Skip to main content

SOAP request SSL signature validation in Spring boot cxf

What is signed SOAP request

SOAP request can be signed using SSL certificates. It can be use to sign multiple parts in SOAP request message like, timestamp, WSA address, user name, message body etc.
Then this signed message is verified by SOAP service at server where it verifies the parts of message using the available certificates. The certificate which is used by client to sign the request, must be available at server side as a trusted certificate otherwise SOAP service will not accept the request and throw the error like "Request signed by untrusted certificate".

Callback Handler

We need to create the implementation of callback handler where we configure the password details for the certificate keystore. Below is an implementation of the same.
public CallbackHandler keystorePasswordCallback() {

  return (c)->{
     WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
     pc.setPassword("keystore_password");

  };

}

WSS4J Security Interceptor

We configure a security interceptor which we set the callback handler and configure the parts of Soap message which need to be verified. Also we set a security properties file having the details of JKS, password etc. It is used by interceptor to verify the client's public key which it has as a trusted certificate in it's JKS. Below is the code for security interceptor. 
 @Bean

 public WSS4JInInterceptor signatureInterceptor() {

  Map<String, Object> sigProps = new HashMap<>();

  sigProps.put(WSHandlerConstants.PW_CALLBACK_REF, keystorePasswordCallback());

  sigProps.put(WSHandlerConstants.ACTION, 

    WSHandlerConstants.TIMESTAMP + " "

    + WSHandlerConstants.USERNAME_TOKEN + " "

    +WSHandlerConstants.SIGNATURE);

  sigProps.put(WSHandlerConstants.SIG_PROP_FILE, "security.properties");

 }

Security.properties

This security file contains setting for WSS4J for the signature verification. Below are the contents of this file. 
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin

org.apache.ws.security.crypto.merlin.keystore.type=jks

org.apache.ws.security.crypto.merlin.keystore.password=keystore_password

org.apache.ws.security.crypto.merlin.keystore.file=keystore.jks

Setting up interceptor with Spring bus

Spring bus is an extension to CXF and works as interceptor provider. Here we need to register our security interceptor, so it will verify each incoming request. Below is the configuration for spring bus. 
@Bean(name = Bus.DEFAULT_BUS_ID)

 public SpringBus springBus() {

  SpringBus springBus = new SpringBus();

  springBus.getInInterceptors().add(signatureInterceptor());

  return springBus;

 }
You may check below post on Soap service development using Spring boot & CXF.
https://www.thetechnojournals.com/2020/01/soap-services-with-spring-boot-and.html
Labels:

Comments

  1. William Jessie15 March 2021 at 22:13

    You are giving such interesting information.What is a work certificate in Switzerland It is great and beneficial info for us, I really enjoyed reading it. Thankful to you for sharing an article like this.

    ReplyDelete
  2. Ana Cyber12 November 2021 at 05:14

    I have seen some posts on this website and I think that your blog is very interesting and has lots of excellent information. Thank you for sharing this. Find cyber Security companies in India.

    ReplyDelete
  3. ITGOLD Solutions11 March 2022 at 11:37

    I am grateful to this blog site providing special as well as useful understanding concerning this subject. Switch to NBN

    ReplyDelete

Post a Comment

Popular Posts

Setting up kerberos in Mac OS X

Kerberos in MAC OS X Kerberos authentication allows the computers in same domain network to authenticate certain services with prompting the user for credentials. MAC OS X comes with Heimdal Kerberos which is an alternate implementation of the kerberos and uses LDAP as identity management database. Here we are going to learn how to setup a kerberos on MAC OS X which we will configure latter in our application. Installing Kerberos In MAC we can use Homebrew for installing any software package. Homebrew makes it very easy to install the kerberos by just executing a simple command as given below. brew install krb5 Once installation is complete, we need to set the below export commands in user's profile which will make the kerberos utility commands and compiler available to execute from anywhere. Open user's bash profile: vi ~/.bash_profile Add below lines: export PATH=/usr/local/opt/krb5/bin:$PATH export PATH=/usr/local/opt/krb5/sbin:$PATH export LDFLAGS=...
100 comments
Read more

Why HashMap key should be immutable in java

HashMap is used to store the data in key, value pair where key is unique and value can be store or retrieve using the key. Any class can be a candidate for the map key if it follows below rules. 1. Overrides hashcode() and equals() method.   Map stores the data using hashcode() and equals() method from key. To store a value against a given key, map first calls key's hashcode() and then uses it to calculate the index position in backed array by applying some hashing function. For each index position it has a bucket which is a LinkedList and changed to Node from java 8. Then it will iterate through all the element and will check the equality with key by calling it's equals() method if a match is found, it will update the value with the new value otherwise it will add the new entry with given key and value. In the same way it check for the existing key when get() is called. If it finds a match for given key in the bucket with given hashcode(), it will return the value other...
1 comment
Read more

Singleton class in java

What is Singleton class Singleton is a design technique which gaurantees that there will be only instance of a class globally. Such classes are required when we need to create some objects which are memory/ resource extensive and we can't afford many such objects. Using singleton We can maintain single object per JVM per classloader. Classloader could be different in different hierarchy and in such case we may have more than one instances of singleton but we can avoid it by loading it at appropriate classloader. For example in an ear application there could be multiple web modules and each one of them will have their own singleton instance. Sometimes it may be a need but sometimes it could be a flaw which can be resolved by loading it either at ear level or web module level as per requirement. Implementing singleton class There are two different ways to implement singleton in java. Using singleton design pattern In this pattern we can create singleton either using lazy...
6 comments
Read more

Microservices with Spring Boot - complete tutorial

In this tutorial we are going to learn how to develop microservices using spring boot with examples. Main focus of this tutorial is on learning by doing hands-on. Before hands-on we will first understand what is microservices and related terminologies like DDD, 12-Factors App, Dev Ops. What is a Microservice In simple terms microservice is a piece of software which has a single responsibility and can be developed, tested & deployed independently. In microservices we focus on developing independent and single fully functioning modules. Opposite to microservice, with monolithic application it focuses on all the functionality or modules in a single application. So when any changes required to monolithic application it has to deploy and test the complete application while with microservice it has to develop and deploy only affected component which is a small service. It saves lot of development and deployment time in a large application. It's basically an architectural style ...
5 comments
Read more