1) On the ESB, how are you sending and receiving the SOAP messages?
Are you using the CXF-BC?

2) Two WSS4JInInterceptors will not do what you want.  I believe that
2.2 still lacked a check to see if the handler has been executed
already, but either way, the second execution isn't going to get you
what you want.

3) I don't think SignedParts has any effect on inbound processing as
WSS4J does not attempt to enforce this when validating the signature.

4) As long as both signatures are in the same WS-Security Security
element and your WSS4J configuration matches the role/actor of that
element (if you don’t know what this is or haven't configured it, it
matches by default) a single WSS4J interceptor should suffice.  The
interceptor delegates to WSS4J which is going to iterate through all
of the children of the Security element and apply a matching Processor
to them (See WSSecurityEngine).  This should process multiple
signatures and stack the results up in the WSS4J results.  The
following code snippet shows how to inspect the X509Certificate
portion of the results for the first signature processed if you need
to look deeper than just checking the signature validity.



        final Vector<WSSecurityEngineResult> results =
            new Vector<WSSecurityEngineResult>();

        WSSecurityUtil.fetchAllActionResults(wsHandlerResult.getResults(),
                WSConstants.SIGN, results);

        final WSSecurityEngineResult result = results.get(0);
        result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);

Since you are getting an error from WSS4J, it is likely that you have
your interceptor/WSS4J misconfigured or that the outbound side of your
ESB is corrupting your message in some way.  Do you have the stack
trace for the error message?



If you have multiple Security elements in the header, that might make
things more difficult to solve.

On Wed, Mar 24, 2010 at 4:34 AM, Kopp, Markus <[email protected]> wrote:
>
> In our SOA we will have to sign a request (parts of the SOAP header) twice:
>
> 1. the client signs the SOAP body
>
> 2. the ESB signs a part of the SOAP header, so that the service can verify
> that the request was routed over the ESB
>
> I'm currently trying to implement/configure this using Apache CXF 2.2. It's
> working on the client side as well as on the ESB. But I'm not able to
> configure CXF on the server side to allow two different signatures. I'm
> trying to configure two WSS4JInInterceptor-beans, but the first one reports
> the error: "WSSecurityException: An error was discovered processing the header"
>
> I'm already using the "signatureParts" in the WSS4JInInterceptor properties 
> configuration.
>
> Does anybody know how to configure the WSS4JInInterceptor to allow
> different/multiple XML Signatures?
>
> Many thanks
>
> Markus
>
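
Added example, not code from this thread or from the CXF/WSS4J projects: a CXF interceptor that runs after the single WSS4JInInterceptor described in point 4, walks every signature result instead of only the first, and rejects the request unless both the client and the ESB signed it. It assumes the CXF 2.2 / WSS4J 1.5.x API used in the snippet above; the class name and the two subject DNs are hypothetical placeholders.

```java
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import java.util.Vector;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.apache.ws.security.util.WSSecurityUtil;

/** Hypothetical check: requires one valid signature from each expected signer. */
public class RequiredSignersInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
    // Placeholder subject DNs (assumptions); use the DNs of your own certificates.
    private static final String CLIENT_DN = "CN=example-client,O=Example";
    private static final String ESB_DN = "CN=example-esb,O=Example";

    public RequiredSignersInterceptor() {
        super(Phase.PRE_PROTOCOL);
        addAfter(WSS4JInInterceptor.class.getName()); // run once WSS4J has stored its results
    }

    @SuppressWarnings("unchecked")
    public void handleMessage(SoapMessage message) throws Fault {
        Vector<WSHandlerResult> handlerResults =
            (Vector<WSHandlerResult>) message.get(WSHandlerConstants.RECV_RESULTS);
        Set<String> signers = new HashSet<String>();
        if (handlerResults != null) {
            for (WSHandlerResult handlerResult : handlerResults) {
                Vector<WSSecurityEngineResult> signatures = new Vector<WSSecurityEngineResult>();
                WSSecurityUtil.fetchAllActionResults(handlerResult.getResults(), WSConstants.SIGN, signatures);
                for (WSSecurityEngineResult signature : signatures) {
                    X509Certificate cert = (X509Certificate)
                        signature.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                    if (cert != null) {
                        signers.add(cert.getSubjectX500Principal().getName());
                    }
                }
            }
        }
        // getName() returns the RFC 2253 form ("CN=...,O=..."); the constants must use it too.
        if (!signers.contains(CLIENT_DN) || !signers.contains(ESB_DN)) {
            throw new Fault(new SecurityException("Required client and ESB signatures not both present"));
        }
    }
}
```

This confirms who signed, not what each signer covered; as point 3 notes, WSS4J does not enforce SignedParts on inbound messages, so coverage of the body and the routed header part has to be checked separately.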
