Skip to main content

SOAP request SSL signature validation in Spring boot cxf

What is signed SOAP request

SOAP request can be signed using SSL certificates. It can be use to sign multiple parts in SOAP request message like, timestamp, WSA address, user name, message body etc.
Then this signed message is verified by SOAP service at server where it verifies the parts of message using the available certificates. The certificate which is used by client to sign the request, must be available at server side as a trusted certificate otherwise SOAP service will not accept the request and throw the error like "Request signed by untrusted certificate".

Callback Handler

We need to create the implementation of callback handler where we configure the password details for the certificate keystore. Below is an implementation of the same.
public CallbackHandler keystorePasswordCallback() {

  return (c)->{
     WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
     pc.setPassword("keystore_password");

  };

}

WSS4J Security Interceptor

We configure a security interceptor which we set the callback handler and configure the parts of Soap message which need to be verified. Also we set a security properties file having the details of JKS, password etc. It is used by interceptor to verify the client's public key which it has as a trusted certificate in it's JKS. Below is the code for security interceptor.
 @Bean

 public WSS4JInInterceptor signatureInterceptor() {

  Map<String, Object> sigProps = new HashMap<>();

  sigProps.put(WSHandlerConstants.PW_CALLBACK_REF, keystorePasswordCallback());

  sigProps.put(WSHandlerConstants.ACTION, 

    WSHandlerConstants.TIMESTAMP + " "

    + WSHandlerConstants.USERNAME_TOKEN + " "

    +WSHandlerConstants.SIGNATURE);

  sigProps.put(WSHandlerConstants.SIG_PROP_FILE, "security.properties");

 }

Security.properties

This security file contains setting for WSS4J for the signature verification. Below are the contents of this file.
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin

org.apache.ws.security.crypto.merlin.keystore.type=jks

org.apache.ws.security.crypto.merlin.keystore.password=keystore_password

org.apache.ws.security.crypto.merlin.keystore.file=keystore.jks

Setting up interceptor with Spring bus

Spring bus is an extension to CXF and works as interceptor provider. Here we need to register our security interceptor, so it will verify each incoming request. Below is the configuration for spring bus.
@Bean(name = Bus.DEFAULT_BUS_ID)

 public SpringBus springBus() {

  SpringBus springBus = new SpringBus();

  springBus.getInInterceptors().add(signatureInterceptor());

  return springBus;

 }

You may check below post on Soap service development using Spring boot & CXF.
https://www.thetechnojournals.com/2020/01/soap-services-with-spring-boot-and.html

Comments

Popular Posts

SpringBoot - @ConditionalOnProperty example for conditional bean initialization

@ConditionalOnProperty annotation is used to check if specified property available in the environment or it matches some specific value so it can control the execution of some part of code like bean creation. It may be useful in many cases for example enable/disable service if specific property is available. Below are the attributes which can be used for property check.
havingValue - Provide the value which need to check against specified property otherwise it will check that value should not be false.matchIfMissing - If true it will match the condition and execute the annotated code when property itself is not available in environment.name - Name of the property to be tested. If you want to test single property then you can directly put the property name as string like "property.name" and if you have multiple properties to test then you can put the names like {"prop.name1","prop.name2"}prefix - It can be use when you want to apply some prefix to all prop…

Asynchronous REST service implementation in Spring boot

In this tutorial we will see how to create an asynchronous REST service endpoint using Spring boot application.
Asynchronous service works in a way that it will not block the client request and do the processing in separate thread. When work is complete the response returned to the client so our service will be able to handle more client requests at the same time, compare to synchronous processing model.
Let's understand how it is working in synchronous mode. In such server/client application at server side it has a pool of threads which are serving the request. If a request received by a thread then it will be blocked until it send the response back to client. In this case if processing doesn't take much time it will be able to process it quickly and accept other client requests but there could be one situation when all threads are busy and not able to accept the new client requests.

To overcome of such problems, asynchronous processing model introduced for REST services. In…

Entity to DTO conversion in Java using Jackson

It's very common to have the DTO class for a given entity in any application. When persisting data, we use entity objects and when we need to provide the data to end user/application we use DTO class. Due to this we may need to have similar properties on DTO class as we have in our Entity class and to share the data we populate DTO objects using entity objects. To do this we may need to call getter on entity and then setter on DTO for the same data which increases number of code line. Also if number of DTOs are high then we need to write lot of code to just get and set the values or vice-versa.
To overcome this problem we are going to use Jackson API and will see how to do it with minimal code only.
Maven dependency <dependency> <groupId>com.fasterxml.jackson.core</groupId> <artifactId>jackson-databind</artifactId> <version>2.9.9</version> </dependency> Entity class Below is our ent…

Web scraper using JSoup and Spring Boot

What is webscraping Webscraping is a technique to extract or pull the data from a website to gather required information by parsing the HTML source of their websites, such as articles from news or books site, products information from online shopping sites or course information from education sites. There are many organisations who uses web scraper to provide the best experience to their customers, for example extract the price for a smartphone from multiple online websites and show their customers the best and cheap product URL.
We will learn here how to code a web scraper by developing a simple new scraper service.
News scraper News scraper is used to extract the news articles or other related contents from a news site. Here we are going to create a web scraper application to pull the articles from news site.
Below are the operations provided by our news scraper service.
List all the authorsSearch articles by author nameSearch articles by article titleSearch articles by article desc…