Re: ws-policy/ws-security and a encrypted header part

[Martin Fernau]

Thanks a lot.
It turns out that I already implemented it this way but simply did a 
mistake for the namespace.
After correction the outgoing XML seems to be correct.
Nonetheless the request is rejected with "An error occurred when 
verifying security for the message."

Thanks
Martin

Am 24.10.2016 um 13:21 schrieb Colm O hEigeartaigh:
Yes it's possible to add headers and sign and encrypt them. There is a test
which demonstrates how to do this for encryption, although Signature works
as well:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java;h=55b8298aa93bed4622c3f2f283a04b8294725aad;hb=HEAD

See "testKeyIdentifier2". The header is added with:

List<Header> headers = new ArrayList<Header>();
Header dummyHeader = new Header(new QName("uri:org.apache.cxf", "dummy"),
"dummy-header",
                                          new JAXBDataBinding(String.class));
headers.add(dummyHeader);
((BindingProvider)x509Port).getRequestContext().put(Header.HEADER_LIST,
headers);

The WSDL is here. You can see that the header is added to the encryption
parts for the "DoubleIt2" operation:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItOperations.wsdl;h=836f02e0c4c7ae851f4f475ca84a17724dbf2236;hb=HEAD

On Mon, Oct 24, 2016 at 10:19 AM, Martin Fernau <martin.fer...@fernausoft.de
wrote:
No one?

Is it not possible with CXF or is it an unusual demand?
I need to consume this webservice. If its not possible with CXF I need to
find another way but I'd like to stick with CXF.

Thanks
Martin


Am 20.10.2016 um 10:00 schrieb Martin Fernau:

Hi,

is it possible to call a webservice with the following ws-security
content:
--cut
     <wsp:Policy wsu:Id="CustomBinding_IService
Customer_InsertCustomer_Input_policy">
         <wsp:ExactlyOne>
             <wsp:All>
                 <sp:SignedParts xmlns:sp="http://schemas.xmlso
ap.org/ws/2005/07/securitypolicy">
                     <sp:Body/>
                     <sp:Header Name="FfeHeader" Namespace="
http://tempuri.org/"/>
                     <sp:Header Name="To" Namespace="http://www.w3.org/2
005/08/addressing"/>
                     <sp:Header Name="From" Namespace="http://www.w3.org/2
005/08/addressing"/>
                     <sp:Header Name="FaultTo" Namespace="
http://www.w3.org/2005/08/addressing"/>
                     <sp:Header Name="ReplyTo" Namespace="
http://www.w3.org/2005/08/addressing"/>
                     <sp:Header Name="MessageID" Namespace="
http://www.w3.org/2005/08/addressing"/>
                     <sp:Header Name="RelatesTo" Namespace="
http://www.w3.org/2005/08/addressing"/>
                     <sp:Header Name="Action" Namespace="
http://www.w3.org/2005/08/addressing"/>
                 </sp:SignedParts>
                 <sp:EncryptedParts xmlns:sp="http://schemas.xmlso
ap.org/ws/2005/07/securitypolicy">
                     <sp:Body/>
                     <sp:Header Name="FfeHeader" Namespace="
http://tempuri.org/"/>
                 </sp:EncryptedParts>
             </wsp:All>
         </wsp:ExactlyOne>
     </wsp:Policy>
--cut

The problematic part is the "FfeHeader" which needs to be encrypted and
signed.
All the other parts are working (as far as I can tell).
If I use wsdl2java a class file for the FfeHeader-Type is generated but I
can find a way how to add it to my request. Thus the resulting request
contains no such header and therefore the server fails to understand my
request:
--cut
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Object
reference not set to an instance of an object.
--cut

I only know the following way to add a custom header to my request:
--cut
ObjectFactory of = new ObjectFactory();
List<Header> headersList = new ArrayList<Header>();
// HeaderType is the generated class for FfeHeader
HeaderType type = of.createHeaderType();
// call several setters on 'type'
[...]

Header ffeHeader = new Header(new QName("http://tempuri.org";,
"FfeHeader"), type, new JAXBDataBinding(HeaderType.class));
headersList.add(ffeHeader);
client.getRequestContext().put(Header.HEADER_LIST, headersList);
--cut
But this way the FfeHeader is neither signed nor encrypted and the call
fails with exact the same error message.

I would appreciate any kind of help.

Thanks
Martin






--
FERNAUSOFT GmbH
Gartenstraße 42 - 37269 Eschwege

Telefon (0 56 51) 95 99-0
Telefax (0 56 51) 95 99-90

eMail martin.fer...@fernausoft.de
Internet http://www.fernausoft.de

Handelsregister Eschwege, HRB 1585
Geschäftsführer: Axel Fernau, Ulrich Fernau, Martin Fernau
Steuernummer 025 233 00041
USt-ID-Nr. DE 178 554 622