We are running a WSO2 ESB 5.0 server. We want to create a service that transforms a normal SOAP message to a signed version and delivers this to an endpoint.
We are getting the message:
Caused by: org.apache.ws.security.WSSecurityException: General
security error (No certificates for user wso2carbon were found for
signature)
Why do I get this message? I do not understand the meaning of this.
Update: I figured out, that the user in the rampart config should be the Alias of the key that you want to use to sign. And the password handler Should return the password of the alias key
The synapse (wso2 esb) service is:
<?xml version="1.0" encoding="UTF-8"?>
<proxy xmlns="http://ws.apache.org/ns/synapse"
name="__mke_siging_out"
startOnLoad="true"
statistics="disable"
trace="disable"
transports="https">
<target>
<inSequence>
<send>
<endpoint>
<address uri="http://foo.bar.host/services/default/Echo/echo_client_ep">
<enableSec policy="gov:/policies/__mke_sign_out.xml"/>
</address>
</endpoint>
</send>
</inSequence>
<outSequence>
<header xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
action="remove"
name="wsse:Security"
scope="default"/>
<send/>
</outSequence>
<faultSequence/>
</target>
<description/>
</proxy>
The rampart configuration is, pointing to a JKS keystore in which private/pub certificate is loaded and protected by a password:
<?xml version="1.0" encoding="UTF-8"?>
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SigOnly">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference />
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:RequireThumbprintReference />
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
<sp:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Policy>
<sp:MustSupportRefKeyIdentifier />
<sp:MustSupportRefIssuerSerial />
</sp:Policy>
</sp:Wss10>
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body />
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
<rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
<rampart:user>wso2carbon</rampart:user>
<rampart:passwordCallbackClass>nl.rsg.it.igw.passwordcallback.Handler</rampart:passwordCallbackClass>
<rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
<rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
<rampart:timestampTTL>300</rampart:timestampTTL>
<rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
<rampart:timestampStrict>false</rampart:timestampStrict>
<rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
<rampart:nonceLifeTime>300</rampart:nonceLifeTime>
<rampart:encryptionCrypto>
<rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto" cryptoKey="org.wso2.carbon.security.crypto.privatestore">
<rampart:property name="org.wso2.carbon.security.crypto.alias">myAlias</rampart:property>
<rampart:property name="org.wso2.carbon.security.crypto.privatestore">myPrivate.jks</rampart:property>
<rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
<rampart:property name="org.wso2.carbon.security.crypto.truststores">myPrivate.jks</rampart:property>
</rampart:crypto>
</rampart:encryptionCrypto>
<rampart:signatureCrypto>
<rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto" cryptoKey="org.wso2.carbon.security.crypto.privatestore">
<rampart:property name="org.wso2.carbon.security.crypto.alias">myAlias</rampart:property>
<rampart:property name="org.wso2.carbon.security.crypto.privatestore">myPrivate.jks</rampart:property>
<rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
<rampart:property name="org.wso2.carbon.security.crypto.truststores">myPrivate.jks</rampart:property>
</rampart:crypto>
</rampart:signatureCrypto>
</rampart:RampartConfig>
</wsp:Policy>
I figured out, that the user in the rampart config should be the Alias of the key that you want to use to sign. And the password handler Should return the password of the alias key.
Related
I have read that there is no way to create a message with ws-security from httprio, only modifying the xml that is generated, in the beforeexecute, overwriting the stream content.
But I want to know how sign the body section from that xml.
In JBoss this is the example (https://docs.jboss.org/author/display/WFLY10/WS-Security.html) but I don't find classes or methods in Delphi for do it.
The wsdl definition include a wsp section not readed when imported the wsdl definition
<wsp:Policy xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" wsu:Id="SecurityServiceSignThenEncryptPolicy">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V1Token11/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V1Token11/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Lax/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:EncryptSignature/>
<sp:OnlySignEntireHeadersAndBody/>
<sp:SignBeforeEncrypting/>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:SignedParts>
<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:EncryptedParts>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefIssuerSerial/>
</wsp:Policy>
</sp:Wss10>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
Then I need rewrite the xml before request with a token and the body encrypted with that token.
I need encrypt the body with a token, that is how jboss do it.
No user or password. Only encrypt the message.
My original xml normal for call webservice look as:
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
<shawAny xmlns="http://showany.com/webservices">
<Value xmlns="">1360814</nroCertificado>
<autenticacion xmlns=""> <signWSAA>EISgwe7vyrAtvpe/uBy1Vj9IyYRGjjZfY4isNTLYDhl33BeqPWHjJ5NXU5+UMBSxjAO84bCydJJmCiDlATZq725EThMppowyO2CcAYBET8zBdqlXqaVMT12OHFnSH5QHc5aG4SkrgubPXqCeJO5Lcb/T6irySorBaYG647K33/8=</signWSAA>
<CN>dnra</CN> <ticketWSAA>CjxhdXRoPgoJPGlkIHVuaXF1ZV9pZD0iNzQwMDE0NjUyIiBzcmM9IkM9UFksIE89ZG5hLCBPVT1zb2ZpYSwgQ049d3NhYXRlc3QiIGdlbl90aW1lPSIyMDIwLTA3LTIwVDEwOjI5OjI3LjYzMi0wNDowMCIgZXhwX3RpbWU9IjIwMjAtMDctMjFUMTA6Mjk6MjcuNjMyLTA0OjAwIi8+Cgk8b3BlcmF0aW9uIHZhbHVlPSJncmFudGVkIiB0eXBlPSJsb2dpbiI+CgkJPGxvZ2luIHVpZD0iQz1QWSwgTz1ETlJBLCBPVT1USSwgQ049ZG5yYSIgc2VydmljZT0ic2VydmljaW9jZXJuYWMiIGF1dGhtZXRob2Q9ImNtcyI+CgkJPC9sb2dpbj4KCTwvb3BlcmF0aW9uPgo8L2F1dGg+Cg==</ticketWSAA>
</autenticacion>
</showAny>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope
and then ws-security must look as:
<?xml version="1.0" encoding="UTF8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header>
<wsse:Security xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" SOAP-ENV:mustUnderstand="1">
<wsse:BinarySecurityToken
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509"
wsu:Id="x509cert00">CjxhdXRoPgoJPGlkIHVuaXF1ZV9pZD0iMTYwMTE4MTMwIiBzcmM9IkM9UFksIE89ZG5hLCBPVT1zb2ZpYSwgQ049d3NhYXRlc3QiIGdlbl90aW1lPSIyMDIwLTA3LTIwVDE1OjUzOjMyLjAxMC0wNDowMCIgZXhwX3RpbWU9IjIwMjAtMDctMjFUMTU6NTM6MzIuMDEwLTA0OjAwIi8+Cgk8b3BlcmF0aW9uIHZhbHVlPSJncmFudGVkIiB0eXBlPSJsb2dpbiI+CgkJPGxvZ2luIHVpZD0iQz1QWSwgTz1ETlJBLCBPVT1USSwgQ049ZG5yYSIgc2VydmljZT0ic2VydmljaW9jZXJuYWMiIGF1dGhtZXRob2Q9ImNtcyI+CgkJPC9sb2dpbj4KCTwvb3BlcmF0aW9uPgo8L2F1dGg+Cg==
</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse SOAP-ENV"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#TheBody"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>VhsSnaEAFsY0OYegKQh99v9csXg=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>axkNSVJdFcJWvd9H2TFYC5AvKLs8c3aMxeXKr0ZrQFWUp7fGivPtAAbQAlO2Wju14sy+TM1POyRd8blkJLLYVcFokrRj7X2SshbKasIosH9aWVoMdl8cL7G1SmUBguxekuI4N++yAAHJZotBka575Eaj3bNlSMNTZL5K2hqTFxal/oIExwDMNAmtCpiEapHgaW7mXgqibttNKhxrGmAGidBnHVGgqMcbM3l6aWhD8F6L4IK1PuB1LQoW/n8wkeO2+PrUzIqQ4LY5+Bx69OZjNHcuiC7HdwMNH9+aMipa7b3Q3DZ0+Qi4k/DWbT3kxterYnOWk6XULifV0F2pH3lg4Q==</ds:SignatureValue><ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#x509cert00" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509"/></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security>
</SOAP-ENV:Header>
<SOAP-ENV:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="TheBody">
<getVersion xmlns="http://msgsec.wssecfvt.ws.ibm.com"/>
MIIDjjCCAnagAwIBAgIIU/FocaP2GcUwDQYJKoZIhvcNAQEFBQAwVTEWMBQGA1UE
AwwNU0lGUm9vdENBMjA0ODETMBEGCgmSJomT8ixkARkWA1NJRjETMBEGCgmSJomT
8ixkARkWA0NPTTERMA8GCgmSJomT8ixkARkWAVAwHhcNMjAwNjE4MjAxNDUxWhcN
MzAwNjE2MjAxNDUxWjA4MQ0wCwYDVQQDDARkbnJhMQswCQYDVQQLDAJUSTENMAsG
A1UECgwERE5SQTELMAkGA1UEBhMCUFkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDWtyo5ASPoLtHGdAaj9CXBtiMnaGZQ6ERjeDvg+2czWKcbpIBUCl4C
hpOfcWobR5+gF7br3wYzhkg4GqyXIcDqlZQiRNRD8gnR0Q0ZFo0AMtabEGnOrSTJ
e5Wi+2af4Ku5kETSah7zWnv58OELQYzPVh2wxc2v0uuQ9N0riF16d1Do3knuqP4U
rz0/qXokpcIUpWt9FnWK7ux0fmaBipPDQeYPxBlIFKrGwIzj8JjWHliWJ3e1lyab
Qz2l9rkVi+gvbHixazie/sU0zcz7rMYbvM1/kD0ScRbvbr9i6xKPns97GWS2t2Q+
vnN9bQqOqPJTlJKpCJPBPV23W1FJ3HD3AgMBAAGjfzB9MB0GA1UdDgQWBBSevr6z
DFqKIIXrnlrF12ViI9iJgjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFIwsCl6R
oTkooHzDxwykypf6IsWtMA4GA1UdDwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADggEBAIjTQ7NFHCdHLdp5z3zL
sqeuq6e7CEYng0i3uW/xFgzKg20W7xh99KgmPiVjEBNMxsXhbMqEtvuOOF4aj+HH
fmMa0wvLzrKD0symhnBlLZCQbDrRsk6KkGuqcPn40csQ12O8G8kEqjuf2SoYkHye
bXDL2+fwdpX+SgLwWy88xSjwPHPT4IqbuYFn7uFzpgUOCDVNFUl++gMkNVW+MR6S
OBqfc84dVAANhThH7rwxnPiQ8/8l2BLUgGhFyZqDHlmUbsnd6QTCLFSREV3m3Mra
uoRs/tuAdlGM/01C65eNPsajaWXmkoM3EZk+SLt5+038DECfRkkuLToA8W2783H1
pIQ=
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
You do not need to write and append the XML for the security header manually.
The Delphi SOAP implementation has TSOAPHeader objects for that.
Example:
type
TMySoapHeader = class(TSOAPHeader)
private
FSomeData: string;
published
property SomeData: string read FSomeData write FSomeData;
end;
To apply the header before sending it, use:
(Webservice as ISOAPHeaders).Send(header);
I've created WS-Sec headers (for Username/Password auth) in the past, which I added add GitHub: https://github.com/ronaldhoek/SOAPStuff
[EIDT] Recently added the BinarySecurityToken part to the Security header for version '200401'.
These could help you build the headers required for this service.
Using Liberty 19.0.09, I have this Exception "Incorrect inclusion value".
javax.xml.ws.soap.SOAPFaultException: Incorrect inclusion value: null.
Caused by:
java.lang.RuntimeException - Incorrect inclusion value: null
at org.apache.cxf.ws.security.policy.model.Token.setInclusion(Token.java:82)
I have tried multiple configurations without success. Here is the code I am using to access this WS :
>DocumentMgmtHttpService service = new DocumentMgmtHttpService();
>HandlerResolver resolver = service.getHandlerResolver();
>DocumentMgmt docmgmt = service.getDocumentMgmtHttpPort();
>BindingProvider bp = (BindingProvider) docmgmt;
>bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "xxxx");
>bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "xxxxx");
>SearchDocumentResponseType response=null;
then the request and the call
Where should I be looking ?
I have configure ( 3 features below ) + handlers + CallBackHandler ( as a feature on the server )
server.xml
<wsSecurityClient id="default"
ws-security.callback-handler="com.xxx.xxxx.callbackhandler.CallBackHandler"
ws-security.signature.username="portal_certificate"
ws-security.username="CN=portalx509.xxxxxxxxxx, OU=IT, O=xxxxxxxxx, L=xxxxxxxx, ST=xxxxx, C=CA"
ws-security.encryption.username="portal_certificate">
<signatureProperties
org.apache.ws.security.crypto.merlin.keystore.type="jceks"
org.apache.ws.security.crypto.merlin.keystore.password="{xor}PDc+MTg6Nis="
org.apache.ws.security.crypto.merlin.keystore.alias="portal_certificate"
org.apache.ws.security.crypto.merlin.file="${server.config.dir}/resources/security/keystore-ti.jks"
org.apache.ws.security.crypto.merlin.truststore.file="${server.config.dir}/resources/security/keystore-ti.jks"
org.apache.ws.security.crypto.merlin.truststore.password="{xor}PDc+MTg6Nis="
org.apache.ws.security.crypto.merlin.truststore.type="jceks"
org.apache.ws.security.crypto.merlin.keystore.private.password="{xor}PDc+MTg6Nis="/>
<encryptionProperties
org.apache.ws.security.crypto.merlin.keystore.type="jceks"
org.apache.ws.security.crypto.merlin.keystore.password="{xor}PDc+MTg6Nis="
org.apache.ws.security.crypto.merlin.keystore.alias="portal_certificate"
org.apache.ws.security.crypto.merlin.file="${server.config.dir}/resources/security/keystore-ti.jks"
org.apache.ws.security.crypto.merlin.truststore.type="jceks"
org.apache.ws.security.crypto.merlin.truststore.file="${server.config.dir}/resources/security/keystore-ti.jks"
org.apache.ws.security.crypto.merlin.truststore.password="{xor}PDc+MTg6Nis="
org.apache.ws.security.crypto.merlin.keystore.private.password="{xor}PDc+MTg6Nis="
/>
- **ibm-ws-bnd.xml**
<ws:webservices-bnd xmlns:ws="http://websphere.ibm.com/xml/ns/javaee" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-ws-bnd_1_0.xsd" version="1.0">
<ws:webservice-endpoint-properties enableLoggingInOutInterceptor="true" />
<ws:service-ref name="service/DocumentMgmtHttpService">
<ws:port name="DocumentMgmtHttpPort" namespace="http://ibm.com/ws/jaxws/transport/security/" ssl-ref="SSL01" />
<ws:properties http.conduit.tlsClientParameters.disableCNCheck="true" />
</ws:service-ref>
</ws:webservices-bnd>
policy-attachements-client.xml ( in WEB-INF )
<?xml version="1.0" encoding="UTF-8"?>
<attachments
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:PolicyAttachment
wsdlNamespace="http://www.xxxxx.xx/EnterpriseMgmt/DocumentMgmt/V1">
<wsp:AppliesTo>
<wsa:EndpointReference>
<wsa:Address>https://xxxxxxxxxxxxxx:8442/ti/DocumentMgmt/V1
</wsa:Address>
</wsa:EndpointReference>
<wsp:URI>https://xxxxxxxxxxxxxxxx:8442/ti/DocumentMgmt/V1#wsdl11.service(DocumentMgmtHttpService)</wsp:URI>
</wsp:AppliesTo>
<wsp:Policy
wsu:Id="X509AsymmetricMutualAndUntAuthentication">
<wsp:ExactlyOne>
<wsp:All>
<wsam:Addressing wsp:Optional="true">
<wsp:Policy>
<wsp:ExactlyOne>
<wsp:All />
<wsam:AnonymousResponses />
<wsam:NonAnonymousResponses />
</wsp:ExactlyOne>
</wsp:Policy>
</wsam:Addressing>
<sp:SignedEncryptedSupportingTokens
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:UsernameToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken11 />
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SignedEncryptedSupportingTokens>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200712/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token11/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128Rsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200712/IncludeToken/AlwaysToInitiator">
<wsp:Policy>
<sp:WssX509V3Token11 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:SupportingTokens>
<wsp:Policy wsu:Id="request:username_token">
<sp:UsernameToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200712/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken11 />
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SupportingTokens>
<sp:SignedParts>
<sp:Body />
<sp:Header
Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
<sp:Header
Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header
Namespace="http://www.nbfg.ca/fw/serviceHeaders" />
</sp:SignedParts>
<sp:SignedElements>
<sp:XPath>/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Envelope']/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' and local-name()='Timestamp']</sp:XPath>
<sp:XPath>/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Envelope']/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='UsernameToken']</sp:XPath>
<sp:XPath>/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Envelope']/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' and local-name()='Timestamp']</sp:XPath>
<sp:XPath>/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Envelope']/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='UsernameToken']</sp:XPath>
</sp:SignedElements>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
</wsp:PolicyAttachment>
</attachments>
Any help ? Thanks a lot in advance.
in your policy-attachments-client.xml, the IncludeToken value is not correct. Update all the IncludeToken values and change "200712" to "200702".
i starting to use wso2EI in my company.
We have a requirement to invoke a service that exposes ones of our provider. This service is a SOAP webservice with signature in body through a keystore (they send me a pfx) and the idea is to use the wso2EI to invoke that service to consume internaly through this application.
So, I create a proxy service and the Policy.xml. When i try call the proxy service without the Policy.xml and i put a harcoded request it works fine. But when i put the Policy im facing the following error:
[-1234] [] [PassThroughMessageProcessor-351] ERROR {org.apache.synapse.core.axis2.Axis2Sender} - Unexpected error during sending message out
java.lang.NullPointerException
at sun.security.provider.JavaKeyStore$JKS.convertAlias(JavaKeyStore.java:58)
at sun.security.provider.JavaKeyStore.engineGetCertificateChain(JavaKeyStore.java:163)
at sun.security.provider.JavaKeyStore$JKS.engineGetCertificateChain(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineGetCertificateChain(KeyStoreDelegator.java:101)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetCertificateChain(JavaKeyStore.java:70)
at java.security.KeyStore.getCertificateChain(KeyStore.java:1048)
at org.apache.ws.security.components.crypto.CryptoBase.getCertificates(CryptoBase.java:468)
at org.apache.ws.security.message.WSSecSignature.prepare(WSSecSignature.java:313)
at org.apache.rampart.builder.BindingBuilder.getSignatureBuilder(BindingBuilder.java:351)
at org.apache.rampart.builder.BindingBuilder.getSignatureBuilder(BindingBuilder.java:266)
at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignature(AsymmetricBindingBuilder.java:762)
at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignBeforeEncrypt(AsymmetricBindingBuilder.java:457)
at org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricBindingBuilder.java:97)
at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:147)
at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:65)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:426)
at org.apache.synapse.core.axis2.DynamicAxisOperation$DynamicOperationClient.send(DynamicAxisOperation.java:185)
at org.apache.synapse.core.axis2.DynamicAxisOperation$DynamicOperationClient.executeImpl(DynamicAxisOperation.java:167)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
at org.apache.synapse.core.axis2.Axis2FlexibleMEPClient.send(Axis2FlexibleMEPClient.java:603)
at org.apache.synapse.core.axis2.Axis2Sender.sendOn(Axis2Sender.java:85)
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.send(Axis2SynapseEnvironment.java:547)
at org.apache.synapse.endpoints.AbstractEndpoint.send(AbstractEndpoint.java:384)
at org.apache.synapse.endpoints.AddressEndpoint.send(AddressEndpoint.java:65)
at org.apache.synapse.mediators.builtin.SendMediator.mediate(SendMediator.java:123)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:108)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:70)
at org.apache.synapse.mediators.base.SequenceMediator.mediate(SequenceMediator.java:158)
at org.apache.synapse.core.axis2.ProxyServiceMessageReceiver.receive(ProxyServiceMessageReceiver.java:224)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:415)
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:151)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
The proxy is:
<in><header>
<sec:OriginPoint xmlns:sec="http://esb.xxx.com/sec/">cd</sec:OriginPoint>
</header>
<send buildmessage="true">
<endpoint>
<address uri="https://xxx.xxx.xxx.xxx:4443/ESB-Host-secure-services/http/host-secure-services/serviceSecureRouter">
<enableSec policy="gov:ws-policy/Policy.xml"/>
</address>
</endpoint>
</send>
</in>
<out>
<log level="full"/>
<send/>
</out>
and the policy:
<wsp:Policy wsu:Id="signingpolicy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256Rsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefEmbeddedToken/>
<sp:MustSupportRefIssuerSerial/>
</wsp:Policy>
</sp:Wss10>
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:SignedParts>
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
<ramp:signatureCrypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.file">xx/xx/xx/certificado.jks</ramp:property>
<ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">xxx</ramp:property>
</ramp:crypto>
</ramp:signatureCrypto>
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
UPDATE
After setting the org.apache.synapse.transport.http.wire with DEBUG option i started to view the resoponse in the log but the servirce continues failing.
The error is this:
[2019-03-19 16:29:29,620] [-1] [] [PassThroughMessageProcessor-2] ERROR {org.apache.axis2.transport.base.threads.NativeWorkerPool} - Uncaught exception
java.lang.NullPointerException
at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:265)
at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:124)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
at org.apache.rampart.RampartEngine.process(RampartEngine.java:221)
at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:93)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
at org.apache.synapse.transport.passthru.ClientWorker.run(ClientWorker.java:263)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
The proxy server is still the same.
UPDATE 2
Finally i made it !!!. The problem were in the proxy service and the security mediator. Here is the final proxy service. Thanks to all!!:
<inSequence>
<header>
<sec:OriginPoint xmlns:sec="http://esb.firstdata.com/sec/">cencosud</sec:OriginPoint>
</header>
<send>
<endpoint>
<address uri="https://172.24.4.215:4443/ESB-Host-secure-services/http/host-secure-services/serviceSecureRouter">
<enableAddressing/>
<enableSec outboundPolicy="gov:ws-policy/Policy.xml"/>
</address>
</endpoint>
</send>
</inSequence>
</target>
<description/>
</proxy>
Two things stand out to me: It seems, based on the error, that you have some keystore or certificate alias issue. A few things to try:
A common mistake is to import the certificate without aliasname.
Inspect the keystore to see if the name is correct.
I do not see a callbackhandler mentioned? Did you implement one?
Some more info here including an examplepolicy and callbackhandler project
I need to call Soap service from groovy. I want to use groovy-wslite library.
I have no problem with simple services but I have trouble with service using WS-Security and WS-Reliable Messaging. I have sample configuration on the client site:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IRestrictionImport" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
<message clientCredentialType="UserName" negotiateServiceCredential="true"
algorithmSuite="Default" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://test.ceidg.gov.pl/CEIDG.Services.Import/RestrictionImport.svc"
binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IRestrictionImport"
contract="RestrictionImportService.IRestrictionImport" name="WSHttpBinding_IRestrictionImport" />
</client>
</system.serviceModel>
</configuration>
WSDL:
wsdl:definitions name="RestrictionImport" targetNamespace="http://zeto.bialystok.pl"><wsp:Policy wsu:Id="WSHttpBinding_IRestrictionImport_policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding>
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false"/>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:TransportBinding>
<sp:EndorsingSupportingTokens>
<wsp:Policy>
<sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:BootstrapPolicy>
<wsp:Policy>
<sp:SignedParts>
<sp:Body/>
<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
</sp:SignedParts>
<sp:EncryptedParts>
<sp:Body/>
</sp:EncryptedParts>
<sp:TransportBinding>
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false"/>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:TransportBinding>
<sp:SignedSupportingTokens>
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken10/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SignedSupportingTokens>
<sp:Wss11>
<wsp:Policy/>
</sp:Wss11>
<sp:Trust10>
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust10>
</wsp:Policy>
</sp:BootstrapPolicy>
</wsp:Policy>
</sp:SecureConversationToken>
</wsp:Policy>
</sp:EndorsingSupportingTokens>
<sp:Wss11>
<wsp:Policy/>
</sp:Wss11>
<sp:Trust10>
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust10>
<wsaw:UsingAddressing/>
</wsp:All>
</wsp:ExactlyOne>
https://test.ceidg.gov.pl/CEIDG.Services.Import/RestrictionImport.svc
I have username and password for authentication.
I tried to call service fro groovy using this XML:
def client = new SOAPClient("https://test.ceidg.gov.pl/ceidg.public.api/APIService.svc")
response = client.send(
"""<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:tem="http://tempuri.org/">
<soap:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsse:Security mode="TransportWithMessageCredential" soap:mustUnderstand="true" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-C42BA6EAC6DBDE07EC14636522574269">
<wsse:Username>USER</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PASSWORD</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">AceynGmXO0uy+sRgBBEj8Q==</wsse:Nonce>
<wsu:Created>$data</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
<wsa:MessageID>uuid:$uuid</wsa:MessageID><ActivityId CorrelationId="c2fa49e7-fb82-41fe-81d3-065e985a3df6" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">cbe1563c-0609-40dd-aa81-3ddcbebb0424</ActivityId><wsa:ReplyTo><wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address></wsa:ReplyTo><wsa:To soap:mustUnderstand="1">http://test.ceidg.gov.pl/CEIDG.Services.Import/RestrictionImport.svc</wsa:To>
</soap:Header>
<soap:Body>
<tem:AddFileToImport>
<tem:fileName>?</tem:fileName>
<tem:importData>cid:1388108976858</tem:importData>
</tem:AddFileToImport>
</soap:Body>
</soap:Envelope>""")
but i`m getting error:
wslite.soap.SOAPFaultException: s:Sender - The message with To 'http://test.ceidg.gov.pl/CEIDG.Services.Import/RestrictionImport.svc' cannot be processed at the receiver, due to an AddressFilter mismatch at the EndpointDispatcher. Check that the sender and receiver's EndpointAddresses agree
Any ideas?
How can I authorise a client (in this case a client is an application) to use a web service within .NET,
For example:
I want a 3rd pary application to call a method but not allow other applications within the network to call this method.
I want to avoid transport layer authorisation and use message based authorisation.
You should take a look at the WS-Security and WS-Policy standards. The best way is to have the client application sign all requests (with a private key) and check this signature on the server side.
We use a setup like this, with the following WS-Policy definitions in the WSDL:
<!--Endpoint Policy-->
<wsp:Policy wsu:Id="Endpoint_policy"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<!-- sp:Basic256/-->
<sp:TripleDesRsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Lax />
</wsp:Policy>
</sp:Layout>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier />
<sp:MustSupportRefIssuerSerial />
</wsp:Policy>
</sp:Wss10>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<!--End of Endpoint Policy-->
<!--Message Policy1-->
<wsp:Policy wsu:Id="Sign_message_policy"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsp:ExactlyOne>
<wsp:All>
<sp:SignedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body />
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<!--End of Message Policy1-->
You then reference these policies in the binding part of the WSDL. Example:
<binding name="ExampleServiceSOAP" type="foobar:ExampleServicePort">
<!-- WS-Security -->
<wsp:PolicyReference URI="#Endpoint_policy" />
<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
<operation name="getSomething">
<soap:operation soapAction="getSomething" style="document"/>
<input>
<!-- WS-Security -->
<wsp:PolicyReference URI="#Sign_message_policy" />
<soap:body use="literal"/>
</input>
<output>
<soap:body use="literal"/>
</output>
</operation>
</binding>
The simplest (and the most "portable") thing will be to use HTTP Authentication.