Trying to implement WS-Policy within WSDL.
There is my configurations:
WS-Policy within WSDL:
<wsp:Policy wsu:Id="Signature">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken=
"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken=
"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:LaxTsFirst />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
<sp:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:SignedParts>
<sp:Body />
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
CXF configuration:
EndpointImpl endpoint = new EndpointImpl(bus, service);
endpoint.setWsdlLocation("classpath:/wsdl/ws.wsdl");
endpoint.setProperties(new HashMap<String, Object>() {
{
put("ws-security.signature.validator", customSignatureValidator);
put("ws-security.signature.properties", new Properties() {{
put("org.apache.ws.security.crypto.provider", "org.apache.ws.security.components.crypto.Merlin");
put("org.apache.ws.security.crypto.merlin.keystore.type", "jks");
put("org.apache.ws.security.crypto.merlin.keystore.password", keystorePassword);
put("org.apache.ws.security.crypto.merlin.file", keystorePath);
}});
put("ws-security.signature.username", privateKeyName);
put("ws-security.callback-handler", (CallbackHandler) callbacks -> {
WSPasswordCallback passwordCallback = (WSPasswordCallback) callbacks[0];
passwordCallback.setPassword(privateKeyPassword);
});
}
});
endpoint.publish("/ws");
Problem:
After sending SOAP request with timestamp, signature key information etc. I'm getting SOAP fault message:
These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding: Received Timestamp does not match the requirements
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}OnlySignEntireHeadersAndBody
Error appears even if I'm not sending timestamp. According logs (CXF) I see that signature is correct.
>instead of four spaces; append two spaces where a line break shall be kept).) - greybeard