ns1:echoUserType xmlns:ns1='http://org.jboss.test.ws/wsse'>
      <UserType_1 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
        <msg>Kermit</msg>
      </UserType_1>
    </ns1:echoUserType>
  </env:Body>
</env:Envelope>
Server Response After Signing
<env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'>
  <env:Header>
    <wsse:Security env:mustUnderstand='1'
                   xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
                   xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
      <wsu:Timestamp wsu:Id='timestamp'>
        <wsu:Created xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>2005-10-19T03:18:26.781Z</wsu:Created>
      </wsu:Timestamp>
      <wsse:BinarySecurityToken EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary'
                                ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'
                                wsu:Id='token-2-1129691907015-14256896'>
MIIEQTCCA6qgAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgT
Cldhc2hpbmd0b24xGDAWBgNVBAcTD1Nub3F1YWxtaWUgUGFzczETMBEGA1UEChMKSkJvc3MgSW5j
LjELMAkGA1UECxMCUUExEjAQBgNVBAMTCWpib3NzLmNvbTEeMBwGCSqGSIb3DQEJARYPYWRtaW5A
amJvc3MuY29tMB4XDTA1MDkxNTAwMDk0MVoXDTE1MDkxMzAwMDk0MVowgYsxCzAJBgNVBAYTAlVT
MRMwEQYDVQQIEwpXYXNoaW5ndG9uMRMwEQYDVQQKEwpKQm9zcyBJbmMuMRQwEgYDVQQLEwtEZXZl
bG9wbWVudDEVMBMGA1UEAxMMSmFzb24gR3JlZW5lMSUwIwYJKoZIhvcNAQkBFhZqYXNvbi5ncmVl
bmVAamJvc3MuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzzj+VomXdEuHTg4g
N9mN865eulLiAPITiZMLfz2ODuzF0pj39iTKhHM8IS6YQYbkPGRXMTmnCy0NFfMsVKTXs/9rZBMP
1ko3kZopaN+XrUT8yxIiydL76QYcRpDGgxG9G4kc+mHdt0rZtARWVwoVPhO4Irx09AONpSYqdSq0
8jMXscA+yXwvhDHGV+J4CCSmQgYVa95OdDaAMnWp5csAfg4eL/GTLI36Up4tjsFnMq5NFKsCnZ1q
qxA1OO3CbhsK/IlEZw13alGJPJ1FgvaTZTZNh+h2YIKl//P5iQOtfURrzWsVwGcEa6S+lC72BJHj
JBOw4byI/FTi1HCe6wd3iQIDAQABo4IBJjCCASIwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYd
T3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFKzdWmBd7MDzEemEN6HMXIeq
St86MIHHBgNVHSMEgb8wgbyAFEuV2BcIYuw61dmN9JIrAvNK+hZ+oYGYpIGVMIGSMQswCQYDVQQG
EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEYMBYGA1UEBxMPU25vcXVhbG1pZSBQYXNzMRMwEQYD
VQQKEwpKQm9zcyBJbmMuMQswCQYDVQQLEwJRQTESMBAGA1UEAxMJamJvc3MuY29tMR4wHAYJKoZI
hvcNAQkBFg9hZG1pbkBqYm9zcy5jb22CCQCr9VL/ZBpN7zANBgkqhkiG9w0BAQUFAAOBgQDEU/Bs
M2Pqcr8j8/NdYlgSYXX1R7u2wjYkRnW6jeHlxNm5XeuY0t4nr8fq5S05YOAlU4LTJuGNMB8kZUit
hAU2QxkMLmKKsb+B1zIdzP756xC6x+5g0dXLIt0ItVjPv5GQIw1SRmQKBkfliwV5jOrkCzJ5/v04
Hb1iUP9iqcdN2w==</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
        <ds:SignedInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
          <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'></ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'></ds:SignatureMethod>
          <ds:Reference URI='#element-1-1129691906796-9997782' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
            <ds:Transforms xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
              <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'></ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'></ds:DigestMethod>
            <ds:DigestValue xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>BiHYrHFspjppNAoq1vbSLKwyCzo=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI='#timestamp' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
            <ds:Transforms xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
              <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'></ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'></ds:DigestMethod>
            <ds:DigestValue xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>4Vt62YYlU/yFT2i8bOHU6hPWQio=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
efUTQdCGvw7+AQ8Cc6/q3hODRH2hPFPNFzF6qAAxUx7nXcC6cBBlDpz1gwmCN+/vcCo8vJk/Jn4M
tCixczu3i/eoW9CLzjF/vT+KrXFmDHJPQYbFwc4QY3oIN39gPV99nFJ0IFhANpRk0dex7PX4vW2H
qyzh7u5nLpVwSrckYT85KNOXIke79aegi+MEx2vrW75eENlgDg+/nOLJtUPY/0pr8tttTXwoaX7c
apkYxhN42Z/pIrUzbPdDRF+4bxrnHCrZty5AAj789LSSX4qBWfFREDkukCxxcqqEZpeoNUIhRXA9
++K3YTARwKy5vcg9rMh268yz+sT5tM2owMwyZQ==
        </ds:SignatureValue>
        <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
          <wsse:SecurityTokenReference wsu:Id='reference-3-1129691907015-3462250'
                                       xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'>
            <wsse:Reference URI='#token-2-1129691907015-14256896'
                            ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'
                            xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'></wsse:Reference>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </env:Header>
  <env:Body wsu:Id='element-1-1129691906796-9997782'
            xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
    <ns1:echoUserTypeResponse xmlns:ns1='http://org.jboss.test.ws/wsse'>
      <result xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
        <msg>Kermit</msg>
      </result>
    </ns1:echoUserTypeResponse>
  </env:Body>
</env:Envelope>
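The signed messages above show what the <requires><signature/></requires> block in both descriptors demands: a wsse:Security header whose ds:Signature carries a ds:Reference to the wsu:Id of the env:Body (and here also to the Timestamp). The following Python script is an added example, not part of this page or of JBossWS; it performs only the structural part of that check on a received message, leaving the digest, RSA and trust-store verification to the WS-Security stack. The sample messages, ids, token and digest values it embeds are constructed placeholders modelled on the request above, not the page's real values.

```python
# Added example, not part of the JBossWS page: a structural check for the
# <requires><signature/></requires> policy. It answers "is the SOAP Body
# covered by the Signature in the wsse:Security header?" without doing the
# digest/RSA/trust-store verification, which the WS-Security stack performs.
import xml.etree.ElementTree as ET

ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"


def signed_ids(root):
    """Local ids (URI without the leading '#') named by every ds:Reference in
    ds:SignedInfo. Raises ValueError when the message carries no Security
    header or no Signature, which is what an unsigned request looks like."""
    security = root.find(f"{{{ENV}}}Header/{{{WSSE}}}Security")
    if security is None:
        raise ValueError("no wsse:Security header")
    signed_info = security.find(f"{{{DS}}}Signature/{{{DS}}}SignedInfo")
    if signed_info is None:
        raise ValueError("Security header carries no ds:Signature")
    ids = set()
    for ref in signed_info.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            raise ValueError(f"only same-document references are handled, got {uri!r}")
        ids.add(uri[1:])
    return ids


def elements_with_id(root, id_value):
    """Every element whose wsu:Id equals id_value (a sound message has exactly one)."""
    return [el for el in root.iter() if el.get(f"{{{WSU}}}Id") == id_value]


def signed_parts(xml_text):
    """Sorted local names of the elements the Signature covers, e.g.
    ['Body', 'Timestamp'] for the messages shown on this page."""
    root = ET.fromstring(xml_text)
    names = []
    for id_value in signed_ids(root):
        for el in elements_with_id(root, id_value):
            names.append(el.tag.split("}")[-1])
    return sorted(names)


def body_is_signed(xml_text):
    """True only when the env:Body carries a wsu:Id, a ds:Reference names that
    id, and the id resolves to exactly one element which is the Body itself.
    An unsigned, partially signed or ambiguous message yields False, which is
    the case in which the server answers with a fault instead of a response."""
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{ENV}}}Body")
    if body is None:
        return False
    try:
        ids = signed_ids(root)
    except ValueError:
        return False
    body_id = body.get(f"{{{WSU}}}Id")
    if body_id is None or body_id not in ids:
        return False
    matches = elements_with_id(root, body_id)
    return len(matches) == 1 and matches[0] is body


# Constructed sample messages modelled on the page's request, with placeholder
# ids, token and digest/signature values (not the real values from the page).
BODY_REF = '<ds:Reference URI="#body-1"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>'
SIGNED_REQUEST = f"""<env:Envelope xmlns:env="{ENV}">
 <env:Header>
  <wsse:Security env:mustUnderstand="1" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
   <wsu:Timestamp wsu:Id="timestamp"><wsu:Created>2005-10-19T03:18:25.359Z</wsu:Created></wsu:Timestamp>
   <wsse:BinarySecurityToken wsu:Id="token-1">PLACEHOLDER-CERT</wsse:BinarySecurityToken>
   <ds:Signature xmlns:ds="{DS}">
    <ds:SignedInfo>
     {BODY_REF}
     <ds:Reference URI="#timestamp"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
   </ds:Signature>
  </wsse:Security>
 </env:Header>
 <env:Body wsu:Id="body-1" xmlns:wsu="{WSU}">
  <ns1:echoUserType xmlns:ns1="http://org.jboss.test.ws/wsse"><UserType_1><msg>Kermit</msg></UserType_1></ns1:echoUserType>
 </env:Body>
</env:Envelope>"""

# The same request before signing: no Security header at all.
UNSIGNED_REQUEST = f"""<env:Envelope xmlns:env="{ENV}">
 <env:Header></env:Header>
 <env:Body><ns1:echoUserType xmlns:ns1="http://org.jboss.test.ws/wsse"><UserType_1><msg>Kermit</msg></UserType_1></ns1:echoUserType></env:Body>
</env:Envelope>"""

# A Signature that covers only the Timestamp: present, but not enough for <requires><signature/>.
TIMESTAMP_ONLY = SIGNED_REQUEST.replace(BODY_REF, "").replace(' wsu:Id="body-1"', "")

if __name__ == "__main__":
    for label, msg in (("signed", SIGNED_REQUEST), ("unsigned", UNSIGNED_REQUEST), ("timestamp only", TIMESTAMP_ONLY)):
        print(f"{label:15} body signed: {body_is_signed(msg)}")
```

The three samples reproduce the situations the introduction describes: the fully signed message passes, the "before signing" message (no Security header) fails, and a message whose Signature references only the Timestamp also fails, because the requires block asks specifically for the body to be signed. The uniqueness test on the referenced wsu:Id is the part worth keeping in any real verifier: a Reference must resolve to the one element the signature was computed over, and it must be the Body the service actually processes.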