Inserting Username token in security header of already generated SOAP envelope gives me two headers!

java web-services security wss4j usernametoken
zzztimbo picture zzztimbo · Nov 12, 2009 · Viewed 9.2k times · Source

I'm using WSS4J to add a Username token in the header of an already formed SOAP request envelope.

Here is what the SOAP request looks like: 

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://sample03.samples.rampart.apache.org/xsd">   
   <soapenv:Header/>   
   <soapenv:Body>      
      <xsd:echo>         
         <xsd:param0>hurro kitty</xsd:param0>      
      </xsd:echo>   
   </soapenv:Body></soapenv:Envelope>

This is my code (the String, request, is the request above):

DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
DocumentBuilder builder = factory.newDocumentBuilder();
InputSource inStream = new InputSource();
inStream.setCharacterStream(new StringReader(request));
Document document = builder.parse(inStream);

WSSecUsernameToken usernametoken = new WSSecUsernameToken();
usernametoken.setPasswordType(WSConstants.PASSWORD_TEXT);
usernametoken.setUserInfo(username, password);

WSSecHeader secHeader = new WSSecHeader("", false);
secHeader.insertSecurityHeader(document);
usernametoken.build(document, secHeader);

This is my result (notice the header that was inserted is not namespaced correctly, as well as there being two headers): 

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://sample03.samples.rampart.apache.org/xsd">   
   <Header>      
      <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">         
         <wsse:UsernameToken wsu:Id="UsernameToken-2765109" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">            
            <wsse:Username>bob</wsse:Username>            
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">bobPW</wsse:Password>         
         </wsse:UsernameToken>      
      </wsse:Security>   
   </Header>   
   <soapenv:Header/>   
   <soapenv:Body>      
      <xsd:echo>         
         <xsd:param0>hurro kitty</xsd:param0>      
      </xsd:echo>   
   </soapenv:Body></soapenv:Envelope>

What am I doing wrong?

Answer

Kevin picture Kevin · Nov 13, 2009

What am I doing wrong?

When you are building the initial XML, you need to make sure that the DocumentBuilderFactory is namespace-aware. WSSecurity is trying to find the soap header by the soap namespace but it isn't available. Adding the following line should fix it:

DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true);
...

Related questions

org.apache.ws.security.WSSecurityException: General security error (No certificates were found for decryption (KeyId))

I have inherited some code that is a WSS4J secure webservice. It is based off of this popular tutorial: http://distributedsenses.blogspot.com/2008/09/configuring-cxf-for-web-service.html Now the server side is working with other clients, but mine is not. :( I …

Read More
HANDSHAKE_FAILURE alert received

I am writing a Java client (on weblogic 10.3) to invoke a secure web service. I have been provided with a client certificate which I have installed in cacerts, DemoIdentity.jks and DemoTrust,jks In my weblogic I have set up …

Read More
How to do a SOAP Web Service call from Java class?

I'm relative new to the webservices world and my research seems to have confused me more than enlighten me, my problem is that I was given a library(jar) which I have to extend with some webservice functionality. This library …

Read More