ws-security

问题 I need to provide a service to a third-party that will be sending soap messages with a signed Timestamp. How can I configure my service to support this? UPDATE I've managed to get close to the format of the Soap message that we're after but WCF insists on signing both the username and the timestamp tokens, Is there a way to modify the binding to only sign the timestamp? Further Update Here are our requirements: The Timestamp element MUST be signed. The CN name on the certificate used for

问题 I have successfully created a WS client that works correctly when NOT using authentication. However, the server (WebSphere) now requires adding a ws-security username token, and I'm having a hard time doing this. The resulting SOAP message is supposed to look something like this: <soapenv:Envelope xmlns:ns="http://foo.bar/1.0" xmlns:ns1="http://www.witsml.org/schemas/140" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <wsse:Security soapenv:mustUnderstand="1"

问题 we are using WSS4JOutInterceptor to sign outgoing soap message from our application. We have tested the application on Tomcat without any problems, but on Websphere (7) we keep getting the ClassCastException: java.lang.ClassCastException: org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory incompatible with javax.xml.crypto.dsig.XMLSignatureFactory at javax.xml.crypto.dsig.XMLSignatureFactory.findInstance(XMLSignatureFactory.java:202) at javax.xml.crypto.dsig.XMLSignatureFactory

问题 I want BizTalk to send signed soap messages using WS-Security without encryption. My orchestration is using a dynamic send port. I have tried both, trying to configure a WCF-WSHttp Send Port like this: (temporarily altered my orchestration to use this port rather than a dynamic port) as well as doing it within my orchestration. However I only manage to get my message send out encrypted, or in plain text without being signed or encrypted. Configuring a Send Port. Result: Message gets encrypted

问题 I am attempting to consume a web service through its corresponding wsdl. This service is dependent upon authentication conforming to Web Services Security Basic Security Profile 1.0 including that the correct xmls namespace of http://docs.oasis-open.org/wss/2004/01/oasis-200401wss-wssecurity-secext-1.0.xsd must be included in the request. Example: <wsse:UsernameToken xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' > <wsse:Username> Bob </wsse

问题 I am trying to access secured web services through WSO2 ESB. I receive a request from a web service, use sequence, apply XSLT mediator, construct the request as needed to hit the endpoint. I can do this successfully by creating a request for unsecured endpoints. How do I construct requests when the endpoints are secured using various security polices (Eg: X509 user name token, etc) Thanks. 回答1: Have a look at this sample. You need to secure the outgoing request message at the end point level.

问题 I'm trying to requests a security token from a STS service. The service is 3rd party, so I can't modify it, check logs, etc. The resulting request SOAP message looks almost identical to a sample request I have. It's only that there are two BinarySecurityToken elements added with identical values , while the proper request contains only one token. The SOAP message looks like this: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01

问题 I have a question regarding soapUI: I'm trying to add a ws-security header to my soap-requests containing a signature. To do that I used the soapUI-dialog "WS-Security Configurations" in the project preferences. It works as expected, but my server application requires a Thumbprint-SHA1-Id as the KeyInfo//SecurityTokenReference Element. I found out that soapUI provides this option in the WSS Entry "Encryption" but not for "Signature". So my question is: How can I use the Key Identifier Type

问题 I am creating a WCF client for a Java web service that is out of my control, and have run into a problem, in that the service returns an InvalidSecurity fault if the Timestamp header element is signed. I am currently using the following SecurityBindingElement , but this automatically signs the Timestamp element. How can I stop this behaviour? More generally, how can I control which elements are signed and which aren't? var version = MessageSecurityVersion

问题 Today's there is more and more web services developed for internal use to connect applications together. We do not have an ESB to control and secure this web services so I guess on what is a good way to secure them. We have try to setup Two-Way SSL but we are not able to control the authorization on a particular web service. My need is to be able to control which application is calling my web service and is this application authorized to call it. I don't like WS-Trust and Ws-Security because