DSB_IT_Support
Occasional Contributor
14 years ago

Outgoing WSS signing does not seem to work

I am trying to digitally sign the outgoing messages from soapUI.
I have successfully installed a private X.509 certificate.
I have configured outgoing WSS as follows:
- Keystore: Name of my Java keystore file
- Alias: The alias associated with the private key used for signing
- Password: The keystore password
- Key Identifier type: X.509 Certificate
- Signature Algorithm: http://www.w3c.org/2000/09/xmldsig/#rsa-sha1
- Signature Canonicalization: http://www.w3c.org/TR/2001/REC-xml-c14n-20010315
- Digest Algorithm: http://www.w3c.org/2000/09/xmldsig/#sha1
- Use Single Certificate: Yes
- Parts: No parts specified

I have then selected the configuration as Outgoing WSS for an end-point.
When I now submit a WS-request to this end-point I expect to see the signature as part of the request; however, what I see is the following:


POST http://eris.dsb.dk:8200/AdresseSoegningService/AdresseSoegningServicePS HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "hentLandeListe"
User-Agent: Jakarta Commons-HttpClient/3.1
Host: eris.dsb.dk:8200
Proxy-Connection: Keep-Alive
Content-Length: 779

<soapenv:Envelope xmlns:adr="http://ic.dsb.dk/kundekerne/adresse/AdresseSoegning" xmlns:ihe="http://ic.dsb.dk/iheader" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<ihe:IgpHeader xmlns:ihe="http://ic.dsb.dk/iheader">
<ihe:Afsender>
<ihe:AfsenderID>aeb34c46-1653-42cc-8f26-20c505e5519c</ihe:AfsenderID>
</ihe:Afsender>
<ihe:OprettelsesTid>2011-11-17T11:44:18</ihe:OprettelsesTid>
<ihe:ReferenceNr>806a314d-47a1-1a87-2ec6-cb4fd015e937</ihe:ReferenceNr>
</ihe:IgpHeader>
</soapenv:Header>
<soapenv:Body wsu:Id="id-38" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<adr1:hentLandeListe xmlns:adr1="http://ic.dsb.dk/kundekerne/adresse/AdresseSoegningService"/>
</soapenv:Body>
</soapenv:Envelope>


Hence, I do not see any signature in the outgoing response.
There are no errors in the error log, so according to soapUI everything went well...
Could you please specify what is wrong in the configuration?
  • DSB_IT_Support
    Occasional Contributor
    I am using 4.0.0.
    But this morning I upgraded to 4.0.1 to see if it made any difference, but it did not.
  • DSB_IT_Support
    Occasional Contributor
    Hi Ole,
    I believe that I have identified the problem. We implement RequestFilter.filterRequest. In there we add parts of the soap header needed for our setup.
    Apparently the signing happens before this, so the filtering mangles the resulting request.
    Ideally I would like to be able to continue with the filtering...
    Can you suggest a different event that fires before the signing?
    Or was it actually the intention that this should work so that you want to treat it as a bug?
  • Hi,

    thanks for following up - can you show the code of the filterRequest event so we can see how you are adding the headers?

    regards!

    /Ole
    SmartBear Software
  • DSB_IT_Support
    Occasional Contributor
    Here is the code (placed in RequestFilter.filterRequest)

    // Only inject the header when the request does not already carry it
    if (!(context.requestContent.contains("some_element") ||
          context.requestContent.contains("some_other_element"))) {
        def value1 = "aeb34c46-1653-42cc-8f26-20c505e5519c"
        def value2 = ourUtils.xsdDate()
        def value3 = ourUtils.randomUuid()
        // Triple-quoted GString, because the replacement spans several lines
        def newHeader = """<soapenv:Header>
      <ihe:OurHeader>
        <ihe:element1>
          <ihe:element2>${value1}</ihe:element2>
        </ihe:element1>
        <ihe:element3>${value2}</ihe:element3>
        <ihe:element4>${value3}</ihe:element4>
      </ihe:OurHeader>"""
        def req = context.requestContent
        def ind1 = req.indexOf("<soapenv:Header>")
        // Stop just before the closing tag so </soapenv:Header> is kept
        def ind2 = req.indexOf("</soapenv:Header>") - 1
        def sb = new StringBuffer(req)
        // Overwrites everything between the opening and closing header tags
        sb[ind1..ind2] = newHeader
        context.requestContent = sb.toString()
    }


    Please note that the signature is calculated on the Body contents and the contents of the OurHeader element. So it is not an option to insert changes to the header in the RequestFilter.filterRequest hook since that would invalidate the signature. That is why I need an event that is fired before the signing occurs.
    For my sake I have worked around the problem by eliminating the use of the event-hook. Instead I insert the desired value in each single request.
    However, I believe that it would be of general interest to know whether there is an option to perform changes to the requests in an event-hook that is invoked before signing occurs.
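
The effect discussed in this thread, reproduced on a constructed envelope as an added example (Python, not code from the posters or from soapUI): the same header-overwriting string replacement is applied to a signed message, and a checker reports that the wsse:Security signature is gone while the Body's wsu:Id remains. The sample envelope, `replace_header`, `check_wss` and the `urn:example:header` namespace are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSU_ID = "{%s}Id" % WSU

# Constructed sample: a signed request as it looks before any filter runs.
SIGNED = f"""<soapenv:Envelope xmlns:soapenv="{NS['soapenv']}">
<soapenv:Header>
<wsse:Security xmlns:wsse="{NS['wsse']}">
<ds:Signature xmlns:ds="{NS['ds']}"><ds:SignedInfo>
<ds:Reference URI="#id-38"/>
</ds:SignedInfo></ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="id-38" xmlns:wsu="{WSU}"><op/></soapenv:Body>
</soapenv:Envelope>"""


def replace_header(xml, new_children):
    """Same string surgery as the filterRequest script: overwrite everything
    from <soapenv:Header> up to (not including) </soapenv:Header>."""
    start = xml.index("<soapenv:Header>")
    end = xml.index("</soapenv:Header>")
    return xml[:start] + "<soapenv:Header>" + new_children + xml[end:]


def check_wss(xml):
    """Return a list of findings about the WS-Security signature in an envelope."""
    root = ET.fromstring(xml)
    ids = {el.get(WSU_ID) for el in root.iter() if el.get(WSU_ID)}
    sigs = root.findall("soapenv:Header/wsse:Security/ds:Signature", NS)
    refs = {r.get("URI", "").lstrip("#")
            for s in sigs for r in s.iterfind(".//ds:Reference", NS)}
    findings = []
    if not sigs:
        findings.append("no ds:Signature in wsse:Security header")
    if not sigs and ids:
        findings.append("wsu:Id present but nothing signs it: " + ", ".join(sorted(ids)))
    for missing in sorted(refs - ids):
        findings.append("ds:Reference points at missing wsu:Id: " + missing)
    return findings
```

Running `check_wss` on a request captured from the HTTP log shows whether a signature was produced and then lost, which is what a leftover `wsu:Id` on the Body with no `wsse:Security` header indicates.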