I'm trying to sign a SOAP message with a symmetric key. It seems that the only way the library provides to sign without a certificate is to use a UsernameToken. I found the following trick to make WSS4J do what I want:
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.message.WSSecSignature;

WSSecSignature signer = new WSSecSignature();
// UT_SIGNING: derive the signing key from a UsernameToken instead of a certificate
signer.setKeyIdentifierType(WSConstants.UT_SIGNING);
signer.setSignatureAlgorithm("http://www.w3.org/2000/09/xmldsig#hmac-sha1");
// subclass that supplies the symmetric key and the token id (see below)
MyWSSecUsernameToken token = new MyWSSecUsernameToken();
signer.setUsernameToken(token);
MyWSSecUsernameToken extends WSSecUsernameToken with these differences:
- getSecretKey() returns a hard-coded symmetric key
- getId() returns a hard-coded identifier
The result seems consistent but cannot be verified since the verification process tries to find the security token with the provided id in the SOAP message:
<wsse:SecurityTokenReference ...>
<wsse:Reference URI="#MyId" .../>
</wsse:SecurityTokenReference>
I'd like to replace this <SecurityTokenReference> statement with a <KeyName> and handle the key lookup with a handler (exactly the same as for the encryption process).
So, finally ;), my questions are:
- as I used a trick, is my message really signed with the HMAC-SHA1 algorithm?
- is there any way to do that in a simpler way (with working verification)?
Thank you all,
Yann
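What an hmac-sha1 XML Signature actually commits to, as an added example that is not part of the post or of WSS4J: the Reference carries base64(SHA-1(C14N(Body))), and SignatureValue is base64(HMAC-SHA1(key, C14N(SignedInfo))). The verifier below also does the KeyName-style lookup the poster wants (a dictionary stands in for the handler) instead of resolving a SecurityTokenReference. Everything here is constructed: the shared key, the key name, the sample Body, and the assumption that the strings are already in exclusive-C14N form, so no XML canonicalizer is needed.

```python
import base64
import hashlib
import hmac

# Constructed key store keyed by <ds:KeyName>. In the poster's design this lookup
# would be done by the handler that the KeyName triggers (assumption).
SHARED_KEYS = {
    "yann-hmac-key": b"0123456789abcdef0123456789abcdef",
}

# Constructed sample Body, written so that it is already its own exclusive-C14N form.
SAMPLE_BODY = (
    b'<soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
    b'xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" '
    b'wsu:Id="Body-1"><ns:getBalance xmlns:ns="urn:example">42</ns:getBalance></soapenv:Body>'
)


def resolve_key(key_name: str) -> bytes:
    """KeyName -> symmetric key; KeyError for unknown names so verification fails closed."""
    return SHARED_KEYS[key_name]


def digest_reference(canonical_element: bytes) -> str:
    """DigestValue for a <ds:Reference> using xmldsig#sha1: base64(SHA-1(C14N(element)))."""
    return base64.b64encode(hashlib.sha1(canonical_element).digest()).decode("ascii")


def build_signed_info(reference_uri: str, digest_value: str) -> bytes:
    """SignedInfo as exclusive-C14N bytes (assumption: this literal is already canonical)."""
    return (
        '<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>'
        '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"></ds:SignatureMethod>'
        f'<ds:Reference URI="{reference_uri}">'
        '<ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms>'
        '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>'
        f'<ds:DigestValue>{digest_value}</ds:DigestValue>'
        '</ds:Reference>'
        '</ds:SignedInfo>'
    ).encode("utf-8")


def sign_message(key_name: str, canonical_body: bytes, reference_uri: str):
    """Return (SignedInfo bytes, SignatureValue) for an hmac-sha1 signature over the body."""
    key = resolve_key(key_name)
    signed_info = build_signed_info(reference_uri, digest_reference(canonical_body))
    mac = hmac.new(key, signed_info, hashlib.sha1).digest()
    return signed_info, base64.b64encode(mac).decode("ascii")


def verify_message(key_name: str, canonical_body: bytes, signed_info: bytes, signature_value: str) -> bool:
    """Verify as a receiver would: resolve the key by name, check the Reference digest,
    then check the full-length HMAC over SignedInfo in constant time."""
    try:
        key = resolve_key(key_name)
    except KeyError:
        return False

    # 1. Reference check: the DigestValue quoted in SignedInfo must match the body.
    open_tag, close_tag = b"<ds:DigestValue>", b"</ds:DigestValue>"
    start, end = signed_info.find(open_tag), signed_info.find(close_tag)
    if start < 0 or end < 0:
        return False
    quoted_digest = signed_info[start + len(open_tag):end].decode("ascii")
    if not hmac.compare_digest(quoted_digest, digest_reference(canonical_body)):
        return False

    # 2. Signature check: reject malformed or truncated MACs, then compare the full 20 bytes.
    try:
        given = base64.b64decode(signature_value, validate=True)
    except ValueError:
        return False
    if len(given) != hashlib.sha1().digest_size:
        return False
    expected = hmac.new(key, signed_info, hashlib.sha1).digest()
    return hmac.compare_digest(given, expected)


if __name__ == "__main__":
    si, sv = sign_message("yann-hmac-key", SAMPLE_BODY, "#Body-1")
    print(si.decode())
    print("SignatureValue:", sv)
    print("verifies:", verify_message("yann-hmac-key", SAMPLE_BODY, si, sv))
```

The length check matters: an HMAC signature carries no structure of its own, so a verifier that accepts fewer than the full 20 bytes (or that lets the message dictate the length) is comparing against a weaker MAC than the one the sender computed. Any real deployment must also run the canonicalization named in CanonicalizationMethod rather than trusting pre-canonical strings, and the key name in <KeyName> should select only keys provisioned for that peer.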
